  • Repairing VB hacked forum

    FYI - vBulletin can be used to infiltrate your entire server and allow hackers to install malware or a Microsoft account phishing login page, including allowing access to other web accounts on the server such as WordPress sites, etc.

    Anyway.... this is my situation.

    I have a db backup of the vb site before it was either hacked or before files were activated inside of the vb public_html folder.

    What are the exact steps to delete the entire public_html folder from scratch and install the latest version of vb?

    I have a backup of the config.php and the db and have a backup of attachments, customavatar, custom profilepic, signaturepic folders or at least have a backup that I have access to in order to upload those.

    When uploading the upload folder files from the zip of the latest version to public_html, going to the URL asks for db info, username, pw, etc. How do I get around that so it knows there is a config.php with all that info, so it doesn't overwrite the db with a new db file? I have a backup of the db. Should I do all that and then restore the db after?

    Please give very specific instructions on what to do.

    Also, where is the attachments folder normally located as well as customavatar, customprofilepic and signaturepics folders? I will upload the backups to replace the new folders after the forum is back up and running.

    All the above is the exact same case for two forums I have.



  • #2
    This happened to 2 forums with 5.5.6 I believe that were upgraded to the latest with the patch.



    • #3
      You cannot upgrade with a Patch. Patches are made specifically for the version released and there was no 5.5.6 patch in this last release. You need to run a full upgrade. Otherwise delete the contents of the widget_php template for all styles on the server. The vBulletin files should be read only (chmod 444) or read/execute (chmod 555) only depending on your server configuration.

      The exploit allows the hacker to upload files onto your server if your webserver can write to the disk (not recommended) or if you use FastCGI and the FastCGI process can write to the disk (also not recommended). You must review your non-vBulletin files to know if they have been exploited. This means checking your notes and making sure that software that you did not install is not on the server. With vBulletin, the software can tell you if there are non-vBulletin files. However, it cannot tell you this for WordPress or any other software installed on the server. There is literally no way for Technical Support to know if a file (outside the vBulletin directory) is there on purpose or not either.

      When uploading the upload folder files from the zip of the latest version to public_html, going to the URL asks for db info, username, pw, etc. How do I get around that so it knows there is a config.php with all that info, so it doesn't overwrite the db with a new db file? I have a backup of the db. Should I do all that and then restore the db after?
      The mere existence of the /config.php and /core/includes/config.php files with proper database information will bypass the MakeConfig.php file. There is nothing else that needs to be done except run upgrade.php, not install.php.

      Read the section on manually editing the config.php files in your vB5Readme.html file.

      Also, where is the attachments folder normally located as well as customavatar, customprofilepic and signaturepics folders? I will upload the backups to replace the new folders after the forum is back up and running.
      attachments? We suggest that it is ./attachments in the AdminCP. However there is no real default and it can be placed anywhere on the server. For security purposes, it is recommended that it is placed outside the web root (public_html) directory. These files do not need to be accessible by web browsers. You might be able to see this in the AdminCP if it hasn't been modified. It will be under Attachments -> Attachment Storage Type.

      customavatars? It is suggested that they are placed in the /core/customavatars directory that we provide. Though this can be any directory and should be placed within the web root (public_html) so browsers can access the files. This can be seen in the AdminCP if it hasn't been modified. It will be under Settings -> User Picture Storage Type.

      customprofilepic? vBulletin 5 doesn't support these so the directory isn't relevant.

      signaturepics? These are stored as attachments and will be located in the attachment directory. Wherever you had that.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API



      • #4
        It was 5.6.2 with the patch level 1 - it was upgraded and it was hacked so hacked files were probably already there before the upgrade. I did the upgrade properly.

        The entire public_html folder was deleted because it is the only way to ensure only vb files are in there.

        If I install from scratch and the core/config.php file is there, can I just run the install.php? That is what I tried and it asks for the db credentials, etc. when going to the URL for the homepage.

        The db is restored so would it wipe out the db or do I let it make a new db from scratch and then simply restore the db so it is updated with the backup?

        So this is like a fresh install of 5.6.2 PL1 - I have the config.php and db restored. What now?



        • #5
          How do I use vb admin cp to verify what is or isn't vb files? I might just have to restore my public_html folder, run that and delete whatever non-vb files I know I put there myself.



          • #6
            For the file scanner, found in Options, it says:
            Enabled Scanners
            At least one scanner must be enabled for vBulletin to scan uploaded files.
            Note that scanning is performed at the time of upload, and previously uploaded files will not be retroactively scanned after enabling a scanner.
            I'm not sure that makes any sense. If there are compromised files inserted before the upgrade to 5.6.2 PL1, then they will never be found and they can take the forum down again.



            • #7
              I left the restored db, uploaded a restored public_html, uploaded upload folder contents, did upgrade and it seems to work fine. However, is there a way for vb to point out all non-vb files even ones that were installed before the upgrade?

              I also changed the administrator users' passwords.



              • #8
                In images/css, is kk2.php a legit file? I removed it. Looks suspicious.

                How about public_html\vendor\phpspec\prophecy\ the readme.php inside this folder?

                Or public_html\vendor\phpunit\php-code-coverage\src\ app.php?

                public_html\vendor\phpunit\php-file-iterator\src\ yah.php?

                public_html\vendor\phpunit\php-file-iterator\ composer.php?

                public_html\vendor\phpunit\php-timer\src\ service.php?

                \public_html\vendor\phpunit\phpunit\ composer.php?

                I deleted the entire vendor folder - doesn't look right.

                \public_html\license.php has lots of Chinese characters inside - doesn't look right. Removed this too.



                • #9
                  Originally posted by energetic-forum:
                  However, is there a way for vb to point out all non-vb files even ones that were installed before the upgrade?
                  AdminCP/Maintenance/Diagnostics/Suspect File Versions



                  • #10
                    Originally posted by shka:
                    AdminCP/Maintenance/Diagnostics/Suspect File Versions
                    Thank you!!!



                    • #11
                      Checksum file md5_sums_vbulletin.php is currently writable. Please ensure that this file is not writable by the webserver.

                      Where is this file and what permissions does it get set to to make it not writable by the webserver?



                      • #12
                        Originally posted by energetic-forum:
                        If I install from scratch and the core/config.php file is there, can I just run the install.php? That is what I tried and it asks for the db credentials, etc. when going to the URL for the homepage.
                        The correct location for this file is /core/includes/config.php. There should not be a file named config.php in /core/.

                        The db is restored so would it wipe out the db or do I let it make a new db from scratch and then simply restore the db so it is updated with the backup?

                        So this is like a fresh install of 5.6.2 PL1 - I have the config.php and db restored. What now?
                        The install connects to the database, checks for specific tables like the user table. If it finds them then it will consider the software installed and prompt an upgrade. If the specific database doesn't exist then it will try to create a database on install.

                        If either or both of the /config.php and /core/includes/config.php files do not exist, then it will launch the configuration maker script.

                        If the restored database is 5.6.2 PL1 and the files are 5.6.2 PL1, there is no reason to run the upgrade.php script. Just pointing /core/includes/config.php at the proper database with the proper table prefix should be enough to bring the forums back online. If this does not happen then the software cannot connect to the database with the information provided in the file.

                        You can use the Suspect File Diagnostic in the AdminCP to find non-vBulletin files. This is under Maintenance -> Diagnostics.
                        Translations provided by Google.

                        Wayne Luke
                        The Rabid Badger - a vBulletin Cloud demonstration site.
                        vBulletin 5 API



                        • #13
                          Originally posted by energetic-forum:
                          Checksum file md5_sums_vbulletin.php is currently writable. Please ensure that this file is not writable by the webserver.

                          Where is this file and what permissions does it get set to to make it not writable by the webserver?
                          It is in /core/includes currently. Changing permissions is really a question for the hosting provider since it will vary on server's operating system and configuration.

                          On a Linux install, making it read only would be the permissions of 444 or 555. Which you use depends on your server configuration. You can read about chmod here: https://opensource.com/article/19/8/...%20permission.

                          If you use your FTP client, these are probably represented as checkboxes labeled read, write, and execute for the three levels of permissions. Unchecking read for each level and submitting it should make it write only.
                          Translations provided by Google.

                          Wayne Luke
                          The Rabid Badger - a vBulletin Cloud demonstration site.
                          vBulletin 5 API

