vBulletin 3.6... hacked!!

  • vBulletin 3.6... hacked!!

    Version 3.6.7

    I thought it was only the index file, but now I can't even log in, my password has been changed and I'm the administrator!!!

    This is the index file as shown in my browser at:
    www.latrinchera.org/foros

    I hope someone knows how to deal with this:


    XXIn ThE Name Of Allah XX
    Th3 G3n3r4l l0s3r W4s Her3
    HaCkeD By
    ThE General Loser ( T-G-L)
    Unicef HaCker (x40)
    le-fils-de-hacker (xov)
    ++ This My Life AndI'm The Loser ++
    ++ You Live Once , Die For Ever ++
    Free Your Mind ,Don't Talk About My H2cking
    Fix UrFucking System ,But i Remove UrData
    -`- Contact me -´-
    [^_^] I'm N0t S0rry Adm!n [^_^]

    Gr33tz to L-F-D-H4ck3r and All Morrocan Cr4ckers
    CopyLeft © 2oo7
    Last edited by D2S; Sun 25 Nov '07, 6:40am.

  • #2
    vB hacked? Unbelievable

    Perhaps one of your plugins has a hole in it.



    • #3
      Did you follow these guidelines, as it says in this topic: http://www.vbulletin.com/forum/showthread.php?t=194701 ? It's a good idea to protect your AdminCP and ModCP using .htaccess files, as well as protect the config.php files using .htaccess files.



      • #4
        Ja! I thought it wouldn't be a problem since A Small Orange is supposed to make daily backups; this is what they just sent me:

        Hello,

        This particular hack looks like it was injected into the vBulletin database. I have a backup from Oct 26th that can be restored. If you have any later backups I would be happy to restore that as well.

        Regards,
        Mike
        Aren't you supposed to make daily backups??? That's an entire month!!!
        Hello,

        It's what I have. After this ticket is completed I intend to escalate it to find why backups have not been generated since then, but for now the reality of the situation is I have a backup from Oct 26th. I can restore it or any backups you have created and downloaded.

        You may also want to try to contact vBulletin support. They may have more knowledge of this specific hack against their product and might be able to help you manually remove it to restore the site without needing to restore a backup.

        Regards,
        Mike



        • #5
          From what I can see it isn't injected into the vBulletin database, or other pages would be messed up too, such as http://www.latrinchera.org/foros/memberlist.php for example, where they would have had to inject into templates that would affect that page too, at the least. So from what I can see, they DIDN'T inject the database, but instead replaced the index.php file.

          So my guess is they exploited a hole in the server software and not vBulletin. The reason I say that is because, if it is vBulletin at fault, why haven't hundreds of other sites still using 3.6.7 been so much as touched?

          Also I would recommend you upgrade to 3.6.8 PL2 ("Powered by: vBulletin, Version 3.6.7")



          • #6
            It's in the database, I can't log in, my password or username has been changed, and I can't change the index file via FTP. When I do it, it appears alright, but the other index is still showing even when deleting cache and reloading...



            • #7
              I don't have plug-ins or mods, it's the vBulletin 3.6.7 just as it came from "the box"...



              • #8
                I've seen other vBulletin sites being hacked by these same people... this is not the first time a vBulletin site has been hacked by these hackers.



                • #9
                  Can you contact me with those sites? I'd like to know how they dealt with it...



                  • #10
                    Originally posted by D2S
                    It's in the database, I can't log in, my password or username has been changed, and I can't change the index file via FTP. When I do it, it appears alright, but the other index is still showing even when deleting cache and reloading...
                    If you can't FTP then someone either figured out your password or they got in further down. I don't think it's a vB issue. vB wouldn't have anything to do with FTP.

                    I know it's frustrating. It happened to me when I had UBB and phpBB.
                    I have no idea how someone hacked into my site last time, but EVERY password has been changed. vB was not the cause.
                    ...steven
                    www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
                    bmwcca.org/forum | m135i.net
                    "I tried to clean this up but this thread is beyond redemption." - Steve Machol



                    • #11
                      I can access my FTP; what seems impossible to do is changing the index.php file.



                      • #12
                        Originally posted by D2S
                        I can access my FTP; what seems impossible to do is changing the index.php file.
                        ASO needs to change your password so you can get back in.
                        ...steven



                        • #13
                          Ok, I'm changing the password...

                          About the index.php, I can delete it, and it works, but when I upload the new index.php, downloaded just a few minutes ago, the hacked index appears again. Both files have very different sizes, hacked index is about 40kb and vbulletin index is about 18kb... the one in my server appears to be the vbulletin 18kb file, but the 40kb hacked file is the one shown.



                          • #14
                            What does your .htaccess look like?
                            ...steven



                            • #15
                              This is the .htaccess file:

                              PHP Code:
                              php_value suhosin.request.max_vars 2048
                              php_value suhosin.post.max_vars 2048

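Added example, not part of the thread: the symptom in #13 (a stock index.php on disk while a different page is served at the /foros directory URL) and the .htaccess question in #14 both point at checking what else in that directory can answer the request. The sketch below lists other index files and .htaccess directives that change what is served; the candidate file names, the directive list and the function names are assumptions, and the sample directory is constructed.

```python
import os
import re
import tempfile

# Assumed candidate names; which one wins depends on the server's
# DirectoryIndex order, which this script does not know.
INDEX_CANDIDATES = ("index.html", "index.htm", "index.shtml", "default.htm")

# .htaccess directives that change which content answers a request.
SUSPECT = re.compile(
    r"^\s*(DirectoryIndex|Redirect\w*|Rewrite(Rule|Cond|Engine)|ErrorDocument"
    r"|AddHandler|SetHandler|php_value\s+auto_(prepend|append)_file)\b", re.I)

def audit_webroot(root):
    """Return (kind, path, detail) findings for one web directory."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.lower() in INDEX_CANDIDATES and os.path.isfile(path):
            size = os.path.getsize(path)
            findings.append(("extra-index", path, "%d bytes" % size))
    htaccess = os.path.join(root, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if SUSPECT.match(line):
                    detail = "line %d: %s" % (lineno, line.strip())
                    findings.append(("htaccess", htaccess, detail))
    return findings

def demo():
    """Constructed sample: stock index.php plus a planted index.html."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": "<?php // stands in for the stock file\n",
        "index.html": "<html>constructed placeholder page</html>\n",
        ".htaccess": "php_value suhosin.request.max_vars 2048\n"
                     "DirectoryIndex index.html index.php\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return audit_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Run `audit_webroot` on each parent directory as well, since .htaccess files there also apply to the forum directory.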