Announcement

Collapse
No announcement yet.

Forum Hacked - Need Some Assistance

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Forum Hacked - Need Some Assistance

    Looks like one of my forums got hacked last night. I think its some kind of template hack as creating a new style lets me get back into the forum but I need to clean up the mess. Anyone got any ideas of where I should start to get rid of the compromised template? The site is http://www.trianglecycling.com

    Im running 3.6.0 but will update just as soon as I get this crap taken care of.

    Thanks

  • #2
    look at the file ww.trianglecycling.com/index.php, he probably changed the whole content of this file to a joke. Then go to your admincp and in the Maintenace links at the bottom , you can run a script that will check the content of each of your vbulletin files and report to you suspicious ones. But if you really want it safer, uupgrade to the last vbulletion 3.6.8, replace all files, do the upgrade guidelines, but if you cannot upgrade make sure to have at least all security patch installed and to run the Maintenance stuff from the admincp to check all vb files validity,beware hackers are often leaving a PHP backdoor do go back in later when you think all is patched.Also big hole, make sure to not have a publicly available folder writable by any users, like if your forum root has a chmod of 777, attackers are often able to rewrite files like the index.php hack, it sounds like you left a folder or file writable to any user, this could ba hacked in only one request such hole
    Last edited by class101; Fri 4th Jan '08, 9:01am.
    security community

    Comment


    • #3
      Near as I can tell, the index file has not been changed. The timestamp wasnt changed on any of my files that I can find.

      Creating a new style let me get back into the forum but Id like to clean up the old style, I just have no idea where to start looking. As this hacker seems to have hit a lot of forums, I was hoping someone would have been through this before.

      Comment


      • #4
        ok then if index.php is untounched, I guess index.php was pointing to your forum home no ? Looks at the templae called ForumHome and lemme know if that looks malicious
        security community

        Comment


        • #5
          and also load a search within all templates for the word "H4Ck3d", that could reveal the glitch
          security community

          Comment


          • #6
            Forumhome looks okay. No sign of H4Ck3d in any of the templates.

            Comment


            • #7
              This is not possible nor your index.php is changed nor FORUMHOME or navbar is changed

              you sure there is the
              Code:
              eval('$navbar = "' . fetch_template('navbar') . '";');
              eval('print_output("' . fetch_template('FORUMHOME') . '");');
              at the bottom of your index.php ???

              nor if really all is unchanged I think to another possible reason, he used to add an url rewrite that is redirectiong all index.php request to hacked.php for example, he maybe changed the .htaccess no?

              ha yes your index.php looks ok I see it working now since you changed to default vb style. So the hack is withink the templates then , so in the db, he probably managed to read your config.php file , took the passwd and played with your db because there is no templates in files
              Last edited by class101; Fri 4th Jan '08, 9:28am.
              security community

              Comment


              • #8
                The upgrade wont help. I was upgraded to the newest release on 2 of my 5-6 forums
                I am guessing you are running vbgallery in your forum as well? maybe photo post?
                they uploaded a file through it which started the hack

                you can read about it here sorry to Vbulletin forum guys if the link was in appropiate
                http://www.photopost.com/forum/showt...48#post1213648

                I got nailed monday on one forum and then wednesday night on the rest.
                In my case I was running vbgallery

                I was just getting ready to send a note to vbulletin when I saw this.

                I dont think they can hack it on a stock vbulletin board due to the way the file structure is when the gallery uploaded vs the attachments upload in VB
                After you fix your forum shut the gallery down until they have a fix and watch the thread above.
                Do not I repeat Do NOT click on any gallery files that are not a picture like wav files or video files thats how they got in. Personally if you don't know who uploaded delete it.

                If its a vbulletin problem and the vbulletin guys need the files they used to figure out how they hacked into the system I saved them. along with some info as we watched them do the hack while we were trying to stop it.

                3 groups are doing it now( that I know of). yours was one of the unsophisticated groups. the first group that hit me was really sophisticated and got very far into the server and software.

                2 of my forums don't have a gallery software at all and they were not hacked.

                Delw

                Comment


                • #9
                  interesting post delw I didn't seen any security warning about photopost but that sounds like the hole used, do you have the last version number wich is vulnerable ? I see 2.4.1 is mentionned, is it a safe one ?
                  security community

                  Comment


                  • #10
                    all the versions of vbgallery.
                    they are looking into the photopost side to see if its the same

                    when I first got hacked on monday I immediatly upgraded to forums. they 2 were hit on wednesday night along with the other 2 of older versions.

                    Comment


                    • #11
                      Delw, it sounds like the hacker has gained direct access to your database and manually updated certin templates via the database. They won't even showup as modified.

                      Can you start a support ticket and I (or the other staff members) can take a look and should be able to sort it.

                      Comment


                      • #12
                        Zach I did a support ticket a few mins ago.

                        I am all fixed up my hosts got it taken care f right away.
                        I have my galleries off until I am sure a fix done.

                        Delw

                        Comment


                        • #13
                          Let us know when do you know much about your issue Delw , I like survey security news
                          security community

                          Comment


                          • #14
                            Ive gotten my problem sorted.

                            Basically download the old style and reupload it as a new style and that resets everything. This was defintely caused by an exploit in VBGallery but I dont know if the latest version is effected.

                            Ive uploaded the file that apparently rewrites everything. He also puts a hidden backdoor file in the same dir.
                            Attached Files

                            Comment


                            • #15
                              I would post the codes and the filesytem section they came through but I dont believe that is a good idea lol

                              I am not very pc literate at all so my info might be worded different.

                              one group came from washington dc and the other came from saudia arabia.
                              When we saw the hacking going on I tried everything to get into the admin section they blocked me completely out.
                              I then change my config sys file ( taking out the data base name and pw left it blank making the admin deleteable) uploaded it via while they were working and they still got teh job done. they were already in my Mysql data base I guess and having a hayday.
                              one of my admins who was online couldnt deleted the Admin user at all. then after a few mins he got knocked off.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X