A compromise of my forum was discovered this morning after a non-authorized mass email was sent out. When I logged into the forum and looked at the control panel log, I found one of the admin accounts was used and referenced plugin.php and subscriptions.php. When I went to the subscription section I found !C99madShell v. 2.0 madnet edition! in its place. After a quick search here in support I found other threads with information to delete fraudulent plugins that were installed on the system. I also changed all of the admin account passwords and the database username and password. From other threads I have read, it seems this vulnerability has existed for a while, as other threads mention VB 3.6.8 and 4.1.4 (I am running 4.0.8 PL1). Is there more that I can do to keep this from happening again, such as changing permissions on directories in the file system or changing options in the CP? Upgrading to the current version of VB would be a last resort at this time of year or require weeks of testing before attempting the upgrade (last attempt, not so well). Any advice or direction would be helpful.
AdminCP Compromised and Fixed - Need Advice
-
Here is a thread about making your forum more secure: https://www.vbulletin.com/forum/showthread.php/172234-How-To-Make-My-Forums-More-Secure
Especially helpful is adding the htaccess password to your admincp, install, and include directories.
Remember when making passwords (for both htaccess and your forum/database) LENGTH is vastly more important than Complexity... "WhereInTheWorldIsYOUR_DOGS_NAME" is orders of magnitude harder to crack than "d#7@!!zSgX".
-
I wish I had more information for you, but my fix was to delete the fraudulent plugin and change admin/sql passwords. Now I'm following the advice here by setting up htaccess. My AdminCP was accessible, so it was not as bad as your situation. Maybe you can edit the config files to disable all plugins to get your CP running or get around it by editing the DB.
-
I fixed the issue by going into manage plugins and looking at the very first plugin, which will be listed as vbulletin. Just delete it, then make sure you follow the advice of the other posts on here for securing your site.
Hope this helps
For your information I have included a screenshot of what I removed...
-
You really need to start your own thread with your own details about the issues.
-
That's just the thing, mate: the issue is resolved. This happened to us last Thursday where all of our php files were modified. We thought we had cleaned it out, then I found this chestnut when I clicked on subscriptions in the control panel and we are running 4.2.0 PL2.
Not sure it's even worth starting a new thread, this one told me about the plugin that was affected.
Our host sent you guys the report.
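
Several posts above trace the compromise to a fraudulent entry in the plugin manager. As an added example (not code from this thread or from vBulletin), the Python below triages exported plugin rows for PHP constructs that deserve a manual look before deciding what to delete; the row layout (`pluginid`, `title`, `active`, `phpcode`) is an assumption and the sample rows are constructed.

```python
import re

# Indicator classes for PHP stored in plugin rows. Hits are triage leads, not
# verdicts: legitimate add-ons can also write files or decode data.
INDICATORS = {
    "dynamic-exec": re.compile(r"\b(eval|create_function)\s*\(", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "os-command": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "file-write": re.compile(r"\b(file_put_contents|fwrite|fopen|move_uploaded_file)\s*\(", re.I),
    "request-input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
}

# Constructed rows standing in for an export of the plugin table
# (column names are assumed, not taken from the thread).
SAMPLE_ROWS = [
    {"pluginid": 1, "title": "vbulletin", "active": 1,
     "phpcode": "eval(gzinflate(base64_decode('CONSTRUCTED_PLACEHOLDER')));"},
    {"pluginid": 2, "title": "Sidebar block", "active": 1,
     "phpcode": "$show['sidebar'] = ($vbulletin->userinfo['userid'] > 0);"},
    {"pluginid": 3, "title": "Upload helper", "active": 0,
     "phpcode": "$fh = fopen(DIR . '/tmp.php', 'w'); fwrite($fh, $_POST['data']);"},
]


def audit_plugins(rows):
    """Return [(pluginid, title, active, [labels])] for rows with any indicator,
    most indicators first, so the riskiest rows are reviewed first."""
    findings = []
    for row in rows:
        code = row.get("phpcode") or ""
        labels = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
        if labels:
            findings.append((row["pluginid"], row["title"], bool(row["active"]), labels))
    return sorted(findings, key=lambda f: (-len(f[3]), f[0]))


if __name__ == "__main__":
    for pid, title, active, labels in audit_plugins(SAMPLE_ROWS):
        state = "active" if active else "inactive"
        print(f"plugin {pid} ({title!r}, {state}): {', '.join(labels)}")
```

Inactive rows are reported too, since a disabled plugin that writes files from request data is still worth explaining.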