AdminCP Compromised and Fixed - Need Advice

  • markpg47
    Member
    • Mar 2008
    • 45
    • 3.6.x

    [Forum] AdminCP Compromised and Fixed - Need Advice

    A compromise of my forum was discovered this morning after a non-authorized mass email was sent out. When I logged into the forum and looked at the control panel log, I found one of the admin accounts was used and referenced plugin.php and subscriptions.php. When I went to the subscription section I found !C99madShell v. 2.0 madnet edition! in its place. After a quick search here in support I found other threads with information on deleting fraudulent plugins that were installed on the system. I also changed all of the admin account passwords and the database username and password. From other threads I have read, it seems this vulnerability has existed for a while, as other threads mention VB 3.6.8 and 4.1.4 (I am running 4.0.8 PL1). Is there more that I can do to keep this from happening again, such as changing permissions on directories in the file system or changing options in the CP? Upgrading to the current version of VB would be a last resort at this time of year and would require weeks of testing before attempting the upgrade (the last attempt did not go so well). Any advice or direction would be helpful.
  • TheNewOne
    Senior Member
    • Aug 2011
    • 1033
    • 4.2.5

    #2

    Comment

    • BirdOPrey5
      Senior Member
      • Jul 2008
      • 9613
      • 5.6.3

      #3
      Here is a thread about making your forum more secure: https://www.vbulletin.com/forum/showthread.php/172234-How-To-Make-My-Forums-More-Secure

      Especially helpful is adding the htaccess password to your admincp, install, and include directories.

      Remember when making passwords (for both htaccess and your forum/database) LENGTH is vastly more important than Complexity... "WhereInTheWorldIsYOUR_DOGS_NAME" is orders of magnitude harder to crack than "d#7@!!zSgX"

      Comment
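      The htaccess protection BirdOPrey5 recommends, written out as an added example (not code from this thread or from vBulletin): an Apache Basic-auth rule for the admincp/ directory, which can be copied into install/ and includes/ as well. The AuthUserFile path and the user name are assumptions.

```apache
# Added example: save as admincp/.htaccess (copies go in install/ and includes/).
# Needs "AllowOverride AuthConfig" for the vBulletin document root in the
# main Apache config, or the file is silently ignored and nothing is protected.
# /etc/vbulletin/.htpasswd is an assumed path; keep the password file OUTSIDE
# the web root so it can never be served as a download.
AuthType Basic
AuthName "vBulletin Admin CP"
AuthUserFile /etc/vbulletin/.htpasswd
Require valid-user

# Create the credential file once with Apache's htpasswd tool ("adminuser" is
# an assumed name; -B selects bcrypt, -c creates the file):
#   htpasswd -B -c /etc/vbulletin/.htpasswd adminuser
# Pick a long passphrase, not a short "complex" one, as advised in this thread.
```

      Confirm the rule is live by requesting admincp/index.php in a private browser window: you should get a 401 prompt before any vBulletin login page loads.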

      • Bergler
        Senior Member
        • Dec 2006
        • 560

        #4
        Originally posted by markpg47
        A compromise of my forum was discovered this morning after a non-authorized mass email was sent out. When I logged into the forum and looked at the control panel log, I found one of the admin accounts was used and referenced plugin.php and subscriptions.php. When I went to the subscription section I found !C99madShell v. 2.0 madnet edition! in its place. After a quick search here in support I found other threads with information on deleting fraudulent plugins that were installed on the system. I also changed all of the admin account passwords and the database username and password. From other threads I have read, it seems this vulnerability has existed for a while, as other threads mention VB 3.6.8 and 4.1.4 (I am running 4.0.8 PL1). Is there more that I can do to keep this from happening again, such as changing permissions on directories in the file system or changing options in the CP? Upgrading to the current version of VB would be a last resort at this time of year and would require weeks of testing before attempting the upgrade (the last attempt did not go so well). Any advice or direction would be helpful.
        How did you fix it? I am having the same kind of issue, though it all happened instantly after I upgraded the software to 4.1.6. I don't have an admincp and the site header has disappeared. I have already changed all the passwords. Any help would be greatly appreciated.

        Comment

        • markpg47
          Member
          • Mar 2008
          • 45
          • 3.6.x

          #5
          Originally posted by Bergler
          How did you fix it? I am having the same kind of issue, though it all happened instantly after I upgraded the software to 4.1.6. I don't have an admincp and the site header has disappeared. I have already changed all the passwords. Any help would be greatly appreciated.
          I wish I had more information for you, but my fix was to delete the fraudulent plugin and change the admin/SQL passwords. Now I'm following the advice here by setting up htaccess. My AdminCP was accessible, so it was not as bad as your situation. Maybe you can edit the config files to disable all plugins to get your CP running, or get around it by editing the DB.

          Comment

          • ukhostz
            New Member
            • Oct 2010
            • 1
            • 4.0.x

            #6
            I fixed the issue by going into Manage Plugins and looking at the very first plugin, which will be listed as vbulletin. Just delete it, then make sure you follow the advice of the other posts on here for securing your site.

            Hope this helps

            For your information I have included a screenshot of what I removed...


            Comment

            • Mr Peabody
              Senior Member
              • Jul 2004
              • 162
              • 5.5.x

              #7
              Bump.
              7 years hack-free and we just got done over by this script.

              Comment

              • Zachery
                Former vBulletin Support
                • Jul 2002
                • 59097

                #8
                You really need to start your own thread with your own details about the issues.

                Comment

                • Mr Peabody
                  Senior Member
                  • Jul 2004
                  • 162
                  • 5.5.x

                  #9
                  That's just the thing, mate, the issue is resolved. This happened to us last Thursday, when all of our PHP files were modified. We thought we had cleaned it out, then I found this chestnut when I clicked on subscriptions in the control panel, and we are running 4.2.0 PL2.
                  Not sure it's even worth starting a new thread; this one told me about the plugin that was affected.
                  Our host sent you guys the report.

                  Comment
