Recovering a hacked vBulletin Site


    Symptoms

    Having your site hacked is something no owner wants to experience: it takes quite a bit of effort to fix, and owners who feel inundated by the sheer amount of work required to troubleshoot and remedy the situation often end up paying an experienced third party. Typical symptoms:
    • Site has been defaced - This is the most blatant form of hacking: your site's pages have been replaced with a very disruptive and sometimes rude message from the hacker themselves.
    • Error Messages - These can vary from extra text on the page all the way up to database errors that stop the page from displaying properly.
    • Odd behavior - If your site is simply acting up, the trouble seems to have begun out of nowhere, and your host confirms that no recent changes were made on their side, it's quite possible you have been hacked. *Redirects to external sites, inability to post (database errors, blank pages etc.), and anything that simply seems "odd".

    Initial Steps


    Scan Your Computer - Use anti-virus and anti-malware software to scan your PC before anything else. Your own machine may be where the attacker got in: malware that steals saved FTP, cPanel or forum credentials, or that was picked up while browsing your own site without knowing it was infected. If a credential stealer is still running on your PC, every password you change in the next step is stolen again.
    Change All Passwords - This includes all passwords: primary hosting password, cPanel, FTP, phpMyAdmin, databases, forum account, any and everything web related! Use long passwords (letters, numbers and some uppercase to make them stronger) and use a different one for each account, so that one stolen credential does not unlock the rest.

    *Remember, when you change database passwords you must also update the configuration files of the software that uses them (for vBulletin, the database details in config.php) so the new password is current.


    Cause and Effect


    Determine How Much Damage Was Done - Using various methods, you can determine how much damage has been done. If countless threads and posts have been deleted, restoring from a backup may be your only option. What matters is that your content is intact; if so, you only need to worry about restoring the site's appearance and/or functionality.

    *If your host does not offer backups you must run them yourself at regular intervals.
    **How to Restore a Database via cPanel phpMyAdmin.
    Determine The Cause - How did this happen? Was it the vBulletin software? Were you up to date and secure, or at least patched? Other software installed on your server? A third-party modification?

    *There are countless ways this could have occurred, now is the time to sit down and figure out how it happened, fix it and get back to business as usual.
    Cleanup The Mess - It may turn out to be something simple; if not, depending on the severity of the situation, different decisions will need to be made and some steps will be required to clean up the mess if possible.
    Stay Up To Date And Secure - The most important responsibility of an owner is to maintain your site, and this includes any and all software. Update regularly, patch when a security vulnerability is announced and keep track of this; as you can now tell, it's very important for you to do so.

    *Follow these guides by Wayne Luke to help secure your forum:
    **Additionally:


    Run Some Tests

    • Check for new Administrators: > AdminCP > Usergroups > Administrator Permissions > *Are there any new administrators listed? If so remove their admin permissions. *Also check the config.php file to see if their userid has been added to the special administrators line:
    PHP Code:
        //    ****** SUPER ADMINISTRATORS ******
        //    The users specified below will have permission to access the administrator permissions
        //    page, which controls the permissions of other administrators
        $config['SpecialUsers']['superadministrators'] = '1';
    ^ Typically userid 1 is the only userid listed (multiple userids are separated by commas). If you see another number and you're not responsible for making the change to config.php, remove it and cross-reference that userid with its forum account to see who had these permissions.


    • Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed, research and delete all files you suspect are malicious. *Also check your .htaccess file and config.php file for modified code, the suspect file versions script does not check config.php or .htaccess.
    [Image: suspectfilevers.jpg - Suspect File Versions results]

    • Run the following Queries in phpMyAdmin (the id columns let you identify a malicious row precisely, and active shows whether a plugin is currently running):
    Code:
    SELECT pluginid, title, phpcode, hookname, product, active FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%eval(%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%gzinflate%' OR phpcode LIKE '%iframe%';
    Code:
    SELECT templateid, styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%eval(%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%gzinflate%' OR template LIKE '%iframe%';
    [Image: phpmyadminsql.jpg - running the queries in phpMyAdmin]
    *If the above queries produce results you need to review them carefully. Some legitimate add-ons use these functions, so a hit is not proof of compromise; an injected plugin typically has an empty or generic title and code that is nothing but a single eval() of an encoded string. If a row is in fact malicious, delete it from the plugin manager in the AdminCP or, in a worst case scenario, using phpMyAdmin (after which you must rebuild the plugin datastore, see below).
    **If you're unsure of the results please create a new thread including details about your current situation and the results from these queries.

    • If you feel the issue is within your templates themselves, you can rebuild your styles; the easiest way is to re-run the upgrade script (example URL: yoursiteurl.com/install/upgrade.php). Remember to delete the install directory again when you are done.

    • Rebuild the plugin datastore: AdminCP > Plugins & Products > Plugin Manager > *Click to "Save Active Status". *Even though you did not change the order, saving has now rebuilt the plugin datastore.

    • Check all software installed on your server, the hacker could have gained entry via another software. If there are updates available please update all software accordingly.


    *Having issues using a behind the scenes function? No administrator control panel access? Try this guide.
    *Slightly off subject... Spam issues? Try this guide.
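    The two phpMyAdmin queries above only tell you that a row contains a suspicious word; they do not tell you what the code does, and an injected plugin is almost always wrapped in one or more layers of eval(gzinflate(base64_decode('...'))). The script below is an added example, not part of this article or of vBulletin: it repeats the needle search offline over exported rows and then peels the encoding layers apart so you can read the inner code before deleting anything. The rows it runs on are constructed sample data in the shape of the plugin and template tables (id, title, code); the hypothetical backdoor in row 2 is built by the script itself.

```python
import base64
import codecs
import re
import zlib

# Needles from the two phpMyAdmin queries above (pass_thru corrected to the real
# PHP function passthru), plus the decode primitives that wrapped payloads rely on.
# Matching is case-insensitive, like MySQL's default LIKE.
SUSPICIOUS = ("base64_decode", "eval(", "gzinflate", "gzuncompress", "str_rot13",
              "exec(", "shell_exec", "system(", "passthru", "<iframe",
              "create_function")

# base64_decode('...') with a literal string argument
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)")
# a decode/transform call sitting directly around the base64_decode() call
WRAPPER = re.compile(r"(gzinflate|gzuncompress|str_rot13)\s*\(\s*$")


def find_needles(code):
    """Return the suspicious tokens present in a plugin or template body."""
    low = code.lower()
    return [n for n in SUSPICIOUS if n in low]


def unwrap(code, max_layers=8):
    """Peel eval(gzinflate(base64_decode('...'))) style layers off a payload.

    Returns (innermost_code, layers_removed).  Only literal-string payloads are
    handled; a payload assembled at runtime (concatenation, variables, remote
    fetch) stops the loop and is left for manual review.
    """
    current, layers = code, 0
    while layers < max_layers:
        m = B64_CALL.search(current)
        if not m:
            break
        data = base64.b64decode(re.sub(r"\s", "", m.group(1)))
        # Collect the functions wrapped around base64_decode(), innermost first.
        prefix, wrappers = current[:m.start()], []
        w = WRAPPER.search(prefix)
        while w:
            wrappers.append(w.group(1))
            prefix = prefix[:w.start()]
            w = WRAPPER.search(prefix)
        try:
            for name in wrappers:
                if name == "gzinflate":       # PHP gzinflate() = raw DEFLATE
                    data = zlib.decompress(data, -zlib.MAX_WBITS)
                elif name == "gzuncompress":  # PHP gzuncompress() = zlib stream
                    data = zlib.decompress(data)
                else:                         # str_rot13() works on text
                    data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
        except zlib.error:
            break                             # not a layer we can undo; stop here
        current = data.decode("utf-8", "replace")
        layers += 1
    return current, layers


def triage(rows):
    """rows: dicts with id, title and code (the phpcode or template column).

    Returns one finding per row that matches a needle, with the decoded inner
    code when the row turned out to be an encoded wrapper.
    """
    findings = []
    for row in rows:
        hits = find_needles(row["code"])
        if not hits:
            continue
        inner, layers = unwrap(row["code"])
        findings.append({"id": row["id"], "title": row["title"], "hits": hits,
                         "layers": layers, "decoded": inner if layers else None})
    return findings


def _deflate(text):
    """Raw DEFLATE, the format PHP's gzdeflate() produces and gzinflate() reads."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(text.encode()) + c.flush()


# Constructed sample rows (hypothetical data, not from any real site): a harmless
# plugin, a two-layer encoded backdoor, and a template with a hidden iframe.
INNER = "system($_REQUEST['c']);"
LAYER1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(_deflate(INNER)).decode()
LAYER2 = "eval(str_rot13(base64_decode('%s')));" % base64.b64encode(
    codecs.encode(LAYER1, "rot_13").encode()).decode()
SAMPLE_ROWS = [
    {"id": 1, "title": "Show post count",
     "code": "$vbulletin->userinfo['posts'] = (int) $vbulletin->userinfo['posts'];"},
    {"id": 2, "title": "", "code": LAYER2},
    {"id": 3, "title": "FORUMHOME",
     "code": '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print("id=%s title=%r hits=%s layers=%d" % (f["id"], f["title"], f["hits"], f["layers"]))
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

    To use it on a real site, export the rows returned by the queries (phpMyAdmin can export a result set as JSON or CSV) and feed them to triage() with the same three keys. The decoded text is what the plugin would actually execute, which is what you should paste into a support thread rather than the encoded blob.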



    Possible Quick Fixes


    1) File Replacement - Using this method we are simply testing whether the problem is in a file on the server:
    • If you have SSH access, copy your forum folder as a backup; if not, download the entire forum folder to your computer via FTP. Once it's downloaded locally, run your anti-virus scan on the folder for good measure (the backup may well contain the attacker's files, so do not upload it back wholesale).
    • Now you have a complete backup of the folder, so if you "over" delete it's OK, you can restore.
    • Note the modifications and plugins you currently have installed. Now ensure you have fresh copies of those mods downloaded from their original source and ready to go (do not reuse the copies from the hacked folder).
    • Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed, research and delete all files you suspect are malicious. *Check your .htaccess file for any added/modified code and your config.php file as well.
    • Check your admin control panel log; sometimes they leave a footprint and it will be listed here if so.
    • Download the exact same version of vBulletin you're currently running from the members area and have it ready for upload.
    • In the fresh copy, delete the /install/install.php file. Then edit config.php.new, rename it to config.php, fill in your database details and so on, save it and have it ready for upload.
    • Delete all the files in your forum's root directory. (If attachments or avatars are stored on the filesystem, those directories are in the backup you just made; copy them back afterwards, but only after scanning them and confirming they contain no .php files.)
    • Now upload the fresh vBulletin files and the newly updated config.php.
    • Now upload all the modification files.
    • AdminCP > Maintenance > Clear System Cache.


    Now check the site. If it's not sorted you can simply overwrite the new files with the backup copies (bearing in mind that this puts any compromised files back), then continue testing per the above instructions.
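    The file replacement method above throws the whole directory away because you cannot tell by eye which files were touched. The script below is an added example, not part of this article or of vBulletin, that does the comparison the Suspect File Versions tool does, but against a pristine download of the same version on disk, so it also reports files the attacker added (a dropped web shell in an image directory) and, unlike that tool, does not skip .htaccess. It assumes site-specific paths (config.php and the filesystem attachment and avatar directories, whose names are an assumption here) should be ignored. The two trees it compares are constructed in a temporary directory purely so the example runs offline; point compare() at your real pristine and live directories instead.

```python
import hashlib
import os
import tempfile

# Paths that legitimately differ on every installation and must not be compared.
# Assumption: attachments/avatars stored on the filesystem live under these names.
IGNORE_FILES = ("config.php",)
IGNORE_DIRS = ("attachments/", "customavatars/", "customprofilepics/")
# Extensions the web server would execute; an "extra" file with one of these in
# an upload or image directory is the classic web shell drop.
EXEC_EXT = (".php", ".php5", ".phtml", ".phar")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root):
    """Map relative path -> sha256 for every file under root, minus ignored paths."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in IGNORE_FILES or rel.startswith(IGNORE_DIRS):
                continue
            out[rel] = sha256_of(full)
    return out


def compare(pristine_root, live_root):
    """Report what differs between a pristine vBulletin tree and the live one."""
    pristine, live = walk(pristine_root), walk(live_root)
    extra = sorted(p for p in live if p not in pristine)
    return {
        "modified": sorted(p for p in live if p in pristine and live[p] != pristine[p]),
        "extra": extra,
        "extra_executable": [p for p in extra if p.lower().endswith(EXEC_EXT)],
        "missing": sorted(p for p in pristine if p not in live),
    }


def build_sample(base):
    """Constructed sample trees; contents are placeholders, not real vBulletin files."""
    trees = {
        "pristine": {
            "index.php": "<?php // index\n",
            "includes/functions.php": "<?php function f() {}\n",
            "images/misc/logo.gif": "GIF89a",
            "config.php.new": "<?php // fill in your database details\n",
        },
        "live": {
            "index.php": "<?php // index\n",
            "includes/functions.php": "<?php function f() {} eval($_POST['x']);\n",  # tampered
            "images/misc/logo.gif": "GIF89a",
            "images/misc/wp.php": "<?php @eval($_POST['cmd']); ?>",  # dropped web shell
            "config.php": "<?php $config['Database']['dbname'] = 'forum';\n",  # site-specific
            "attachments/1/2.attach": "binary",  # user upload, not part of the distribution
        },
    }
    for side, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, side, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    return os.path.join(base, "pristine"), os.path.join(base, "live")


def run_sample():
    """Build the sample trees in a temp dir and return compare()'s report."""
    with tempfile.TemporaryDirectory() as base:
        pristine, live = build_sample(base)
        return compare(pristine, live)


if __name__ == "__main__":
    for key, paths in run_sample().items():
        print("%-17s %s" % (key + ":", ", ".join(paths) or "-"))
```

    Run it before deleting the live directory and keep the report: "modified" files are the ones to diff against the pristine copy to see what was injected, "extra_executable" entries are the first things to pull for analysis, and a live .htaccess shows up under "extra" because vBulletin does not ship one, which is exactly the file the article tells you to inspect by hand.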

    2) A template may have been modified: create a new default style and check the site in that style.

    3) Check to see if the issue is within your templates using Fix-it: Template Edition.

    Special Thanks to:
    Wayne Luke for the queries to run selecting suspect code & various posts over the years by all staff members.

    • #2 AusPhotography commented:
      It cannot be overstated that like any system, the number one defense is a good backup.
      That backup should be tested from time to time.

      Ideally a daily backup with quite a few generations.

      Kym

    • #3 sgpsai commented:
      Originally posted by AusPhotography
      It cannot be overstated that like any system, the number one defense is a good backup.
      That backup should be tested from time to time.

      Ideally a daily backup with quite a few generations.

      Kym
      Hi Kym,
      this is what came to my mind:
      1. If one has a daily backup, can't he just restore the whole site with the existing backup?
      2. If yes, can the hosting guy do it for us? Or do we again need a vB expert to do this job?
      3. How, in the first place, do I know that the backup I have taken daily works? What methods do we have to know that the backup I have taken is a correct backup?

      Experts, comment!

    • #4 Trevor Hannant commented:
      To get vB support on these forums you first need to be a licensed customer and register for Priority Forum Support. To do this, please go here:

      http://members.vbulletin.com/membersupport_priority.php

      ...and enter your email address in one of the boxes. You'll need to have your customer number and password to access the page.

      If you still have problems after doing this, send an email to support@vbulletin.com. Please include your user name, the email address you registered with and your customer number so we can fix the problem.

About the Author

TheLastSuperman: I'm a silly father of three wonderful kiddos ranging from ages 5 to 12 years old, I have a beautiful wife of 11+ years, and I develop Websites and Forums for a living 40+ hours a week.
