Recovering a hacked vBulletin Site

    Symptoms
    Having your site hacked is something no owner wants to experience: it takes considerable effort to fix, and often means paying an experienced third party when the owner feels overwhelmed by the sheer amount of work required to troubleshoot and remedy the situation.
    • Site has been defaced - This is the most blatant form of hacking, where your site's pages have been replaced with a very disruptive and sometimes rude message from the hacker.
    • Error Messages - These can range from extra text on the page all the way up to database errors that prevent the page from displaying properly.
    • Odd behavior - If your site is simply acting up, the behavior seems to have begun out of nowhere, and you have checked with your host and no recent changes have been made, it is quite possible you have been hacked. *Redirects to external sites, inability to post (database errors, blank pages, etc.), and anything that simply seems "odd".

    Initial Steps
    Scan Your Computer Use anti-virus and anti-malware software to scan your PC; malware can sometimes gain entry, for example while you browse your own site without knowing it is infected.
    Change All Passwords This includes all passwords, yes, all of them: primary hosting password, cPanel, FTP, phpMyAdmin, databases, forum account, and anything else web related! Please use long passwords with both numbers and letters (some uppercase as well to make them stronger).

    *Remember, when you change database passwords you must also update the configuration files of some software so that the new password is the one in use.


    Cause and Effect
    Determine How Much Damage Was Done Using various methods, you can determine how much damage was done; if countless threads and posts have been deleted, a backup may be your only option. What matters is that your content is intact; if so, you only need to worry about restoring the site's appearance and/or functionality.

    *If your host does not offer backups, you must run them yourself at regular intervals.
    **How to Restore a Database via cpanel/phpmyadmin.
    Determine The Cause How did this happen? Was it the vBulletin software? Were you up to date and secure, or at least patched? Another piece of software installed on your server? A third-party modification?

    *There are countless ways this could have occurred; now is the time to sit down, figure out how it happened, fix it and get back to business as usual.
    Cleanup The Mess It may turn out to be something simple; if not, depending on the severity of the situation, different decisions will need to be made and some steps taken to clean up the mess where possible.
    Stay Up To Date And Secure Your most important responsibility as owner is to maintain your site, and that includes any and all software. Update regularly, patch when a security vulnerability is found and keep track of this; as you can now tell, it is very important that you do so.

    *Follow these guides by Wayne Luke to help secure your forum:
    **Additionally:


    Run Some Tests
    • Check for new Administrators: > AdminCP > Usergroups > Administrator Permissions > *Are there any new administrators listed? If so, remove their admin permissions. *Also check the config.php file to see if their userid has been added to the special administrators line:
    PHP Code:
        //    ****** SUPER ADMINISTRATORS ******
        //    The users specified below will have permission to access the administrator permissions
        //    page, which controls the permissions of other administrators
        $config['SpecialUsers']['superadministrators'] = '1';
    ^ Typically userid #1 is the only userid listed; if you see another number and you were not the one who changed config.php, remove it and cross-reference that userid with its forum account to see who had these permissions.
    • Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed; research and delete all files you suspect are malicious. *Also check your .htaccess file and config.php file for modified code, as the Suspect File Versions script does not check config.php or .htaccess.
    • Delete the /install/ directory; after installation it is no longer required UNLESS you need to run tools.php to correct another underlying issue, in which case you re-upload the /install/ folder long enough to use tools.php, then delete it promptly when done.
    • Run the following Queries in phpMyAdmin:
    Code:
    -- Plugins whose PHP code contains common injection markers. The PHP function
    -- is spelled passthru; in a LIKE pattern "_" is a one-character wildcard, so
    -- a pattern of '%pass_thru%' would not match it.
    SELECT title, phpcode, hookname, product FROM plugin
     WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%'
        OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';
    Code:
    -- The same markers in template source.
    SELECT styleid, title, template FROM template
     WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%'
        OR template LIKE '%passthru%' OR template LIKE '%iframe%';

    *If the above queries produce results, review them carefully; if they are in fact malicious, delete them from the Plugin Manager in the AdminCP or, in a worst-case scenario, using phpMyAdmin.
    **If you are unsure of the results, please create a new thread including details about your current situation and the results from these queries.
    • If you feel the issue is within your templates themselves, you can rebuild your styles; the easiest way is to re-run the upgrade script, for example at yoursiteurl.com/install/upgrade.php
    • Rebuild the plugin datastore: AdminCP > Plugins & Products > Plugin Manager > *Click "Save Active Status". *Even though you did not change the order, saving has now rebuilt the plugin datastore.
    • Check all software installed on your server; the hacker could have gained entry via other software. If updates are available, please update all software accordingly.
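    The checks above can also be run offline against exports of the same data. This added example (not part of the guide and not vBulletin code) applies the token search from the queries to plugin code, config.php and .htaccess, decodes any base64 literal it finds so a reviewer can read it, and reports user IDs on the superadministrators line other than the expected ones; the plugin rows, config.php and .htaccess content are constructed samples and the function names are hypothetical.

```python
import base64
import re

# Tokens from the guide's plugin/template queries, plus eval( because injected
# code is usually wrapped in it. The PHP function is spelled passthru.
SUSPICIOUS = ("base64", "exec", "system", "passthru", "iframe", "eval(")

def find_suspicious(text):
    """Tokens in text (case-insensitive); 'exec' also hits 'execute', so review each."""
    low = text.lower()
    return [t for t in SUSPICIOUS if t in low]

def decode_base64_literals(text):
    """Decode quoted literals passed to base64_decode() so a reviewer can read them."""
    decoded = []
    for lit in re.findall(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", text):
        try:
            decoded.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            decoded.append("<undecodable>")
    return decoded

def unexpected_superadmins(config_php, expected=("1",)):
    """User IDs on the superadministrators line that are not in expected."""
    m = re.search(r"\['superadministrators'\]\s*=\s*'([^']*)'", config_php)
    ids = [i.strip() for i in m.group(1).split(",")] if m else []
    return [i for i in ids if i and i not in expected]

def redirect_targets(htaccess):
    """URLs used as Redirect/RewriteRule targets (the external-redirect symptom)."""
    return re.findall(r"^\s*(?:Redirect|RewriteRule)\b[^\n]*?(https?://\S+)",
                      htaccess, re.MULTILINE | re.IGNORECASE)

# Constructed sample data (hypothetical): one injected plugin, one harmless one,
# a config.php with an added superadmin and an .htaccess that hijacks requests.
PLUGINS = [
    {"title": "Cache warmer", "hookname": "global_start",
     "phpcode": "eval(base64_decode('ZWNobyAnaGknOw=='));"},
    {"title": "Post count", "hookname": "postbit_display_start",
     "phpcode": "$post['count'] = 5;"},
]
CONFIG_PHP = "<?php\n$config['SpecialUsers']['superadministrators'] = '1,4821';\n"
HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]\n"

def triage(plugins=PLUGINS, config_php=CONFIG_PHP, htaccess=HTACCESS):
    """Collect everything a reviewer should look at; empty lists mean no hits."""
    plugin_hits = [(p["title"], find_suspicious(p["phpcode"]), decode_base64_literals(p["phpcode"]))
                   for p in plugins if find_suspicious(p["phpcode"])]
    return {"plugins": plugin_hits, "superadmins": unexpected_superadmins(config_php),
            "htaccess": find_suspicious(htaccess), "redirects": redirect_targets(htaccess)}
```

    On a real site, feed the plugin rows from a phpMyAdmin export and the two files from your FTP backup; a hit is a place to look, not proof of compromise.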


    *Having issues using a behind-the-scenes function? No administrator control panel access? Try this guide.
    *Slightly off subject... Spam issues? Try this guide.

    Possible Quick Fixes
    1) File Replacement - With this method we are simply testing whether the problem lies in a file on the server:
    • If you have SSH access, simply copy your forum folder as a backup; if not, download the entire forum folder to your computer via FTP. Once it is downloaded locally, run your anti-virus scan on the folder for good measure.
    • You now have a complete backup of the folder, so if you "over-delete" it is OK, you can restore.
    • Note the modifications and plugins you currently have installed, then make sure you have fresh copies of those mods downloaded and ready to go.
    • Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed; research and delete all files you suspect are malicious. *Check your .htaccess file for any added or modified code, and your config.php file as well.
    • Check your admin control panel log; sometimes they leave a footprint, and if so it will be listed here.
    • Download the exact version of vBulletin you are currently running from the members area and have it ready for upload.
    • Delete the /install/install.php file, rename config.php.new to config.php, edit in your database details and so on, then save it and have it ready for upload.
    • Delete all the files in your forum's root directory.
    • Now upload the fresh vBulletin files and the newly updated config.php.
    • Now upload all the modification files.
    • AdminCP > Maintenance > Clear System Cache.


    Now check the site. If it is not sorted, you can simply overwrite the new files with the backup copies and continue testing per the instructions above.

    2) A template may have been modified; create a new default style and check the site in that style.

    3) Check to see if the issue is within your templates using Fix-it: Template Edition.

    Special Thanks to:
    Wayne Luke, for the queries that select suspect code, and all staff members for various posts over the years.
    Last edited by TheLastSuperman; Tue 17 Sep '13, 5:03pm. Reason: Updated info

    • RS25.com
      #4
      RS25.com commented
      The "Fix-it: template edition" solved my problem, thank you so much for posting this.

    • TheLastSuperman
      #5
      TheLastSuperman commented
      Glad it helped RS25.com .

    • TheLastSuperman
      #6
      TheLastSuperman commented
      White Page on all pages of your forum including admincp?

      Have an error message such as:
      PHP Code:
      PHP Fatal error: Cannot redeclare fi() (previously declared in /home/user/public_html/forum/showthread.php(1) : eval()'d code(2) : eval()'d code(1) : eval()'d code:1) in /home/user/public_html/forum/global.php(1) : eval()'d code(2) : eval()'d code(1) : eval()'d code on line 1

      See my post here: http://www.vbulletin.com/forum/forum...31#post4012531
      Last edited by TheLastSuperman; Fri 20 Dec '13, 10:32am.