Hacked vbulletin


  • Hacked vbulletin

    Hi

    My vbulletin was hacked - Click
    Site runs PhotoPost/Vbulletin/Vbportal on PHP.
    Any ideas how to deal with this, it's not an ordinary iframe??

  • #2
    Download fresh copies of all files for the installation of vB you were running along with PhotoPost and vBPortal and upload them onto the server (unless you already have them locally).

    Next, check for updates to all of these and ensure that you have your site running the latest versions. It will also be a good idea to change your passwords to the following:

    - FTP access
    - Database
    - AdminCP
    - Hosting Account/Control Panel

    Make sure all of these are different also.


    • #3
      I forgot to mention that no matter which file I open, /index.php, /display.php or anything else, I receive this hacked screen. Is it possible to be some kinda of redirection??
      I tried to reupload the files, no effect. I will try again.



      • #4
        Hello, if you are using VBSEO, today we found a security hole in vBSEO while working on a client's website. This hole affects all versions of vBSEO, including 3.3.2, and allows an attacker to perform any operation by installing shell scripts in your writable directories. It does not matter if these writable directories are into the public root of your forums; through vBSEO, they can include also files outside the public root.

        We reported the hole to vBSEO, and they confirmed it. They then added the patch to their 3.3.2 version; so even if you have 3.3.2, you should re-upgrade it. They have not yet issued a public statement about this, but the latest vBSEO version includes today's patch.

        Today, we had 6 different reports of the hack from other clients, so the thing is spreading fast.
        CarlitoBrigante on vb.org - MagnetiCat.com
        Professional vBulletin development, support, upgrades



        • #5
          Test this
          Administrator vBulletin-Ressources.com,
          French vBulletin Resources.



          • #6
            Originally posted by DirtyHarry
            Hello, if you are using VBSEO, today we found a security hole in vBSEO while working on a client's website. This hole affects all versions of vBSEO, including 3.3.2, and allows an attacker to perform any operation by installing shell scripts in your writable directories. It does not matter if these writable directories are into the public root of your forums; through vBSEO, they can include also files outside the public root.

            We reported the hole to vBSEO, and they confirmed it. They then added the patch to their 3.3.2 version; so even if you have 3.3.2, you should re-upgrade it. They have not yet issued a public statement about this, but the latest vBSEO version includes today's patch.

            Today, we had 6 different reports of the hack from other clients, so the thing is spreading fast.

            Yes, I am using this, I am not sure but it is almost two years old...
            How can I get my site up again?

            I am going to try Allan's offer



            • #7
              As I thought. You will need to fully clean-up your installation, better if done by somebody who knows what he is doing.

              Once you have cleaned up, upgrade your vBSEO to the latest package. Even if you already have 3.3.2, re-download it. They applied the patch a few hours ago and left the version number the same.
              CarlitoBrigante on vb.org - MagnetiCat.com
              Professional vBulletin development, support, upgrades



              • #8
                I have some experience with vBulletin, but this is the first time I have been hacked.
                I can't afford to make a new installation. I checked most of the files and they seem to be okay, no extra code, no changed variables - at least in my vbportal and photopost.

                Can you give me some directions where to search for the malicious code?
                Last edited by delxoz; Tue 17th Nov '09, 3:47pm.



                • #9
                  It is not easy - in the hacked sites we fixed today, they used 6-7 different shell scripts. I won't detail the way the hack works, but you REALLY need to have somebody who knows his way with Linux administration (or Windows, depending on your server) and vBulletin. The shell scripts used by hackers to install their stuff and gain almost full control over your vBulletin are usually downloaded into your world-writable directories. So search for PHP files where they should not be - for example in the attachments directory.

                  Then look for all files modified recently, remove them, and change ALL your passwords. Then overwrite all vBulletin files, and reimport the Master style. Then search your templates for iframes, and eventually clean that up.

                  Again, it is a very long work that changes from installation to installation. On our client's website it took nearly 48 hours to clean-up everything.
                  CarlitoBrigante on vb.org - MagnetiCat.com
                  Professional vBulletin development, support, upgrades



                  • #10
                    Nobody's heard of root kit?

                    If the hacker can run any script on your server he wants, every single program from apache to mysql to the shell prompt to ftp server could all be compromised. When I say compromised, I mean they can let you type in a password then send it to the hacker.

                    If you want to be paranoid about it, a fresh OS install with the ethernet cable unplugged is in order.



                    • #11
                      In case this is out of my skills range, can you hit me with a price?



                      • #12
                        Mykes, definitely the only way to go if you are unable to track down exactly what they did or you are even a little bit unsure. Also, if you have a file checksum checker in place in your system, you can always know exactly what they did.

                        When there is DB-based software in place then, you should also restore the most recent backup, or make 100% sure the DB is not infected with their stuff, which can take ages.
                        CarlitoBrigante on vb.org - MagnetiCat.com
                        Professional vBulletin development, support, upgrades
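
The file-side checks from posts #9 and #12 (PHP files in upload directories, recently modified files, checksum comparison against a fresh copy), sketched as an added example that is not from any participant in this thread. The function names and the paths passed in are assumptions, and `sha256sum` (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): file-side triage for the cleanup in posts #9 and #12.
# Function names and the paths passed in are assumptions; point them at your own install.

# PHP-like files inside upload directories such as attachments/, where none belong.
php_in_upload_dirs() {
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                -o -iname '*.phtml' \) -print
        fi
    done
}

# Files under WEBROOT modified within the last DAYS days.
# mtime can be reset by an intruder, so treat this as a lead, not proof.
recently_modified() {
    find "$1" -type f -mtime "-$2" -print
}

# Compare every file in LIVE against a fresh vendor copy in CLEAN by SHA-256.
# EXTRA = not shipped in the clean copy, CHANGED = content differs.
# Legitimate uploads and config files also show up; review each hit.
changed_vs_clean() {
    live=$1
    clean=$2
    ( cd "$live" && find . -type f -print ) | LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "EXTRA   $f"
        elif [ "$(sha256sum < "$live/$f")" != "$(sha256sum < "$clean/$f")" ]; then
            echo "CHANGED $f"
        fi
    done
}

# Usage: sh triage.sh /path/to/live/forum /path/to/fresh/copy
if [ "$#" -eq 2 ]; then
    echo "== PHP files in upload directories =="
    php_in_upload_dirs "$1/attachments"
    echo "== Modified in the last 7 days =="
    recently_modified "$1" 7
    echo "== Differences from the fresh copy =="
    changed_vs_clean "$1" "$2"
fi
```

This covers files only; templates and other content stored in the database still need the separate review described in the posts above.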



                        • #13
                          I would recommend adding a table prefix to all your database tables, that's how I got rid of my hackers from my forum. It adds more security 'cause everyone knows the default names of vBulletin's tables and can easily access a PHP page and do some wrongdoings with a query.



                          • #14
                            Originally posted by Arrangements
                            I would recommend adding a table prefix to all your database tables, that's how I got rid of my hackers from my forum. It adds more security 'cause everyone knows the default names of vBulletin's tables and can easily access a PHP page and do some wrongdoings with a query.

                            That doesn't help.

                            SHOW TABLES

                            And they can see all the table names with prefix.
