Just another piece of advice, you may want to .htaccess your admincp and modcp (and also rename to something more secure if you wish)
Site hacked, can someone please help?
Collapse
This topic is closed.
X
X
-
"Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time!"
"It's important to only think about what you desire, not what you fear to achieve your ultimate goal!!"
"When doors close, tear down the walls. Never give up!" -
and yes to above up a few posts, when i add a new user its like user ID 123244533.
Comment
-
I board got hacked too now is running fine
Instruction how to remove
1) Search for new update file and delete it
go to your root forum
and run this command to fine new update file
login as shell
find . -mtime -1 -print
(-1 is day of update file)
you might see this file and delete it
index.php
index.html
admincp/index.php
admincp/index.html
modcp/index.php
modcp/index.html
and delete unknow files
and Upload load original files you just delete it
2)reset admin login to admin cp
upload tools.php to admincp
and reset admin login
3)login to admincp and disable Cyb rules and install new version do not foget to over write it
4)Go to phpmyadmin
go to Table: user
4.1delete everything in this field = usertitle
UPDATE user SET usertitle = ''
4.2update this field customtitle =0
UPDATE user SET customtitle = '0' where customtitle = '1'
4.3. deelte user id that over '13371337'
4.4 Table: user > AUTO_INCREMENT set number to you real latest user
5)Go to admincp > user group > adminstrators
Delete user that you didn't add
6) admincp > update counter > update user title
this step you will get users title back
7) turn on board
---all done ---
im still getting after adding new user the id (id: 13371339)
user befor that is fine ie: 57000.
Comment
-
searching more log files, we've narrowed down the hit on ours. Obviously a script followed by a person to check the status.
Run a search through your logs for a GET request of: /?page=
and a POST request of: /?page=[randompagetitle]/register.php?do=register
[randompagetitle] is random, including what they used in our logs would be irrelevent.Comment
-
-
searching more log files, we've narrowed down the hit on ours. Obviously a script followed by a person to check the status.
Run a search through your logs for a GET request of: /?page=
and a POST request of: /?page=[randompagetitle]/register.php?do=register
[randompagetitle] is random, including what they used in our logs would be irrelevent.
would re-uploading all vbulletin files help? thxComment
-
Comment
-
Comment
-
I decoded the vba.php file - CyberAnarchy.org maybe part of this hackenvironment: Centos 6.9, Apache v2.4.25, PHP 5.6.30/xCache, MariaDB 10.22 -- vB5 Connect Licensed
AusPhotography - Australia's Premier Photographic Forum vB4.2.3
Rick (site owner) and Kym (site tech) sharing this accountComment
-
Do I now have to be afraid of running any other Mods of him (either for v3.x or v4.x) because of this ? My trust in his Mods just went out of the window.Comment
-
You should also change DB, root and other major passwords. Just good practiceenvironment: Centos 6.9, Apache v2.4.25, PHP 5.6.30/xCache, MariaDB 10.22 -- vB5 Connect Licensed
AusPhotography - Australia's Premier Photographic Forum vB4.2.3
Rick (site owner) and Kym (site tech) sharing this accountComment
-
No practice that wasn't really necessary. Just getting a negative wibe about others of his (Valter) Mods.
And yes, I changed all these Passwords and other things. And tbh, people that do something like this (the hacker I mean), should be shot on sight. Sorry for the harsh words, but there is nothing to forgive in my oppinion about killing someone else's work.Comment
Related Topics
Collapse
-
I just signed up for vbulletin. It is used in a lot of gaming communities. I am trying to build my own community and now have enough members to justify building a forum. So I know alot of the clans/gaming...
-
Channel: vB Cloud Support & Troubleshooting.
-
Comment