A new type hack method?

I was hacked too, but I found so much I they had added!

Most important, As soon as you are in using the normal method, do not re-enter your password anywhere, go straight to your user page and change it.

Before all, delete the install folder!!!!

Then:

1, Check the admin accounts,
2, If unusual admins the check your permissions, you need to change them all to yes again, and change the hacker(s) to no.
3, Ban the hacker.
4, Check Admin Logs, Look at the user list, if you see lots of spaces before the first username (which may be the hackers), they have changed things, then deleted the user, click on each one and write down what scripts they have edited. You'll probably find it's nearly all of them. (This is how they don't show up unless you select them).
3, Check your plugins for init_startup & ajax_complete, delete them.
4, Search your templates for the following words "Biz", "derpina" and if you don't use iframes, do a search for "iframe" too, delete all references.
5, Check all your headers for scripts at the bottom of their code, I found a long one there.
6, Go to Advert manager, check all adverts & coding, I found one there (it was checked to only show if not an admin, so I wouldn't see it!).
7, Check all your custom BB Codes are all OK.
8, Search users signatures for code.

IP addresses that were used (add them to banned list!):
95.211.10.3
71.64.124.240
80.46.173.224
24.93.174.137
4.247.80.228
81.31.96.176
81.137.3.125
199.19.94.179
72.73.225.101
63.255.222.11
98.110.89.122
65.94.217.225
65.93.219.195
130.63.229.181
81.178.229.11
81.178.242.65
37.24.146.52
178.73.207.151
118.96.174.234
41.99.103.211


Hope this helps, took me about 3 hours on a small (3000 member) forum!

Please read the following two blog posts:




Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

I dont know who "abdou" is, but this guy apparently has a script crawling the web and looking for sites with the exploit and creating accounts. Later on (a few days sometimes), someone (or another bot) comes back and tries to do more. My admincp is locked down by IP and with a password, so I escaped with only some deleted records (and i have daily backups) that I had to restore.

My site was hacked last night. I'm running 4.2.1 and I did have the install directory in place.

The hacker "mast3r" made an admin account and installed some plugin titled "vbulletin"

The plugin takes over the "subscription.php" template with some type of user-interface the hacker uses to access and edit all the files and such..

Both sites I run were hit by this 'account' - neither have done anything apart from register an Administrator called "Th3H4ck". Looks like they do a mass script to register the account, then access it later to cause problems? Either way, both accounts had the user Th3H4ck and no changes other than that, so i've removed the /install folders. This is 4.2.1.

If was hacked once can be hacked allways if the tunel is not closed!

vBulletin support how can we fix this issue?

I'd been out of town, other admins hadn't done the recommendation (remove the install directory) - so I found we'd been hacked today. Went through all the steps detailed in previous posts (only one additional admin, no other users). This person tried to run a plugin, which appears to only have tried to rewrite the ajax.php file, and then deleted the plugin. Doesn't look like they touched anything else, no other modified files that I've been able to find (looking at modified dates). The ajax.php file was completely boned, I'm attaching it in case it can be of assistance. Replaced with a backup, everything seems OK. ajax.txt

I have deleted the install folder but it was after my site was hacked. Now what?

From what has been said so far this hack apparently uses a plugin to do its mischief. Could vBulletin issue a patch that would add userid, username and date fields to the plugin table and modify the queries to record any new plugins created or edits to existing plugins? None of the new fields would need to show on the plugin page but you could at least go through the plugin table with phpMyAdmin and find the problem. Maybe even create a patch later that could seek out and fix the problem.

We still should of had some type of notification. This thread was created on 27th, it happened to my forum last night. Most of us receive email on our phones so if we received notification we could of fixed the issue. With the type of access they had I think we are lucky they were only editing templates, they could of deleted data, threads forums etc. I hope you will also look at securing the admin group and not just fix install source issue. New member with 0 posts should never be able to be in this group if you have some checks around that and maybe have extra approvals so this doesn't happen again.

They just moved to another site and left your's alone. Their main interest is to use a server as a spam-door and this is what they tried to do at my place. surely nobody ever should mention that they take part of the category of hackers, since I'll literally nail them into the ground.

Hello,

I came to know of this exploit and looks like we too had this attack, we did the below:

1.Deleted install folder
2. Deleted suspicious admin user accounts
4. Refer thread - http://www.vbulletin.org/forum/showthread.php?t=301892 as mentioned there I didn't have any Iframe injection , but there was a line added in the "header" template of one of our custom style that reads as "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked" and the suspicious lines were removed.

Also we notice that few templates in the custom style has edit history that says "Edited by .." the suspicious admin accounts with time stamp in the past year 2010.

Is there any other precautions that need to be done. Am I currently still exploited? What are the other security measures that I need to do to protect my forums.

Unless you have or somebody else has removed it, it should be at your forum root. With me, it comes after the includes folder. Alphabetical order I assume.

Hi,
We suspected if they changed something in the styles / templates.

Looking at the templates (both in parent style and other styles), reviewing the 'Edit history', some of the templates show
'Edited by Jelsoft', 'Edited by vBulletin' which are vbulletin edits
Some show 'Edited by' our own admin accounts - probably some template customizations
While some templates show as below:
blog_blog_rown - Last edited December 15 2010 at 13:29 by ksours
blog_comment_profile - Last edited December 21 2009 at 16:59 by freddie
blog_cp_manage_categories - Last edited December 9 2010 at 16:32 bymichael.lavaveshkuli

Are these something that we should suspect? Could it be possible they changed the edit date and time?

Hi Ambro,
Our site was a hacked. We just removed the 'install' directory. There were Admin accounts created. Removed and blocked IP.
We also see via Control panel log (for the date on which these admin accounts got created) there were few more usernames (edit and killed) and plugins touched (displays plugin id).

But when we ran your above query in plugin table in vB DB, it returned no results.

We did not see anything weird so far in the front end or any redirect of 'index.php'. However, in one of the style we use, got a message at the top of the header:
"Kindly delete your install directory of forums. Otherwise, you will keep getting hacked".

Did the hacker put up this message? Wierd? However, this message was not displaying in other styles we use.