I was hacked too, but I found so much that they had added!
Most important: as soon as you are in using the normal method, do not re-enter your password anywhere; go straight to your user page and change it.
Before anything else, delete the install folder!!!!
Then:
1. Check the admin accounts.
2. If there are unusual admins, then check your permissions; you need to change them all to yes again, and change the hacker(s) to no.
3. Ban the hacker.
4. Check the Admin Logs. Look at the user list; if you see lots of spaces before the first username (which may be the hackers'), they have changed things and then deleted the user. Click on each one and write down what scripts they have edited. You'll probably find it's nearly all of them. (This is how they don't show up unless you select them.)
5. Check your plugins for init_startup & ajax_complete, and delete them.
6. Search your templates for the following words: "Biz", "derpina", and if you don't use iframes, do a search for "iframe" too. Delete all references.
7. Check all your headers for scripts at the bottom of their code; I found a long one there.
8. Go to the Advert Manager and check all adverts & coding. I found one there (it was set to only show if not an admin, so I wouldn't see it!).
9. Check that all your custom BB codes are OK.
10. Search users' signatures for code.
IP addresses that were used (add them to banned list!):
Hope this helps, took me about 3 hours on a small (3000 member) forum!
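The checklist above is done by clicking through the admin CP; the same artefacts can be pulled straight out of the database in phpMyAdmin. The queries below are an added example, not code from this thread or from vBulletin, and they assume the stock vBulletin 4 table and column names with no table prefix (adjust the names if your config.php sets a prefix); the string patterns are the ones named in the post above.

```sql
-- Added example, not from the thread. Assumes stock vBulletin 4 schema, no table prefix.

-- Plugins attached to the init_startup / ajax_complete hooks, plus any plugin
-- whose PHP uses eval() or base64_decode() (a common way to hide injected code).
SELECT pluginid, title, hookname, product, active, LEFT(phpcode, 200) AS code_start
FROM plugin
WHERE hookname IN ('init_startup', 'ajax_complete')
   OR phpcode LIKE '%eval(%'
   OR phpcode LIKE '%base64_decode(%';

-- Templates (uncompiled source) containing the strings the checklist names.
-- LIKE is case-insensitive under the default MySQL collation, so 'Biz' also matches 'biz'.
SELECT templateid, styleid, title, username, FROM_UNIXTIME(dateline) AS last_edit
FROM template
WHERE template_un LIKE '%<iframe%'
   OR template_un LIKE '%Biz%'
   OR template_un LIKE '%derpina%'
ORDER BY dateline DESC;

-- Every account with administrator rights: primary group 6 is the stock
-- Administrators group, and a row in `administrator` grants admin CP access
-- regardless of usergroup.
SELECT u.userid, u.username, u.usergroupid, u.membergroupids,
       FROM_UNIXTIME(u.joindate) AS joined
FROM user AS u
LEFT JOIN administrator AS a ON a.userid = u.userid
WHERE u.usergroupid = 6
   OR FIND_IN_SET('6', u.membergroupids)
   OR a.userid IS NOT NULL;

-- Signatures carrying markup (signatures live in usertextfield, not user).
SELECT t.userid, u.username, LEFT(t.signature, 120) AS sig_start
FROM usertextfield AS t
JOIN user AS u USING (userid)
WHERE t.signature LIKE '%<script%'
   OR t.signature LIKE '%<iframe%';

-- Admin log entries for plugin, template and user edits, newest first.
-- A NULL username here is the "blank" entry from the checklist: the account
-- that made the edit has since been deleted, but the log row survives.
SELECT l.adminlogid, l.userid, u.username, FROM_UNIXTIME(l.dateline) AS logged_at,
       l.script, l.action, l.extrainfo, l.ipaddress
FROM adminlog AS l
LEFT JOIN user AS u USING (userid)
WHERE l.script IN ('plugin.php', 'template.php', 'user.php')
ORDER BY l.dateline DESC;
```

Run these read-only first and record what they return before deleting anything, so the log of who edited what (and from which IP) is preserved for the cleanup.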
A new type of hack method?
Please read the following two blog posts:
This guide is for what to do after you've been hacked, exploited, and/or defaced. Step 1, Change everything: If you believe, or think your site has
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Getting Started: This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
My site was hacked last night. I'm running 4.2.1 and I did have the install directory in place.
The hacker "mast3r" made an admin account and installed some plugin titled "vbulletin".
The plugin takes over the "subscription.php" template with some type of user interface the hacker uses to access and edit all the files and such.
Looks like I got hit with a similar exploit. They did not deface my site like the OP's, not yet anyway. They did find a way to add about 10 new users, all with the same username (Th3H4ck) and all with admin privs.
I would not have known about this vulnerability, or the active exploit, if they had not... maybe I should not post what triggered my knowledge of this.
I would have liked to have received an email about this exploit. Now going to 302 redirect to my BuddyPress install. Hope my host has a backup of the database and files from 5 days ago. Fingers crossed.
vBulletin 4.2.1 running, and had new member moderation turned on.
What I wonder is how they were able to run SQL insert commands from /forums/core/install/upgrade.php when I do not even have a /core/ or /core/install/ folder on this server.
Will we get an email if the exploit fix is found?
If it was hacked once, it can be hacked always if the tunnel is not closed!
vBulletin support, how can we fix this issue?
I'd been out of town, and other admins hadn't done the recommendation (remove the install directory), so I found we'd been hacked today. Went through all the steps detailed in previous posts (only one additional admin, no other users). This person tried to run a plugin, which appears to only have tried to rewrite the ajax.php file, and then deleted the plugin. Doesn't look like they touched anything else; no other modified files that I've been able to find (looking at modified dates). The ajax.php file was completely boned; I'm attaching it in case it can be of assistance. Replaced with a backup, everything seems OK. (Attachment: ajax.txt)
I have deleted the install folder, but it was after my site was hacked. Now what?
From what has been said so far, this hack apparently uses a plugin to do its mischief. Could vBulletin issue a patch that would add userid, username and date fields to the plugin table and modify the queries to record any new plugins created or edits to existing plugins? None of the new fields would need to show on the plugin page, but you could at least go through the plugin table with phpMyAdmin and find the problem. Maybe even create a patch later that could seek out and fix the problem.
We've advised customers to remove the install folder; that is our response. Once you remove it, the exploit vector is gone. In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Over time the system changed, which allowed an issue to crop back up.
Yeah, but a few comments I read said that people had had their index.php and forum.php files switched, and they just put the originals back in and everything was fine.
Also, it wasn't vBSEO itself I was suspecting; it was the vBSEO sitemap generator, which people can use without vBSEO. Before vB4, vBulletin had no built-in sitemap generator and everyone was using the vBSEO one because it was free. When vB4 came out, a lot of people continued to use it, and I don't believe there is a problem with it, only the fact that some people use the same passwords and it's clearly shown in a normal field in the admin CP.
Yours was obviously done via the style manager or it wouldn't still say vBSEO at the bottom of the page; I was just curious.
I'm just really confused as to why someone with that level of access would try and cover their tracks by removing the plugin and user account but not prune the logs?
Hello,
I came to know of this exploit, and it looks like we too had this attack. We did the below:
1. Deleted the install folder.
2. Deleted suspicious admin user accounts.
3. Referred to the thread http://www.vbulletin.org/forum/showthread.php?t=301892. As mentioned there, I didn't have any iframe injection, but there was a line added in the "header" template of one of our custom styles that reads "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked", and the suspicious lines were removed.
Also, we notice that a few templates in the custom style have an edit history that says "Edited by .." the suspicious admin accounts, with time stamps in the past year, 2010.
Are there any other precautions that need to be taken? Am I currently still exploited? What are the other security measures that I need to take to protect my forums?
Unless you or somebody else has removed it, it should be at your forum root. With me, it comes after the includes folder. Alphabetical order, I assume.
Hi,
We suspected they changed something in the styles / templates.
Looking at the templates (both in the parent style and other styles) and reviewing the 'Edit history', some of the templates show
'Edited by Jelsoft', 'Edited by vBulletin', which are vBulletin edits.
Some show 'Edited by' our own admin accounts, probably some template customizations.
While some templates show as below:
blog_blog_rown - Last edited December 15 2010 at 13:29 by ksours
blog_comment_profile - Last edited December 21 2009 at 16:59 by freddie
blog_cp_manage_categories - Last edited December 9 2010 at 16:32 by michael.lavaveshkuli
Are these something that we should suspect? Could it be possible they changed the edit date and time?
Hi Ambro,
Our site was hacked. We just removed the 'install' directory. There were admin accounts created; removed them and blocked the IP.
We also see via the Control Panel log (for the date on which these admin accounts got created) there were a few more usernames (edited and killed) and plugins touched (it displays the plugin id).
But when we ran your above query on the plugin table in the vB DB, it returned no results.
We did not see anything weird so far in the front end or any redirect of 'index.php'. However, in one of the styles we use, we got a message at the top of the header:
"Kindly delete your install directory of forums. Otherwise, you will keep getting hacked".
Did the hacker put up this message? Weird? However, this message was not displaying in the other styles we use.