Same happened to me. Deleted "install" folder, found two admin accounts (deleted them), found three plugin entries (deleted them), and also found entries in one of the database tables.
That FORUMHOME entry in the database, how do I fix it? Copying vB files via FTP will not help.
Thanks
P.S.
Well, I just saw a REVERT button...
A new type hack method?
Also it wasn't vBSEO itself I was suspecting, it was the vBSEO sitemap generator, which people can use without vBSEO. Before vB4, vBulletin had no built-in sitemap generator and everyone was using the vBSEO one because it was free; when vB4 came out a lot of people continued to use it, and I don't believe there is a problem with it, only the fact that some people use the same passwords and it's clearly shown in a normal field in AdminCP.
Yours was obviously done via style manager or it wouldn't still say vBSEO at the bottom of the page, I was just curious.
I'm just really confused as to why someone with that level of access would try and cover their tracks by removing the plugin and user account but not prune the logs?
-
[QUOTE]
I'm still wondering how they managed to change people's index pages just from creating an admin account, which means they got FTP access or cPanel access, which isn't available just for having an admin account?
I see the original poster of this thread had vBSEO installed. Just out of interest, can you go to AdminCP > Settings > Options > vBSEO Search Engine XML Sitemap,
scroll down to "vBSEO Sitemap Interface Access Password" and tell me if the password you used there is the same as your cPanel or FTP account?
This is the only way I can currently think of that they might have gained higher access, because the password is not encrypted there and any admin can view it, and as we've seen before people continue to use the same passwords for everything, which is how they get caught out.
[/QUOTE]
And no, I never use the same passwords.
You can easily change people's index pages via style manager if you have an admin account btw.
-
This happened to my forum as well. I misread the announcement (I thought 4.1+ didn't include 4.2.0) and didn't remove the install directory.
I couldn't find any other changes though except the new admin account "Th3H4ck", maybe because I noticed the unusual username in time or password-protected admincp/modcp directory.
A really scary moment.
-
After looking up the IP, I see it is in China...http://ip-lookup.net/index.php
Oddly enough, that is where I reside...
Thanks for your input, this is a learning curve for me too...
-
From that, my assumption is that they came in, stuck something into your database using the plugin thing, then erased the plugin thing to try and cover up what it was they did. Don't want to make you paranoid, but what if they put something into your database that will or can be triggered by time or some other device? Or maybe I am the one that is paranoid?
The post above also supports my paranoid theory..
-
[QUOTE]
From the looks of it they created a plugin, then deleted it, then created a user and deleted that. I can't find any modified files on my server and I don't have the plugins that other people have. The question is why give themselves access and take it away? I've looked through everything and can't find anything out of place.
[/QUOTE]
While I still had my forum running, someone suggested running an admincp thing that checks for unknown or unrecognized files; my system found several (and I have not modded much at all from the original install).
What I found odd was the SQL injections: they tried to inject all kinds of tags and code for various video sites directly into the SQL database. They were not trying to add posts or anything, just doing straight SQL injections. Not sure there would be any way to check the SQL file and see what has been changed in the last 4 days or not. If not, I am just pulling the forums completely so they can not compromise anything else on my server.
-
Show entries by:
Blank space at the top (if they deleted themselves)
or select their name if they're still there.
I got:
Code:
Log ID   User   Date                   Script       Action     Extra               IP
102106   N/A    18:13, 30th Aug 2013   user.php     kill       user id = 333162    198.203.28.247
102105   N/A    18:13, 30th Aug 2013   user.php     remove     user id = 333162    198.203.28.247
102104   N/A    18:13, 30th Aug 2013   user.php     edit       user id = 333162    198.203.28.247
102103   N/A    18:13, 30th Aug 2013   user.php     find                           198.203.28.247
102102   N/A    18:13, 30th Aug 2013   user.php     modify                         198.203.28.247
102101   N/A    18:13, 30th Aug 2013   plugin.php                                  198.203.28.247
102100   N/A    18:13, 30th Aug 2013   plugin.php   kill       plugin id = 8305    198.203.28.247
102099   N/A    18:13, 30th Aug 2013   plugin.php   delete     plugin id = 8305    198.203.28.247
102098   N/A    18:13, 30th Aug 2013   plugin.php   modify                         198.203.28.247
102097   N/A    18:05, 30th Aug 2013   plugin.php                                  198.203.28.247
102096   N/A    18:05, 30th Aug 2013   plugin.php   doimport                       198.203.28.247
102095   N/A    18:04, 30th Aug 2013   plugin.php   files                          198.203.28.247
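To triage an admin log like the one above, here is an added example (not from the thread or from vBulletin itself) that parses the BBCode table rows the "Code:" box produced and flags any source IP showing the import-plugin, delete-plugin, delete-user sequence the posters describe. The sample rows are a constructed subset of the log quoted above plus one made-up benign row from a documentation address; the column names are assumed from the values.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the admin-log rows quoted in the thread
# (IP 198.203.28.247) in the BBCode [TR]/[TD] form the "Code:" box showed,
# plus one made-up benign row (203.0.113.5, a documentation address).
SAMPLE_LOG = """
[TR] [TD]102090[/TD] [TD]admin[/TD] [TD]17:00, 30th Aug 2013[/TD] [TD]user.php[/TD] [TD]find[/TD] [TD] [/TD] [TD]203.0.113.5[/TD] [/TR]
[TR] [TD]102095[/TD] [TD]N/A[/TD] [TD]18:04, 30th Aug 2013[/TD] [TD]plugin.php[/TD] [TD]files[/TD] [TD] [/TD] [TD]198.203.28.247[/TD] [/TR]
[TR] [TD]102096[/TD] [TD]N/A[/TD] [TD]18:05, 30th Aug 2013[/TD] [TD]plugin.php[/TD] [TD]doimport[/TD] [TD] [/TD] [TD]198.203.28.247[/TD] [/TR]
[TR] [TD]102099[/TD] [TD]N/A[/TD] [TD]18:13, 30th Aug 2013[/TD] [TD]plugin.php[/TD] [TD]delete[/TD] [TD]plugin id = 8305[/TD] [TD]198.203.28.247[/TD] [/TR]
[TR] [TD]102100[/TD] [TD]N/A[/TD] [TD]18:13, 30th Aug 2013[/TD] [TD]plugin.php[/TD] [TD]kill[/TD] [TD]plugin id = 8305[/TD] [TD]198.203.28.247[/TD] [/TR]
[TR] [TD]102104[/TD] [TD]N/A[/TD] [TD]18:13, 30th Aug 2013[/TD] [TD]user.php[/TD] [TD]edit[/TD] [TD]user id = 333162[/TD] [TD]198.203.28.247[/TD] [/TR]
[TR] [TD]102105[/TD] [TD]N/A[/TD] [TD]18:13, 30th Aug 2013[/TD] [TD]user.php[/TD] [TD]remove[/TD] [TD]user id = 333162[/TD] [TD]198.203.28.247[/TD] [/TR]
[TR] [TD]102106[/TD] [TD]N/A[/TD] [TD]18:13, 30th Aug 2013[/TD] [TD]user.php[/TD] [TD]kill[/TD] [TD]user id = 333162[/TD] [TD]198.203.28.247[/TD] [/TR]
"""

ROW = re.compile(r"\[TR\](.*?)\[/TR\]", re.S)
CELL = re.compile(r"\[TD[^\]]*\](.*?)\[/TD\]", re.S)
# Assumed column order, inferred from the values in the quoted log.
FIELDS = ("logid", "user", "when", "script", "action", "extra", "ip")

def parse_admin_log(bbcode):
    """Turn the BBCode table into a list of dicts, one per log row."""
    rows = []
    for row in ROW.findall(bbcode):
        cells = [c.strip() for c in CELL.findall(row)]
        if len(cells) == len(FIELDS):          # skip malformed rows
            rows.append(dict(zip(FIELDS, cells)))
    return rows

def flag_self_cleanup(rows):
    """Return {ip: [(script, action), ...]} for source IPs that imported a
    plugin, later killed/deleted a plugin, and also killed/removed a user:
    the 'cover their tracks' sequence discussed in the thread."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append((int(r["logid"]), r["script"], r["action"]))
    hits = {}
    for ip, acts in by_ip.items():
        acts.sort()                              # log ids increase over time
        imports = [i for i, s, a in acts if (s, a) == ("plugin.php", "doimport")]
        kills = [i for i, s, a in acts if s == "plugin.php" and a in ("kill", "delete")]
        user_gone = any(s == "user.php" and a in ("kill", "remove") for _, s, a in acts)
        if imports and kills and user_gone and min(imports) < max(kills):
            hits[ip] = [(s, a) for _, s, a in acts]
    return hits

if __name__ == "__main__":
    for ip, actions in flag_self_cleanup(parse_admin_log(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(f"{s}:{a}" for s, a in actions))
```

Paste the rows from your own admin log export into SAMPLE_LOG; a flagged IP is a starting point for checking what the imported plugin wrote, not proof by itself.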
-
May not be relevant but there you go...