Forum hacked...
  • Jaxo
    Member
    • Dec 2011
    • 36

    Forum hacked...

    Hi, my site has been hacked and I am unsure what to do.

    I logged in today and just by coincidence noticed an administrator by the name of h311-c0d3 was online. I checked admin permissions and logs and there were about 6-7 admins there who should not have been.

    I checked logs and deleted the admins. Most had no logs but a couple had been running scripts which seem to be to do with paid subscriptions. When I tried to access this section of the admin panel it asked for a password (something I have never set, as I have no paid subs).

    I'm at a bit of a loss. What should I do? How did they get in etc.?

    I'd be grateful for any advice. The site is http://cccam-exchange.com and it's running Version 4.2.0

    Thanks in advance

    Jack

  • Hartmut
    Senior Member
    • Nov 2007
    • 2870
    • 4.2.x

    #2
    Delete your /install folder, there has been an exploit in vB with this.
    No private support, only PM me when I ask for it. Support in the forums only.


    • Jaxo
      Member
      • Dec 2011
      • 36

      #3
      Thanks, Should I also upgrade to the latest version?



      • Hartmut
        Hartmut commented
        Would be better in order to avoid exploits from the past.
    • WildWayz
      Senior Member
      • May 2000
      • 587
      • 3.6.x

      #4
      Mine was hacked too - but thankfully all they did was register an admin and didn't do anything with it, so I've removed that admin account. I checked the logs and that account hadn't done anything.

      That was 3 days ago he registered it - but I've also removed /install


      • Jaxo
        Member
        • Dec 2011
        • 36

        #5
        You expect better from a paid premium product tbh.. I was with phpbb previously and never had this problem.. Only moved to vbulletin as it looks better but to me seems less secure


        • Jaxo
          Member
          • Dec 2011
          • 36

          #6
          Any idea how I can access paid subscriptions on the admin panel if I do not have the password? Is there any way to reset it?


          • Jaxo
            Member
            • Dec 2011
            • 36

            #7
            From what I can see, they have tried to run scripts and have done something with the paid subscription section of the admin panel... every tab I try to access asks for a password (which I do not know, as I have never set up any paid subscriptions). Where in the files is this password located so I can change or remove it? Or is there a query I could run to remove it?

            What I have done so far is removed the rogue admins, checked config.php to see if any superadmins have been added (which they haven't), upgraded my vBulletin to the latest version and renamed the admincp... As far as I am aware they got access through the vBulletin software and not through the server.

            Is there anything else I can check for or do?


            • Jaxo
              Member
              • Dec 2011
              • 36

              #8
              Here is a copy of my control panel log and what they have done...
              25618 N/A 16:06, 8th Sep 2013 subscriptions.php modify 37.130.224.22
              25617 N/A 16:06, 8th Sep 2013 subscriptions.php add 37.130.224.22
              25616 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
              25615 N/A 16:06, 8th Sep 2013 plugin.php add 37.130.224.22
              25614 N/A 16:06, 8th Sep 2013 plugin.php 37.130.224.22
              25613 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 677 37.130.224.22
              25612 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 677 37.130.224.22
              25611 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
              25610 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 678 37.130.224.22
              25609 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 678 37.130.224.22
              25608 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
              25607 N/A 16:06, 8th Sep 2013 plugin.php product 37.130.224.22
              25606 N/A 16:05, 8th Sep 2013 diagnostic.php payments 37.130.224.22
              25605 N/A 16:05, 8th Sep 2013 subscriptionpermission.php modify 37.130.224.22
              25604 N/A 16:05, 8th Sep 2013 plugin.php 37.130.224.22
              25603 N/A 16:05, 8th Sep 2013 plugin.php doimport 37.130.224.22
              25602 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
              25601 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
              25600 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
              25599 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
              25598 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
              25597 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
              25596 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
              25595 N/A 16:02, 8th Sep 2013 plugin.php add 37.130.224.22
              25594 N/A 16:02, 8th Sep 2013 plugin.php files 37.130.224.22
              25593 N/A 15:53, 8th Sep 2013 plugin.php 37.130.224.22
              25592 N/A 15:53, 8th Sep 2013 plugin.php doimport 37.130.224.22
              25591 N/A 15:52, 8th Sep 2013 plugin.php files 37.130.224.22
              25590 N/A 15:52, 8th Sep 2013 plugin.php updateactive 37.130.224.22
              25589 N/A 15:51, 8th Sep 2013 plugin.php 37.130.224.22
              25588 N/A 15:51, 8th Sep 2013 plugin.php update 37.130.224.22
              25587 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
              25586 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
              25585 N/A 15:50, 8th Sep 2013 plugin.php files 37.130.224.22
              25584 N/A 15:50, 8th Sep 2013 plugin.php modify 37.130.224.22
              25583 N/A 15:50, 8th Sep 2013 plugin.php product 37.130.224.22
              25582 N/A 15:50, 8th Sep 2013 subscriptions.php add 37.130.224.22
              25581 N/A 15:50, 8th Sep 2013 subscriptions.php modify 37.130.224.22

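As an added example, not code from the thread or from vBulletin: a small Python script that parses control-panel log lines in the layout pasted above and summarises, per source IP, the sensitive write actions (plugin and subscription changes), the activity window and the plugin ids touched. The choice of sensitive scripts and the three-writes threshold are my own assumptions; the last sample line is constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime
# Column layout of the control-panel log as pasted in the thread:
#   <log id> <username> <HH:MM>, <day><ordinal> <Mon> <YYYY> <script> [action text] <source ip>
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+(?P<time>\d{1,2}:\d{2}),\s+"
    r"(?P<day>\d{1,2})(?:st|nd|rd|th)\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4})\s+"
    r"(?P<script>\S+\.php)\s*(?P<action>.*?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
# Admin scripts where a write means new server-side code (plugins) or changed access/payment settings.
SENSITIVE_SCRIPTS = {"plugin.php", "subscriptions.php", "subscriptionpermission.php"}
WRITE_ACTIONS = {"add", "modify", "update", "delete", "kill", "doimport", "updateactive"}
PLUGIN_ID_RE = re.compile(r"plugin id = (\d+)")
# First six lines are copied from the log posted above; the last is a constructed benign
# entry from a documentation-range address, added for contrast.
SAMPLE_LINES = [
    "25618 N/A 16:06, 8th Sep 2013 subscriptions.php modify 37.130.224.22",
    "25617 N/A 16:06, 8th Sep 2013 subscriptions.php add 37.130.224.22",
    "25614 N/A 16:06, 8th Sep 2013 plugin.php 37.130.224.22",
    "25613 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 677 37.130.224.22",
    "25603 N/A 16:05, 8th Sep 2013 plugin.php doimport 37.130.224.22",
    "25582 N/A 15:50, 8th Sep 2013 subscriptions.php add 37.130.224.22",
    "25620 jaxo 17:10, 8th Sep 2013 index.php 192.0.2.10",
]

def parse_line(line):
    """Split one log line into fields; None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['time']} {m['day']} {m['mon']} {m['year']}", "%H:%M %d %b %Y")
    return {"id": int(m["id"]), "user": m["user"], "ts": ts,
            "script": m["script"], "action": m["action"], "ip": m["ip"]}

def summarize(lines):
    """Per source IP: sensitive write count, activity window, scripts and plugin ids touched."""
    out = defaultdict(lambda: {"writes": 0, "first": None, "last": None, "scripts": set(), "plugin_ids": set()})
    for e in filter(None, map(parse_line, lines)):
        s = out[e["ip"]]
        s["first"] = min(filter(None, [s["first"], e["ts"]]))
        s["last"] = max(filter(None, [s["last"], e["ts"]]))
        verb = e["action"].split(" ", 1)[0]  # "" when the action column is empty (a plain page view)
        if e["script"] in SENSITIVE_SCRIPTS and verb in WRITE_ACTIONS:
            s["writes"] += 1
            s["scripts"].add(e["script"])
        s["plugin_ids"].update(PLUGIN_ID_RE.findall(e["action"]))
    return dict(out)

def suspicious_ips(lines, min_writes=3):
    # Addresses with at least min_writes sensitive writes; the threshold is a judgement call.
    return sorted(ip for ip, s in summarize(lines).items() if s["writes"] >= min_writes)
```

Run it over the full exported log rather than the sample: the per-IP window and the plugin ids tell you which plugin rows to inspect in the database even after the plugins themselves were deleted.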

              • Jaxo
                Member
                • Dec 2011
                • 36

                #9
                Can anyone help me or give me any advice ?


                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73981

                  #10
                  Delete the plugins, delete the users, delete your install folder.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API


                  • Jaxo
                    Member
                    • Dec 2011
                    • 36

                    #11
                    I have deleted the users and install folders but there are no extra plugins there that I haven't installed myself?

                    What have they tried to do?


                    • Wayne Luke
                      vBulletin Technical Support Lead
                      • Aug 2000
                      • 73981

                      #12
                      Delete the plugins and reinstall your addons from new downloads.

                      • Jaxo
                        Member
                        • Dec 2011
                        • 36

                        #13
                        Ok, will do this. Thanks for the help Wayne


                        • Jaxo
                          Member
                          • Dec 2011
                          • 36

                          #14
                          Sorry, one more thing.. any idea as to how to reset the password on paid subscriptions?


                          • Ion Saliu
                            Senior Member
                            • Sep 2010
                            • 172
                            • 4.2.X

                            #15
                            Jaxo:

                            You are not alone, axiomatic colleague of mine. Many, many administrators who run forums powered by vBulletin have been struck by this bunch of skumbullows (i.e. cyber criminals) located in China. I wrote about my headaches in this forum. I am posting now from a different computer and don't have my original Word documents. I showed in my thread two of the IP addresses of the skumbullows. I just found one more suspicious IP number located in Germany.

                            So, look at that repeated IP in your post: 37.130.224.22.
                            2582e016.rdns.100tb.com
