4.1.1 Forum HACKED by Syrian Sympathizers

  • NHTourGuide
    Member
    • Feb 2011
    • 61
    • 4.1.x

    4.1.1 Forum HACKED by Syrian Sympathizers

    When you enter my forum at: http://www.nhtourguide.com/forums/forum.php after the page loads a user is transferred to this site: http://www.cadiroig.cat/ - Some sort of a Syrian Sympathizer Hack page called SECURITY LION H4CK3RS T34M

    I found there were some new admins added in the last week that I knew nothing about. 4 of them actually. I deleted them and I deleted the /install folder that I am now seeing is an exploit. But now I still have the forward in the forum. Anyone have any ideas how to get rid of it?
    Last edited by NHTourGuide; Mon 9 Sep '13, 9:49am.
    NHTourGuide.com
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73981

    #2
    First you should upgrade to 4.2.1 as the supported version.

    When done upgrading delete your install directory.

    Next read this: http://www.vbulletin.com/forum/blogs...vbulletin-site
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    • NHTourGuide
      Member
      • Feb 2011
      • 61
      • 4.1.x

      #3
      Thanks but right now I just want to remove the forwarding that was installed by the hackers. I read this section of the link you posted:

      Help, I’ve been hacked!

      If you’ve already been exploited, we’d suggest taking a look at this guide on helping to clean up your site. (coming shortly)

      But it just says "coming shortly"

      I don't mind upgrading but I just want this removed asap first.
      NHTourGuide.com

      • fmckinnon
        Member
        • May 2007
        • 40

        #4
        We're in the same boat - have uploaded all new files, upgraded, removed the /install directory, there are no additional admins that shouldn't be there, but did delete a suspicious regular user .. still have the exploit forward ... hope someone can help.

        • NHTourGuide
          Member
          • Feb 2011
          • 61
          • 4.1.x

          #5
          I'm sure there will be more of us that got hacked, just a matter of time.

          I did find this in the control panel log...

          5541 N/A 07:00, 9th Sep 2013 notice.php modify 91.144.37.48
          5540 N/A 06:59, 9th Sep 2013 notice.php update 91.144.37.48
          5539 N/A 06:59, 9th Sep 2013 notice.php add 91.144.37.48
          NHTourGuide.com

          • NHTourGuide
            Member
            • Feb 2011
            • 61
            • 4.1.x

            #6
            Look under "notices" in your Control panel... Delete the one that was added by the hacker. My problem is solved (I think)
            NHTourGuide.com

            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73981

              #7
              This guide is for what to do, after you've been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has

              Delete the install folder, delete any extra files, delete any extra admins, delete any extra plugins.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              • celios
                New Member
                • Jul 2010
                • 16

                #8
                This has just happened to me - it is a problem with a vulnerability in the /install directory on 4.x (or /core/install on 5.x). You need to remove the /install directory from your server, remove the additional admin accounts that have been created and remove the notice added.

                The vBulletin team just posted a pre-disclosure warning on their announcements forum about a possible exploit in versions 4.1+ and 5+ of vBulletin. They don’t…

                • One-Take
                  Member
                  • Mar 2002
                  • 69

                  #9
                  Did they need to be a member to achieve this? I've had to put my board in an email request for membership only because of repeated fake signups that just take too much time to deal with.. I've had several recently that I've added.. would like to know, do they have to be members to use this exploit?

                  • Paul M
                    Former Lead Developer
                    vB.Com & vB.Org
                    • Sep 2004
                    • 9886

                    #10
                    Originally posted by One-Take
                    would like to know, do they have to be members to use this exploit?
                    No they do not, they just need access to your install folder. Remove that and the exploit is gone.

                    You should also protect your admin cp folder with an htaccess user/password, so even if they create an admin account, they cannot get into the ACP.
                    Baby, I was born this way

                    • helal_ph
                      Member
                      • Mar 2008
                      • 80

                      #11
                      Originally posted by Paul M
                      No they do not, they just need access to your install folder. Remove that and the exploit is gone.
                      You should also protect your admin cp folder with an htaccess user/password, so even if they create an admin account, they cannot get into the ACP.
                      I was hacked also yesterday and today! The hacker replaced (index.php and forum.php and activity.php) with his own
                      I solved the issue by:
                      1- re-uploading the original files again, overwriting the hacker's files
                      2- I also deleted the install folder
                      3- I changed my passwords

                      Now I have some questions:
                      1- How can someone reach the install folder without knowing my ftp username and pass?
                      2- If they can reach the admincp, can they reach this install folder?
                      3- If the install folder has no value, why did the vBulletin team not instruct us to delete it after installation? They instruct us to delete only install.php

                      thank you

                      • netguard
                        New Member
                        • Sep 2007
                        • 2
                        • 3.6.x

                        #12
                        In my case they added 3 admins and one of the new admins posted a notice.

                        I deleted the extra admins and took down the notice and now my forum looks normal again.

                        I am now upgrading to the latest version...

                        • Eternal_
                          Senior Member
                          • Mar 2007
                          • 398
                          • 3.6.x

                          #13
                          I've been hacked as well, but I also run a wordpress on the main directory while the forum is at .com/forum and it seems like the entire site (both wordpress and vbulletin) was affected. The hackers' message is showing on the home page and the forum home page. My hosting provider also said that their weekly backups for the site are also corrupted and that I'll have to pay for them to do a malware scan! - does that make any sense? If both wordpress and vbulletin are hacked, doesn't that mean the hackers got into the server?

                          • Phat Phreddy
                            New Member
                            • Apr 2013
                            • 22
                            • 4.2.X

                            #14
                            I have followed all the steps outlined..

                            Removed admins added
                            Removed notices and plugins
                            Full file restore of pre-hack filesystem
                            Removed install directory
                            Changed ALL passwords.. admin, ftp, mysql, etc

                            And still they are back in 4 times in 2 days..

                            • hurricane_sh
                              Senior Member
                              • Mar 2005
                              • 171

                              #15
                              Maybe the backdoor file was placed elsewhere. If you have ssh access, use the "find" command to examine recently changed/added files.
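
A defender-side triage script for the cleanup steps this thread converges on (remove the leftover install directory, list recently changed files as #15 suggests, and check that the admin CP is behind HTTP auth as #10 recommends). This is an added example, not part of the thread or of vBulletin's own tooling; it assumes the forum document root is passed as the first argument and that the admin CP lives in the default `admincp` directory.

```shell
#!/bin/sh
# Post-compromise triage for a vBulletin 4.x/5.x document root.
# Added example, not vBulletin's own tooling. Assumes $1 is the forum
# document root and the admin CP is in the default "admincp" directory.

# Leftover installer (the root cause discussed in this thread): returns 0 if it is still present.
vb_install_dir_present() {
  [ -d "$1/install" ] || [ -d "$1/core/install" ]
}

# Files modified in the last N days (default 7), per the "find" advice in #15.
# Replaced files such as index.php, forum.php or activity.php would show up here.
vb_recent_files() {
  find "$1" -type f -mtime "-${2:-7}" -print | sort
}

# Admin CP guard from #10: returns 0 only if admincp/.htaccess declares AuthType.
vb_admincp_protected() {
  ht="$1/admincp/.htaccess"
  [ -f "$ht" ] && grep -qi '^[[:space:]]*AuthType' "$ht"
}

# Print a short report; return 1 if anything still needs attention.
vb_triage() {
  root="$1"; days="${2:-7}"; rc=0
  if vb_install_dir_present "$root"; then
    echo "WARN: install directory still present under $root - remove it"; rc=1
  fi
  if ! vb_admincp_protected "$root"; then
    echo "WARN: admincp has no HTTP auth (.htaccess with AuthType)"; rc=1
  fi
  echo "Files changed in the last $days days (review each one):"
  vb_recent_files "$root" "$days" | sed 's/^/  /'
  return "$rc"
}

# Stand-alone use: sh vb_triage.sh /var/www/forum [days]
if [ $# -gt 0 ]; then vb_triage "$@"; fi
```

Run it before and after each cleanup step; a file that keeps reappearing in the recent list after passwords and files have been reset points to a backdoor outside the forum directory, which is the situation #14 and #15 describe.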
