Defaced By Exploit - How To Restore?

  • dog-tag
    Member
    • Jan 2012
    • 52
    • 4.1.x

    Defaced By Exploit - How To Restore?

    Hey guys,

    Have spent the day trying to fix my site. Hackers attacked my installation, 4.2.0 PL3.
    I have asked Sucuri to fix my site but they haven't bothered doing a single thing; total waste of time and money.

    The hackers created 5/6 admin accounts and defaced the site with a crappy looking welcome page.

    What have I done about it?
    • I have upgraded the site to VB 4.2.1 and removed the install folder and the rotten admin accounts.
    • I have restored my default theme and tried to display it, but the hack is overriding it regardless.
    • I have checked my .htaccess file and it's perfect.
    • I have checked the admincp logs and from what I can see they just made template changes and created admins.
    • I have also disabled the plugin system by admincp + config file but nothing changes, so it's not a hook creating the trouble.

    Any advice or help would be a massive help as this is going on too long now.

    Thanks a lot, and I hope I've given enough info.

    G
  • Richard Tafoya
    Member
    • Apr 2000
    • 72

    #2
    I just went through this last weekend, and your steps look identical to mine, though in my case, I went through the Edit Templates area and could see that they hit the Footer and Forum Home templates. Once I reverted those two, my original layout came back.

    Comment


    • dog-tag
      dog-tag commented
      Editing a comment
      You've single-handedly got my site back online, thanks from the bottom of my heart!

      I've noticed some new directories on the server that I don't recognise. Looks like a fresh installation of cPanel, perhaps a back door into the server for another attack, I'm phoning my host now to investigate.

    • Richard Tafoya
      Richard Tafoya commented
      Editing a comment
      Let me know what you find out. I run suphp on my VPS and I'm hoping that helped contain this to just the public_html file system. If you find something squirrelly outside the forum files, please share, so I can look for the same.
  • dog-tag
    Member
    • Jan 2012
    • 52
    • 4.1.x

    #3
    The hackers have set up a root kit. A folder inside the main forum folder contained tonnes of cPanel, WHM, Drupal and hundreds more scripts to host attacks, to root back in and to do god only knows what more. There were some stray scripts also which looked like hooks, just one- and two-letter names.

    Sucuri have finally gotten back (must have seen the above) and told me they suspect these guys have done some real damage. According to my logs they first broke cover 12 days ago when they first created an admin account. Then every second day they added more admin accounts (probably their friends).

    They messed around with some of my plugin settings like Spam-O-Matic, gave my site a redesign late last night and installed a motherlode of scripts. If you would like to talk in private, Richard, just PM me. I don't want to give these guys any credit, but I also want to protect other vBulletin members.

    These same guys have been trying to access my WHM panel for about 2 months now; the failed attempts and IPs are emailed to me daily and I recognised one of them as one of the admins. Don't know why they wanted my site so bad; they even screwed up my WP installation too.

    Comment
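    Post #3 describes three things worth checking for after a defacement like this one: files touched since the first rogue admin account appeared, stray one- and two-letter PHP scripts, and top-level folders that were never part of the install. The script below is an added example, not code from the thread or from vBulletin; the expected top-level baseline is an assumption to be trimmed to your own tree, and the sample web root it triages is constructed inline.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed baseline of top-level entries for this install (trim/extend to match your own
# vBulletin tree; this is an illustrative set, not an official vBulletin manifest).
EXPECTED_TOP_LEVEL = {"admincp", "modcp", "archive", "clientscript", "cpstyles", "images",
                      "includes", "packages", "vb", "index.php", "forum.php", ".htaccess"}

def triage_webroot(root, cutoff_epoch, expected=EXPECTED_TOP_LEVEL):
    """Return (recent, short, unknown), each a sorted list of paths relative to root:
    recent  - files modified at/after cutoff_epoch (e.g. when the first rogue admin appeared)
    short   - .php files whose name is only 1-2 characters, like the stray scripts in the thread
    unknown - top-level entries missing from the expected baseline (e.g. a dropped cPanel copy)
    """
    root = Path(root)
    unknown = sorted(e.name for e in root.iterdir() if e.name not in expected)
    recent, short = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mtime >= cutoff_epoch:
            recent.append(rel)
        if path.suffix.lower() == ".php" and len(path.stem) <= 2:
            short.append(rel)
    return sorted(recent), sorted(short), unknown

def build_sample_webroot(base):
    """Populate base with a constructed tree (not a real site): two legitimate files, two planted."""
    old = time.time() - 30 * 86400   # legitimate files, last touched 30 days ago
    new = time.time() - 2 * 86400    # planted files, 2 days ago (inside a 12-day window)
    for rel, mtime in {"index.php": old, "includes/functions.php": old,
                       "images/misc/a.php": new, "cp-backup/whm.php": new}.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed placeholder\n")
        os.utime(p, (mtime, mtime))  # backdate so the mtime filter is meaningful

def run_sample_triage():
    """Build the constructed tree in a temp dir and triage it with a 12-day cutoff."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return triage_webroot(tmp, time.time() - 12 * 86400)

if __name__ == "__main__":
    for label, hits in zip(("recent", "short", "unknown"), run_sample_triage()):
        print(label, hits)
```

    Run it against a copy of the web root rather than the live tree, and treat a hit as a lead to inspect, not proof of compromise on its own.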
