Getting error on forum.php, suspect got hacked

  • theimforum
    Senior Member
    • Aug 2011
    • 125
    • 4.2.X

    [Forum] Getting error on forum.php, suspect got hacked

    I have someone who was able to set himself to the admin usergroup, and I get the following error on forum.php

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/imforum/public_html/forum.php on line 413


    How can I solve this and also prevent this person from hacking into the admin system again? I suspect he has uploaded some files onto the site, but I don't know which ones.
    The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com
  • DemOnstar
    Senior Member
    • Nov 2012
    • 1912

    #2
    I presume that you have removed the install folder from your forum root?

    I hear that they install plugins. Check your plugins and products/plugin manager to see if there is anything you don't recognize..
    I also hear the Ranks are affected so check them too...
    You could also look at your statistics and logs...?

    It may be time for you to restore from a previous backup?


    Comment

    • theimforum
      Senior Member
      • Aug 2011
      • 125
      • 4.2.X

      #3
      Originally posted by DemOnstar
      I presume that you have removed the install folder from your forum root?

      I hear that they install plugins. Check your plugins and products/plugin manager to see if there is anything you don't recognize..
      I also hear the Ranks are affected so check them too...
      You could also look at your statistics and logs...?

      It may be time for you to restore from a previous backup?
      When it happened, the install folder was still there; I have since deleted it. From the mod log I see a plugin was uploaded by the person, but in the manager I cannot see anything different.
      If I have no backup, how do I solve it?
      Where can I check Ranks?

      Comment

      • DemOnstar
        Senior Member
        • Nov 2012
        • 1912

        #4
        Ranks are in the AdminCP. Scroll down until you reach User Ranks..

        If you don't have a backup, maybe your host does? Not sure about that?
        Also check to see if you have any new users registered as admin, (CP panel Users) if yes, delete....

        For future reference to backups download this mod http://www.vbulletin.org/forum/showthread.php?t=231481

        Also, check this thread http://www.vbulletin.com/forum/forum...pe-hack-method


        Comment

        • theimforum
          Senior Member
          • Aug 2011
          • 125
          • 4.2.X

          #5
          Originally posted by DemOnstar
          Ranks are in the AdminCP. Scroll down until you reach User Ranks..

          If you don't have a backup, maybe your host does? Not sure about that?
          Also check to see if you have any new users registered as admin, (CP panel Users) if yes, delete....

          For future reference to backups download this mod http://www.vbulletin.org/forum/showthread.php?t=231481

          Also, check this thread http://www.vbulletin.com/forum/forum...pe-hack-method
          I deleted the hacked admin, but he keeps coming back. How does he set himself as admin? Is it through my admin login?

          Comment

          • DemOnstar
            Senior Member
            • Nov 2012
            • 1912

            #6
            Have you looked at your includes/config.php?

            Maybe also you should protect the admincp folder and the modcp folder with a password... Do it now... They are in your forum root...

            .htaccess should also be considered but I don't know how to do that..

            An alternative would be to place the following within an .htaccess file in your /install/ folder:
            Code:
            order deny,allow
            deny from all


            Comment

            • theimforum
              Senior Member
              • Aug 2011
              • 125
              • 4.2.X

              #7
              Originally posted by DemOnstar
              Have you looked at your includes/config.php?

              Maybe also you should protect the admincp folder and the modcp folder with a password... Do it now... They are in your forum root...

              .htaccess should also be considered but I don't know how to do that..



              Code:
              order deny,allow
              deny from all
              I have these in my .htaccess -

              Code:
              <Files 403.shtml>
              order allow,deny
              allow from all
              </Files>
              
              deny from 122.173.128.202

              Comment

              • DemOnstar
                Senior Member
                • Nov 2012
                • 1912

                #8
                Well, regarding the .htaccess announcement at the top of this page, it says

                Code:
                order deny,allow
                deny from all
                Yours reads

                Code:
                order allow,deny
                allow from all
                Perhaps you might be wise to consider the advice in the announcement and set to 'deny from all'?


                Comment
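Where each directive from posts #6 and #8 belongs, as an added example that is not part of any post in this thread: the deny-all rule sits in the `.htaccess` inside `/install/` only, and the control-panel folders get HTTP Basic authentication. The `/home/EXAMPLE/` path and the `adminname` user are placeholders, and the `IfModule` split between Apache 2.4 and 2.2 syntax goes beyond the two-line version quoted above.

```apache
# Added example: constructed files, not taken from the thread's server.

# ---- File 1: <forum root>/install/.htaccess ----
# Blocks every request to the installer directory, and nothing else.
# Apache 2.4 (mod_authz_core is loaded):
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Apache 2.2 (the syntax quoted in the thread):
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# ---- File 2: <forum root>/admincp/.htaccess (repeat in modcp/) ----
# HTTP Basic authentication in front of the vBulletin control-panel login.
# The password file path is a placeholder; keep the file outside
# public_html and create it with:
#   htpasswd -c /home/EXAMPLE/.htpasswd-cp adminname
AuthType Basic
AuthName "Control panel"
AuthUserFile /home/EXAMPLE/.htpasswd-cp
Require valid-user

# ---- File 3: <forum root>/.htaccess (site-wide) ----
# The 403.shtml block only lets the "forbidden" error page itself be
# served, so it stays as "allow from all".
# A bare "deny from all" at this level would block the whole forum;
# it belongs in File 1, scoped to /install/.
<Files 403.shtml>
    Order allow,deny
    Allow from all
</Files>
```

Basic authentication sends the password with every request, so the control-panel folders should be served over HTTPS.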

                • theimforum
                  Senior Member
                  • Aug 2011
                  • 125
                  • 4.2.X

                  #9
                  Originally posted by DemOnstar
                  Well, regarding the .htaccess announcement at the top of this page, it says

                  Code:
                  order deny,allow
                  deny from all
                  Yours reads

                  Code:
                  order allow,deny
                  allow from all
                  Perhaps you might be wise to consider the advice in the announcement and set to 'deny from all'?
                  OK, I have changed it. I have the CP log as follows; the N/A is the hacker that I already deleted. Any clue on what file he uploaded?
                  [ATTACH=CONFIG]n61918[/ATTACH]

                  Comment

                  • DemOnstar
                    Senior Member
                    • Nov 2012
                    • 1912

                    #10
                    Check your plugin manager for something you do not recognize...

                    Did you block his IP?


                    Comment

                    • theimforum
                      Senior Member
                      • Aug 2011
                      • 125
                      • 4.2.X

                      #11
                      Originally posted by DemOnstar
                      Check your plugin manager for something you do not recognize...

                      Did you block his IP?
                      There is one called VBulletin product with hook location: init_startup. Should I delete it or disable it? I don't know whether this is the one, though.

                      Comment

                      • theimforum
                        Senior Member
                        • Aug 2011
                        • 125
                        • 4.2.X

                        #12
                        I have replaced forum.php and it came back OK again. How do I stop being hacked again?

                        Comment

                        • DemOnstar
                          Senior Member
                          • Nov 2012
                          • 1912

                          #13
                          I have seen this one before....
                          Now, if you can copy it, I would copy it to a text editor and then delete from plugins...

                          If after this you are getting no problems, I would assume it is done...
                          If you do get problems, you could always put it back from your text editor...

                          You have to understand that I am not sure here...I look at my plugin manager currently I have 3 instances of init_startup, they all seem to be attached to a product.

                          Example: Product : vBulletin Blog
                          Example: Product : vBulletin CMS
                          Example: Product : Spam Hammer 1-Series

                          Hope that helps.....
                          If you have a backup of the database that may also be a boon. (Useful)

                          Perhaps make a backup now? The guy will still be in there on restore but you will be well ahead of him.



                          Comment


                          • DemOnstar
                            DemOnstar commented
                            Have you blocked his IP?
                        • theimforum
                          Senior Member
                          • Aug 2011
                          • 125
                          • 4.2.X

                          #14
                          Originally posted by DemOnstar
                          I have seen this one before....
                          Now, if you can copy it, I would copy it to a text editor and then delete from plugins...

                          If after this you are getting no problems, I would assume it is done...
                          If you do get problems, you could always put it back from your text editor...

                          You have to understand that I am not sure here...I look at my plugin manager currently I have 3 instances of init_startup, they all seem to be attached to a product.

                          Example: Product : vBulletin Blog
                          Example: Product : vBulletin CMS
                          Example: Product : Spam Hammer 1-Series

                          Hope that helps.....
                          If you have a backup of the database that may also be a boon. (Useful)

                          Perhaps make a backup now? The guy will still be in there on restore but you will be well ahead of him.

                          http://www.vbulletin.org/forum/showthread.php?t=231481
                          If you have read the previous post, I said that it's back online after I replaced forum.php; now all I need is to prevent such an incident from happening again.

                          Comment

                          • DemOnstar
                            Senior Member
                            • Nov 2012
                            • 1912

                            #15
                            The previous post was being composed as I was figuring out how to help you... We posted around the same time...

                            Anyway, aside... If your (entire) install folder has been deleted, that is allegedly the end of your concern...

                            Something to consider. You may want to look at your config.php?

                            Mine looks like this..

                            Code:
                                //    ****** USERS WITH ADMIN LOG VIEWING PERMISSIONS ******
                                //    The users specified here will be allowed to view the admin log in the control panel.
                                //    Users must be specified by *ID number* here. To obtain a user's ID number,
                                //    view their profile via the control panel. If this is a new installation,
                                //    the first user created will have a user ID of 1. Separate each userid with a comma.
                            $config['SpecialUsers']['canviewadminlog'] = '1';
                            
                                //    ****** USERS WITH ADMIN LOG PRUNING PERMISSIONS ******
                                //    The users specified here will be allowed to remove ("prune") entries from the admin
                                //    log. See the above entry for more information on the format.
                            $config['SpecialUsers']['canpruneadminlog'] = '1';
                            
                                //    ****** USERS WITH QUERY RUNNING PERMISSIONS ******
                                //    The users specified here will be allowed to run queries from the control panel.
                                //    See the above entries for more information on the format.
                                //    Please note that the ability to run queries is quite powerful. You may wish
                                //    to remove all user IDs from this list for security reasons.
                            $config['SpecialUsers']['canrunqueries'] = '1';
                            
                                //    ****** UNDELETABLE / UNALTERABLE USERS ******
                                //    The users specified here will not be deletable or alterable from the control panel by any users.
                                //    To specify more than one user, separate userids with commas.
                            $config['SpecialUsers']['undeletableusers'] = '1';
                            
                                //    ****** SUPER ADMINISTRATORS ******
                                //    The users specified below will have permission to access the administrator permissions
                                //    page, which controls the permissions of other administrators
                            $config['SpecialUsers']['superadministrators'] = '1';
                            Not sure if that is of any use but I have not been bothered by any hacker types so something is going my way...

                            Copy your database and copy your forum root....

                            Back it up.......................You never know..


                            Comment
