Hacked but how?

  • THe Slug
    Member
    • Sep 2011
    • 31
    • 4.1.x

    [Forum] Hacked but how?

    Yesterday my site was hacked. Luckily for us our hosting company spotted the file and blocked it, but how did they gain access to my site?
    We had just changed the password to another complex one. The admin account is not called admin. My FTP account is different to all the login accounts, and so is the one for the hosting company.

    So how did they drop an id.php file on my root, create a new admin account and a new forum folder inside my files?

    Does 4.2.1 still have loopholes?
    Is my hosting company to blame?

    Or have I simply done something wrong with the security of my site?

    Would really like some answers as more and more vBulletin sites are being hacked daily.

    Thanks.
  • Amaury
    Senior Member
    • Mar 2012
    • 1807
    • 4.2.X

    #2
    Remove your install directory. There's currently a known exploit.
    Former vBulletin user


    • Zachery
      Former vBulletin Support
      • Jul 2002
      • 59097

      #3
      Please read the following two blog posts:
      This guide is for what to do, after you’ve been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has


      Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide


      • THe Slug
        Member
        • Sep 2011
        • 31
        • 4.1.x

        #4
        My install directory had been removed.

        Today at 04:03 I was hit again, but this time with a redirect page. I have managed to get my home page back, but when clicking on the forum I again get sent to this redirect page. Have a look if you like... www.stratosec.com/Forum

        Can someone tell me what the site is meant to do when you go to the above link, so I can find where this redirect is hiding, as I do not have the knowledge to find it at the moment.

        Thank you.
        Last edited by THe Slug; Wed 25 Sep '13, 2:15pm.


        • THe Slug
          Member
          • Sep 2011
          • 31
          • 4.1.x

          #5
          I have just found 2 plugins: 1. called Indonesian Hacker, the other 2. called vbulletin. Both are in the hook init_startup.
          Clearly No. 1 should not be there, but should the 2nd one?


          • cowudders14
            Member
            • Jul 2006
            • 42
            • 3.6.x

            #6
            I was also recently hacked using version 4.2.0. I've upgraded and checked my site throughout.

            Some handy hints from what I found:
            I had three new admin users created. How, I don't know, but they were there, with full access to everything. Check your control panel logs: ACP -> Statistics and logs -> Control panel log and see if you have any usernames you don't recognise. There should only be legit admins in here. root is not a legit admin.


            I also found that my permissions had been changed and some templates had been modified.
            This is a useful post: http://www.vbulletin.com/forum/blogs...ve-been-hacked

            HTH


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 74154

              #7
              As stated above, delete your install directory.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API


              • markp_2000
                Member
                • Jul 2006
                • 40
                • 4.1.x

                #8
                They have installed plugins that run an eval(gzinflate(base64_decode('bbblah'))); hack. It appears they use two plugins to execute the hack and both have common names. The two plugins were named 'vBulletin' and 'use memcached instead of db for datastore items'. When I ran a decode on the eval script it basically created a phpMyAdmin shell that allowed full access to the backend database.
                www.hotcouponworld.com
                www.organicgrocerydeals.com
                www.momsinthetrenches.com (still developing)
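The plugin-based payload described in this thread (an `eval(gzinflate(base64_decode('...')))` chain stored in a plugin attached to a hook such as init_startup) can be found and inspected without ever executing it. The following is an added example for defenders, not code from the thread or from vBulletin: it scans rows shaped like vBulletin's plugin table (hookname, title, phpcode, an assumed layout) for that obfuscation chain and peels the base64 and raw-DEFLATE layers so the hidden code can be read. The sample rows and the "payload" they carry are constructed from a harmless marker string.

```python
import base64
import re
import zlib

# Matches eval(gzinflate(base64_decode('<base64>'))) regardless of whitespace.
OBFUSCATED = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)", re.S
)

def _wrap(inner: str) -> str:
    """Build a sample obfuscated plugin body (raw DEFLATE + base64, the form gzinflate() expects)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(co.compress(inner.encode()) + co.flush()).decode()
    return f"eval(gzinflate(base64_decode('{blob}')));"

# Constructed rows in the assumed shape of the vBulletin `plugin` table: (hookname, title, phpcode).
# Titles mirror the ones reported in the thread; the inner code is only a marker string.
SAMPLE_PLUGINS = [
    ("init_startup", "Indonesian Hacker", _wrap("/* constructed marker: stage one */")),
    ("init_startup", "vBulletin", _wrap(_wrap("/* constructed marker: nested stage two */"))),
    ("global_start", "use memcached instead of db for datastore items",
     "$vbulletin->datastore->fetch(array('forumcache'));"),  # plain, not obfuscated
]

def peel_layers(phpcode: str, max_depth: int = 10) -> tuple[str, int]:
    """Decode nested eval(gzinflate(base64_decode())) layers without executing anything.
    Returns (innermost code, number of layers removed)."""
    depth = 0
    while depth < max_depth:
        m = OBFUSCATED.search(phpcode)
        if not m:
            break
        phpcode = zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")
        depth += 1
    return phpcode, depth

def scan_plugins(rows):
    """Return (hookname, title, layers, decoded code) for every plugin that carries the obfuscation chain."""
    hits = []
    for hookname, title, phpcode in rows:
        decoded, layers = peel_layers(phpcode)
        if layers:
            hits.append((hookname, title, layers, decoded))
    return hits

if __name__ == "__main__":
    for hookname, title, layers, code in scan_plugins(SAMPLE_PLUGINS):
        print(f"[{hookname}] {title!r}: {layers} layer(s) -> {code[:70]}")
```

Against a real site, export the plugin table's phpcode column (or the contents of suspicious files) into the rows list and review every hit by hand; a legitimate plugin has no reason to hide its code this way.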
