I got hacked, I fixed it. Here is my story to help others.

  • Bae
    Member
    • Oct 2009
    • 63
    • 3.8.x

    I got hacked, I fixed it. Here is my story to help others.

    Deleted..... 2nd post below is what I did.
    Last edited by Bae; Mon 16 Sep '13, 5:32pm.
  • garthivers
    New Member
    • Jan 2010
    • 1
    • 4.0.0

    #2
    DELETE YOUR INSTALL DIRECTORY IN FULL

    This is how they are accessing your site. Taken from elsewhere on the web.



    Last edited by Zachery; Mon 16 Sep '13, 4:52pm. Reason: Never post exploit details

    Comment

    • Zachery
      Former vBulletin Support
      • Jul 2002
      • 59097

      #3
      Never post how to use an exploit on this site, or links to how tos on how to take advantage of them.

      Please see these blog posts:

      Please read the following two blog posts:
      This guide is for what to do, after you've been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has


      Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide


      Also please see these recent security announcements:

      vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
      vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

      Comment

      • Bae
        Member
        • Oct 2009
        • 63
        • 3.8.x

        #4
        Thanks for the heads up guys. I deleted my post

        Comment

        • Eternal_
          Senior Member
          • Mar 2007
          • 398
          • 3.6.x

          #5
          My site was hacked on Sept 11, like many, and I've paid my host to remove the malware, but they want me to upgrade to the latest vbulletin first. Does that make sense? Shouldn't they remove the malware first, then I update the vbulletin to the latest version? I'm concerned that if I try to upgrade the vbulletin when they haven't fixed the malware, then I could lose everything. Should I tell my host to remove the malware first?

          The homepage of my vbulletin doesn't work - the hackers message appears instead. Also the login.php page doesn't work. However I can access the forum and post by going to specific post pages. I feel like it's risky to upgrade to the latest version of 4.x under these circumstances. Should I be worried?

          Comment

          • Bae
            Member
            • Oct 2009
            • 63
            • 3.8.x

            #6
            What version are you running now, Eternal?

            Comment

            • Eternal_
              Senior Member
              • Mar 2007
              • 398
              • 3.6.x

              #7
              Originally posted by Bae
              What version are you running now, Eternal?
              I'm running vBulletin 4.1.0 Patch Level 2

              Comment

              • Eternal_
                Senior Member
                • Mar 2007
                • 398
                • 3.6.x

                #8
                So, does anyone know what I should do? I deleted the install folder. Should I have my host remove the malware before I upgrade vbulletin to the latest version, or should I upgrade to the latest version then get my host to remove the malware?

                Comment

                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73976

                  #9
                  Originally posted by Eternal_

                  I'm running vBulletin 4.1.0 Patch Level 2
                  This is a very out of date version. There have been 14 releases since then. All fixing bugs and issues that can make your site more secure. Even then vBulletin 4.1.0 is on Patch level 9.

                  You need to delete the malware before upgrading. Remove any plugins you didn't install. Delete any suspect files.

                  Then upgrade.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API

                  Comment

                  • skeetgunner
                    New Member
                    • Mar 2006
                    • 5
                    • 4.0.0

                    #10
                    Originally posted by Wayne Luke
                    You need to delete the malware before upgrading. Remove any plugins you didn't install. Delete any suspect files.
                    In addition to this advice, I would suggest compromised sites begin deleting any recently created admin accounts or user accounts that are flagged by the upgrade process as having customized key templates. Protecting the real admin accounts with edit restrictions in the config.php file is probably a good idea too.

                    Comment
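
An added example, not part of any post in this thread and not vBulletin's own tooling: a file-level audit for the cleanup order described above (installer directory removed, suspect files reviewed before upgrading). It assumes the installer lives in `install/` under the forum root and treats "recent" as a configurable number of days; accounts and plugins stored in the database are outside its scope.

```shell
#!/bin/sh
# Added example: file-level audit of a forum web root after a compromise.
# Assumptions (not from the thread): the installer directory is "install/"
# directly under ROOT, and "recent" means modified within the last DAYS days.

# audit_forum_root ROOT [DAYS]
# Prints one finding per line. Returns 0 if nothing was flagged,
# 1 if anything was flagged, 2 if ROOT is not a directory.
audit_forum_root() {
    root=$1
    days=${2:-30}
    if [ ! -d "$root" ]; then
        echo "ERROR not a directory: $root" >&2
        return 2
    fi
    findings=0

    # 1. The installer must not be reachable on a live site.
    if [ -d "$root/install" ]; then
        echo "INSTALL_DIR_PRESENT $root/install"
        findings=1
    fi

    # 2. PHP files changed recently: compare each against a clean copy of
    #    the same release before upgrading over the top of them.
    recent=$(find "$root" -type f -name '*.php' -mtime "-$days" \
        ! -path "$root/install/*" | sort)
    if [ -n "$recent" ]; then
        echo "$recent" | sed 's/^/RECENT_PHP /'
        findings=1
    fi

    # 3. PHP files any local user can rewrite.
    writable=$(find "$root" -type f -name '*.php' -perm -0002 | sort)
    if [ -n "$writable" ]; then
        echo "$writable" | sed 's/^/WORLD_WRITABLE_PHP /'
        findings=1
    fi

    return "$findings"
}

# Run directly: sh audit.sh /path/to/forum 30
if [ "$#" -gt 0 ]; then
    audit_forum_root "$@"
fi
```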

                    • Eternal_
                      Senior Member
                      • Mar 2007
                      • 398
                      • 3.6.x

                      #11
                      Originally posted by Wayne Luke
                      This is a very out of date version. There have been 14 releases since then. All fixing bugs and issues that can make your site more secure. Even then vBulletin 4.1.0 is on Patch level 9.

                      You need to delete the malware before upgrading. Remove any plugins you didn't install. Delete any suspect files.

                      Then upgrade.
                      Thank you, I will tell my hosting provider to remove malware.

                      I didn't update that version because it was good. Every time I would visit the vbulletin forum here people were complaining that there were bugs in the upgrade, so I figured if there are so many bugs why would I want to upgrade and screw up my site and try to fix it. It seemed that every time I turned around the latest release had major issues so I didn't want to risk it and put myself through all the fixing every time I turned around since the version I was running was working fine.

                      Originally posted by skeetgunner

                      In addition to this advice, I would suggest compromised sites begin deleting any recently created admin accounts or user accounts that are flagged by the upgrade process as having customized key templates. Protecting the real admin accounts with edit restrictions in the config.php file is probably a good idea too.
                      Thank you. I saw that there were 3 new admin accounts, which I have deleted.

                      I'm wondering - if I change the cpanel password will anything need to be changed in vbulletin backend or in the config file. In other words, if I change the password for cpanel/ftp access will the vbulletin lock me out or will it still work properly?
                      Last edited by Eternal_; Sun 22 Sep '13, 8:42am.

                      Comment

                      • donald1234
                        Senior Member
                        • Oct 2011
                        • 1953
                        • 4.1.x

                        #12
                        Not sure if you mean admincp or whm cpanel or both, but in both cases it's no; your admincp pass is encrypted and stored in the database, not config.php, and whm cpanel has nothing to do with vbulletin, but it's wise to change its password periodically, as if an attacker gets in there he can delete everything inc your backups.

                        Comment
