Hi all, thought I'd do a quick share of my experiences in the last few days and what I've seen. I help run a small car club forum that I've only recently taken over. On Tuesday we had the site defaced and a couple of admin accounts created. After reading the thread on what to do after being hacked (http://www.vbulletin.com/forum/blogs...ve-been-hacked),
I followed the steps as mentioned in the thread. In our case the hackers created 2 admin accounts, which I removed. I've checked all the accounts with admin rights and I was left with what I was expecting.
I checked the logs and found the following:
11196 N/A 08:05, 16th Sep 2013 plugin.php edit plugin id = 201 198.7.58.98
11195 N/A 08:04, 16th Sep 2013 plugin.php update 198.7.58.98
11194 N/A 08:04, 16th Sep 2013 plugin.php add 198.7.58.98
11219 N/A 10:44, 16th Sep 2013 plugin.php 180.149.0.249
11218 N/A 10:44, 16th Sep 2013 plugin.php doimport 180.149.0.249
11217 N/A 10:43, 16th Sep 2013 subscriptions.php modify 180.149.0.249
11216 N/A 10:43, 16th Sep 2013 plugin.php files 180.149.0.249
11215 N/A 10:43, 16th Sep 2013 plugin.php edit plugin id = 202 180.149.0.249
11214 N/A 10:43, 16th Sep 2013 plugin.php update 180.149.0.249
11213 N/A 10:42, 16th Sep 2013 plugin.php add 180.149.0.249
I checked plugins 201 and 202 and found one called Hell and another called something else. I removed these plugins. I then ran an update on the forum and deleted the /install directory to stop the current known exploit.
The next day I found that the site was once again defaced. I checked the admin logs: no admin accounts, but yet the hackers seem to still have control of my forum. I've been trawling through the database and found the following. The call seems to be ( (strpos($_SERVER['PHP_SELF'],"subscriptions.php...) and it then has a base64-encoded script after it. I'm not a PHP programmer, but a quick Google seems to suggest that this function will output a PHP file (subscription.php) that can be called upon later (thus creating another back door once this plugin has fired up).
Unfortunately I don't have a really recent backup of my forum database, so I can afford to revert back to one from a few months back as a result.
Question is to you guys: is there somewhere I can check which plugins are legitimate and which are not? Also, the tables created after this one: can I presume these have been created by the hacker, or have they been created by me updating vBulletin?
Any help is appreciated!
Cheers,
Andrew
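The post above describes a plugin whose PHP code checks `$_SERVER['PHP_SELF']` for `subscriptions.php` and then runs a base64-encoded payload. The script below is an added example (not code from the original post or from vBulletin) of how a forum admin could triage a dump of the plugin table for that pattern: it flags `eval`, `base64_decode`, `$_SERVER['PHP_SELF']` checks, file writes and command execution, and decodes any long base64 string literal so the hidden code can be read and scanned too. It assumes vBulletin's `plugin` table exposes `pluginid`, `title`, `hookname` and `phpcode` columns; the two sample rows are constructed for illustration, and the base64 payload in the second one is a harmless placeholder, not a real backdoor.

```python
import base64
import re
import string

# Constructed placeholder payload mimicking the shape of the dropper described
# in the post: a base64 blob that, when eval'd, writes a PHP file to disk.
PAYLOAD = b'file_put_contents("subscription.php", "<?php /* placeholder */ ?>");'
MALICIOUS_CODE = (
    "if (strpos($_SERVER['PHP_SELF'],\"subscriptions.php\") !== false) {"
    " eval(base64_decode(\"" + base64.b64encode(PAYLOAD).decode("ascii") + "\")); }"
)

# Constructed sample rows shaped like vBulletin's `plugin` table (column names
# are an assumption). The first row is a benign-looking hook; the second mimics
# the "Hell" plugin from the post.
SAMPLE_PLUGINS = [
    {"pluginid": 12, "title": "Thread Views", "hookname": "showthread_start",
     "phpcode": '$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . '
                '"thread SET views = views + 1 WHERE threadid = $threadid");'},
    {"pluginid": 202, "title": "Hell", "hookname": "global_start",
     "phpcode": MALICIOUS_CODE},
]

# Indicators a practitioner would look for in plugin code. Legitimate plugins
# rarely need any of these; a hit is a reason to read the code, not proof.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "php_self_check": re.compile(r"\$_SERVER\s*\[\s*['\"]PHP_SELF['\"]\s*\]"),
    "file_write": re.compile(r"\b(?:file_put_contents|fwrite|fopen|move_uploaded_file)\s*\(", re.I),
    "command_exec": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
}

# A quoted string of 20+ base64 characters with optional padding.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{20,}={0,2})['\"]")
PRINTABLE = set(string.printable)


def decode_base64_literals(phpcode):
    """Return the decoded text of every long base64-looking literal in phpcode
    whose decoded bytes are printable text (i.e. probably embedded PHP)."""
    decoded = []
    for match in B64_LITERAL.finditer(phpcode):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text and all(ch in PRINTABLE for ch in text):
            decoded.append(text)
    return decoded


def find_indicators(code):
    """Names of all indicator patterns that match the given code string."""
    return [name for name, rx in INDICATORS.items() if rx.search(code)]


def scan_plugin(row):
    """Scan one plugin row: direct hits plus hits inside decoded base64 blobs."""
    hits = find_indicators(row["phpcode"])
    decoded = decode_base64_literals(row["phpcode"])
    for text in decoded:
        hits.extend("decoded:" + name for name in find_indicators(text))
    return {"pluginid": row["pluginid"], "title": row["title"],
            "hookname": row["hookname"], "hits": hits, "decoded": decoded}


def scan_plugins(rows):
    """Return only the rows with at least one hit, most suspicious first."""
    findings = [scan_plugin(row) for row in rows]
    return sorted((f for f in findings if f["hits"]),
                  key=lambda f: len(f["hits"]), reverse=True)


if __name__ == "__main__":
    for finding in scan_plugins(SAMPLE_PLUGINS):
        print(f"plugin {finding['pluginid']} '{finding['title']}' on hook "
              f"{finding['hookname']}: {', '.join(finding['hits'])}")
        for text in finding["decoded"]:
            print("  decoded payload:", text)
```

In practice you would feed this a `SELECT pluginid, title, hookname, phpcode FROM plugin` export rather than the constructed rows. The decoded payload is scanned with the same indicators as the outer code, so a file write or shell call hidden behind `base64_decode` still shows up as a `decoded:` hit; nested encodings (base64 inside gzinflate, for example) would need another decoding pass, which is why `obfuscation` is flagged on its own.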