Forum Hacked

  • Bone Head
    Member
    • Sep 2000
    • 71

    Forum Hacked

    Hi
    This morning our site was hacked. When you click on the forum link the window shrinks and moves around in circles before going full screen and it has a message saying:

    Sorry admin protection was skipped
    Nacked by Saudi injector.

    I'm using 4.2.1 and there was a new admin user created too.

    I had deleted the install directory.

    Can anyone help me with what to do please?
    Batter Late than ....... pregnant
  • beishe8
    Senior Member
    • Oct 2005
    • 6782
    • 4.2.X

    #2
    Originally posted by Bone Head
    I had deleted the install directory.
    What about the new admin?



    vB5 is unequivocally the best forum software, but not yet...

    Comment

    • Bone Head
      Member
      • Sep 2000
      • 71

      #3
      It was a user called I so I deleted it.
      Batter Late than ....... pregnant

      Comment

      • Bone Head
        Member
        • Sep 2000
        • 71

        #4
        I found 3 files in the root of the attachments directory: cp.php, injector.php and php.ini
        Batter Late than ....... pregnant

        Comment

        • Scottt
          New Member
          • Feb 2010
          • 13
          • 4.0.0

          #5
          This had happened to our site twice within a few days.

          They gained access to admin by logging in to one of the 3 admin accounts and created a new one. Then they installed a Subscription through the add on which did a bunch of stuff. It can also be done through attachments and plugins. You need to make sure your admins are changing their passwords regularly and that they are good. My site had 5 additional Admins listed. I banned them rather than deleted. 2 of my admins are listed in the Config.php file so those no one can change. Yours will be set up the same way. Your admin url you should know so you can get in if they totally take over the site.

          The quickest fix is to ftp your root directory back up to your server. You don't have to do your database generally and if you keep backups there don't do those or it will take too long. Once it is back up ban the extra admins and change your passwords.
          Last edited by Scottt; Fri 20 Sep '13, 2:57am.

          Comment

          • Zachery
            Former vBulletin Support
            • Jul 2002
            • 59097

            #6
            Please read the following two blog posts:
            This guide is for what to do, after you've been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has

            Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide

            Also please see these recent security announcements:
            vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
            vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

            Comment

            • Bone Head
              Member
              • Sep 2000
              • 71

              #7
              Hi
              I deleted the \install directory ages ago when I upgraded, so any idea how this has happened?
              Batter Late than ....... pregnant

              Comment

              • Bone Head
                Member
                • Sep 2000
                • 71

                #8
                There were only ever 2 admin accounts too, mine and the one you guys set up years ago to work on our forums in the early days (we have been using your products since day one almost)
                Batter Late than ....... pregnant

                Comment

                • Bone Head
                  Member
                  • Sep 2000
                  • 71

                  #9
                  I think I have fixed my forum.

                  Just to confirm, I had removed my install directory, when I upgraded which must have been a couple of months ago. There are only 2 admins on my forums (one now as I have removed the vbulletin account that they used to fix something years ago).

                  I would like to know how they managed to hack my site?
                  Batter Late than ....... pregnant

                  Comment

                  • donald1234
                    Senior Member
                    • Oct 2011
                    • 1953
                    • 4.1.x

                    #10
                    If they never got in through the install directory, it must be a completely different hack, maybe a plugin or something.

                    Comment

                    • kat00
                      Senior Member
                      • Dec 2006
                      • 259
                      • 4.0.0

                      #11
                      Yeah, we got hacked too, in the last 48 hours Indonesian Defacer.
                      Reinstalled the files. DB seems OK.
                      Even when the reinstallation was done I could see the forum and see the threads but when I clicked on the thread the only thing I could see on the screen was "Choose File- No File Chosen"
                      Turned the plugin/hook system off and regained control of the site.
                      There was nothing in the manage products but in plugin manager there was a plugin called "Indonesian Defacer" Deleted that plugin, turned the Hook/plugin system back on and all seems well.
                      Not 100% certain I'm out of the woods yet but fingers Xed.
                      Was running 4.2.0 Now running 4.2.1
                      ttttt

                      Comment

                      • abinadi
                        New Member
                        • Jul 2006
                        • 2
                        • 3.5.x

                        #12
                        Well, the INSTALL directory, if deleted, does NOT stop these people. I had vb staff do an upgrade (yes I paid for one) they removed the install directory - two days later the hackers do their trash. SO I perform an upgrade (no changes other than redo the templates) - and all works fine - and Yes I DELETED the install folder, and removed the Admin they added - changed the PWD on every account from root up to the domain account (and all db accounts, admin accounts, etc.). ONE day later they are back and the forum.php is redirected to their paid advertising. Suggestions?

                        Comment

                        • hurricane_sh
                          Senior Member
                          • Mar 2005
                          • 171

                          #13
                          I'm wondering if you protected your admincp and modcp directories, if yes, I have something to worry about also.

                          Comment

                          • Bone Head
                            Member
                            • Sep 2000
                            • 71

                            #14
                            I think we all have something to worry about.
                            Batter Late than ....... pregnant

                            Comment

                            • Bone Head
                              Member
                              • Sep 2000
                              • 71

                              #15
                              Although my forum seems to be running OK I still get suspect file versions when I check them via the admin CP
                              Namely index.php and forums.php
                              I have uploaded a complete new install again and nothing has changed.
                              Any help from anyone (not least the VB team) would be greatly appreciated
                              Batter Late than ....... pregnant

                              Comment
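Several posts above rely on re-uploading the forum files. As an added example (not code from any poster or from vBulletin), this compares a live web root against a freshly unpacked copy of the same release by SHA-256; re-uploading only overwrites files, so the "added" list is what an upload alone leaves behind. The directory layout and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root)] = digest
    return digests


def compare_trees(clean_root, live_root):
    """Classify live files against a known-good copy of the same release."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def write_tree(root, files):
    """Create the constructed sample files under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed trees: a clean package and a live root with one edit and one extra file."""
    with tempfile.TemporaryDirectory() as base:
        clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
        write_tree(clean, {"index.php": b"<?php // v1", "forum.php": b"<?php // v1",
                           os.path.join("install", "upgrade.php"): b"<?php // v1"})
        write_tree(live, {"index.php": b"<?php // v1", "forum.php": b"<?php // edited",
                          os.path.join("attachments", "cp.php"): b"<?php // extra"})
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files that legitimately differ per site, such as the configuration file and user uploads, will show up as modified or added and need to be reviewed by hand.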
