A new user account appeared in my database and somehow made himself an admin through the control panel. I'm assuming he used some exploit but I can't figure out what or how. The only clue I have is a handful of actions that appear in the Control Panel Log (image attached). Is there any way of telling what he did or what plugin he exploited? I deleted the user account, BTW, which is why it appears as N/A.
New user made himself an admin
Collapse
X
-
-
Best Regards
roStyles Design LLC
CEO & Founder (Design and Support)
Romanian Translator
Teascu DorinComment
-
First you need to follow our advisory about deleting the install folder off your forums.
Then please read the following two blog posts:
This guide is for what to do, after youÂ’ve been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-siteGetting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
👍 1Comment
-
Ironically, I have just noticed 3 users who have done the same on my forum within the last week or two. The issue was the fact that I had failed to delete the install folder. I've corrected this now, and I've deleted the other Admin accounts, but is it too late? Have I shut the barn door after the cows got out? What could they have done? What should I look for?Comment
-
-
Thanks. I uninstalled Skimlinks and Postrelease. I now notice that I'm getting the following warning: "Warning: Plugins are currently globally disabled via config.php." in the Plugins page. Is this normal, or should I go check that out? It seems like that's a good thing, except that I had previously had Forum Runner working correctly for the forum. I assume for Forum Runner to be working correctly in the past, I plugins must not have been globally disabled. Why would a hacker install plugins and then disable plugins?Comment
-
No real need to remove Skimlinks and Forum Runner...your rogue plugins are probably under the "vBulletin" product.
The message you are receiving is because plugins are ALL disabled, which is normal.
In this instance I would suggest raising a support ticket so we can get your login credentials and take a quick look around.
Please include AdminCP login and FTP credentials in the "Sensitive Data" field.MARK.B
vBulletin Support
------------
My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
My Unofficial vBulletin Cloud Demo: https://www.adminammo.comComment
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Comment