I have a couple of vBulletin 4.x forums.
One was hacked a couple of months back and the hackers created some phishing mechanism on the site. We were alerted to this by Apple and we identified the files and removed them. We found the hacker had added a couple of extra admins which we deleted.
On Sunday the site was hacked again. This time they deleted all the vBulletin files and put up their own home page bearing what looked like some jihadist message.
The database was still there.
We had a backup of the files from about two weeks ago so we uploaded them all, then immediately upgraded vBulletin to 4.2.2 (and deleted the install folder!). I also made sure there were no new admins.
This morning the site files had been deleted again, by a different hacker.
It seems therefore that there must be something in the database that is enabling them to get in again.
At this stage we haven't bothered rebuilding the site.
Of more urgency is our other larger vBulletin site which I also just upgraded from 4.1.x to 4.2.2. This site hasn't been taken down but over the weekend we found that it had been compromised, so we upgraded it to 4.2.2.
I am looking through the database table "adminlog" and I can see some IPs listed which indicate illegal access back in Sept. They were executing the plugin.php script with actions like "doimport" and "files".
Of course I just upgraded the site, so many of the files and folders have the upgrade date and time.
I am looking for some advice on what to do. I need to secure the existing forum and find and remove any backdoors, then I need to do the same for the site they took down before I restore it again.
If I were to rebuild the site from scratch, including a new database, is there any way to transfer all the users and posts from the old database?
Any ideas and suggestions are welcome.