
up to date vbulletin site getting re-hacked, what to do?


  • up to date vbulletin site getting re-hacked, what to do?

    I have a couple of vbulletin 4.x forums.

    One was hacked a couple of months back and the hackers created some phishing mechanism on the site. We were alerted to this by Apple and we identified the files and removed them. We found the hacker had added a couple of extra admins which we deleted.

    On Sunday the site was hacked again. This time they deleted all the vbulletin files and put up their own home page bearing what looked like some jihadist message.

    The database was still there.

    We had a backup of the files from about two weeks ago so we uploaded them all, then immediately upgraded vbulletin to 4.2.2 (and deleted the install folder!). I also made sure there were no new admins.

    This morning the site files had been deleted again, by a different hacker.

    It seems therefore that there must be something in the database that is enabling them to get in again.

    At this stage we haven't bothered rebuilding the site.

    Of more urgency is our other larger vbulletin site which I also just upgraded from 4.1.x to 4.2.2. This site hasn't been taken down but over the weekend we found that it had been compromised, so we upgraded it to 4.2.2.

    I am looking through the database table "adminlog" and I can see some IPs listed which indicate illegal access back in Sept. They were executing the plugin.php script with actions like "doimport" and "files".

    Of course I just upgraded the site, so many of the files and folders have the upgrade date and time.

    I am looking for some advice on what to do. I need to secure the existing forum and find and remove any backdoors, then I need to do the same for the site they took down before I restore it again.

    If I were to rebuild the site from scratch, including a new database, is there any way to transfer all the users and posts from the old database?

    Any ideas and suggestions are welcome.

  • hurricane_sh
    replied
    The most helpful protection is to password-protect the admin directory; they can't do much damage even if your forum was hacked. I had two forums hacked due to the install folder problem, but the only changes were two extra admin accounts.

    This also applies to other software such as wordpress.



  • Joe D.
    replied
    Great, thanks for the follow-up - sorry this happened but glad you have figured out the how and why.

    Also, if you haven't already done so we've had reports of backdoors being left in a few folders not scanned by our "suspect file" tool - this site has good advice on cleaning and securing these several directories - http://vbtechsupport.com/2355/10/



  • kjh411
    replied
    Originally posted by Joe D.:
    Is it possible you were "hacked" back then but they didn't do anything to deface the forum or files until recently? That's the most likely source at this point- they either had an Admin account or plugin you didn't notice and were able to call upon it later when needed. Even if you upgraded sometime since it wouldn't have cleared a bad/rogue plugin.
    This is exactly what happened. We now know they hacked the sites on 8 Sept and inserted two rogue plugins. We removed the Install folder from the sites later in Sept. The hacking came to light on one of the sites in Oct at which point we found additional admin accounts had been added to both sites, which we deleted, but the plugins continued to give them access, not only to the vbulletin sites, but it allowed them to access the cpanel accounts without a password! They then uploaded more files to the server that gave them access and allowed them to turn off mod_security.

    I would encourage anyone who removed their install folder AFTER say beginning of August, to check for any plugins in the vBulletin section in the Plugin Manager, and of course for extra admin accounts.



  • Joe D.
    replied
    The /includes/ folder can also be locked down via htaccess.

    I see your sites have been up for a while. Back in August/September an exploit was found that allowed users to create new Admin accounts- the solution was to delete the /install/ folder. Is it possible you were "hacked" back then but they didn't do anything to deface the forum or files until recently? That's the most likely source at this point- they either had an Admin account or plugin you didn't notice and were able to call upon it later when needed. Even if you upgraded sometime since it wouldn't have cleared a bad/rogue plugin.



  • kjh411
    replied
    The thing that's really bugging me, is how did they manage to upload plugins in the first place? How could they access my vbulletin sites as admins?

    This is what I want to make sure they cannot do again, because it seems that was the beginning of this whole saga.

    In addition to locking down things like admincp and modcp with .htaccess files, what else can be done in terms of file and folder permissions?



  • Joe D.
    replied
    Yeah, they were probably using your site to host phishing scams they would email people to look like legitimate emails from their banks. Glad you caught it. Those plugins basically allowed them free access to your server.



  • kjh411
    replied
    Thanks Joe. I found two plugins in the vbulletin section of Plugin Manager that are definitely bad, both called init_startup. Both of these plugins were comprised almost entirely of base64 code. I even tried running them through a decoder, but it didn't work. But I could see that one had a reference to help.php and the other subscriptions.php.

    When looking through the server logs after we shut the site down we could see GET calls being made to admincp/help.php and admincp/subscriptions.php. I would hazard a guess that this is how the hackers were accessing the public_html folder.

    I am also guessing that the activity we saw in the admin log back in Sept (mentioned in my previous post) was the installation of these plugins.

    Also, on one of the hacked sites we found what was effectively another site (a banking scam site) hidden in the store_sitemap folder.



  • Joe D.
    replied
    Did you check your list of plugins to see if there are any plugins with bad code in them? Unfortunately there is no easy way to check every plugin quickly. To truly be safe you need someone who knows what they are doing to manually look through every plugin. For those who don't know what they are doing you should re-install every modification you currently have installed (upgrade them if available, but re-import the product XML file for sure) - this will replace any altered plugins with the originals from the product.

    Plus in plugin manager check if you have any plugins listed at top under the "vBulletin" product- none of these are there by default so check their code- if you didn't create them yourself (or another site Admin) then they should be at the very least disabled, and then deleted if you are sure they serve no legitimate purpose.

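The plugin review Joe D. describes above, together with the base64-heavy init_startup plugins kjh411 reports finding, can be turned into a first-pass scan of the plugin table. The script below is an added example, not code from this thread or from vBulletin. It assumes rows exported from the plugin table (for instance via phpMyAdmin) with the columns pluginid, title, hookname, product, active and phpcode, and that the core product is stored as the string "vbulletin" (an assumption about the schema, to be checked against your own export). The sample rows are constructed, and the base64 blob is built from a harmless string at import time. It is a triage aid only: as Joe D. says, every hit still needs a person to read the code.

```python
"""First-pass scan of vBulletin 4 `plugin` table rows for signs of tampering.

Added example, not code from this thread or from vBulletin. It assumes rows
exported from the plugin table with the columns pluginid, title, hookname,
product, active and phpcode, and that the core product is stored as the
string "vbulletin" (an assumption about the schema). Sample rows below are
constructed; the base64 blob is built from a harmless string at import time.
"""
import base64
import re

# PHP calls that hand-written plugins rarely need but obfuscated ones lean on.
OBFUSCATION_FUNCS = (
    "base64_decode", "eval(", "gzinflate", "gzuncompress",
    "str_rot13", "assert(", "create_function",
)
# A run of 40+ base64 characters is unusual in plugin code written by a person.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed stand-in for an encoded payload (decodes to a harmless echo).
SAMPLE_B64 = base64.b64encode(b"echo 'constructed sample payload';").decode("ascii")

# Constructed sample rows shaped like the plugin table (not real data).
SAMPLE_PLUGINS = [
    {"pluginid": 1, "title": "init_startup", "hookname": "init_startup",
     "product": "vbulletin", "active": 1,
     "phpcode": f"eval(base64_decode('{SAMPLE_B64}'));"},
    {"pluginid": 2, "title": "Veteran badge", "hookname": "postbit_display_complete",
     "product": "my_badges", "active": 1,
     "phpcode": "$post['badge'] = ($post['posts'] > 1000) ? 'veteran' : 'member';"},
    {"pluginid": 3, "title": "Site notice", "hookname": "global_complete",
     "product": "vbulletin", "active": 0,
     "phpcode": "$footer .= '<!-- site notice -->';"},
    {"pluginid": 4, "title": "init_startup", "hookname": "init_startup",
     "product": "vbulletin", "active": 1,
     "phpcode": "eval(gzinflate(str_rot13($c)));"},
]


def obfuscation_indicators(phpcode):
    """Names of suspicious calls found in the plugin's PHP, plus long base64 runs."""
    hits = [f"calls {fn}" for fn in OBFUSCATION_FUNCS if fn in phpcode]
    if LONG_B64.search(phpcode):
        hits.append("long base64 run")
    return hits


def plugin_findings(plugin):
    """All reasons a single plugin row deserves a manual look (empty if none)."""
    reasons = []
    # Joe D.'s point: nothing ships under the core product by default, so any
    # plugin filed there was added by an admin or by an intruder.
    if plugin["product"] == "vbulletin":
        reasons.append("custom plugin under core 'vbulletin' product")
    reasons.extend(obfuscation_indicators(plugin["phpcode"]))
    return reasons


def scan_plugins(plugins):
    """Map pluginid -> list of reasons, for every plugin that has at least one."""
    report = {}
    for plugin in plugins:
        reasons = plugin_findings(plugin)
        if reasons:
            report[plugin["pluginid"]] = reasons
    return report


if __name__ == "__main__":
    by_id = {p["pluginid"]: p for p in SAMPLE_PLUGINS}
    for pluginid, reasons in scan_plugins(SAMPLE_PLUGINS).items():
        p = by_id[pluginid]
        state = "active" if p["active"] else "inactive"
        print(f"plugin {pluginid} '{p['title']}' on hook {p['hookname']} ({state}):")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it against a real export by replacing SAMPLE_PLUGINS with the rows from your own plugin table; plugins flagged only for sitting under the core product are the ones to compare against what you or your other admins remember creating, while anything with eval/base64 indicators should be disabled first and read afterwards.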


  • kjh411
    replied
    I'd like to add something that we found in our current investigations. We found that intruders from two different IP addresses had accessed our two vbulletin 4.2.0 sites as admin.

    You can check our particular scenario on your own site if you have access to phpMyAdmin.

    In phpMyAdmin, search your adminlog table for "plugin.php" in the script column. Then look through the IP addresses for anything that doesn't belong to any of your administrators.

    If you're not sure, checking the IP on a site such as http://software77.net/geo-ip/ can help. For example we're in Australia so when we found IPs from Morocco and India we knew this wasn't good.

    We found these two rogue IPs both gained admin access within a few minutes of each other (to decode the dateline in your database use http://www.epochconverter.com/ ). The actions they performed were "doimport" and "files". They did this on both of our vbulletin 4 sites within minutes of each other.

    What's interesting is that this happened in September, but they didn't do anything really obvious until last week (December). However, in November we were alerted to the fact that they had set up some sort of phishing system on one of our forums that we were completely unaware of. We thought we had cleaned it up, but I think there was still a backdoor.

    Last week they took one of our vbulletin sites down completely (deleted all the files). They left the other site intact but put a spam mailer on it, which we were alerted to by our firewall.

    The moral of the story is that it's not necessarily obvious that you have been hacked.

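The adminlog check kjh411 walks through above (filter on plugin.php, look for IPs that are not your admins', convert the dateline) can be scripted once the table is exported. The script below is an added example, not code from this thread or from vBulletin. It assumes rows exported from the adminlog table with the columns userid, ipaddress, dateline, script and action, and an allowlist of the networks your real administrators log in from (ADMIN_NETWORKS, a placeholder you must fill in). The rows below are constructed sample data. It also goes one step beyond the post: it groups the flagged entries per source IP and reports unknown IPs whose first entries fall within minutes of each other, the pattern kjh411 observed.

```python
"""Triage a vBulletin 4 `adminlog` export for admin activity from unknown IPs.

Added example, not code from this thread or from vBulletin. It assumes rows
exported from the adminlog table (for example via phpMyAdmin) with the
columns userid, ipaddress, dateline, script and action, plus your own list of
the networks your real administrators log in from. The rows below are
constructed sample data, not real log entries.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Networks your genuine administrators use (placeholder: replace with your own).
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]

# Admin scripts worth reviewing; the thread saw plugin.php with doimport/files.
WATCHED_SCRIPTS = {"plugin.php"}

# Constructed sample rows shaped like adminlog (dateline is Unix epoch seconds).
ADMINLOG_ROWS = [
    {"userid": 1, "ipaddress": "203.0.113.10", "dateline": 1378602000, "script": "index.php", "action": ""},
    {"userid": 1, "ipaddress": "203.0.113.10", "dateline": 1378605600, "script": "plugin.php", "action": "doimport"},
    {"userid": 1, "ipaddress": "198.51.100.23", "dateline": 1378634400, "script": "plugin.php", "action": "doimport"},
    {"userid": 1, "ipaddress": "198.51.100.23", "dateline": 1378634460, "script": "plugin.php", "action": "files"},
    {"userid": 1, "ipaddress": "192.0.2.77", "dateline": 1378634640, "script": "plugin.php", "action": "doimport"},
    {"userid": 1, "ipaddress": "192.0.2.77", "dateline": 1378634700, "script": "plugin.php", "action": "files"},
]


def dateline_to_utc(dateline):
    """Convert a vBulletin dateline (Unix epoch seconds) to a readable UTC string."""
    return datetime.fromtimestamp(dateline, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def is_known_admin_ip(ip):
    """True if the address falls inside one of the allowlisted admin networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def triage_adminlog(rows, watched_scripts=WATCHED_SCRIPTS):
    """Watched-script entries that came from an IP outside ADMIN_NETWORKS."""
    return [
        {**row, "when": dateline_to_utc(row["dateline"])}
        for row in rows
        if row["script"] in watched_scripts and not is_known_admin_ip(row["ipaddress"])
    ]


def summarize_by_ip(findings):
    """Per source IP: first and last flagged entry, and the actions run in order."""
    summary = defaultdict(lambda: {"first_seen": None, "last_seen": None, "actions": []})
    for f in sorted(findings, key=lambda r: r["dateline"]):
        entry = summary[f["ipaddress"]]
        entry["first_seen"] = entry["first_seen"] or f["when"]
        entry["last_seen"] = f["when"]
        entry["actions"].append(f["action"])
    return dict(summary)


def ips_acting_together(findings, window_seconds=600):
    """Pairs of unknown IPs whose first flagged entries fall within the window."""
    first = {}
    for f in sorted(findings, key=lambda r: r["dateline"]):
        first.setdefault(f["ipaddress"], f["dateline"])
    ips = sorted(first, key=first.get)
    return [
        (a, b)
        for i, a in enumerate(ips)
        for b in ips[i + 1:]
        if first[b] - first[a] <= window_seconds
    ]


if __name__ == "__main__":
    flagged = triage_adminlog(ADMINLOG_ROWS)
    for ip, info in summarize_by_ip(flagged).items():
        print(f"{ip}: {info['first_seen']} .. {info['last_seen']} actions={info['actions']}")
    for a, b in ips_acting_together(flagged):
        print(f"{a} and {b} first appeared within 10 minutes of each other")
```

Entries from your own admins' networks are dropped before anything is reported, so the allowlist is the part to get right; when an admin works from a new address, add the network rather than widening the script filter.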


  • kjh411
    replied
    Originally posted by Zachery:
    If I had to guess, the last time you did fixes you missed something.
    I'm sure we did and we're still working on it.

    The list another user posted is the same we advise everyone with, it's important to go through all of it and not skip anything.
    You advise everyone with this when? After they have been hacked?

    My point is, that the extra "hardening" you suggest such as protecting certain folders with .htaccess, is something that should be advised to ALL customers so that their level of protection is higher from the outset. But from what I have seen as a customer, the only proactive warning you issue is to delete the install folder.

    As we are discovering it is a much greater task to clean a site that has been hacked.



  • Zachery
    replied
    If I had to guess, the last time you did fixes you missed something. The list another user posted is the same we advise everyone with, it's important to go through all of it and not skip anything.



  • kjh411
    replied
    Originally posted by donald1234:

    You have to also consider the possibility that the hacker may have cracked your ftp password. Look at your server logs.
    We have. They didn't get in that way. In fact we haven't yet found any evidence how they got in.

    I'm talking about two different vbulletin sites being hacked on two different domains, with two different and strong FTP passwords (symbols, upper and lower case letters, and numbers).

    They are on a dedicated server which only has my sites on it, eight in all.

    We use CSF firewall which includes a Login Failure Daemon which blocks any IP that fails to log in more than a handful of times. So there is no way they could have cracked our FTP passwords, or the WHM/cpanel passwords.

    The domains/cpanel accounts that were hacked both only contain a vbulletin 4 site, there is no other software on there.

    In the adminlog in the database for each site we found four entries on 8 Sept from an unknown IP address in Morocco. They were accessing plugin.php.

    Have you read this http://blog.sucuri.net/2013/11/steal...etin-hack.html ?



  • donald1234
    replied
    By the way, how does someone hacking your vbulletin site end up being able to delete everything from your public_html folder and upload their own files?
    You have to also consider the possibility that the hacker may have cracked your ftp password. Look at your server logs.
    Last edited by Mark.B; Tue 17th Dec '13, 3:48am.



  • Mark.B
    replied
    Originally posted by kjh411:
    Thanks.

    So obviously there are a lot more vulnerabilities than leaving the Install folder in place,
    No there aren't, not sure where you've got that idea from.

    The advice posted is general advice for securing a forum installation.

