VB hacked into

  • myu1
    New Member
    • Mar 2009
    • 21

    VB hacked into

    VB Version 4.2.2

    Hi, hope someone can help.

    I was asked the following question.

    Hi,

    Looks like the forum was hacked, date and time of hacking still unknown. Working on this!

    Looks like the forum was hacked by someone making POST requests to the following page:

    /forum/admincp/subscriptions.php
    /forum/admincp/subscriptions.php?do=modifi

    This has been used to create files on the website, which have then been used to make further changes including making alterations in other directories.

    Luckily the scope of the attack seems to have been mitigated by the fact I limit many high level administrative pages to certain IP addresses.

    Please contact VB and see if there is some kind of unknown security flaw, or if they can shed any light...
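
Since the post above says the date and time of the compromise are still unknown, a first triage step is to list every POST to the AdminCP path that came from outside the administrator IP allowlist, in time order. This is an added example, not part of the original thread; it assumes the web server writes the common "combined" access-log format, and the log lines, dates and IP ranges are constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_PREFIX = "/forum/admincp/"          # directory named in the post
ALLOWED = [ip_network("203.0.113.0/29")]  # constructed admin allowlist

# Constructed sample log lines (documentation IP ranges, invented dates).
SAMPLE = [
    '203.0.113.5 - - [02/Feb/2014:09:14:01 +0000] "POST /forum/admincp/subscriptions.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Feb/2014:02:41:17 +0000] "POST /forum/admincp/subscriptions.php?do=modifi HTTP/1.1" 200 734 "-" "-"',
    '198.51.100.23 - - [03/Feb/2014:02:40:55 +0000] "POST /forum/admincp/subscriptions.php HTTP/1.1" 200 701 "-" "-"',
    '198.51.100.23 - - [03/Feb/2014:02:39:10 +0000] "POST /forum/admincp/index.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.77 - - [03/Feb/2014:08:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def suspicious_admin_posts(lines, allowed=ALLOWED):
    """Return (time, ip, path, status) for AdminCP POSTs from non-allowlisted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith(ADMIN_PREFIX):
            continue
        ip = ip_address(m["ip"])
        if any(ip in net for net in allowed):
            continue  # expected administrator traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, str(ip), m["path"], int(m["status"])))
    return sorted(hits)

def first_served(hits):
    """Earliest hit the server actually answered (not blocked with 4xx/5xx)."""
    return next((h for h in hits if h[3] < 400), None)

if __name__ == "__main__":
    for ts, ip, path, status in suspicious_admin_posts(SAMPLE):
        print(ts.isoformat(), ip, status, path)
```

A 403 on one AdminCP page next to a 200 on another from the same address shows which pages the IP restriction does not cover; the timestamp of the first served request gives a lower bound for reviewing file changes.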
  • donald1234
    Senior Member
    • Oct 2011
    • 1953
    • 4.1.x

    #2
    Who asked you about this? You should be aware of scammers (wanting paid to clear up a fictitious hack) unless you have evidence of being hacked.

    Comment

    • myu1
      New Member
      • Mar 2009
      • 21

      #3
      I have managed hosting.

      One of my members started a thread on my forum saying the following yesterday:

      website trouble?


      I am unable to access this site from my PC. All I get is loan for investment adverts. Even if I click on help I get info on citifinancial title loans. I can use the website via my phone. I've run a virus scan which came up clear. Anyone else having problems?
      Thanks
      I'm using IE 10. Had no probs up to now. There is only the register button on the homepage and when I click that I get info about approved military loans! Even when I google WATRB and enter via the search engine the same problem exists.
      When I go to website it flags up adverts that were mentioned above and does not allow me into the forum. If I click my profile I can open threads I have commented in and see what else has been added but cannot see the normal forum and posts I have not contributed in
      I've had this today via google chrome but fine via iphone


      Other members have also reported problems, so I asked for a screen shot.

      It's something posted by a spammer which I removed and deleted a few months ago, I also deleted the username, however some of the members are being taken to this page which looks all broken, and I can find no trace to these adverts.

      The company who manage host the site for me asked this question, he has closed the forum for now.

      I have not made any changes to the site since 20th Jan, that was getting Adsense back on the site after an appeal.

      Comment

      • donald1234
        Senior Member
        • Oct 2011
        • 1953
        • 4.1.x

        #4
        If you can't recreate the issue yourself, a screenshot would be a good idea.

        Comment

        • Lynne
          Former vBulletin Support
          • Oct 2004
          • 26255

          #5
          You have a bad plugin under Plugins & Products > Plugin Manager that is causing the post issue with subscriptions. You need to remove it. vBulletin supplies *NO* plugins under the heading "Product : vBulletin" on that page. Please follow the advice here:

          There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

          Close the hole...
          This has three subparts in this instance.
          1. Delete your install folder
          2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
          3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

          Fill the Hole...
          There are seven subparts in this instance.
          1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
          2. Delete any Suspect Files.
          3. Replace any files marked as "Does not contain expected contents"
          4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
          5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
          6. Update your Addon Products.
          7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

          Secure the Hole
          Parts of this were done by closing the hole but there are still things to do here.
          1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
          2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
          3. Create a lower permission Administrator for every day use.
          4. Review your permissions in the system.
          5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
          6. Move your attachments outside the forum root directory.
          7. Create a complete backup of your site. Make database backups weekly.

          Vigilance
          You need to keep active on the security of the site.
          1. Give out the fewest permissions necessary for anyone to do their job
          2. Make sure your hosting provider updates the software.
          3. Update to the latest vBulletin when it is released.
          4. Make sure your addons are always up to date.

          Please don't PM or VM me for support - I only help out in the threads.
          vBulletin Manual & vBulletin 4.0 Code Documentation (API)
          Want help modifying your vbulletin forum? Head on over to vbulletin.org
          If I post CSS and you don't know where it goes, throw it into the additional.css template.

          W3Schools <- awesome site for html/css help

          Comment
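
The plugin review described in the answer above (suspect keywords, plus the point that no legitimate plugin is listed under "Product : vBulletin") can be run as a first-pass filter over exported plugin records. This is an added example, not part of the original thread or vBulletin's own code; it assumes each plugin has been exported as a record with `title`, `hookname`, `product` and `phpcode` fields and that the "Product : vBulletin" heading corresponds to a product value of `vbulletin`. The sample plugins are constructed.

```python
import re

# Keyword list from the post. PHP spells the function passthru();
# curl_exec() and similar names are deliberately not matched by "exec".
SUSPECT = {
    "exec": re.compile(r"\b(?:shell_)?exec\s*\(", re.I),
    "system": re.compile(r"\bsystem\s*\(", re.I),
    "passthru": re.compile(r"\bpassthru\s*\(", re.I),
    "base64": re.compile(r"base64_decode", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}

# Constructed sample records (field names are an assumption, see lead-in).
PLUGINS = [
    {"title": "Feed fetcher", "hookname": "global_start", "product": "myaddon",
     "phpcode": '$ok = curl_exec($ch) !== false;'},
    {"title": "Stats", "hookname": "init_startup", "product": "myaddon",
     "phpcode": '$s = base64_decode("Y29uc3RydWN0ZWQ="); '
                'echo "<iframe src=\\"https://example.invalid/\\"></iframe>";'},
    {"title": "vBulletin", "hookname": "global_start", "product": "vbulletin",
     "phpcode": '$ok = true;'},
]

def scan_plugins(plugins):
    """Return (title, hookname, reasons) for every plugin that needs manual review."""
    findings = []
    for p in plugins:
        reasons = [name for name, rx in SUSPECT.items() if rx.search(p["phpcode"])]
        # Per the post, vBulletin ships no plugins under its own product heading.
        if p["product"].strip().lower() == "vbulletin":
            reasons.append("product=vbulletin")
        if reasons:
            findings.append((p["title"], p["hookname"], reasons))
    return findings

if __name__ == "__main__":
    for title, hook, reasons in scan_plugins(PLUGINS):
        print(f"{title} [{hook}]: {', '.join(reasons)}")
```

A keyword match only marks a plugin for reading; a clean result does not clear it, because the third sample is flagged purely on its product label.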

          • myu1
            New Member
            • Mar 2009
            • 21

            #6
            Thank you for the information, we got it sorted and I'll remove the plugins.

            Comment
