I upgraded to the latest version 3.7.3 pl 1 on September 19th.
Then, on the 21st of October at 7:10 pm EST, my site was hacked. It was hacked by the same "group" that hacked another couple of sites that were posted on the forum here on the 18th of this month. (the Saudi Virus Team, though mine was done by a different hacker on their site)
I checked with my server, they scoured through my logs, and they are convinced the hack happened through vbulletin. They first hacked the index.php file in my vbulletin. LUCKILY, I immediately got a phone call from one of my moderators, who was online reading posts when it happened.
The first thing I did was go into my server and change my passwords for the server, the database, and the FTP.
I then went in and posted an index.html page saying the site was temporarily out of order.
In the time it took me to do that, the hack spread from the forum index.php to the main page of my site, which is a simple index.html file, and then on through to my store index.php.
I tried to reupload new files, check for recent registrations in the database, and look for any attachments or images they might have placed, but I could only get a good clean hour before the hack would show back up, again back at the forum first, then spreading to the other sections. I also did the tools.php suggestions for fixing, and reuploaded the style, and tried to revert to the "default" style. But all of these resulted in no fix.
FINALLY, I just deleted the whole forum from my site. Once I got rid of the forum, I put the rest of my site up (sans forum), and had no problems. Then, after waiting a couple days, making sure nothing else seemed to be affected, I put a new forum up, and dumped in my backup from 2 days prior to the hack.
I went through the "suggested" security steps to take, and implemented/made some changes, though I already had nearly all of them implemented. I also should note here that I don't use any other hacks or plug-ins on my site. I run just a very simple set up of the vbulletin. The only changes I have are a different style than the default, which I have been using for 2 years now, and I have a PhotoPost Gallery attached to the same database as the forum. Note also that while I have the gallery, there is no evidence that it was affected.
I also changed my location of my admin cp and mod cp folders. And I had ALL moderators go in and change their passwords.
So, I have taken the steps... but here is why I'm posting.
I TRULY believe they are getting through a hole in the 3.7.3 PL 1 version of vbulletin. As there was nothing showing it was to my server, and my other sites that I host on the same server were not affected. (I have a dedicated server)