One of my vbulletin websites was hacked and infected with the file2store.info redirection malware - and the shared VPS I was on got compromised so at least one other site was affected.
I am well on the way towards cleaning up the site, but the conversations related to "how to clean up a hacked vbulletin website" are scattered across here (and other sites) so much so that I found pieces of good information across maybe 75 threads in 500+ posts. I'd like to get focused in this thread if we can so people running vbulletin 4.1.x can get help in 2012 on how to clean up their hacked site.
CLEAN UP
So the question is - how do I go about cleaning up the site of all malware and how can I know when I'm done?
So I've identified that I was hacked. I saw the redirection happen on the site, I saw the code added to my server and I had my web host scan the entire server to check for compromised files (and they found some).
SCOPE: I assume this means that I will have to deal with:
- vBulletin website files
- vBulletin plug-ins
- database content
- Server files not related to vbulletin.
PROCESS: what's the first thing to focus on? Where do I start?
- I removed the compromised .htaccess file and replaced it with a backup.
- The robots.txt file was changed so I pretty much cut that down to nothing.
- I got so freaked out that I moved from a VPS to a dedicated server
- I had my host install a new firewall and antivirus/malware software that runs nightly
CHECKING FOR HACKS: Once the obvious stuff is fixed, how do I work through potentially compromised files?
- This post on "Steps to check for hacks" gives a lot of the steps, but it doesn't tell me what to do with the information that I find.
- I ran Maintenance > Diagnostics > Suspect File Versions and got at least 200 total files that show me notes like this:
- README.txt - File not recognized as part of vBulletin
- blog_subscription.php - File does not contain expected contents
- blog_search.php - File version mismatch: found 4.0.8 Patch Level 2, expected 2.0.0
How can I tell what all of these mean? There are just simply too many of them (200+?) for me to quickly go through.
I assume most of them are remnants from old versions of vb or plug-ins that didn't get removed properly. Some could be hacks though.
Should I just upload a new copy of vbulletin and nuke the old one?
- Should I just start over with a new copy of the vb files (4.1.11 - the latest version as of this writing)?
- Move over the images that are related to the site (attachments, avatars, etc - what should I look for?)
- Put my plug-ins back one at a time
- anything else that needs to be done if I do this? I assume I would look at the config.php file pretty hard to make sure that it's not compromised.
What about the Database?
- I ran the steps that include database checks, and it did come back with a few results -- but are they normal or not?
- The SQL statement for steps 4&5 came back with 3 results.
- The SQL statement for step 7 came back with nearly 30 results.
- How can I know if these are clearly hacks or if they are normal? I don't really want to upload chunks of code, but I don't know for sure that they are hacks so I don't want to delete them (and I don't want to ignore them either).
ANYTHING ELSE?
- I'm pretty familiar with all of this, but like a lot of people I'm stuck where I'm not sure if I need a server management company to do all of this for me ($300/month - although it would have been worth it for sure) or if I can take care of it myself and be 99.5% confident that I won't get hacked again.
Thanks! I look forward to hearing from people on how I can work through
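One way to make sense of a 200-entry Suspect File Versions list, and to decide what actually needs to move if you start over from a clean copy, is to hash every file in the live tree against an unpacked clean copy of the same vBulletin version and sort the differences into buckets. This is an added example, not code from the original post or from vBulletin: the media directory names in MEDIA_DIRS are assumed, and the files that demo() creates are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed names of the directories that should hold only uploaded media;
# a PHP file inside one of them has no business being there.
MEDIA_DIRS = {"attachments", "customavatars", "customprofilepics"}


def tree_hashes(root: Path) -> dict:
    """Map POSIX-style relative path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def triage(clean_root: Path, live_root: Path) -> dict:
    """Bucket the live tree against a clean install of the same version.
    modified/missing: restore from the clean copy. extra: review by hand
    (config.php is site-specific, so it always lands here). suspicious_extra:
    PHP where only media should live; inspect these first."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    out = {"modified": [], "missing": [], "extra": [], "suspicious_extra": []}
    for rel, digest in clean.items():
        if rel not in live:
            out["missing"].append(rel)
        elif live[rel] != digest:
            out["modified"].append(rel)
    for rel in live:
        if rel in clean:
            continue
        is_php_in_media = rel.endswith(".php") and rel.split("/")[0] in MEDIA_DIRS
        out["suspicious_extra" if is_php_in_media else "extra"].append(rel)
    return {k: sorted(v) for k, v in out.items()}


def demo() -> dict:
    """Constructed clean/live pair in a temp dir, then triage it."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    stock = {"index.php": "<?php // stock\n", "blog_search.php": "<?php // stock\n",
             "includes/config.php.new": "<?php // template\n"}
    for root in (clean, live):
        for rel, body in stock.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (live / "index.php").write_text("<?php // stock\n// injected line\n")  # modified
    (live / "blog_search.php").unlink()                                    # missing
    (live / "includes/config.php").write_text("<?php // site settings\n")  # extra
    (live / "attachments").mkdir()
    (live / "attachments/x.php").write_text("<?php // not media\n")        # suspicious
    return triage(clean, live)
```

Run triage() with the unpacked 4.1.11 zip as clean_root and the web root as live_root; anything in modified or missing is overwritten by the clean copy, while extra and suspicious_extra are the short list worth reading by hand before the plug-ins go back one at a time.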