vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=318422

A hacker doing - question
by katie hunter
25 Apr 2015 21:51

Hi everyone, if i was hacked, well i was and found the hacker messing with my plugin and i see in the logs he was modifying plugins via id, how can i tell which plugin did he modify ?

ex http://i.imgur.com/lLMwbRY.png

ForceHSS 25 Apr 2015 22:02

He might of installed some plugins so he can get back in. Go to your plugin manager and hover the mouse over each one it will show you the id. If you need help making your site secure pm me

Lynne 25 Apr 2015 22:32

Go to: admincp/plugin.php?do=edit&pluginid=xxx

(change xxx to the plugin id)

Princeton 29 Apr 2015 12:23

I recommend hiring someone to look into your files and database for injected code. Editing a plugin could have been a way to get into the system as a whole (not just the primary area to inject malicious code).

SaN-DeeP 29 Apr 2015 18:10

Quote:

Originally Posted by katie hunter (Post 2544187)
Hi everyone, if i was hacked, well i was and found the hacker messing with my plugin and i see in the logs he was modifying plugins via id, how can i tell which plugin did he modify ?

ex http://i.imgur.com/lLMwbRY.png

As the administrator said above do needful.
If you are still finding anything suspicious (contact the developer who did those changes) and/or as others recommended.

thetechgenius 19 May 2015 15:31

Do you have a backup you can restore, a backup from before the hack? If you do, restore the backup, and ban that users IP, Email, and Account, and you can also blacklist his IP.

BirdOPrey5 19 May 2015 17:49

Unless you are skilled at looking through PHP code it is often easier to just re-run an upgrade of whatever version of VB you are running and then reinstall (overwriting original products) all the 3rd party products you have. Doing both will replace all the original and add-on VB files and plugins with their original/clean versions.

You also need to check Plugin Manager to see if you have any plugins listed at the top under the vBulletin product- if so treat these as suspicious and disable them unless you are absolutely sure what they do. VBulletin would not normally have any plugins listed under the vBulletin product.

Also you need to check your server for any additional files uploaded by hackers. Check especially for php files in image and/or attachment folders. There shouldn't be php files in these locations.

Dave 20 May 2015 10:42

There are always a few things I do when I do a security check:
1. I run the "Suspect File Versions" tool at AdminCP > Maintenance > Diagnostics to find most of the files on the server which do not have vBulletin's MD5 or do not belong to vBulletin at all. I then check the code of each file one by one to see if there's anything suspicious in it.
2. I go to AdminCP > Plugins & Products > Plugin Manager and I check all of the top plugins. Those are manually added and "hackers" usually add a backdoor that way. If those are fine then I check every single other plugin on that page.
3. When I get given SSH access, I can execute commands on the server to search through all the files for certain keywords. I typically look for: "system, shell_exec, exec, popen, file_put_contents, fwrite, phpinfo, base64" since most backdoors and shells make use of those functions.
4. I also check the access/error logs and try to find out what caused the hack.

I do a few more things, but the things listed above are the important ones.


All times are GMT. The time now is 08:23.

Powered by vBulletin® Version 3.8.14
Copyright © 2020, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.