20 May 2015, 10:42
Dave
There are always a few things I do when I do a security check:
1. I run the "Suspect File Versions" tool at AdminCP > Maintenance > Diagnostics to find most of the files on the server which do not have vBulletin's MD5 or do not belong to vBulletin at all. I then check the code of each file one by one to see if there's anything suspicious in it.
2. I go to AdminCP > Plugins & Products > Plugin Manager and I check all of the top plugins. Those are manually added and "hackers" usually add a backdoor that way. If those are fine then I check every single other plugin on that page.
3. When I get given SSH access, I can execute commands on the server to search through all the files for certain keywords. I typically look for: "system, shell_exec, exec, popen, file_put_contents, fwrite, phpinfo, base64" since most backdoors and shells make use of those functions.
4. I also check the access/error logs and try to find out what caused the hack.

I do a few more things, but the things listed above are the important ones.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
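The keyword search from step 3 of the post above, as an added example that is not part of the original post: it ranks PHP files by the number of lines that call one of the listed functions, so manual review can start with the busiest file. The function names `scan_php` and `make_sample`, the sample file names, and the narrowing of "base64" to `base64_decode`/`base64_encode` are assumptions of this sketch.

```sh
#!/bin/sh
# Triage helper: a hit is a lead for manual code review, not a verdict.
# Function names are the ones listed in the post; "base64" is narrowed to
# PHP's base64_decode/base64_encode (assumption of this example).
FUNCS='system|shell_exec|exec|popen|file_put_contents|fwrite|phpinfo|base64_(de|en)code'
# Require a call "(" and a non-identifier character before the name, so that
# curl_exec( and $db->exec( are not reported as exec(.
PATTERN="(^|[^[:alnum:]_>])(${FUNCS})[[:space:]]*\("

# scan_php DIR: prints "<matching lines><TAB><path>", busiest file first.
# PHP function names are case-insensitive, hence grep -i.
scan_php() {
    find "$1" -type f -name '*.php' -exec sh -c '
        pat=$1; shift
        for f in "$@"; do
            n=$(grep -Eic -- "$pat" "$f" || true)
            if [ "$n" -gt 0 ]; then printf "%d\t%s\n" "$n" "$f"; fi
        done' sh "$PATTERN" {} + | sort -rn
}

# make_sample DIR: constructed, harmless test files (hypothetical names).
make_sample() {
    mkdir -p "$1/includes"
    printf '%s\n' '<?php' '$r = curl_exec($ch);' '$db->exec($sql);' \
        'echo "file system ready";' > "$1/includes/clean.php"
    printf '%s\n' '<?php' '$c = BASE64_DECODE("aGk=");' \
        'system ("uptime");' 'fwrite($fh, $c);' > "$1/includes/odd.php"
    printf '%s\n' '<?php phpinfo();' > "$1/info.php"
    printf '%s\n' 'exec(not php)' > "$1/notes.txt"
}

# Run against a directory when one is given: ./scan.sh /path/to/forum
if [ "$#" -gt 0 ]; then scan_php "$1"; fi
```

Legitimate forum code also calls several of these functions, so the counts are most useful when compared against a clean copy of the same release.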