  #1  
Old 11 Sep 2013, 15:39
Divvy Divvy is offline
 
Join Date: Nov 2008
HACKED vBulletin 4.2.0 Patch Level 3

Hello guys,

Maybe someone can help me...
This morning my vBulletin 4.2.0 Patch Level 3 was hacked by what seems to be a Brazilian hacker who left this message:

Desculpe o transtorno estamos invadindo seu site
Sabe por que? porque eu quis.

@Nega_cabelo_duro

I'm trying to discover how to solve the problem, but can't find the file that he modified. Can someone please help me or give a clue?

I have vBa CMPS installed in the root of the forum and the index is working fine; only when we go to forum.php is it redirecting to this page:
http://i.imgur.com/JingJTM.png

The source code of that page is:
http://paste2.org/YeFAjz9m

Any ideas guys? Please?

Thanks!

Best regards,
Tim

--------------- Added 11 Sep 2013 at 15:45 ---------------

Ok, I have found this in my forumhome template:
http://paste2.org/Mw7snpxK

I also have found a new admin in the administrators group:
ID: 136733
username: polter
email: pulodentrodurio@hotmail.com
join and last activity date: 11-09-2013

Could he have modified anything more?

Last edited by Divvy; 11 Sep 2013 at 16:06.
  #2  
Old 11 Sep 2013, 16:05
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
  #3  
Old 11 Sep 2013, 16:09
Brandon Sheley Brandon Sheley is offline
 
Join Date: Mar 2005
Real name: Brandon
Did you have the install folder in place?

Remove it, remove the new admins, remove or revert the compromised templates, enjoy a cold beer.
  #4  
Old 11 Sep 2013, 16:15
squidsk squidsk is offline
 
Join Date: Nov 2010
See http://www.vbulletin.org/forum/showthread.php?t=301904
  #5  
Old 11 Sep 2013, 16:16
Divvy Divvy is offline
 
Join Date: Nov 2008
Thank you guys for your help!

Does someone know exactly what the hacker changed?
Until now I have only found:

1- a new admin (already deleted)
2- forumhome template changed (already reverted)

I already deleted the install folder also like Wayne Luke said here:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

Any more changes that anyone has noticed?

Best regards
  #6  
Old 11 Sep 2013, 16:19
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
Did you read over: http://www.vbulletin.com/forum/blogs...ve-been-hacked ?
  #7  
Old 11 Sep 2013, 16:21
Divvy Divvy is offline
 
Join Date: Nov 2008
Thank you squidsk,

Just a quick note. I saw the logs on
And found what he did:
http://i.imgur.com/pJRBdfi.png

So, if I am right, he only modified template files, right?
Is it possible to know if it was only forumhome or more?

Thanks!

--------------- Added 11 Sep 2013 at 17:05 ---------------

UPDATE: I have checked all template files one by one in the Last edited information and the only template file that was edited by the hacker was FORUMHOME in all templates that I have installed.
It says: Last edited September 11 2013 at 05:51 by polter

UPDATE2: I noticed a new template file that was edited today (the day that my vb was hacked) and the file was bbcode_video
It says: Last edited September 11 2013 at 05:49 by
Note that the username doesn't appear, but the file was edited today, 2 minutes before he changed FORUMHOME
My bbcode_video file code: http://paste2.org/5bP0w05b

UPDATE3: Just can't find the template file that he inserted on style 2 (default):
http://i.imgur.com/pJRBdfi.png
I saw the files one by one and can't find today's date...

Last edited by Divvy; 11 Sep 2013 at 18:10.
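An added example, not part of any post in this thread: the template and admin-account review described in post #7, done as two time-window queries instead of opening each template by hand. The table and column names (`template.dateline`, `template.username`, `user.usergroupid`, `user.joindate`) and administrator group id 6 are assumptions modelled on a default vBulletin 4 schema; the rows are constructed from the values quoted in the thread, with times of day and the other rows made up.

```python
import sqlite3
from datetime import datetime, timezone

ADMIN_GROUP_ID = 6  # assumption: default administrators usergroup


def ts(y, mo, d, h=0, mi=0):
    """Unix timestamp (UTC), the format assumed for dateline/joindate columns."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


def build_sample_db():
    """In-memory stand-in for the forum DB; schema is assumed, rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE template (styleid INT, title TEXT, dateline INT, username TEXT);
        CREATE TABLE user (userid INT, username TEXT, usergroupid INT, joindate INT);
    """)
    db.executemany("INSERT INTO template VALUES (?,?,?,?)", [
        (1, "FORUMHOME", ts(2013, 9, 11, 5, 51), "polter"),
        (1, "bbcode_video", ts(2013, 9, 11, 5, 49), ""),  # editor name blank
        (1, "header", ts(2013, 6, 2, 10, 0), "Divvy"),
        (2, "footer", ts(2012, 12, 1, 9, 30), "Divvy"),
    ])
    db.executemany("INSERT INTO user VALUES (?,?,?,?)", [
        (1, "Divvy", ADMIN_GROUP_ID, ts(2008, 11, 1)),
        (136733, "polter", ADMIN_GROUP_ID, ts(2013, 9, 11, 5, 40)),
        (500, "member", 2, ts(2013, 9, 11, 8, 0)),
    ])
    return db


def templates_edited(db, start, end):
    """Every template touched in the window, in any style, whoever the editor."""
    return db.execute(
        "SELECT styleid, title, username FROM template "
        "WHERE dateline >= ? AND dateline < ? ORDER BY dateline", (start, end)
    ).fetchall()


def admins_joined(db, start, end):
    """Administrator accounts created inside the window."""
    return db.execute(
        "SELECT userid, username FROM user "
        "WHERE usergroupid = ? AND joindate >= ? AND joindate < ?",
        (ADMIN_GROUP_ID, start, end)
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    window = (ts(2013, 9, 11), ts(2013, 9, 12))
    print(templates_edited(db, *window))
    print(admins_joined(db, *window))
```

Filtering on the time window rather than on the editor name is what surfaces the `bbcode_video` edit, whose username field is empty.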
  #8  
Old 11 Sep 2013, 19:31
dimobr dimobr is offline
 
Join Date: Mar 2012
Same problem here!
To resolve I did a restore from my DB (earliest possible before the attack)
Also deleted the install folder.

Now everything seems to be ok!
... It is advisable to change passwords ..