#1
30 Sep 2013, 12:30
seriousrat
Join Date: May 2012
Hacked Sites, How Many Recently?

Seems like everyone is getting hacked. Some threads say over 200 in the past month. Ours, http://www.seriousoffshore.com/forums/ , and one of our main members, http://www.donzi.org/ were both hacked the end of last week/over the weekend.

Has anyone been able to find out why so many recently?

Ours seems to have the hack code inserted the first part of September, then activated later. So, our recent backups are also infected which has created a major pain.

I hope this is the right place to ask the question.
#2
30 Sep 2013, 12:53
ozzy47
Join Date: Aug 2009
Real name: Chris
I have not seen a list or a count on the number of sites, but they almost all have to do with the install directory not being deleted.

To recover, please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
#3
30 Sep 2013, 15:08
seriousrat
Join Date: May 2012
Have you seen the redirect worm that is in the seriousoffshore.com/forums before (if you've looked)? They did get in through the install as you said, but then they created admin users, modified files in the admincp folder, the style templates, and the plugins. The admincp and database hacks are pretty severe. Plus, because of the delay before it went active, our backups are infected. As our webmaster says, "Every time he thinks he has everything, something else pops up."

Anyway, if anyone is familiar with the pain of this one, helpful hints are certainly appreciated.

Thanks for the input so far.
#4
30 Sep 2013, 22:16
ozzy47
Join Date: Aug 2009
Real name: Chris
If you follow the two blog posts thoroughly, and do not skip any details at all, you should be ok.
#5
30 Sep 2013, 22:21
tbroush
Join Date: Aug 2003
Originally Posted by ozzy47:
If you follow the two blog posts thoroughly, and do not skip any details at all, you should be ok.
I wish that was as easy as that.
#6
30 Sep 2013, 22:38
ozzy47
Join Date: Aug 2009
Real name: Chris
No one said it was easy, but many sites have recovered successfully by following the info provided in there.
#7
30 Sep 2013, 22:47
tbroush
Join Date: Aug 2003
Well, I guess mine has been one of the few that continues to have issues even after doing everything and more in all of those blogs.
#8
30 Sep 2013, 22:51
tbworld
Join Date: Oct 2008
Originally Posted by tbroush:
Well, I guess mine has been one of the few that continues to have issues even after doing everything and more in all of those blogs.
It is not easy and it is time consuming, and I am sorry you were hacked. Keep at it and ask questions here, if you do not understand something.

Last edited by tbworld; 30 Sep 2013 at 23:12.
#9
30 Sep 2013, 22:52
ozzy47
Join Date: Aug 2009
Real name: Chris
What are the things that keep popping up? Are they always different, or the same thing, and what are they?
#10
30 Sep 2013, 23:18
tbroush
Join Date: Aug 2003
Well, all he does now is, when you go to the forum.php page, it takes you to an HTML page but does not necessarily redirect you anywhere. So I usually just run the upgrade script and it is back to normal. So today I deleted all of the custom templates and uploaded new ones just in case the code was in there, but I have done everything else possible.
#11
30 Sep 2013, 23:21
ozzy47
Join Date: Aug 2009
Real name: Chris
Hopefully that will work; if not, report back and let us know.
#12
01 Oct 2013, 00:14
Zachery
Join Date: Jul 2002
Real name: Zachery Woods
Revert the forumhome template, chances are they modified that. The blog posts over on vBulletin.com cover fixing this stuff. Very well too.
__________________
Looking for ImpEx?
#13
01 Oct 2013, 14:33
seriousrat
Join Date: May 2012
I don't know if this helps you guys in any way, but here are a few of the comments from the two webmasters. Any comments about future protection? We believe we are clean at serious now. I hid their email addresses.

This is 'one' of the hacks we were infected with and the one that's caused the most trouble. They had access to all of our files AND databases and injected code throughout the databases.

http://www.derekfountain.org/security_c99madshell.php

On Mon, Sep 30, 2013 at 8:50 PM, ***** wrote:

hmmm... we were told today the server house carried the infection to us... and thousands more

we locked our front door until the server is clean

In a message dated 9/30/2013 8:31:08 P.M. Eastern Daylight Time, ***** writes:

It's not coming through the site files, I've cleaned all those... it's being injected from the database.

On Mon, Sep 30, 2013 at 8:21 PM, ******* wrote:

go to your .exe file and find this entry >>

1E161D6D.exe

see if you can delete it if it's there

In a message dated 9/30/2013 8:16:56 P.M. Eastern Daylight Time, ***** writes:

Yeah... there's a redirect javascript buried in there somewhere. I'm chasing it now. Got rid of everything else though. I'd like to pummel the nerd that put this one together.

On Mon, Sep 30, 2013 at 8:09 PM, ********* wrote:

I just logged on SO and entered my password to look around
my MS virus blocker went apeshit as soon as I clicked on the forum header
8 pings in 3 minutes... quarantined every ping

wow, bad bad bad

btw, this same virus crashed the U of Colorado website and countless others
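The posts above describe one pattern: an undeleted install/ directory as the way in, then redirect JavaScript buried in templates that live in the database (FORUMHOME in particular), so re-uploading files alone does not clear it. As an added defender-side triage example, not code from vBulletin or from anyone in this thread, the Python below checks for a lingering install/ directory and scans exported template bodies for the kinds of injected script such a redirect hack leaves behind; the rule set, the template titles and the sample bodies are constructed for illustration.

```python
"""Triage helpers for the vBulletin template-injection pattern in this thread.
Hypothetical example code: not vBulletin's own, not from the thread's posters.
Assumes templates were exported from the `template` table into Python strings
and that the caller supplies the forum root path; sample data is constructed."""
import os
import re

# Rarely seen in clean vBulletin templates, common in injected redirect payloads.
SUSPICIOUS = {
    "location_redirect": re.compile(r"\b(window|document|top)\.location(\.href)?\s*=[^=]", re.I),
    "obfuscated_eval": re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode|atob)\b", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I),
    "external_script": re.compile(r"<script[^>]+\bsrc\s*=\s*[\"']?(https?:)?//", re.I),
}

def scan_template(title, body, allowed_hosts=()):
    """Return (title, rule) pairs for every rule that fires on one template body.
    An external <script src> is only reported when its host is not allow-listed."""
    findings = []
    for rule, pattern in SUSPICIOUS.items():
        for m in pattern.finditer(body):
            if rule == "external_script":
                host_m = re.match(r"[^/\"'\s>]+", body[m.end():])
                if host_m and host_m.group(0).lower() in allowed_hosts:
                    continue  # allow-listed CDN; keep checking other script tags
            findings.append((title, rule))
            break  # one finding per rule per template is enough for triage
    return findings

def install_dir_present(forum_root):
    """Root cause named in the thread: install/ left in place after an upgrade."""
    return os.path.isdir(os.path.join(forum_root, "install"))

def triage(templates, allowed_hosts=()):
    """Map template title -> list of fired rules; clean templates are omitted."""
    report = {}
    for title, body in templates.items():
        hits = [rule for _, rule in scan_template(title, body, allowed_hosts)]
        if hits:
            report[title] = hits
    return report

# Constructed samples: a clean FORUMHOME and a copy carrying an injected redirect.
SAMPLE_TEMPLATES = {
    "FORUMHOME": '<div id="content">{vb:raw forumbits}</div>',
    "FORUMHOME_injected": ('<div id="content">{vb:raw forumbits}</div>'
                           "<script>eval(unescape('%77%69%6e'));"
                           "window.location='http://redirect.invalid/';</script>"),
}
```

Run `triage` over a full template export and `install_dir_present` against the forum root; any fired rule on a stock template such as FORUMHOME is a reason to revert that template, as Zachery suggests, and to re-check the database rather than only the files.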
#14
02 Oct 2013, 15:07
Cygnusstudios
Join Date: Jan 2011
Mine got hacked on Monday. Everything was corrupted and the only option was pulling the site down completely.

However, I did manage to log the IP:

176.45.4.205
#15
02 Oct 2013, 16:15
cellarius
Join Date: Aug 2005
Real name: Sven
Cool. Now you only have to get SaudiNet to cooperate.
__________________
Please note that there will be no further updates to my addons; in particular, they will not be upgraded for vB5. I'm leaving vB, since IB chose to go the banana way yet again.

http://www.roma-antiqua.de