  #1  
05 May 2011, 15:02
Valter
Join Date: Aug 2005
Hacked by Team Animus?

If your forum has been hacked by "Team Animus", please read this for help removing the traces of the hack and making your forum secure.

NOTE: Please be careful when removing any data. Make sure you have backups of your important files and databases!

What they did:

[Code block hidden: suspended or unlicensed members cannot view code.]

Here is what I have done:

[Code block hidden: suspended or unlicensed members cannot view code.]


If you have any questions, feel free to ask.

And again: Make sure you have backups of your important files and databases before you delete anything!

Last edited by Valter; 06 May 2011 at 07:52.
  #2  
05 May 2011, 15:15
RCKSTR
Join Date: Jun 2010
ok, so I went to

user>operations>changed the user number to be correct>hit "go"

And it reverts right back to the 13371341

Any ideas?
  #3  
05 May 2011, 15:19
Valter
Join Date: Aug 2005
It should be {LatestUserID} + 1.

Check the user ID of your latest regular user (sort rows by user ID descending). Let's say it's 456.
Go to USER table > Operations > change AUTO_INCREMENT to 457.
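The procedure above, written out as MySQL statements you can paste into phpMyAdmin's SQL tab. This is an added example, not code from the thread; it assumes a default vBulletin install with no table prefix and the standard `user` columns (`userid`, `username`, `usergroupid`, `joindate`). It also shows why the counter appears to "revert": MySQL refuses to set AUTO_INCREMENT below the current highest `userid`, so a high-numbered rogue account (or a few new registrants, as happened in post #4) silently wins.

```sql
-- Added example (not from the thread). Assumes a default vBulletin install
-- with no table prefix and the standard `user` column names.

-- 1. List the newest accounts. A regular user (say 456) followed by a huge
--    jump to an id like 13371341 marks the attacker-created account.
SELECT userid, username, usergroupid, FROM_UNIXTIME(joindate) AS joined
FROM user
ORDER BY userid DESC
LIMIT 10;

-- 2. Anyone in the Administrators group (usergroupid 6 in a default install)
--    that you do not recognise should be removed before touching the counter.
SELECT userid, username, FROM_UNIXTIME(joindate) AS joined
FROM user
WHERE usergroupid = 6;

-- 3. Compute {LatestUserID} + 1 once the rogue rows are gone.
--    With 456 as the latest regular user this returns 457.
SELECT MAX(userid) + 1 AS next_userid FROM user;

-- 4. Reset the counter. If any row with a higher userid still exists, MySQL
--    keeps MAX(userid) + 1 instead, which is the "reverts right back" effect.
ALTER TABLE user AUTO_INCREMENT = 457;

-- 5. Verify: the Auto_increment column should now read 457.
SHOW TABLE STATUS LIKE 'user';
```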
  #4  
05 May 2011, 15:22
RCKSTR
Join Date: Jun 2010
Never mind, I missed 3 new registrants.
  #5  
05 May 2011, 15:43
Valter
Join Date: Aug 2005
I'm still wondering how they added files.

There must be something more than the Forum Rules add-on.
  #6  
05 May 2011, 16:54
Boofo
Join Date: Mar 2002
Real name: Rob
If they breached the DB because of the exploit, it would be nothing to get to the server from there, I would think.

Oh, and this is legit:

08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)

It was added in 4.1.3, I think.
  #7  
05 May 2011, 17:08
Eplexx
Join Date: Nov 2010
Location: Toronto
Real name: Kyle
Great share, I wasn't attacked thank god.
  #8  
05 May 2011, 18:23
Zachery
Join Date: Jul 2002
Real name: Zachery Woods
Not every site had the same things done to it, honestly. Having cleaned a number of them, lots of different things were done to different sites; not all steps were done to all of the sites. It would be in your best interests to RESTORE A BACKUP, or contact vBulletin support for help.
__________________
Looking for ImpEx?
  #9  
05 May 2011, 21:45
wraggster
Join Date: Mar 2005
My forum has also been hacked by 2 different groups. One just did a quick and simple redirect; the other has for the moment taken control and somehow they are redirecting everything to their server. My server admin isn't around at the moment, so I'm totally at a loss how to kill them off.

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vBulletin software.

Last edited by wraggster; 05 May 2011 at 22:09.
  #10  
05 May 2011, 23:35
AusPhotography
Join Date: Nov 2007
Real name: Rick-owner, Kym-admin
We were lucky in that (Australian time) the hack attack occurred in the early morning but after our daily 3am backup.

I changed passwords, I deleted all the newly updated files, I replaced them from the original source, and restored from the 3am backup - all good.
We only lost a handful of threads and posts, but it was the safest option IMHO.

Lessons?
1. Have a daily backup!
2. Have all the source code safe somewhere else.
3. Take more time to eyeball add-on code

Note: Valter's code has been around for years. NO ONE noticed the problem until now.

It's very easy to visually check all form fields and SQL in an add-on, checking that vB cleaning and escape_string have been applied.
We (Admins) all need to be vigilant, no point blaming anyone, TeamAnimus have done us a favour by making us take security seriously.
Not that I would object to tasking Seal Team 6 onto TeamAnimus


Kym

--------------- Added 05 May 2011 at 23:44 ---------------

Originally Posted by wraggster:
My forum has also been hacked by 2 different groups. One just did a quick and simple redirect; the other has for the moment taken control and somehow they are redirecting everything to their server. My server admin isn't around at the moment, so I'm totally at a loss how to kill them off.

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vBulletin software.
Once the vba.php trojan is there, anyone can use it to hack your system.
Sounds like a piggy back attack to me.
__________________
www.AusPhotography.net.au a.k.a. AP is a photography forum where members share their photography, photo editing skills and techniques. We run regular photographic competitions; Rick (site owner) and Kym (site tech) using this account
*** Home of the AP fully comprehensive vb4 photographic competition management solution ***

Last edited by AusPhotography; 05 May 2011 at 23:44. Reason: Auto-Merged DoublePost
  #11  
06 May 2011, 04:16
EuroBeat2
Join Date: Feb 2008
I've been hacked. I hope I got it back, but for some reason my "user titles" are gone, like "junior fellow", "senior fellow", etc. Any suggestion? I tried to repair tables etc., but to no avail.

Tx

EB
  #12  
06 May 2011, 04:22
Frosty
Join Date: Apr 2011
Originally Posted by Valter:
I'm still wondering how they added files.

There must be something more than the Forum Rules add-on.
After they got into the Admin Panel they could easily have added a plugin which would allow them to upload something to the site, i.e. a PHP shell for modifying the current files or uploading newer files.
  #13  
06 May 2011, 06:13
SilentSleeper
Join Date: Nov 2007
Originally Posted by EuroBeat2:
I've been hacked. I hope I got it back, but for some reason my "user titles" are gone, like "junior fellow", "senior fellow", etc. Any suggestion? I tried to repair tables etc., but to no avail.

Tx

EB
1. Connect via phpMyAdmin or SSH
2. Open the table user
3. Run this SQL query

[Code block hidden: suspended or unlicensed members cannot view code.]

4. Then: Update the counters > Update User Titles and Ranks
  #14  
08 May 2011, 04:33
Kangaroo666
Join Date: Feb 2008
Thanks for all your help Valter.
  #15  
09 May 2011, 02:42
0ptima
Join Date: Feb 2002
Was everyone who got hacked using the Advanced Forum Rules?