  #1  
Old 08 Sep 2015, 06:00
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Forum hacked, restored, now showing bare index

Probably 10th time in 4 years, my forum has been hacked. This time Turkish hackers inserted "class.php" into the /includes directory, my provider (Webhostinghub) is adamant they came through some VB backdoor, which I doubt.

VB 4.2.3 all vanilla, no Mods.
Passwords for site and ftp different, 30-40 characters, free form text with blanks, uppercase, numbers.

Wiped the site out and restored from last good known backup.

All VB files are in ./public_html/forums, as in picture 1

Now it is showing bare index, as in picture 2.

When going into "forum", it does show the site is down and under maintenance.
But if anyone clicks on the pictures, it is free to look at them with no login.
(I have moved pictures to another directory since until this is resolved but picture 4 shows how it was).

Why is it going now into bare index not into the full site?
Attached Images
File Type: jpg 2015hacked01.jpg (84.3 KB, 23 views)
File Type: jpg 2015hacked02.jpg (29.1 KB, 18 views)
File Type: jpg 2015hacked03.jpg (84.0 KB, 23 views)
File Type: jpg 2015hacked04.jpg (70.0 KB, 13 views)
  #2  
Old 08 Sep 2015, 06:21
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
Did you look under diagnostics to see what files are left, and check your plug-ins as well?

--------------- Added 08 Sep 2015 at 06:22 ---------------

If you were hacked many times then chances are they did leave a "door" on your site which was never patched.
__________________

Let us take care of your forum, seo, seo reports, maintenance, what ever you need.

  #3  
Old 08 Sep 2015, 06:28
loua_oz loua_oz is offline
 
Join Date: Dec 2010
I wiped out the site, removed directories and created them afresh this morning.

Maintenance - diagnostics shows nothing strange.
The site is vanilla, no plugins, nothing that did not come with VB.

Hacking my site is rather like farming web services users hosted by that provider, using them as bots. Wells Fargo sent me once to stop spamming from my site.

Only 2 out of 10 times they shut down the site with some message.
  #4  
Old 08 Sep 2015, 06:40
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
Sounds like you have a ton of stuff on there still. Go under maintenance and run the diagnostics. Check your plug-ins as well.

I really do not know what you mean by you wiped everything out. You reinstalled vBulletin fresh or just uploaded clean files? In that case you did not overwrite the hacked files, which may not only have been vBulletin.

There are many things you need to do even after you clean this to make sure it is secure but it looks like you have a long ways to go.

  #5  
Old 08 Sep 2015, 08:38
loua_oz loua_oz is offline
 
Join Date: Dec 2010
This is what it was:
The .htaccess file was not in the root directory. After blasting the entire installation, it, of course, did not come there from the VB install. Dragged it from backup and all fine.

That file contains redirection to the home page; without it, it defaults to bare index.
  #6  
Old 08 Sep 2015, 08:48
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
Ok good. You installed a fresh copy of Vbulletin? I am a little confused but glad it is working anyways.

  #7  
Old 08 Sep 2015, 10:27
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Honestly, I don't know what is different this time. If the hacker who broke in yesterday is pleased to do again today, the same hole would be ready for him.

Whether they come through cPanel, site itself or through VB, nothing has changed, even if VB is fresh install. The hosting site said it was not through ftp. They also said password was not used to get in, how they know, through their logs probably.
  #8  
Old 08 Sep 2015, 11:40
HM666 HM666 is offline
 
Join Date: Jan 2014
Real name: Len Kaiser
Are you on shared hosting? That is the most common way that hackers get in and it IS the host's fault in most cases, NOT vBulletin, if it's a fresh install with no mods added on. Shared hosting is famous for not being very secure. I suggest if you are that you either change hosts or get a VPS instead where you can control the security.
  #9  
Old 08 Sep 2015, 11:57
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Yes, possible.
Yes again, shared hosting, it may well be their problem. As I said, seems the hackers waltz in and farm the users and their sites without apparent problem with their sites. They (webhostinghub.com) applied some measures that alert me when (some, what their poor security can detect) it happens. They quarantine the malicious code but still - it comes through their lack of security.

Issues like this have a potential to drive a hosting company out of business.

If any, the luck is my site is not commercial, no money loss. But hours lost to restore by me for someone who had ruined my site for fun.

When I asked webhostinghub.com why don't they introduce 2 level login (with RSA dongle) they said it could fix cPanel only but not "3rd Party software", possibly implying VBulletin to be at fault.
They confirmed nobody had compromised my passwords and logged in.

I still believe it is cPanel, an independent vendor, who is at fault.
No offers for help (paid) from this site would fix it. It is not VB, I think.
  #10  
Old 08 Sep 2015, 14:21
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
Well it could be hosting but my guess is that it is something you have missed.

Did you delete all the files on your server and reinstall fresh? Did you run the diagnostics to look for third party files?

Have you been with this same host all the other times you were hacked?

  #11  
Old 08 Sep 2015, 18:40
HM666 HM666 is offline
 
Join Date: Jan 2014
Real name: Len Kaiser
Originally Posted by loua_oz View Post
Yes, possible.
Yes again, shared hosting, it may well be their problem. As I said, seems the hackers waltz in and farm the users and their sites without apparent problem with their sites. They (webhostinghub.com) applied some measures that alert me when (some, what their poor security can detect) it happens. They quarantine the malicious code but still - it comes through their lack of security.

Issues like this have a potential to drive a hosting company out of business.

If any, the luck is my site is not commercial, no money loss. But hours lost to restore by me for someone who had ruined my site for fun.

When I asked webhostinghub.com why don't they introduce 2 level login (with RSA dongle) they said it could fix cPanel only but not "3rd Party software", possibly implying VBulletin to be at fault.
They confirmed nobody had compromised my passwords and logged in.

I still believe it is cPanel, an independent vendor, who is at fault.
No offers for help (paid) from this site would fix it. It is not VB, I think.
Always try to have frequent backups. But I'm guessing you have already got that under control. Has the hosting company upgraded cPanel lately? Do you know? I know mine upgraded my cPanel WHM within the last month or two, so possibly it's an old version. No idea.

Originally Posted by RichieBoy67 View Post
Well it could be hosting but my guess is that it is something you have missed.

Did you delete all the files on your server and reinstall fresh? Did you run the diagnostics to look for third party files?

Have you been with this same host all the other times you were hacked?
Yeah, all good questions in trying to find the issue. Also, are you sure that there is no portion of the hack in the vBulletin database itself? Since you keep on getting the same thing, that may be possible as well.
  #12  
Old 08 Sep 2015, 21:54
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Whole this business is Mickey Mouse, I am not surprised it gets hacked, the surprise is it has ever worked at all.

The hosting company upgraded cPanel (another mickeymousepieceofsh1t) 2 months ago.

The day I changed my password into free text and as guessable as "Walked d0wn the str1t and heard d0g fart while black dog humped the white 0ne" they sprayed me with banners like "Hackers can guess your password and (must click): Accept the risk: Yes No".

That tells how helpless they are.

Should I change the provider? I could, just to see that new one is as clueless as the previous.
  #13  
Old 08 Sep 2015, 23:55
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
Well we still do not know for sure it is your server. You have not answered my questions.

#1 - Did you wipe all the files off the server and reinstall vBulletin fresh?

#2 - Did you run diagnostics and check for files that do not belong? Did you check those files and look for debase64 code?

#3 - Did you go into the plug in manager and look for plug ins that should not be there?

  #14  
Old 09 Sep 2015, 00:18
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Trivialities like that were done even before I posted here.

Whole root directory "rm -r", wiped out
Fresh install of VB 4.2.3
There are no plugins, all vanilla
Maintenance-Diagnostics shows nothing that should not be there

And then, I asked here why is it not going into the Forum home page and you went around and around (offering paid service via PM) instead of (if you knew it) telling me there is
.htaccess
file missing and that does not come with fresh install.
  #15  
Old 09 Sep 2015, 01:37
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Ok so the folders and files were restored from your backup... was this a complete backup meaning - Did it contain the folders, files, AND all databases?

- If you restored the folders and files only, then the hacker apparently altered your database.
-- The reason we would speculate this to be the cause is: you stated you completely wiped the root directory, therefore uploading 100% fresh files did not fix this, per your screenshot, so one would be safe to assume (despite the saying regarding that lol) that they altered your actual database. I myself have seen sites where they altered all files and also inserted their webtemplate w/ all the hacker info and silly rubbish into all templates in the style, every single template, so more than you think is going on here could quite possibly be going on; you never know until you really dig into it.
**Be careful wiping all files, most owners store their attachments in the actual filesystem and by simply deleting all "possibly" infected files you would in-turn be deleting all attachments - ACK! So always check settings first before blindly deleting folders and files. I would have moved all the contents of the forums root into a new folder, CHMOD it 000 to prevent anything from running that way if attachments were stored that way you could check and clean them later if need be then simply CHMOD back to correct permissions and restore the files to the correct location.

-If you restored a complete backup including all folders, files, and databases then something else must be "up" or wrong. They may or may not have uploaded a shell script or similar such as c99 madshell or a variant and went about modifying what they could and wanted to regarding the actual server.
-- Yes, a hacker can gain access to one site on a shared server and from there gain access to others, it's not the hardest thing to do and happens all the time when people do not keep software up-to-date in regards to security and exploits. If your site is a VPS/Dedicated they can still modify the server to a certain degree if they have a shell script in place, of course depending on the sophistication of the script being used.

Check on vBulletin.com for posts and blog posts by myself and Zachery - we have useful info and queries to run that help you look for such things. Edit: Two links I included in my next post following this one.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 09 Sep 2015 at 02:32.
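
The checks asked for in this thread (files that do not belong, such as the class.php found in /includes, and files carrying base64-encoded code), as an added example that is not part of any post and is not vBulletin's own diagnostics: it compares a live web root against a pristine unpack of the same release and reports extra files, changed files, and PHP files with common obfuscation markers. The marker list, function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic markers of obfuscated PHP (assumed list; a hit needs manual review).
OBFUSCATION = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def audit(live: Path, clean: Path) -> dict:
    """Compare a live web root with a pristine unpack of the same release."""
    live_m, clean_m = manifest(live), manifest(clean)
    return {
        # Not shipped by the vendor: uploads, config, .htaccess, or a dropped file.
        "extra": sorted(set(live_m) - set(clean_m)),
        # Shipped file whose content no longer matches the release.
        "changed": sorted(f for f in set(live_m) & set(clean_m)
                          if live_m[f] != clean_m[f]),
        "obfuscated": sorted(f for f in live_m if f.endswith(".php")
                             and OBFUSCATION.search((live / f).read_bytes())),
    }


def demo() -> dict:
    """Build a constructed clean/live pair in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'forum.php';\n")
            (root / "includes" / "functions.php").write_text("<?php // stock\n")
        # Constructed differences: harmless stand-ins, not real samples.
        (live / "index.php").write_text("<?php require 'forum.php'; // edited\n")
        (live / ".htaccess").write_text("DirectoryIndex forum.php\n")
        (live / "includes" / "class.php").write_text(
            '<?php eval(base64_decode("ZWNobyAxOw==")); // decodes to: echo 1;\n')
        return audit(live, clean)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Entries under "extra" are not all hostile: a restored .htaccess, the site config and attachment storage will appear there too, so the list is a review queue, and a file-level check like this says nothing about content altered in the database.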