#46 | CarolSEL (Join Date: Aug 2010) | 09 Sep 2013, 20:39
This guy hacked our site with 3 usernames (administrator, z3ro and Th3H4ck), all admins, and with no record of them registering, no email confirmation to admin, so it had to be manually done. I deleted them, and the contents of the install folder (all were backup files). The site crashed, so I had our ISP restore web files from before the 3 stooges registered, run a malware scan, then verified the htaccess file. Meanwhile, within minutes of being back up, we had 2 more phoney admins, and ZAP! got a message saying, "This site has been hijacked by Frozen.Heart."

I also found at cPanel that all the access logs had been locked. Going through File Manager, I found the files empty.

Neither the ISP nor we have any idea what to do to restore the site without starting over, but they're going through the software now. What else could he have done to hijack the site??

(I'm not much more than a glorified Mod, so hopefully I'll catch on to whatever suggestions you've got!)

One other question: How does this guy find out who vB's clients are???
#47 | xenite (Join Date: Oct 2005) | 09 Sep 2013, 20:47
I would look at the raw server logs and identify the IP addresses he is using. You can buy yourself some time by blocking those in your .htaccess or firewall.
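The triage xenite describes (pull the raw access log, find the addresses that touched what they should not have, turn them into a deny list) as an added example. This is not code from the thread or from vBulletin; the log lines are constructed in the Apache "combined" format, and the sensitive path prefixes assume the forum lives under /forum/ with the default admincp directory name (vBulletin lets you rename it in config.php, so adjust the prefixes to match your install).

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not from the thread).
# 203.0.113.7 hits the install scripts and then the ACP; 192.0.2.9 is a real admin.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2013:20:01:13 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Sep/2013:20:01:20 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.22 - - [09/Sep/2013:20:03:02 +0000] "GET /forum/forumdisplay.php?f=3 HTTP/1.1" 200 18822 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Sep/2013:20:05:41 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Sep/2013:20:06:05 +0000] "POST /forum/admincp/notice.php?do=update HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Sep/2013:20:07:30 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.22 - - [09/Sep/2013:20:08:00 +0000] "GET /forum/showthread.php?t=55 HTTP/1.1" 200 30111 "-" "Mozilla/5.0"
"""

# One "combined" log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths an ordinary visitor has no business touching (assumed layout: forum under /forum/).
SENSITIVE_PREFIXES = ("/forum/install/", "/forum/admincp/", "/forum/modcp/")


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_ips(log_text, allowed_admin_ips=frozenset()):
    """Return {ip: Counter(path -> hits)} for every IP that touched a sensitive path.

    allowed_admin_ips: addresses your own staff legitimately use for the ACP,
    so they are not swept into the block list."""
    hits = defaultdict(Counter)
    for rec in parse_log(log_text):
        if rec["ip"] in allowed_admin_ips:
            continue
        if rec["path"].startswith(SENSITIVE_PREFIXES):
            hits[rec["ip"]][rec["path"].split("?")[0]] += 1   # drop the query string
    return dict(hits)


def htaccess_block(ips):
    """Apache 2.2-style deny rules, which is what a 2013-era shared host most likely runs."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in sorted(ips)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspicious_ips(SAMPLE_LOG, allowed_admin_ips={"192.0.2.9"})
    for ip, paths in found.items():
        print(ip, dict(paths))
    print(htaccess_block(found))
```

On Apache 2.4 the equivalent is `Require not ip 203.0.113.7` inside a `RequireAll` block (the `Order`/`Deny` directives only work there with mod_access_compat loaded). As xenite says, this buys time rather than solving anything: the attacker can come back through a proxy or another address, and the post from CarolSEL above shows the access logs themselves may already have been emptied.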
#48 | CarolSEL (Join Date: Aug 2010) | 09 Sep 2013, 20:57
Thanks, Xenite, but first I need to figure out how to get the site back up, without any surprise easter eggs included. I suspended the account until we can get it fixed...we don't need to advertise his "expertise", since all you get at our URL is a flaming demon with music and his banner headline.

The ISP is asking me for any information available on what he does to the software.
#49 | xenite (Join Date: Oct 2005) | 09 Sep 2013, 21:01
This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.

When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.

I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.
#50 | CarolSEL (Join Date: Aug 2010) | 09 Sep 2013, 21:12
Originally Posted by xenite:
    This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.

    When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.

    I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.

Thanks. Will check it out.
#51 | Zachery (Real name: Zachery Woods, Join Date: Jul 2002) | 09 Sep 2013, 23:31
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
__________________
Looking for ImpEx?
#52 | TheLastSuperman (Real name: Michael Miller Jr, Join Date: Sep 2008) | 10 Sep 2013, 15:26
Erm working on one now where they edited the master style, will update this post once I find out more.

Edit: If you're reviewing plugin edits via the control panel log and notice anything similar to "template.php modify style id = 0", then place your site into debug mode and check the MASTER STYLE for any edits.

The one I located was in the Master Style included in the forumhome template:

[Code block hidden: suspended or unlicensed members cannot view code.]

The code present on your site may vary; it may or may not be a redirect to adf.ly, it could be anything else, so be on the lookout.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 10 Sep 2013 at 15:51.
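Both injection points described in this thread, the notice xenite found (#49) and the MASTER STYLE template TheLastSuperman found (#52), are rows in the database rather than files on disk, so a file-level malware scan will not see them. The following is an added example, not code from either poster or from vBulletin: it shows the SELECTs you would run to export the candidate rows and a scanner that flags any row carrying script, frame, redirect or obfuscated content. The table and column names (`notice.text`, `template.template_un`, `styleid = 0` for the master style) are from memory of the vBulletin 4 schema and should be checked against your own database; the sample rows are constructed.

```python
import re

# Markup that has no place in a forum notice or in the forumhome template:
# anything that runs script, loads a third-party frame, or sends the visitor elsewhere.
INJECTION_PATTERNS = {
    "script_tag":   re.compile(r"<\s*script\b", re.I),
    "iframe_tag":   re.compile(r"<\s*iframe\b", re.I),
    "meta_refresh": re.compile(r'<\s*meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "js_redirect":  re.compile(r"(?:window|document|top|self)\.location\b|location\.(?:href|replace)\s*[=(]", re.I),
    "obfuscation":  re.compile(r"\b(?:eval|unescape|String\.fromCharCode|atob)\s*\(", re.I),
    "base64_blob":  re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}

# SQL to pull the rows worth checking from a vBulletin 4 database.
# Table/column names are from memory of the vB4 schema (assumption: verify against yours).
# styleid = 0 is the MASTER STYLE, which the normal style editor does not show.
EXPORT_QUERIES = {
    "notice":   "SELECT noticeid AS id, title, text AS body FROM notice",
    "template": "SELECT templateid AS id, title, template_un AS body FROM template WHERE styleid = 0",
}


def scan_rows(source, rows):
    """rows: iterable of dicts with 'id', 'title', 'body' (the shape the queries above return).

    Returns a list of findings: (source, id, title, [names of patterns that matched])."""
    findings = []
    for row in rows:
        body = row.get("body") or ""
        hits = [name for name, rx in INJECTION_PATTERNS.items() if rx.search(body)]
        if hits:
            findings.append((source, row["id"], row["title"], hits))
    return findings


# Constructed sample rows standing in for the query results (not real site data).
SAMPLE_NOTICES = [
    {"id": 1, "title": "Welcome", "body": "Welcome to the forum, please read the rules."},
    {"id": 2, "title": "Update",  "body": '<script>window.location="http://example.invalid/x";</script>'},
]
SAMPLE_TEMPLATES = [
    {"id": 10, "title": "forumhome",
     "body": "<vb:if condition=\"$show['x']\">$navbar</vb:if>\n"
             "<iframe src=\"http://example.invalid/\" width=\"0\" height=\"0\"></iframe>"},
    {"id": 11, "title": "header", "body": "<div id=\"header\">$vboptions[bbtitle]</div>"},
]


def run_demo():
    """Scan the constructed rows; returns the combined findings list."""
    return scan_rows("notice", SAMPLE_NOTICES) + scan_rows("template", SAMPLE_TEMPLATES)


if __name__ == "__main__":
    for source, row_id, title, hits in run_demo():
        print("%s #%s (%s): %s" % (source, row_id, title, ", ".join(hits)))
```

Two caveats. A hidden 0x0 iframe or a short redirect is easy to miss by eye in a long template, which is why a pattern scan over the exported rows beats reading them in the ACP. And vBulletin caches compiled templates and the notice set, which is consistent with xenite's observation that editing the row directly did not stop the redirect until the notice was saved again from the ACP: after any direct database edit, rebuild the styles and clear the caches from the control panel, then verify the page source as a logged-out visitor.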
#53 | obglobal.net (Join Date: Jan 2013) | 10 Sep 2013, 15:33
I got got.

I'm bottom of the barrel level too, so I'm just bewildered. Lost about 30 posts by members after restoring to the previous day's backup via MySQL.

What's with these colon licking hackers?

--------------- Added 10 Sep 2013 at 15:44 ---------------

Originally Posted by Lynne:
    DELETE YOUR INSTALL DIRECTORY!!!
Please give me as thorough a walk through as possible on this, Lynne/anyone.

Sorry.

never mind. I got it.

Last edited by obglobal.net; 10 Sep 2013 at 16:05.
#54 | TheLastSuperman (Real name: Michael Miller Jr, Join Date: Sep 2008) | 10 Sep 2013, 16:05
Basically you know how all those folder and files related to vBulletin must be uploaded to your server? You want to locate the folder /install/ and delete it entirely.

[Attached image: deleteinstallfolder.png]
#55 | Edgespeeder06 (Join Date: Nov 2009) | 10 Sep 2013, 23:17
Someone sent me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?
#56 | CarolSEL (Join Date: Aug 2010) | 10 Sep 2013, 23:25
Originally Posted by Edgespeeder06:
    Someone sent me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?
I don't know. I deleted the install folder, but the site got hijacked, and after reinstalling vB it's still not up.
#57 | TheLastSuperman (Real name: Michael Miller Jr, Join Date: Sep 2008) | 10 Sep 2013, 23:43
Originally Posted by Edgespeeder06:
    Someone sent me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?
No, if you were hacked there is a high probability that the hacker uploaded a shell script and could have backdoors in various folders on your server. There is actually quite a bit you need to do in order to rid yourself of this. If you are not experienced in these matters contact your host and link them to this thread along with these links which have helpful info:

Originally Posted by CarolSEL:
    I don't know. I deleted the install folder, but the site got hijacked, and after reinstalling vB it's still not up.

By that you mean what? That you dropped all tables in the database, deleted all the files, then installed 100% from scratch using new files and a clean database, and it's still not working?
#58 | Zachery (Real name: Zachery Woods, Join Date: Jul 2002) | 11 Sep 2013, 00:39
Btw, I updated my blog again, with some additional steps to help remove the exploits.
#59 | CarolSEL (Join Date: Aug 2010) | 11 Sep 2013, 13:07
Originally Posted by TheLastSuperman:
    By that you mean what? That you dropped all tables in the database, deleted all the files, then installed 100% from scratch using new files and a clean database, and it's still not working?
No.
1. My site went down with a server error message.
2. Host got it back up, but home page "wasn't right". I noticed that I had phoney "admins" in my usergroup who were "registered" minutes before the error and deleted them. I read this thread and deleted the install folder. (Obviously, the payload had already been delivered.)
3. Site got hijacked.
4. Via link to ACP I shut down the boards, stopped all plugins.
5. Host restored a web file backup from 2 days prior to hacker reg, ran malware checks; site crashed and I cannot access ACP.
6. Following instructions from this site, I downloaded a fresh copy of 4.2.1 and uploaded the files to the server, overwriting the old ones.
7. Site is still down.

So how do I know if the db is clean? If not, have I lost all the member data? Is there a way to delete all the files except the forum and membership?

I will give this link to host, and will check out all the cleanup suggestions you and Zachery give.
#60 | willy888 (Join Date: Apr 2006) | 11 Sep 2013, 13:27
I had the same problem in 4.2.1. Some days ago someone registered as admin...... we deleted him.
Yesterday the same, we deleted him.
I read here to delete the install folder, I did it.
The site is down.... database error.
I re-uploaded all of 4.2.1 and tried Upgrade or Install, and I get this error:


[Code block hidden: suspended or unlicensed members cannot view code.]