  #1  
Old 19 Jul 2016, 08:08
tanzeelniazi
 
Join Date: Apr 2012
Need Help about hacking

Hello all, I have a problem. Today I got so many emails about database errors.
I think someone tried to hack but failed, not completely sure.
I got these emails:


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.




and some other types of database errors.
Is someone trying to hack me?
Did someone get my database?
Any help?
  #2  
Old 19 Jul 2016, 10:13
Kane@airrifle
 
Join Date: Jun 2011
Real name: Kane
You had better update and patch ASAP: http://www.vbulletin.com/forum/forum...or-vbulletin-4
  #3  
Old 19 Jul 2016, 11:59
z3r0
 
Join Date: Apr 2005
Location: Lancashire, UK
Check for a new plugin added named "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff, if it's there you have been hacked and you should disable/remove it and have a check for any files uploaded to your forum (left menu -> maintenance -> diagnostics -> suspect file versions)
  #4  
Old 19 Jul 2016, 13:58
tanzeelniazi
 
Join Date: Apr 2012
How do I check in "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff?
  #5  
Old 19 Jul 2016, 14:43
z3r0
 
Join Date: Apr 2005
Location: Lancashire, UK
From the admincp go to plugin manager in the left column, then check for a product titled "vbulletin" that has the hook location "init_startup", click edit, and if it contains the word base64 and a load of random text then you need to disable it.
  #6  
Old 19 Jul 2016, 15:04
RichieBoy67
 
Join Date: Apr 2004
Real name: Richie
If you need help let me know. Definitely follow the above advice asap. Also disable forumrunner until you update.
__________________

Let us take care of your forum, seo, seo reports, maintenance, what ever you need.

  #7  
Old 19 Jul 2016, 15:14
Dave
 
Join Date: Jun 2010
Real name: Dave
Delete the forumrunner directory or rename it to something random asap in case you haven't patched it yet.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
  #8  
Old 19 Jul 2016, 18:53
Paul M
 
Join Date: Sep 2004
Real name: Paul M
Originally Posted by RichieBoy67:
If you need help let me know. Definitely follow the above advice asap. Also disable forumrunner until you update.
Disabling Forumrunner will have no effect on the issue, you must either patch it, or remove it.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
  #9  
Old 20 Jul 2016, 00:19
TheLastSuperman
 
Join Date: Sep 2008
Real name: Michael Miller Jr

Originally Posted by z3r0:
Check for a new plugin added named "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff, if it's there you have been hacked and you should disable/remove it and have a check for any files uploaded to your forum (left menu -> maintenance -> diagnostics -> suspect file versions)
Actually, it's best to check the datastore table, (Edit: well truth be told check regular plugins via admincp, the plugin table as well PLUS the datastore table, check them all!) then look in the pluginlist (there are two, pluginlist and pluginlistadmin so be sure to check both, typically malicious code is only in pluginlist though) because code added to the bottom of this will not show in one single/particular "plugin" via the admincp because this contains all the plugins in one list not a single view per se. You can also scroll the entire contents of pluginlist to see a complete list of plugins installed on your site, be careful if editing out malicious code and once done go to your admincp then into plugin manager and save the active status (to reset datastore/plugins) otherwise changes may not show immediately and/or could cause display issues.

What some have been doing is injecting their base64 code at the very bottom (scroll to find, they add tons of white space so you won't notice right off the bat unless you scroll down, i.e. if a scrollbar exists when viewing via phpmyadmin, scroll scroll scroll) and more so we see this with myfilestore than any other type of exploit (also if you're dealing with that in particular, myfilestore redirect then also check the file datastore_cache.php which is located in /includes/datastore/ for any mal code).
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 20 Jul 2016 at 00:25.
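
Added example, not part of the original thread and not vBulletin code: a small Python check for the signs described in the posts above (the word base64, a load of random text, and code hidden below a long run of white space), to be run over text exported from a plugin's code or from the pluginlist datastore entry. The function name, thresholds, the watch list of PHP function names and the sample strings are assumptions made up for this illustration.

```python
import re

# PHP calls often seen in obfuscated injected code (assumed watch list).
SUSPECT_CALLS = re.compile(
    r"\b(base64_decode|eval|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# "A load of random text": a long unbroken run of base64 alphabet characters.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# Padding used to push appended code out of view (threshold is an assumption).
PADDING = re.compile(r"\s{200,}")


def scan_plugin_code(text):
    """Return (kind, offset, excerpt) findings for one exported value."""
    findings = []
    for m in SUSPECT_CALLS.finditer(text):
        findings.append(("suspect_call", m.start(), m.group(1).lower()))
    for m in B64_BLOB.finditer(text):
        findings.append(("base64_blob", m.start(), m.group(0)[:16] + "..."))
    for m in PADDING.finditer(text):
        # Trailing white space alone is harmless; report only when
        # something follows the padding.
        if m.end() < len(text):
            findings.append(("code_after_padding", m.end(),
                             text[m.end():m.end() + 40]))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample data: a harmless plugin body, and the same body with
# padding plus an appended block whose "payload" is just "ABC" repeated.
CLEAN = "if ($vbulletin->options['example_enabled']) { $show['example'] = true; }"
PAYLOAD = "QUJD" * 30
INJECTED = CLEAN + "\n" + " " * 500 + "\n" + "eval(base64_decode('" + PAYLOAD + "'));"

if __name__ == "__main__":
    for kind, offset, excerpt in scan_plugin_code(INJECTED):
        print(f"{kind:20} at {offset:5}: {excerpt}")
```

A finding is a reason to open the entry and read it, not proof of compromise: legitimate add-ons can also call base64_decode.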
  #10  
Old 20 Jul 2016, 00:23
RichieBoy67
 
Join Date: Apr 2004
Real name: Richie
There is a good chance that debase64 code was already added to all of the files as well at this point.

--------------- Added 20 Jul 2016 at 00:24 ---------------

Originally Posted by Paul M:
Disabling Forumrunner will have no effect on the issue, you must either patch it, or remove it.
Yes, correct. Thank you Paul for the correction. That is why you get the big bucks!
  #11  
Old 20 Jul 2016, 09:21
tanzeelniazi
 
Join Date: Apr 2012
Originally Posted by z3r0:
From the admincp go to plugin manager in the left column, then check for a product titled "vbulletin" that has the hook location "init_startup", click edit, and if it contains the word base64 and a load of random text then you need to disable it.
In product vBulletin I have no init_startup.

@RichieBoy67
I already disabled Forumrunner. Can I delete all forumrunner files?


--------------- Added 20 Jul 2016 at 09:34 ---------------

Superman, I really don't know what you are saying because you wrote so many words and my English is not good and I am a little confused. Please give me the perfect idea.
Can I delete the forumrunner files, or install the patch? Because I don't want to upgrade my vB version at this time. I have 4.2.0 and many addons working fine; if I update my vB, afterwards some addons will not work, so I need help with my confusion.
  #12  
Old 20 Jul 2016, 11:14
socialteenz
 
Join Date: May 2011
Real name: Arun
@tanzeelniazi

Yes, you can go ahead & delete the forumrunner directory. You won't break any add-on by upgrading from 4.2.0 to the latest. Make sure you're on php5.4.0 or greater.

Always have a backup before upgrading.
  #13  
Old 20 Jul 2016, 12:35
tanzeelniazi
 
Join Date: Apr 2012
I see some addons are not updated for 4.2.2 etc., so I cannot upgrade my vB.
If I remove the forumrunner directory, will my problem be solved afterwards?

--------------- Added 20 Jul 2016 at 13:07 ---------------

Now deleted the forumrunner dir.
Am I safe now?
  #14  
Old 20 Jul 2016, 14:54
Paul M
 
Join Date: Sep 2004
Real name: Paul M
Originally Posted by tanzeelniazi:
Now deleted the forumrunner dir.
Am I safe now?
Safe? From that specific FR issue, yes.
However, since you are running vB 4.2.0, you are not safe, it has other security holes, patched in later versions.
  #15  
Old 20 Jul 2016, 16:02
RichieBoy67
 
Join Date: Apr 2004
Real name: Richie
You need to upgrade, and if they added a plugin or injected any debase64 code into your files you still have an issue.