Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #16  
Old 06 Nov 2014, 12:21
Muhammad Rahman Muhammad Rahman is offline
 
Join Date: Jun 2012
Originally Posted by Dave View Post
Check the FG, FGD, ghj and Lintas Agama Terbaru plugins because they have suspicious names which I never heard of. If unsure, post the contents of the plugins here.
that plugin its my make with unique name ..
__________________
none_
Reply With Quote
  #17  
Old 06 Nov 2014, 16:57
HM666's Avatar
HM666 HM666 is offline
 
Join Date: Jan 2014
Real name: Len Kaiser
Have you overwritten the files with the vBulletin files downloaded from the members area? This is what you need to do to get rid of this problem for now. To my knowledge there is no vblogin.php file in the official download, its called login.php if I remember correctly. So as said before they modified this to use that file.

To find how they got in is a different matter. If you are running your forum on a shared server then that is more and likely how. Shared servers and just that...shared and less secure than a VPS or dedicated server. You can try and speak with your web host and see if they have any way to tell where the attack came from. Most likely the hacker gained access to your FTP and changed/uploaded files to your site.
Reply With Quote
  #18  
Old 06 Nov 2014, 17:03
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
Are you using any nulled plug ins? The nulled plug ins for Dbtech seo are known to do this. Be sure all your plug ins are licensed and up to date and that your file permissions are correct. Also that you have the latest patch for your Vbulletin version.

Once you find the hole you will need to change all server log ins, ftp, mysql, etc and admin logs.
__________________

Let us take care of your forum, seo, seo reports, maintenance, what ever you need.

Reply With Quote
  #19  
Old 06 Nov 2014, 18:00
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
I saw the name Plum, he's one of the known powersurge hackers.

- You could have been hacked into long ago, spare admin accounts present?
- Even if you have disabled a mod/plugin the files still have the vulnerabilities present so m,ods such as Tapatalk which had a recent security exploit found should always be updated to the most secure version or removed entirely.
- Do as HM666 mentioned and overwrite all files, after that review the back-end and see if there's any spare admin accounts (use usergroup manager check for accounts w/ secondary usergroups assigned as well) and then check the plugins via the plugin manager as they can edit plugins after gaining access then finally check all files that were not overwritten and do not skip checking your attachments folder if stored in filesystem I've seen them hide files there too.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
Reply With Quote
  #20  
Old 06 Nov 2014, 18:02
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by Muhammad Rahman View Post
that plugin its my make with unique name ..
You wrote it/them? If so check them again and be sure you coded them properly otherwise you could have a plethora of security issues that we'll never be aware of or able to offer assistance with and no do not post your code, if its a private mod/plugin all the better since code is not known I would review with another fellow coder or ask for assistance in the Private Coders Discussion forum.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
Reply With Quote
  #21  
Old 06 Nov 2014, 18:29
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
Originally Posted by TheLastSuperman View Post
You wrote it/them? If so check them again and be sure you coded them properly otherwise you could have a plethora of security issues that we'll never be aware of or able to offer assistance with and no do not post your code, if its a private mod/plugin all the better since code is not known I would review with another fellow coder or ask for assistance in the Private Coders Discussion forum.
Ive seen the same hack embedded with hacked versions of Dbtechseo and Vbseo too.

I agree not to share the hack.
__________________

Let us take care of your forum, seo, seo reports, maintenance, what ever you need.

Reply With Quote
  #22  
Old 06 Nov 2014, 21:06
tbworld tbworld is offline
 
Join Date: Oct 2008
Bottom line, he is probably going to have to hire someone to clean it all up and then add some isolation code with some additional tracking. If he hires the right professional he will learn a ton during the process. I would suggest paying extra to the consultant with this in mind. Find a consultant with great communication skills. Sorry you were hacked! (-- Yes, I know I changed grammatical person. --)

FYI: I do not run a business that assists others in vbulletin problems, programming or maintenance. Therefore, I am not saying this for my own benefit.
Reply With Quote
  #23  
Old 06 Nov 2014, 21:55
Muhammad Rahman Muhammad Rahman is offline
 
Join Date: Jun 2012
Originally Posted by TheLastSuperman View Post
I saw the name Plum, he's one of the known powersurge hackers.

- You could have been hacked into long ago, spare admin accounts present?
- Even if you have disabled a mod/plugin the files still have the vulnerabilities present so m,ods such as Tapatalk which had a recent security exploit found should always be updated to the most secure version or removed entirely.
- Do as HM666 mentioned and overwrite all files, after that review the back-end and see if there's any spare admin accounts (use usergroup manager check for accounts w/ secondary usergroups assigned as well) and then check the plugins via the plugin manager as they can edit plugins after gaining access then finally check all files that were not overwritten and do not skip checking your attachments folder if stored in filesystem I've seen them hide files there too.
- no, this first time
- oh no! Tapatalk not Update
- attachment now i changed back to database system

hacker delete all .htaccess file to have access to open protected directory ..

--------------- Added 06 Nov 2014 at 22:00 ---------------

Originally Posted by RichieBoy67 View Post
Ive seen the same hack embedded with hacked versions of Dbtechseo and Vbseo too.

I agree not to share the hack.
so DBTech SEO not secure?
__________________
none_
Reply With Quote
  #24  
Old 06 Nov 2014, 22:16
tbworld tbworld is offline
 
Join Date: Oct 2008
Originally Posted by Muhammad Rahman View Post
so DBTech SEO not secure?
Once they have access to the root system they can hide whatever they want in the file system and the database. With a trained eye you can see how they hacked in via your logs - if you have a full set. You can sift through your logs to see what else they have changed, but depending on when you were hacked you could be at it for a while unless they used the same IP -- which they rarely do.

If you can rollback, then do so. Use a professional to add some isolation and tracking code in case you are hacked in the future and move on in your life. Plugins and modifications are always risky unless you know what you are doing. If you stay up-to-date with your modifications from Dbtech, you should be fairly safe. All software has the possibility to be hacked.
Reply With Quote
  #25  
Old 06 Nov 2014, 23:19
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Originally Posted by Muhammad Rahman View Post
so DBTech SEO not secure?
If it was a nulled mod sure it is not secure, if you got it from here or their site it should be fine.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #26  
Old 06 Nov 2014, 23:25
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Real name: Richie
yeah, Dbtech mods are great. I meant a hacked/nulled version that some people try to get online so they can use with out a license. That always is asking for trouble.

If you bought it from DBtech or downloaded it here then I am sure it is something else.
__________________

Let us take care of your forum, seo, seo reports, maintenance, what ever you need.

Reply With Quote
  #27  
Old 06 Nov 2014, 23:47
Muhammad Rahman Muhammad Rahman is offline
 
Join Date: Jun 2012
Originally Posted by ozzy47 View Post
If it was a nulled mod sure it is not secure, if you got it from here or their site it should be fine.
Originally Posted by RichieBoy67 View Post
yeah, Dbtech mods are great. I meant a hacked/nulled version that some people try to get online so they can use with out a license. That always is asking for trouble.

If you bought it from DBtech or downloaded it here then I am sure it is something else.
since use vBulletin License .. I never use nulled mod ...
my hosting say hacker inject via script/mod to upload msd.zip and try find config.php to see database username and password .. and then run msd script ..,
__________________
none_
Reply With Quote
  #28  
Old 06 Nov 2014, 23:53
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Well I would follow all the stuff in the blogs I linked you to in post #6 http://www.vbulletin.org/forum/showt...02#post2521602
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #29  
Old 07 Nov 2014, 00:05
HM666's Avatar
HM666 HM666 is offline
 
Join Date: Jan 2014
Real name: Len Kaiser
Muhammad when was your last back up of your site before this hack occurred? You may have to at the worst revert the site to that point when it was not hacked. That is a last ditch effort though and should only be done if nothing else can be, mainly because you would lose some data in that process so save that option for last but be prepared it might come down to that.

Steps you should take:

1. Go to members.vbulletin.com, login and download the same version that you are running on the site.

2. Unzip it and upload all the vbulletin core php files in binary only. You probably won't have to upload your images but you should check them just to be sure sometimes these hackers will change them. So download those from your web site and check them to be sure that they are not files that are hacked (or look like they are supposed to). If the images have been hacked them upload them as well but NOT in binary mode.

3. Go into your admincp and look on the left side column and find "Maintenance" click it to open if its not open and then go to "Diagnostics". Now on your right you will see "Suspect File Versions" click the "Submit" button under it. This will give you an idea of what files have been changed, are not part of vBulletin, or compromised. Just because it says that its not part of vBulletin does not mean that its a hacked file. It maybe a part of a mod you are using. But if there are weird ones or ones that really you do not remember uploading then download them to your PC desktop and check them in some thing like Dreamweaver or HTMLKit. You can check the code.

4. Go to "Usergroups>Usergroups Manager" Tick the drop down on the right and choose "Show All Primary Users" if you do not recognize an admin account try to delete it. If you cannot and it gives you a message about the account not being able to be changed then you will need to download your includes/config.php file and check the Undeletable Admin portion against the ID of that account in your admincp and take out the ID, save the file and upload it again. After you upload it again try to delete that admin account again.

5. Now still in the Usergroups Manager tick the drop down next to the Administrators and choose "Show All Secondary Users", again if you do not recognize the accounts delete them, if you cannot and get a error message then remove them from your config.php and try to delete them again.

6. Now go to "Styles & Templates" on the left side bar and click it to open if its not already open. Click on "Style Manager". Find the style you are using on the site. Click the drop down on the right and choose "Edit Templates". Click the first button next to "All Template Groups" it should look like this: << >> This will show all your templates. Scroll down and when you come across one that is in red open it and look to see if you see the hackers code in the template. If not cancel and move on to the next template in red. If you see the hackers code in your template then copy and paste all the template code into a notebook file and save it and then click on the template in the list and click the "Revert" button. You save the template in a notebook file just in case there is coding that has been changed and you need it. OR......you can just create a new skin and try working within it instead, but that would mean that any template modifications that have been done due to a mod or you have done personally would need to be redone. So that is up to you on that one which way you go. Once you have gone through all the templates and gotten rid of the hackers code if its there you should have been able to get rid of the hack by this point. If not...

Well if not then it might be in the database which is the worse case scenario I was discussing further up. This is where you might have to go to your last back up of the site before the hack happened.

After you get rid of the hack you will need to perform some basic things on the site to ensure that you are more secure in the future. You can find info on getting secure here: http://www.vbulletin.org/forum/showt...ghlight=hacked

Hope this helps and sorry if its was long winded or things you already knew to do.

--------------- Added 07 Nov 2014 at 00:06 ---------------

Originally Posted by Muhammad Rahman View Post
since use vBulletin License .. I never use nulled mod ...
my hosting say hacker inject via script/mod to upload msd.zip and try find config.php to see database username and password .. and then run msd script ..,
Find and delete msd.zip and everything it may have created in your files.

msd is MySQL Dumper its a script that will dump your entire database! Its used for backups or to physically change your database. This would need to be removed immediately.

Last edited by HM666; 07 Nov 2014 at 00:11.
Reply With Quote
  #30  
Old 07 Nov 2014, 01:06
Muhammad Rahman Muhammad Rahman is offline
 
Join Date: Jun 2012
thanks HM666 ..
all file ready restore to before site hacked and not found msd folder again
__________________
none_
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 01:11.

Layout Options | Width: Wide Color: