#61
11 Sep 2013, 12:38
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr

Originally Posted by CarolSEL
5. Host restored a web file backup from 2 days prior to hacker reg, ran malware checks; site crashed and I cannot access ACP.
When I refer to backups I always say database backup and filesystem backup, one being a copy of your database at the time the backup was made and the other being the actual folders with files.

When you say they restored a web backup do you mean they had a full database(1)
AND filesystem(2) backup and restored both(3)?

1 If the host restored then they know to drop the tables in fact the entire database depending on restore method. The issue here for some site owners who attempt this themselves is the fact they tend to import a backup onto a populated database i.e. overwriting newer data with older data and that can cause issues. The proper way to do it is to drop all tables from the database then import the backup into the now empty database thereby restoring it.

2 If the host restored a filesystem backup, it must be BOTH filesystem AND database because the two must match each other i.e. timeframe, if the database backup was made at 5pm your time then the filesystem backup should be from that same time and by disabling the forum before a backup you ensure no activity is taking place i.e. avatar/image uploads so the two will in fact match what the database knows is within the filesystem.

3 If only one was done, as I said above in note #2 it must be both. Now is there an exception? Yes! The inability to access the admincp could be modification related, if you restored fresh files only and forgot to upload all the missing plugin files then that can cause inability to access, if you feel that is the case locate the missing modification files and upload them (you can still access the database via phpmyadmin so check the product and plugin tables). If you have issues tracking down the files OR truly believe this is the issue then start disabling each plugin one by one using this article until you find the culprit as not all plugins disable when you disable mods via the config file, I've seen some odd situations and scenarios with certain third-party modifications/plugins.

Originally Posted by CarolSEL
6. Following instructions from this site, I downloaded a fresh copy of 4.2.1 and uploaded the files to the server, overwriting the old ones.
Was the version you were running at the time of the hacking in fact 4.2.1? If you were, let's say for example, running 4.2.0 and then overwrote those files with 4.2.1 files without running the upgrade script, then issues can occur, and if that is the case simply run the upgrade script to resolve it (and on that note, when you uploaded those 4.2.1 files you did delete the /install/ folder before uploading the contents of the .zip, correct? See where I'm headed with this?).

Originally Posted by CarolSEL
So how do I know if the db is clean? If not, have I lost all the member data? Is there a way to delete all the files except the forum and membership?
You need to manually inspect it. There are queries listed in some of the articles and blog entries we linked you to prior in this thread; you can modify those queries, i.e. for example you can search in the database for http://adf.ly/VRrrp as mentioned in this post. Edit: Removed some info; I was mistaken and needed to clarify.

Your site is more than likely intact, other than one site where they edited the master style I have only seen defacement no thread or post deletions but make sure to check regardless.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 11 Sep 2013 at 12:55. Reason: remembered order of operation wrong, per se... basically I went into debug mode to check the master style, not phpMyAdmin etc.
#62
11 Sep 2013, 12:39
Zachery
Join Date: Jul 2002
Real name: Zachery Woods
Deleting your install folder had nothing to do with your new error:

'max_connections_per_hour'

Your MySQL user has used all of the queries they're allowed per hour.
__________________
Looking for ImpEx?
#63
11 Sep 2013, 13:55
CarolSEL
Join Date: Aug 2010
Originally Posted by TheLastSuperman
When you say they restored a web backup do you mean they had a full database(1)
AND filesystem(2) backup and restored both(3)?
Host had a full database and filesystem backup, and (as I understand) restored filesystem, when I asked if new data entered between the last good backup (3 days prior) and restore could be salvaged. Host's reply was
We can restore the web files without restoring the mysql databases. If that's okay with you, just let us know and we'll start on that.
Originally Posted by TheLastSuperman
Was the version you were running at the time of the hacking in fact 4.2.1? If you were, let's say for example, running 4.2.0 and then overwrote those files with 4.2.1 files without running the upgrade script, then issues can occur, and if that is the case simply run the upgrade script to resolve it (and on that note, when you uploaded those 4.2.1 files you did delete the /install/ folder before uploading the contents of the .zip, correct? See where I'm headed with this?).
I see, and we were running 4.1.x (patch level 3), but the upgrade instructions said different:
After an upgrade or installation, it is important that you delete the /install/ folder. This is necessary to provide proper security to your installation.
I'm understanding that the install.php prompts the upgrade script, correct? The instructions with the download said:
1. Close your board via the Admin Control Panel.
2. Delete install/install.php from your upload directory
3. Upload all remaining files from the 'upload/' folder in the zip.
Since the site is inaccessible via browser, I followed these instructions:
http://www.vbulletin.com/vbcms/conte...to-vBulletin-4 and transferred files via FTP. (To complicate it more, the FTP manager showed I was in the web root directory, but it turns out my ftp account directs the files to "my" folder, so they were moved by host.) I obviously blew it somewhere...so how do I fix it now? Is it smarter to simply do another db restore (and can that be done without losing the interim data), then redo the upgrade?
#64
11 Sep 2013, 14:07
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by CarolSEL
Host had a full database and filesystem backup, and (as I understand) restored filesystem, when I asked if new data entered between the last good backup (3 days prior) and restore could be salvaged. Host's reply was
I see, and we were running 4.1.x (patch level 3), but the upgrade instructions said different:
I'm understanding that the install.php prompts the upgrade script, correct? The instructions with the download said:
Since the site is inaccessible via browser, I followed these instructions:
http://www.vbulletin.com/vbcms/conte...to-vBulletin-4 and transferred files via FTP. (To complicate it more, the FTP manager showed I was in the web root directory, but it turns out my ftp account directs the files to "my" folder, so they were moved by host.) I obviously blew it somewhere...so how do I fix it now? Is it smarter to simply do another db restore (and can that be done without losing the interim data), then redo the upgrade?
Oye... this is making me want more coffee lol...

Let me re-phrase:
  • Never restore one, restore both database and files at the same time.
  • The upgrade instructions did not say differently, you misinterpreted what I meant. You either download the vbulletin.zip to your pc and extract then upload or you upload the .zip and extract it on your server - if you saved to pc then delete the /install/ folder before uploading all of the files.
  • Actually install.php prompts the installation script, upgrade.php processes the upgrade respectively.

The best way to fix this now is to ask your host to restore the database AND the files from three days prior at the same time; however, you will lose all data from the time of the backup to date. Unless you have a custom script written (and possibly edits to the database) to merge in the data, taking into account new data from the time you start using the forum after the restore, then the data is lost forever after restoration.
#65
11 Sep 2013, 14:16
CarolSEL
Join Date: Aug 2010
OK, thanks.

--------------- Added 11 Sep 2013 at 16:54 ---------------

Does this sound correct, please?

From host:

Sorry for the delay in my response, we have finished backing up your account in its current state.

We will be unable to restore the account to its state on September 3rd or 4th. However, since there is a backup of the database from Sep. 3rd we recommend installing a fresh vBulletin. We have created the subdirectory [/home/catho11/public_html/vb/] for you to install vBulletin to. Once you have installed a fresh copy we can attempt to import the database from September 3rd.

It would be best to install the version of vBulletin that you were using previously to avoid issues. Please let us know if you have any questions.
Sept. 5 was when the site was hijacked, and the 4th was when the exploit occurred. Apparently, the full system backups through 9/4 have been overwritten on the server.
#66
11 Sep 2013, 17:21
Divvy
Join Date: Nov 2008
Hello guys,

Here is my feedback running vBulletin 4.2.0 Patch Level 3

Today I received a phone call from a moderator of mine saying that the forum was hacked.
Immediately I logged in as admin and turned the forum off.

I have vBa CMPS installed in the root of the forum and the index is working fine; only when we go to forum.php does it redirect to this page:
http://i.imgur.com/JingJTM.png

Showing a Brazilian message:
Sorry for the inconvenience, we are invading your site
Know why? Because I wanted to.

@Nega_cabelo_duro
The source code of that page is:
http://paste2.org/YeFAjz9m

I have found this in my forumhome template:
http://paste2.org/Mw7snpxK

I also have found a new admin in the administrators group:
ID: 136733
username: polter
email: [email protected]
join and last activity date: 11-09-2013

Does someone know exactly what the hacker changed?
Until now only found:

1- a new admin (already deleted)
2- forumhome template changed (already reverted)

I already deleted the install folder also like Wayne Luke said here:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

Just a quick note. I saw the logs on
And found what he did:
http://i.imgur.com/pJRBdfi.png

So, if I am right, he only modified template files, right?
Is it possible to know if it was only forumhome or more?

UPDATE: I have checked all template files one by one in the Last edited information and the only template file that was edited by the hacker was FORUMHOME in all templates that I have installed.
It says: Last edited September 11 2013 at 05:51 by polter

UPDATE2: I noticed a new template file that was edited today (the day that my vb was hacked) and the file was bbcode_video
It says: Last edited September 11 2013 at 05:49 by
Note that the username doesn't appear, but the file was edited today, 2 minutes before he changed FORUMHOME
My bbcode_video file code: http://paste2.org/5bP0w05b

UPDATE3: Just can't find the template file that he inserted on style 2 (default):
http://i.imgur.com/pJRBdfi.png
I saw the files one by one and can't find today's date...

Any more changes that anyone has noticed?

Thanks!
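The checks Divvy did by hand above (a new account in the Administrators group, templates edited during the window, and a template row with no username, which is what a function rebuild leaves behind) as triage queries. This is an added example, not code from the thread or from vBulletin; it assumes vBulletin 4's `user` and `template` column names and the default Administrators usergroup id of 6, runs against constructed rows in SQLite, and the same SQL can be pasted into phpMyAdmin against the live database.

```python
import re
import sqlite3

ADMIN_GROUP_ID = 6          # vBulletin's built-in "Administrators" usergroup id
KNOWN_ADMINS = {"carol"}    # the accounts that are supposed to be administrators
SINCE = 1378857600          # 11 Sep 2013 00:00 UTC, start of the suspected window

# Constructed rows: (userid, username, usergroupid, membergroupids, joindate)
SAMPLE_USERS = [
    (1, "carol", 6, "", 1187000000),
    (2, "moderator1", 7, "", 1250000000),
    (136733, "polter", 6, "", 1378878000),        # the rogue admin from the post
    (136740, "quiet", 2, "3,6", 1378880000),      # admin only via a secondary group
]

# Constructed rows: (templateid, styleid, title, template, dateline, username)
SAMPLE_TEMPLATES = [
    (1, 2, "header", '<div id="header">{vb:raw header}</div>', 1366500000, "carol"),
    (2, 2, "FORUMHOME", '{vb:raw header}<script src="http://example.invalid/r.js"></script>',
     1378878660, "polter"),                        # edited 11 Sep 2013 05:51 by polter
    (3, 2, "bbcode_video", '<object data="{vb:raw url}"></object>', 1378878540, ""),
    # rebuilt by a function two minutes earlier, hence no username
]

SUSPICIOUS = re.compile(r"<script\b|<iframe\b|base64_decode|eval\s*\(", re.I)


def load_sample_db():
    """Build an in-memory SQLite copy of the two tables with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER,"
                 " membergroupids TEXT, joindate INTEGER)")
    conn.execute("CREATE TABLE template (templateid INTEGER, styleid INTEGER, title TEXT,"
                 " template TEXT, dateline INTEGER, username TEXT)")
    conn.executemany("INSERT INTO user VALUES (?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO template VALUES (?,?,?,?,?,?)", SAMPLE_TEMPLATES)
    return conn


def find_rogue_admins(conn, known_admins=KNOWN_ADMINS):
    """Accounts with admin rights (primary or secondary group) not on the allowlist.
    membergroupids is a comma-separated list, so wrap it in commas before matching."""
    rows = conn.execute(
        "SELECT userid, username, joindate FROM user"
        " WHERE usergroupid = ? OR (',' || membergroupids || ',') LIKE ?"
        " ORDER BY joindate",
        (ADMIN_GROUP_ID, f"%,{ADMIN_GROUP_ID},%"),
    ).fetchall()
    return [r for r in rows if r[1] not in known_admins]


def find_recent_template_edits(conn, since=SINCE):
    """Templates changed in the window, split into human edits and function rebuilds."""
    rows = conn.execute(
        "SELECT title, styleid, username, dateline FROM template"
        " WHERE dateline >= ? ORDER BY dateline", (since,)).fetchall()
    edited = [r for r in rows if r[2]]
    rebuilt = [r for r in rows if not r[2]]   # no username: written by a rebuild, not the editor
    return edited, rebuilt


def find_suspicious_templates(conn):
    """Templates whose body contains script/iframe/eval markers, whatever their dateline."""
    rows = conn.execute("SELECT title, styleid, template FROM template").fetchall()
    return [(title, styleid) for title, styleid, body in rows if SUSPICIOUS.search(body)]


if __name__ == "__main__":
    db = load_sample_db()
    print("rogue admins:", find_rogue_admins(db))
    edited, rebuilt = find_recent_template_edits(db)
    print("edited:", edited, "rebuilt:", rebuilt)
    print("suspicious:", find_suspicious_templates(db))
```

The content scan is deliberately separate from the dateline check: a template edited before the window you are looking at still shows up if its body carries the markers.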
#67
15 Sep 2013, 08:20
hsoen
Join Date: May 2010
My vBulletin forum was also hacked via Symlink. My forum was on a shared hosting server.

This tutorial article (http://www.securitygeeks.net/2012/08...-tutorial.html ) shows how easy it is for a hacker to hack into your vBulletin forum.

The hacker installed a symlink plugin into my forum and used it to access other accounts' configuration information on the shared server.

Now, I am having a hard time cleaning up the symlink plugin software and any files that were installed and modified by the hacker.

Can anybody help me or provide advice on how to clean up the software installed/modified by the hacker?

Last edited by hsoen; 15 Sep 2013 at 12:49.
#68
15 Sep 2013, 16:39
Paul M
Join Date: Sep 2004
Real name: Paul M
Originally Posted by Divvy
UPDATE2: I noticed a new template file that was edited today (the day that my vb was hacked) and the file was bbcode_video
It says: Last edited September 11 2013 at 05:49 by
Note that the username doesn't appear, but the file was edited today, 2 minutes before he changed FORUMHOME
bbcode_video is built (and rebuilt) by a function; it's not likely they changed it, especially as there is no username, but rather they triggered a rebuild of it (no idea why they would bother).
__________________
Former vBulletin.org Staff Member
Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
#69
15 Sep 2013, 18:38
bremereric
Join Date: Aug 2011
Real name: Eric Bremer
Originally Posted by hsoen
My vBulletin forum was also hacked via Symlink. My forum was on a shared hosting server.

This tutorial article (http://www.securitygeeks.net/2012/08...-tutorial.html ) shows how easy it is for a hacker to hack into your vBulletin forum.

The hacker installed a symlink plugin into my forum and used it to access other accounts' configuration information on the shared server.

Now, I am having a hard time cleaning up the symlink plugin software and any files that were installed and modified by the hacker.

Can anybody help me or provide advice on how to clean up the software installed/modified by the hacker?
Two things I had to do yesterday. No roll back required. I know the two hackers were in Friday night. I saw what they changed and it only had to do with the forumhome template. Easy to roll back the database from a prior backup. I just copied the good code from another style and pasted it in the hacked one. This fixed the forum redirect. Then if I would hit the home tab it would also do a redirect. This time I restored the program files from a backup from early Friday morning, this corrected that. Hope it helps you. I also bought a month of SiteLock firewall. Will probably keep on using it.
__________________
F Body Mopar Lover &
VB4.1.3 Newbie

#70
16 Sep 2013, 22:03
sd_slim
Join Date: Sep 2010
This thread was very useful. Thank you to everyone that has contributed. We also were breached and I found about 7 new admin accounts from the past three weeks but only three of them had bothered to do anything. I had several new plugins and some Base64 encoded PHP tied to the subscriptions.php. I tried to decode the php but it is a file within a file, within a file and my day is only so long. I haven't seen others mentioning this. Has anyone seen this or can speculate on why this php file would be targeted?

UPDATE: after 10 rounds of decode we found a hacker tool called c99madshell.php was what the plugin was. A description of what it does is here: http://www.derekfountain.org/security_c99madshell.php

We are digging deeper into what may have been accessed in the DB.

Last edited by sd_slim; 16 Sep 2013 at 22:59.
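The "file within a file, within a file" that sd_slim describes is usually eval(base64_decode("...")) wrapping another such call, sometimes with gzinflate() in between. Below is an added example (not code from the thread or from vBulletin) that peels those layers one at a time for analysis, so the innermost PHP can be identified instead of being run; the sample payload is a harmless constructed snippet wrapped three deep, and the column you would feed it from a real install is the plugin's PHP body as shown in the ACP.

```python
import base64
import re
import zlib

# Matches eval(base64_decode("...")) and eval(gzinflate(base64_decode("..."))) calls.
LAYER = re.compile(
    r"""eval\s*\(\s*(?P<wrap>gzinflate\s*\(\s*)?base64_decode\s*\(\s*['"]"""
    r"""(?P<b64>[A-Za-z0-9+/=\s]+)['"]\s*\)\s*(?(wrap)\))\s*\)""",
    re.S,
)


def peel_once(src):
    """Decode one layer; return (inner_source, kind) or (None, None) if no layer is found."""
    m = LAYER.search(src)
    if not m:
        return None, None
    raw = base64.b64decode(re.sub(r"\s+", "", m.group("b64")))
    if m.group("wrap"):                      # PHP's gzinflate() is raw DEFLATE, no header
        raw = zlib.decompress(raw, -15)
    kind = "gzinflate+base64" if m.group("wrap") else "base64"
    return raw.decode("latin-1"), kind


def peel_all(src, max_layers=50):
    """Keep peeling until no eval(base64_decode()) pattern remains.
    Returns (innermost_source, list_of_layer_kinds) so the depth is visible."""
    layers = []
    for _ in range(max_layers):
        inner, kind = peel_once(src)
        if inner is None:
            break
        layers.append(kind)
        src = inner
    return src, layers


def wrap(src, compress=False):
    """Build one obfuscation layer around src; used here only to construct the sample."""
    data = src.encode("latin-1")
    if compress:
        data = zlib.compress(data)[2:-4]     # strip zlib header/trailer -> raw DEFLATE
        return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(data).decode()
    return 'eval(base64_decode("%s"));' % base64.b64encode(data).decode()


# Constructed sample: an innocuous PHP snippet buried under three layers
# (base64 around gzinflate+base64 around base64).
INNER = '<?php echo "hello from the bottom layer"; ?>'
SAMPLE = wrap(wrap(wrap(INNER), compress=True))

if __name__ == "__main__":
    final, layers = peel_all(SAMPLE)
    print(len(layers), "layers:", layers)
    print(final)
```

Once the innermost source is out, its contents (or a hash of it) is what you compare against known web shell signatures; nothing here evaluates the decoded PHP.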
#71
17 Sep 2013, 06:40
loua_oz
Join Date: Dec 2010
My (4.2.1) forum was hacked but interestingly, it appears to be working. Only when I try to access "Admin" account (there are 2) it plays music spot and says "Hacked by pScript".

Cannot access CP through VB. Went to my provider's cPanel, saw files like index.php changed.

User with no Admin rights I think would notice nothing wrong.

/install directory was present when the hack occurred. Instructions before were saying to remove only install.php and tools.php.
Looks like the hacker had used upgrade.php.


How to regain access to VB Admin CP? Can go through the provider and edit individual files.
Appears he had not touched posts, but whatever user he came in as, he can still do that.

--------------- Added 17 Sep 2013 at 07:27 ---------------

If I try to log in as a Mod, it is OK. But no sufficient rights to run what is being suggested.

Search for user "admin" shows data and activity of the real one.
No right to change his password.

10 days ago I noticed another user, test (from test.com), that had the administrator title without any email and confirmation. Upon registration, there is a question to answer that robots cannot and only people of a specific nationality can. It did not go through that.

Looks like this is a separate one or different damage to different forums on the shared server.
#72
17 Sep 2013, 09:19
New Joe
Join Date: May 2009
I've been reading about all this hacking for the past week.

I knew about the /install folder exploit by being an everyday reader both here and on vb com,
so I instantly did the delete; actually a few of my Forums already had the folder deleted as I know there's no real need for it.

What did surprise me, however, was the e-mail about the /install exploit around (I am guessing here but I think it's about right) one week after reading about it on vb org.

So why did it take a huge company like vb so long to send out this very important e-mail?

I haven't been happy with vb for a long time now. I keep saying to myself one day I will move all my Forums over to x en foro, and after this it's now pushed me even more to do so.

I've known a lot of guys from here (vb org) have made the move already and others are doing so too.
I think the vB company has lost what it once had and is not thought of the way it used to be.

This is just my opinion, and either people agree or disagree, that's life.
Just thought I'd share a few of my thoughts though.
#73
17 Sep 2013, 11:12
loua_oz
Join Date: Dec 2010
Yes, there was no email.

Before, new things were in red in admin CP, as soon as I enter it, telling about new versions and dangers.

Yahoo mail (used for communication) is blocked by my company, can't see it but VB Admin CP I can access and do that several times a day. Nothing was in there.

Can't believe VB staff watched all the hacks and did nothing.

Deleted suspicious files, doing new load of VB. Will tell later how it went and what it was...if I have success.

--------------- Added 17 Sep 2013 at 11:21 ---------------

Now, upgrade.php says:

Database error in vBulletin :

mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Access denied for user 'root'@'localhost' (using password: NO)
/home/mysitedb/public_html/includes/class_core.php on line 317

MySQL Error :
Error Number :
Request Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Error Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Script : http://www.example.com/install/upgrade.php
Referrer :
IP Address : 114.161.74.125
Username :
Classname : vB_Database
MySQL Version :

--------------- Added 17 Sep 2013 at 11:28 ---------------

No access to VB CPanel, could not stop the board.

It appears to be working (no new posts).

--------------- Added 17 Sep 2013 at 11:30 ---------------

Removed the "install" directory.

Any ideas what else I could try?

--------------- Added 17 Sep 2013 at 11:42 ---------------

Before attempting to reinstall VB, in the /forums directory found recently created files and deleted them:
phpinfo.php
piejcpii.php
testiramo.php
vb.php
zdbeerr66e4 (contained only ASCII characters: 13785372610)
lamershell.php
bekap.php (it knew the original password when my Forum was initially installed)

--------------- Added 17 Sep 2013 at 12:05 ---------------

Posting is still possible. Just posted with pictures, looks ok. Users may not see anything unusual.

But Admin thing in VB does not work. Somebody else may have his finger on the light switch and it's his will for how long.

--------------- Added 17 Sep 2013 at 12:14 ---------------

On April 21. 2013. I upgraded to VB 4.2.1

The instructions said:

1. Close your board via the Admin Control Panel.
2. Delete install/install.php from your upload directory
3. Upload all remaining files from the 'upload/' folder in the zip.
4. Open your browser and point the URL to your forums, e.g. http://www.example.com/install/upgrade.php (where www.example.com/ is the URL of your vBulletin). Make sure to upload the files into your previous installation directory as appropriate (e.g. /forums/). The Upgrade Wizard will determine your vBulletin version and jump forward to the appropriate upgrade step.
Note: Some steps can take a long time to process. Please be patient.

Not a word about removing the /install directory.

Not a word about removing the upgrade.php script.

Hundreds of sites hacked, what a shame for the company.

VB should form a crisis team (if they can or tell us to move to another software if they can't) and help all their customers, with free support.

Last edited by loua_oz; 17 Sep 2013 at 12:17.
#74
17 Sep 2013, 14:14
xenite
Join Date: Oct 2005
Originally Posted by Zachery
Deleting your install folder had nothing to do with your new error:

'max_connections_per_hour'

Your MySQL user has used all of the queries they're allowed per hour.
A common cause for this kind of error is massive crawler/robot activity on a site. It could be a search engine gone nuts but more likely is someone trying to create spam accounts or hack into the server.

That's not the only reason this happens but it's a common one. There are a LOT of rogue crawlers out there now and they can account for 1/2 to 1/3 of many sites' bandwidth usage.
#75
17 Sep 2013, 19:59
loua_oz
Join Date: Dec 2010
Regained access to VB Admin CP.

Restored vanilla (from installation), just one file, not full install/upgrade?

/public_html/forums/admincp/index.php

Once in Admin CP, found a user, as Administrators, "pscript", deleted him.

Now, seems (with what was done few posts above) the Forum is OK, with access to Admin CP.

What I did:
- Deleted "install" directory
- Removed suspicious files from /forums directory:
  phpinfo.php
  piejcpii.php
  testiramo.php
  vb.php
  zdbeerr66e4 (contained only ASCII characters: 13785372610)
  lamershell.php
  bekap.php (it knew the original password when my Forum was initially installed)
- Restored index.php from installation kit into /forums/admincp/index.php

Last edited by loua_oz; 17 Sep 2013 at 20:09.
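The file-level clean-up in loua_oz's last two posts was done by eye (recently created names in /forums, one admincp/index.php restored from the kit). A way to do it without guessing, as an added example that is not the forum's or vBulletin's code: hash the pristine upload/ tree from the vBulletin .zip and diff the live webroot against it. The directory trees below are constructed with placeholder contents under the names from the post, and the `customavatars/` and `attachments/` prefixes are assumed to be the only places where legitimate user uploads make the live tree differ.

```python
import hashlib
import os
import tempfile
import time


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, live, ignore_prefixes=("customavatars/", "attachments/")):
    """Diff two hash maps. Paths under ignore_prefixes hold user uploads that are
    expected to differ from a pristine copy, so they are left out of the report."""
    def skip(path):
        return path.startswith(ignore_prefixes)
    new = sorted(p for p in live if p not in baseline and not skip(p))
    missing = sorted(p for p in baseline if p not in live and not skip(p))
    changed = sorted(p for p in baseline
                     if p in live and baseline[p] != live[p] and not skip(p))
    return {"new": new, "changed": changed, "missing": missing}


def _write(root, rel, text, mtime=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def build_sample(tmp):
    """Constructed pristine tree (install/ already deleted, as the instructions say)
    and a compromised live tree mirroring what the post above found."""
    clean, live = os.path.join(tmp, "upload"), os.path.join(tmp, "forums")
    old = time.time() - 90 * 86400
    for root in (clean, live):
        _write(root, "index.php", "<?php // forum index ?>", old)
        _write(root, "admincp/index.php", "<?php // admincp entry point ?>", old)
        _write(root, "includes/class_core.php", "<?php // core classes ?>", old)
    # Left behind by the compromise: a modified admincp entry point, dropped files
    # in the webroot, and an install/ directory that should not be there any more.
    _write(live, "admincp/index.php", "<?php // admincp entry point ?><?php // injected ?>")
    _write(live, "install/upgrade.php", "<?php // upgrade wizard ?>")
    for dropped in ("phpinfo.php", "lamershell.php", "bekap.php", "zdbeerr66e4"):
        _write(live, dropped, "placeholder")
    _write(live, "customavatars/avatar1.gif", "GIF89a")   # legitimate user upload
    return clean, live


def run_sample():
    """Build the constructed trees in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_sample(tmp)
        return compare(hash_tree(clean), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(kind, paths)
```

Against a real install, point hash_tree at the extracted upload/ folder of the exact version you run and at the live docroot; includes/config.php is expected to show up as "new", since the kit only ships config.php.new.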