Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 09 Sep 2013, 15:17
jaxo jaxo is offline
 
Join Date: Dec 2011
Help - my forum has been hacked

Hi, sorry I`m not even sure if I should be posting here or on .com,. however my site has been hacked and I am unsure what to do.

I logged in today and just by concidence noticed an administrator by the name of h311-c0d3 was online,.. I checked admin permissions and logs and there where about 6-7 admin there who should not have been.

I check logs and deleted the admin. Most had no logs but a couple had been running scripts which seems to be to do with paid subscriptions. When I tried to access this section of the admin panel it asked for a password.. (something I have never set, as I have no paid subs)

I`m at a bit of a loss,.. what should I do? How did they get in etc?

I`d be greatful for any advice,.. The site is http://cccam-exchange.com and its running Version 4.2.0

Thanks invance

Jack
Reply With Quote
  #2  
Old 09 Sep 2013, 15:25
ForceHSS's Avatar
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
http://www.vbulletin.com/forum/blogs...vbulletin-site
Reply With Quote
  #3  
Old 09 Sep 2013, 15:46
jaxo jaxo is offline
 
Join Date: Dec 2011
Thanks for that link. Will have a read and see what I can do.. Thanks

--------------- Added 09 Sep 2013 at 18:46 ---------------

From what i can see, they have tried to run scripts and have did something with paid subscription section of the admin panel... every tab I try to access it asks for a password (which I do not know, as I have never set up any paid subscriptions).. where in the files is this password located so I can change or remove it,.. Or is there a quiery I could run to remove it?

What I have did so far is removed the rogue admin, checked config.php to see if any superadmin have been added (which they havent), upgraded my vbulletin to the latest version and renamed the admincp... As far as I am aware they got access through the vbulletin software and not through the server.

Is their anything else I can check for or do ?

--------------- Added 09 Sep 2013 at 19:11 ---------------

Here is a copy of my admin log and what they have done..

25618 N/A 16:06, 8th Sep 2013 subscriptions.php modify 37.130.224.22
25617 N/A 16:06, 8th Sep 2013 subscriptions.php add 37.130.224.22
25616 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
25615 N/A 16:06, 8th Sep 2013 plugin.php add 37.130.224.22
25614 N/A 16:06, 8th Sep 2013 plugin.php 37.130.224.22
25613 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 677 37.130.224.22
25612 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 677 37.130.224.22
25611 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
25610 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 678 37.130.224.22
25609 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 678 37.130.224.22
25608 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
25607 N/A 16:06, 8th Sep 2013 plugin.php product 37.130.224.22
25606 N/A 16:05, 8th Sep 2013 diagnostic.php payments 37.130.224.22
25605 N/A 16:05, 8th Sep 2013 subscriptionpermission.php modify 37.130.224.22
25604 N/A 16:05, 8th Sep 2013 plugin.php 37.130.224.22
25603 N/A 16:05, 8th Sep 2013 plugin.php doimport 37.130.224.22
25602 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
25601 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
25600 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
25599 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
25598 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
25597 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
25596 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
25595 N/A 16:02, 8th Sep 2013 plugin.php add 37.130.224.22
25594 N/A 16:02, 8th Sep 2013 plugin.php files 37.130.224.22
25593 N/A 15:53, 8th Sep 2013 plugin.php 37.130.224.22
25592 N/A 15:53, 8th Sep 2013 plugin.php doimport 37.130.224.22
25591 N/A 15:52, 8th Sep 2013 plugin.php files 37.130.224.22
25590 N/A 15:52, 8th Sep 2013 plugin.php updateactive 37.130.224.22
25589 N/A 15:51, 8th Sep 2013 plugin.php 37.130.224.22
25588 N/A 15:51, 8th Sep 2013 plugin.php update 37.130.224.22
25587 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
25586 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
25585 N/A 15:50, 8th Sep 2013 plugin.php files 37.130.224.22
25584 N/A 15:50, 8th Sep 2013 plugin.php modify 37.130.224.22
25583 N/A 15:50, 8th Sep 2013 plugin.php product 37.130.224.22
25582 N/A 15:50, 8th Sep 2013 subscriptions.php add 37.130.224.22
25581 N/A 15:50, 8th Sep 2013 subscriptions.php modify 37.130.224.22
Reply With Quote
  #4  
Old 09 Sep 2013, 21:40
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Ohh now I like that link... wonder why?

Moved thread from vB5 General Discussion to vB4 General Discussion.

Seems eerily familiar to this - http://www.vbulletin.org/forum/showthread.php?t=301904

The doimport is what includes their backdoor scripts.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
Reply With Quote
  #5  
Old 09 Sep 2013, 22:30
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
__________________
Looking for ImpEx?
Reply With Quote
  #6  
Old 19 Oct 2013, 13:07
XrayHead's Avatar
XrayHead XrayHead is offline
 
Join Date: Oct 2002
Subscribed, going to keep an eye on this thread! Let me know how you get on as my site got hacked yesterday as well!!

Just out of interest what was the username that did all the damage? The one on my site that run the scripts via the plugin.php and subscriptions.php was "optima"




Xray
Reply With Quote
  #7  
Old 19 Oct 2013, 13:32
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
I guess you did not delete your install directory.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #8  
Old 19 Oct 2013, 13:37
borbole's Avatar
borbole borbole is offline
 
Join Date: Jan 2010
It looks like no matter what you do, all seems pointless. You close one door and many more are opened. vB should start to take security more seriously as it has more leaks than the Titanic for crying out loud.
__________________
My mods.
Reply With Quote
  #9  
Old 19 Oct 2013, 13:46
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
All knows security issues have been addressed, only reason the last user was compromised, is because they did not delete their install directory, as they were instructed to do so many times.

No matter what you think you do with security with the software, hackers will always attempt to find holes, so best bet is to take measures to protect your site, rather than relying on the software to do it.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #10  
Old 19 Oct 2013, 14:18
XrayHead's Avatar
XrayHead XrayHead is offline
 
Join Date: Oct 2002
I think it would be more productive to help people fix this issue rather than fill the thread with useless post's! I personally never got any update from vBulletin as I've been changing email addresses for the past 2 months (that's another Yahoo mess in its self)..

Anyway this seems to be a very common hack that has hit hundreds of boards! Surely someone must have a fix for any database changes this attack applies??
Reply With Quote
  #11  
Old 19 Oct 2013, 14:27
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
It was also posted in your ACP, in the News Section.

If you follow the two links that Zachery posted, and follow them thoroughly, you should be able to recover from the hacking.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #12  
Old 19 Oct 2013, 14:51
XrayHead's Avatar
XrayHead XrayHead is offline
 
Join Date: Oct 2002
Originally Posted by ozzy47 View Post
It was also posted in your ACP, in the News Section.

If you follow the two links that Zachery posted, and follow them thoroughly, you should be able to recover from the hacking.
I don't see any news in my ACP!

http://i38.photobucket.com/albums/e1...psa8c78472.png

Reply With Quote
  #13  
Old 19 Oct 2013, 15:06
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Then you have a mod which is hiding the news, perhaps from this mod, http://www.vbulletin.org/forum/showthread.php?t=294673
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #14  
Old 19 Oct 2013, 16:54
dizzynation's Avatar
dizzynation dizzynation is offline
 
Join Date: Jun 2011
Originally Posted by ozzy47 View Post
All knows security issues have been addressed
Thats what they keep saying, until it happens again. Then they say do "this" and when members who don't go to vbulletin everyday don't do it, VB says "why didn't you do "this" yet"

Its always secure, until it isn't
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 01:35.

Layout Options | Width: Wide Color: