Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 25 Oct 2013, 12:49
Skivey Skivey is offline
 
Join Date: Feb 2008
Cleaning after hack

Ive just deleted about 15 'new' administrators

Any idea what these are?

http://postimg.org/image/5fd9xpgu5/

Matt

--------------- Added 25 Oct 2013 at 12:51 ---------------

this is the contents

http://postimg.org/image/dlzo3jwc7/

--------------- Added 25 Oct 2013 at 14:28 ---------------

I cant seem to see administrator log?

Where should I find this? I can see Moderator Log but not administrator?
Reply With Quote
  #2  
Old 25 Oct 2013, 18:47
borbole's Avatar
borbole borbole is offline
 
Join Date: Jan 2010
Those that make use of the init_startup hook locations are all malicious. Delete them.
__________________
My mods.
Reply With Quote
  #3  
Old 25 Oct 2013, 19:40
ForceHSS's Avatar
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Delete all them and the hacker admins then check admin logs see what they have changed I have fixed many forums and have seen them change files in templates and in skimlinks as well
Reply With Quote
  #4  
Old 26 Oct 2013, 09:13
Skivey Skivey is offline
 
Join Date: Feb 2008
I reuploaded all the forum files so they are now original flles.

As well as this I have deleted all of the above hooks, deleted admins, changed the database name and password, changed the admin and mod cp links. Changed the ftp password, deleted anything 'install'.

Is there anything else I need to do? Do I need to reset users passwords? if so what is the query used to do this?

Regards

Matt

--------------- Added 26 Oct 2013 at 09:24 ---------------

I also notice a few php and html files that I dont recognise..... is there a way of checking all files and folders? Im going to keep the forum down till I get all this sorted....

--------------- Added 26 Oct 2013 at 09:30 ---------------

zdberr9cd964b2da2e416c43c2b2cc5d64ac18.dat
Reply With Quote
  #5  
Old 26 Oct 2013, 10:35
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
I would do the following, to ensure everything is clean.

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 02:57.

Layout Options | Width: Wide Color: