vBulletin Mods

The Official vBulletin Modifications Site

4.2.1 PL1 hacked, what to look for in logs
by ifitsmedia
10 Aug 2014 17:44

Recently I started finding new admin users that appear to be injected into my database. They don't have any associated IP addresses. So far they have not been able to do anything in admincp, presumably because I have the directory password protected. I did an extensive file check and nothing seems to be out of the ordinary.

What can I search for in raw access logs to determine how this is happening?

ozzy47 10 Aug 2014 17:48

Please read the following two blog posts:
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

ifitsmedia 10 Aug 2014 18:03

Thanks ozzy. I'm familiar with those (and also this) but didn't find (or maybe I missed) what to search for in the access logs.

I have already taken all steps in the guide "Fixing your site after you have been hacked" several times, but continue to get admin users injected in my database.

Any help with searching raw access logs to determine how it's being done would be appreciated.

tpearl5 10 Aug 2014 18:23

It sounds like there is still a backdoor somewhere. Remember that they probably can't access the admincp, but they can still insert data via whatever method they are using to get in. It could be something appended to a plugin or template. I would install the plugin search mod and search plugins and templates for things like base64 and display:none (which is actually used in some templates)

Make sure you look carefully at Maintenance > Diagnostics > Suspect file versions for unexpected contents.

You should update to 4.2.2 pl1.

Also, if you have wordpress installed - I recently restored a hacked vbulletin and found that their WP install even had things inserted into the files/templates. Make sure to take a close look at WP or any other software packages if you have them.

I'm assuming you already removed the install directory...

ifitsmedia 10 Aug 2014 18:40

Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit.

I thoroughly checked all files identified in Maintenance > Diagnostics > Suspect file versions. I found and removed a number of files that were left over from previous versions of VB and old/uninstalled mods. All the files left (current mods I am using) seem to be ok, I didn't see anything unusual in them. I replaced all VB core files with freshly downloaded copies.

VB 4.2.1 PL1 is not known to have security vulnerabilities as far as I am aware. I'll probably upgrade to 4.2.2 anyway, but I'm not sure it will fix this.

ozzy47 10 Aug 2014 18:43

If you have a backdoor somewhere, upgrading will not fix it.

Did you happen to check for any unknown plugins?

ifitsmedia 10 Aug 2014 18:47

I've been keeping an eye on plugins and don't see anything unusual.

ozzy47 10 Aug 2014 18:54

Then it has to be a file in the folders, a vulnerability in a mod, or a security issue on the server.

Do you happen to have vBSEO installed?

ifitsmedia 10 Aug 2014 18:57

I did have VBSEO installed the first time this happened. I suspected it might be the culprit so I switched to DBSEO and removed VBSEO and all it's files. Unfortunately it continued after removing VBSEO.

ozzy47 10 Aug 2014 19:00

Then there might be something lurking around from when you had vBSEO installed.

What other modifications have you got installed?
And are all the modifications from official vB sites?

ForceHSS 10 Aug 2014 19:02

Check admincp/Plugins & Products/Plugin Manager many people don't look in there so its always over loooked

ifitsmedia 10 Aug 2014 19:13

I installed Search Plugins and ran a few searches including base64, nothing turned up. Any other terms I should search for?

With the exception of Tapatalk, all mods I am using are from vbulletin.org and DB Tech. They are:



--------------- Added 10 Aug 2014 at 19:14 ---------------

Thanks ForceHSS, I did check in plugin manager and don't see anything unusual.

ozzy47 10 Aug 2014 19:15

Hmmm, none of those mods have any issues that I have ever heard of. :confused:

ozzy47 10 Aug 2014 19:17

Try installing this mod, and see if it turns up anything, http://www.vbulletin.org/forum/showthread.php?t=304190

ifitsmedia 10 Aug 2014 19:25


Originally Posted by ozzy47 (Post 2510708)
Try installing this mod, and see if it turns up anything, http://www.vbulletin.org/forum/showthread.php?t=304190

That does turn up a number of warnings, but they are not specific as to why.

It seems to check for anything modified within the past 3 months, which happens to be a lot because I have been doing updates recently.

All times are GMT. The time now is 13:51.

Powered by vBulletin® Version 3.8.12
Copyright © 2019, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.