#1
A hacker doing - question
Hi everyone, if I was hacked (well, I was, and I found the hacker messing with my plugin, and I see in the logs he was modifying plugins via ID), how can I tell which plugin he modified?
ex http://i.imgur.com/lLMwbRY.png
#2
He might have installed some plugins so he can get back in. Go to your plugin manager and hover the mouse over each one; it will show you the ID. If you need help making your site secure, PM me.
Last edited by ForceHSS; 25 Apr 2015 at 23:10.
#3
Go to: admincp/plugin.php?do=edit&pluginid=xxx
(change xxx to the plugin id)
#4
I recommend hiring someone to look into your files and database for injected code. Editing a plugin could have been a way to get into the system as a whole (not just the primary area to inject malicious code).
#5
Originally Posted by katie hunter
As the administrator said above do needful.
If you are still finding anything suspicious (contact the developer who did those changes) and/or as others recommended.
#6
Do you have a backup you can restore, a backup from before the hack? If you do, restore the backup, and ban that user's IP, email, and account, and you can also blacklist his IP.
#7
Unless you are skilled at looking through PHP code it is often easier to just re-run an upgrade of whatever version of VB you are running and then reinstall (overwriting original products) all the 3rd party products you have. Doing both will replace all the original and add-on VB files and plugins with their original/clean versions.
You also need to check Plugin Manager to see if you have any plugins listed at the top under the vBulletin product. If so, treat these as suspicious and disable them unless you are absolutely sure what they do. vBulletin would not normally have any plugins listed under the vBulletin product. Also, you need to check your server for any additional files uploaded by hackers. Check especially for PHP files in image and/or attachment folders. There shouldn't be PHP files in these locations.
#8
There are always a few things I do when I do a security check:
1. I run the "Suspect File Versions" tool at AdminCP > Maintenance > Diagnostics to find most of the files on the server which do not have vBulletin's MD5 or do not belong to vBulletin at all. I then check the code of each file one by one to see if there's anything suspicious in it.
2. I go to AdminCP > Plugins & Products > Plugin Manager and I check all of the top plugins. Those are manually added and "hackers" usually add a backdoor that way. If those are fine then I check every single other plugin on that page.
3. When I get given SSH access, I can execute commands on the server to search through all the files for certain keywords. I typically look for: "system, shell_exec, exec, popen, file_put_contents, fwrite, phpinfo, base64" since most backdoors and shells make use of those functions.
4. I also check the access/error logs and try to find out what caused the hack.

I do a few more things, but the things listed above are the important ones.
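The file checks from posts #7 and #8 and the pluginid URL from post #3, combined into a shell script as an added example that is not part of any post in this thread. The function names, the upload directory names, the common/combined access log layout and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; the demo tree and log lines are constructed.

# Function names listed in post #8. Method calls such as $db->exec( and
# longer names such as curl_exec( are skipped to cut noise.
PATTERN='(^|[^A-Za-z0-9_>$])(system|shell_exec|exec|popen|file_put_contents|fwrite|phpinfo|base64_[a-z]+)[[:space:]]*\('

# PHP files inside upload directories (post #7: there should be none).
# $1 = web root, remaining arguments = upload directories relative to it.
php_in_uploads() {
    root=$1; shift
    for dir in "$@"; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print
    done
}

# "matching-lines<TAB>file" for each PHP file under $1, most matches first.
rank_keyword_hits() {
    find "$1" -type f -iname '*.php' -exec grep -Eic -- "$PATTERN" /dev/null {} + |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
        sort -rn
}

# "client-ip pluginid" pairs for AdminCP plugin.php requests in access log $1.
# Assumes the request path is the 7th space-separated field.
plugin_ids_in_log() {
    awk '$7 ~ /admincp\/plugin\.php\?.*pluginid=[0-9]+/ {
        match($7, /pluginid=[0-9]+/)
        print $1, substr($7, RSTART + 9, RLENGTH - 9)
    }' "$1" | sort -u
}

# Constructed demo data so the script runs offline; removed on exit.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/www/includes" "$demo/www/attachments"
printf '<?php echo 1;\n' > "$demo/www/includes/clean.php"
printf '<?php $x = base64_decode($blob);\nfwrite($fh, $x);\n$r = curl_exec($ch);\n' \
    > "$demo/www/attachments/img.php"
cat > "$demo/access.log" <<'EOF'
203.0.113.7 - - [25/Apr/2015:21:02:11 +0000] "GET /admincp/plugin.php?do=edit&pluginid=412 HTTP/1.1" 200 5120
203.0.113.7 - - [25/Apr/2015:21:03:40 +0000] "GET /admincp/plugin.php?do=edit&pluginid=87 HTTP/1.1" 200 4980
198.51.100.4 - - [25/Apr/2015:21:05:02 +0000] "GET /forumdisplay.php?f=2 HTTP/1.1" 200 20113
EOF
php_in_uploads "$demo/www" attachments images
rank_keyword_hits "$demo/www"
plugin_ids_in_log "$demo/access.log"
```

Each ID printed by plugin_ids_in_log can be opened with the URL from post #3; a keyword hit is a lead for manual review, not proof of a backdoor.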