Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 25 Apr 2015, 22:51
katie hunter's Avatar
katie hunter katie hunter is offline
 
Join Date: May 2007
A hacker doing - question

Hi everyone, if i was hacked, well i was and found the hacker messing with my plugin and i see in the logs he was modifying plugins via id, how can i tell which plugin did he modify ?

ex http://i.imgur.com/lLMwbRY.png
Reply With Quote
  #2  
Old 25 Apr 2015, 23:02
ForceHSS's Avatar
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
He might of installed some plugins so he can get back in. Go to your plugin manager and hover the mouse over each one it will show you the id. If you need help making your site secure pm me

Last edited by ForceHSS; 25 Apr 2015 at 23:10.
Reply With Quote
  #3  
Old 25 Apr 2015, 23:32
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
Go to: admincp/plugin.php?do=edit&pluginid=xxx

(change xxx to the plugin id)
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
Reply With Quote
  #4  
Old 29 Apr 2015, 13:23
Princeton's Avatar
Princeton Princeton is offline
 
Join Date: Nov 2001
Real name: Joe Velez
I recommend hiring someone to look into your files and database for injected code. Editing a plugin could have been a way to get into the system as a whole (not just the primary area to inject malicious code).
__________________
Former vBulletin.org Staff Member

Latest Articles:
Liquid Layout = Less Ad Revenue?
How to Monetize Your Site
Improve Web Page Performance
How To Write For The Web


If it needs instructions, there's room for improvement.
Give users what they actually want, not what they say they want. And whatever you do, don't give them new features just because your competitors have them!
Reply With Quote
  #5  
Old 29 Apr 2015, 19:10
SaN-DeeP's Avatar
SaN-DeeP SaN-DeeP is offline
 
Join Date: Jun 2002
Arrow

Originally Posted by katie hunter View Post
Hi everyone, if i was hacked, well i was and found the hacker messing with my plugin and i see in the logs he was modifying plugins via id, how can i tell which plugin did he modify ?

ex http://i.imgur.com/lLMwbRY.png
As the administrator said above do needful.
If you are still finding anything suspicious (contact the developer who did those changes) and/or as others recommended.
Reply With Quote
  #6  
Old 19 May 2015, 16:31
thetechgenius's Avatar
thetechgenius thetechgenius is offline
 
Join Date: Jun 2014
Do you have a backup you can restore, a backup from before the hack? If you do, restore the backup, and ban that users IP, Email, and Account, and you can also blacklist his IP.
__________________
TheTechGenius.Net Official IRC Network (ONLINE)
Host: irc.thetechgenius.net
Port: 6667
TTG IRC Web Client - http://thetechgenius.net/irc.html
Reply With Quote
  #7  
Old 19 May 2015, 18:49
BirdOPrey5's Avatar
BirdOPrey5 BirdOPrey5 is offline
 
Join Date: Jun 2008
Real name: Joe D.
Unless you are skilled at looking through PHP code it is often easier to just re-run an upgrade of whatever version of VB you are running and then reinstall (overwriting original products) all the 3rd party products you have. Doing both will replace all the original and add-on VB files and plugins with their original/clean versions.

You also need to check Plugin Manager to see if you have any plugins listed at the top under the vBulletin product- if so treat these as suspicious and disable them unless you are absolutely sure what they do. VBulletin would not normally have any plugins listed under the vBulletin product.

Also you need to check your server for any additional files uploaded by hackers. Check especially for php files in image and/or attachment folders. There shouldn't be php files in these locations.
__________________
-Joe
Former vBulletin.org Staff Member

(@BirdOPrey5) Former vb.org Moderator. Fighting for a free & independent vb.org.
BirdOPrey5.com - Exclusive VB Mods! (Formerly Qapla.com) | Joe's Ultimate Off Topic
Note - I do not read my PMs often, do not expect quick replies.
Reply With Quote
  #8  
Old 20 May 2015, 11:42
Dave Dave is online now
 
Join Date: Jun 2010
Real name: Dave
There are always a few things I do when I do a security check:
1. I run the "Suspect File Versions" tool at AdminCP > Maintenance > Diagnostics to find most of the files on the server which do not have vBulletin's MD5 or do not belong to vBulletin at all. I then check the code of each file one by one to see if there's anything suspicious in it.
2. I go to AdminCP > Plugins & Products > Plugin Manager and I check all of the top plugins. Those are manually added and "hackers" usually add a backdoor that way. If those are fine then I check every single other plugin on that page.
3. When I get given SSH access, I can execute commands on the server to search through all the files for certain keywords. I typically look for: "system, shell_exec, exec, popen, file_put_contents, fwrite, phpinfo, base64" since most backdoors and shells make use of those functions.
4. I also check the access/error logs and try to find out what caused the hack.

I do a few more things, but the things listed above are the important ones.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 00:20.

Layout Options | Width: Wide Color: