Register Members List Search Today's Posts Mark Forums Read

Reply
 
Mod Options
Check If Your Forum Was Hacked Details »
Check If Your Forum Was Hacked
Mod Version: 1.00, by SEOvB (Member) SEOvB is offline
Developer Last Online: May 2015 I like it Show Printable Version Email this Page

vB Version: 4.x.x Rating: (4 votes - 2.50 average) Installs: 29
Released: 05 Nov 2013 Last Update: Never Downloads: 188
Not Supported Additional Files  

//////////////////////////////////
// This Script is Brought To You By: SEOvB | Affordable vBulletin Services
//////////////////////////////////

As most of us know, a vulnerability in the install directory was recently found in vBulletin. Due to this vulnerability, thousands of vBulletin-powered sites got hacked; hackers managed to gain access to the AdminCP to inject malicious content.

When a forum is first hacked, hackers create admin accounts for themselves, and that's actually the time where cleanup is most required, to fence off the hackers and enhance security. But, majority of forum owners don't even know they actually got hacked until Google puts a veil on their forum with malware warning page.

At that point, removing the install directory, the main point of entry for hackers, won't help because the forum has already been compromised, and a more thorough checkup is needed to ensure that no malicious code has been injected.


- What This Script Does ?
This script will scan forum templates, plugins, phrases, announcements and forum titles and descriptions to detect potential and confirmed malicious code. It will give you the information you need to determine whether or not your forum has been hacked, and a recommendation on what action to take next.

- Demo Link
You can view a live demo of the script here.

- How to Upload:
Upload SEOvB_Hack_Checker.php in root of forum files on server (Within public_html if forum is installed on root, upload in any other directory if forum is installed on /public_html/exampledirectory)

- How to Access the Script:
Point your browser's address bar to open http://www.YOURFORUMURL.com/forum/SE...ck_Checker.php (Case sensitive and suppose if forum is installed into /forum/ directory on server.)

- New Templates
None.

- Database Changes
None.

- Setup Instructions
No setup is needed.

- What does it do?
It tests for potential and confirmed malicious code in certain sections of your forum database, and it arranges the test results in an easy-to-read table.

If you receive a 'Warning' message, it means that the script detects some code or recent change to your forum that may be cause for concern, but isn't for certain a hack. The script scans for changes made within the last 3 months, so if you have made many changes to your forum skin or mod assortment within the past 3 months, there may be some false positives.

You can review the extra information in the test results section to determine whether or not your forum needs further cleaning. However, even with just one 'Warning', we highly recommend a full investigation and cleanup process to make sure that your forum is safe.

If you receive a 'Hacked' message, it means that your forum has definitely been compromised, and a thorough cleanup needs to be performed ASAP.

If you receive only 'All Clear' messages, it means that your forum has not been hacked.

- Requirements
Should work on all vBulletin versions of 4.x.x

- Uninstall Instructions
Delete SEOvB_Hack_Checker.php file from root of forum files.

- FAQs

- After I remove malicious items from my forum, what this script will do ?
It will say 'All Clear' for the cleared items.

- Some of the items are coming with 'All Clear' except 1, what does it mean ?
Your forum may require cleanup.

- Will it tell me which items are containing warning ?
Yes, it will. It will let you know, if templates are infected, with the template name and last modified by whom.

Download Now

Only licensed members can download files, Click Here for more information.

Screenshots

Click image for larger version

Name:	SEOvB_Hack_Checker Page.jpg
Views:	366
Size:	55.4 KB
ID:	147052  

Show Your Support

  • To receive notifications regarding updates -> Click to Mark as Installed.
  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Comments
  #2  
Old 05 Nov 2013, 15:03
ForceHSS's Avatar
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
I tested this on a fresh install test site that has only been up a day and have not logged into it from the time I installed it and that was only 20 hrs ago and it shows i have malicious code warnings. Sorry to say your code finds nothing
Reply With Quote
  #3  
Old 05 Nov 2013, 15:06
NarutoFTW NarutoFTW is offline
 
Join Date: Dec 2009
I have warning on every single one lol.
Reply With Quote
  #4  
Old 05 Nov 2013, 15:09
Disco_Dave's Avatar
Disco_Dave Disco_Dave is offline
 
Join Date: May 2011
Hi

I installed this on a test database just to see what it came up with, it is showing some errors. But this opens up a whole new ball game for me, because I/we use the things that where showing up as an error or warning.

Dave
__________________
www.nirc.co.uk
Reply With Quote
  #5  
Old 05 Nov 2013, 15:29
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Real name: Jarvis
Originally Posted by ForceHSS View Post
I tested this on a fresh install test site that has only been up a day and have not logged into it from the time I installed it and that was only 20 hrs ago and it shows i have malicious code warnings. Sorry to say your code finds nothing
Hello there,

Could you please send us the URL in private message where the script is uploaded ? We will look into it.

Originally Posted by Disco_Dave View Post
Hi

I installed this on a test database just to see what it came up with, it is showing some errors. But this opens up a whole new ball game for me, because I/we use the things that where showing up as an error or warning.

Dave
Hello Dave,

Please, send us the URL through private message where that script is uploaded. We will check the errors you are having.
__________________
vBulletin Services and vBulletin Hosting
Reply With Quote
  #6  
Old 05 Nov 2013, 15:33
ForceHSS's Avatar
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Originally Posted by SEOvB View Post
Hello there,

Could you please send us the URL in private message where the script is uploaded ? We will look into it.
.
Its a test site that has .htaccess to get into it as per vb rules of setting up a test site. Trust me the site is clean why don't you put a test site up yourself and test it u will see
Reply With Quote
  #7  
Old 05 Nov 2013, 16:43
puertoblack2003's Avatar
puertoblack2003 puertoblack2003 is offline
 
Join Date: Aug 2005
good concept. But every single one that was flagged is the one's i customized in template.
__________________
Android Custom Creations
Reply With Quote
  #8  
Old 05 Nov 2013, 16:45
Max Taxable's Avatar
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
I mean, this is a nice idea and all but how is it any more useful than the native vBulletin file and folder checker?
Reply With Quote
  #9  
Old 06 Nov 2013, 02:46
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Real name: Jarvis
Hey All,

The reason the script is spitting out so many warnings is because the searching criteria for some of the tests err on the side of caution, which is why we added all of the extra test information in the Details column, to give the user the ability to judge for himself what needs attention.

Basically, the script is not for use on a fresh install of vBulletin because some of the tests only check for changes made (e.g. templates) in the past 3 months, and freshly installed vB forums will have templates modified past that threshold.

Sorry for the confusion, we've modified the mod description to more accurately reflect what the script does.

Thanks,
Nick - Chief vB Developer @ SEOvB
__________________
vBulletin Services and vBulletin Hosting
Reply With Quote
  #10  
Old 06 Nov 2013, 02:48
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Real name: Jarvis
Originally Posted by Max Taxable View Post
I mean, this is a nice idea and all but how is it any more useful than the native vBulletin file and folder checker?
Hey Max,

This script is actually a perfect companion tool to the native vB file and folder checker. That tool addresses issues with the filesystem, while our script addresses issues with the database.

Thanks,
Nick - Chief vB Developer @ SEOvB
__________________
vBulletin Services and vBulletin Hosting
Reply With Quote
  #11  
Old 06 Nov 2013, 13:37
winky8300 winky8300 is offline
 
Join Date: May 2008
hello

thank you very much concerned about the safety of our forums
Reply With Quote
  #12  
Old 06 Nov 2013, 16:54
scottct1 scottct1 is offline
 
Join Date: Mar 2002
I try running it and I get the following message..

Access denied.
Reply With Quote
  #13  
Old 07 Nov 2013, 01:02
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Real name: Jarvis
Originally Posted by scottct1 View Post
I try running it and I get the following message..

Access denied.
Hi Scott,

Is that the entirety of the message? This may be an issue with the file permissions on the script or with your webserver configuration. Try to set the file permission on the script to 755 and run it again. If that doesn't solve the issue, please send us a PM with a link to the script on your site, and we can take a look.

Thanks
Nick - Chief vB Developer @ SEOvB
__________________
vBulletin Services and vBulletin Hosting
Reply With Quote
  #14  
Old 07 Nov 2013, 09:20
AK47- AK47- is offline
 
Join Date: Apr 2012
Malicous hooks to inject with are
Ajax_complete
init_startup
global_start
A new method which will remain private.

Hope i helped
Reply With Quote
  #15  
Old 07 Nov 2013, 11:10
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
IMO this seems to have potential. What I think would be the best way to see this workin is the following.

1. Change it from 3 months to 24 hrs. Due to the fact that the report will contain way to many false positives to try and sift through when you run it.

2. Create a table in the DB to store the report info.

3. Create a cron job that runs once a day. When it runs store the info in the previously created table. Maybe also add user id and IP info to the table, may make it easier to identify if it was a valid change to something, or from a hacker.

4. Set up a page in the acp that you can view the daily reports from. Have the ability to prune the entries in the table there by date.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Mod Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 03:38.

Layout Options | Width: Wide Color: