#1
20 Nov 2014, 12:06
Buzzle
Join Date: Apr 2012
I've been hacked?

Hi, I logged on today to see a random account I've never seen before with administrator. This is what he did

Can someone tell me how he got access or what he was doing once he was in?

Thank you.

Edit: /install directory has been deleted already.

Edit: Version 4.1.5 (Latest version)

#2
20 Nov 2014, 12:07
Dave
Join Date: Jun 2010
Real name: Dave
Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.

#3
20 Nov 2014, 12:08
ozzy47
Join Date: Jul 2009
Real name: Chris
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

What version of vB4 are you running?
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.

#4
20 Nov 2014, 12:09
Buzzle
Join Date: Apr 2012
Originally Posted by Dave:
Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.
I'm using version 4.1.5 (Latest version)

By add-ons are you referring to products? If so


#5
20 Nov 2014, 12:13
ozzy47
Join Date: Jul 2009
Real name: Chris
Well first off, that version is outdated, and has unpatched security issues, you should be running the latest 4.2.2 at a minimum, or 4.2.3.

Inferno shout is outdated, and most likely did not come from this site, I would ditch that and get a different shout, such as its newer version, http://www.vbulletin.org/forum/showthread.php?t=236970

#6
20 Nov 2014, 12:14
Dave
Join Date: Jun 2010
Real name: Dave
Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: http://www.vbulletin.org/forum/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.
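
The filesystem side of the checklist in post #6, as an added example that is not part of any post in this thread: a POSIX shell function that reports a leftover `install` directory, recently modified `.php` files, and `.php` files that are missing from or differ from a clean copy of the same release. The function name, the 7-day default window and the idea of diffing against a separately downloaded clean copy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# audit_forum_root ROOT [DAYS] [CLEAN]
#   ROOT   forum directory on the server
#   DAYS   look-back window for modification times (default 7)
#   CLEAN  optional unpacked copy of the same release from a trusted download
# Prints one finding per line, with paths relative to ROOT:
#   INSTALL_DIR_PRESENT install   the installer directory still exists
#   RECENT_PHP <path>             .php file modified within DAYS days
#   UNKNOWN_PHP <path>            .php file that does not exist in CLEAN
#   MODIFIED_PHP <path>           .php file whose bytes differ from CLEAN
audit_forum_root() {
    root=$1
    days=${2:-7}
    clean=${3:-}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    if [ -d "$root/install" ]; then
        echo "INSTALL_DIR_PRESENT install"
    fi

    # Files whose content changed inside the look-back window.
    (cd "$root" && find . -type f -name '*.php' -mtime "-$days" | sort) |
        while IFS= read -r f; do
            echo "RECENT_PHP ${f#./}"
        done

    # Without a clean copy there is nothing to compare against.
    [ -n "$clean" ] || return 0
    (cd "$root" && find . -type f -name '*.php' | sort) |
        while IFS= read -r f; do
            if [ ! -f "$clean/$f" ]; then
                echo "UNKNOWN_PHP ${f#./}"
            elif ! cmp -s "$root/$f" "$clean/$f"; then
                echo "MODIFIED_PHP ${f#./}"
            fi
        done
}
```

Modification times can be reset by whoever wrote a file, so the comparison against the clean copy is the stronger signal; your own configuration file and files installed by add-ons will legitimately appear as UNKNOWN_PHP.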

#7
20 Nov 2014, 12:15
Buzzle
Join Date: Apr 2012
Originally Posted by ozzy47:
Well first off, that version is outdated, and has unpatched security issues, you should be running the latest 4.2.2 at a minimum, or 4.2.3.

Inferno shout is outdated, and most likely did not come from this site, I would ditch that and get a different shout, such as its newer version, http://www.vbulletin.org/forum/showthread.php?t=236970
Do you have any idea how the hacker got access to begin with?

#8
20 Nov 2014, 12:15
ozzy47
Join Date: Jul 2009
Real name: Chris
Also check your plugins, ACP --> Plugins & Products --> Plugin Manager and see if there are any unknown plugins running under vBulletin.

#9
20 Nov 2014, 12:16
ozzy47
Join Date: Jul 2009
Real name: Chris
Originally Posted by Buzzle:
Do you have any idea how the hacker got access to begin with?
Well it could have been any of the security issues in the version you are running, or through Inferno shout.

#10
20 Nov 2014, 12:17
ozzy47
Join Date: Jul 2009
Real name: Chris
Originally Posted by Dave:
Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: http://www.vbulletin.org/forum/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.
Only one I would ditch, Dave, is Inferno shout.

#11
20 Nov 2014, 12:17
Buzzle
Join Date: Apr 2012
Originally Posted by Dave:
Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: http://www.vbulletin.org/forum/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.
I've run the scan and the only thing that it couldn't recognize were the plugins I added. I want to back my forums up but couldn't it just happen again?

Also, I've searched the plugin manager. Everything seems to be normal.

#12
20 Nov 2014, 12:18
ozzy47
Join Date: Jul 2009
Real name: Chris
As I said in post #2, you need to follow the links.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

Make sure you do not skip over any steps.

#13
20 Nov 2014, 12:21
Buzzle
Join Date: Apr 2012
Originally Posted by ozzy47:
As I said in post #2, you need to follow the links.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

Make sure you do not skip over any steps.
So if I ditch Inferno, back it up from a safer time, and add ACP protection, there would be no way he could access it again?

#14
20 Nov 2014, 12:23
Dave
Join Date: Jun 2010
Real name: Dave
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.
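
What the access-log review mentioned in post #14 can look like, as an added example that is not part of any post in this thread: a shell function that pulls requests under `/install/` and POSTs into the admin directory out of a combined-format access log and flags clients that did both. The log lines are constructed, and the function names, the `admincp` default directory and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. The log lines are constructed
# and use documentation-only IP ranges.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [20/Nov/2014:09:14:02 +0000] "GET /install/ HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [20/Nov/2014:09:15:40 +0000] "POST /admincp/index.php HTTP/1.1" 200 2048 "-" "-"
203.0.113.20 - - [20/Nov/2014:10:01:11 +0000] "POST /admincp/index.php HTTP/1.1" 200 2048 "-" "-"
192.0.2.44 - - [20/Nov/2014:10:05:00 +0000] "GET /showthread.php?t=1 HTTP/1.1" 200 9000 "-" "-"
EOF
}

# triage_access_log FILE [ADMIN_DIR]
# Reads an Apache/nginx "combined" access log and prints:
#   INSTALL <ip> <time> <method> <path> <status>   any request under /install/
#   ADMIN_POST <ip> <time> <path> <status>         POST into the admin directory
#   BOTH <ip>                                      the same client did both
triage_access_log() {
    awk -v admin="${2:-admincp}" '
    {
        ip = $1
        ts = substr($4, 2)           # strip the leading [
        method = substr($6, 2)       # strip the leading quote
        status = $9
        path = $7
        sub(/\?.*/, "", path)        # match on the path, not the query string
        if (index(path, "/install/") > 0) {
            print "INSTALL", ip, ts, method, path, status
            inst[ip] = 1
        } else if (method == "POST" && index(path, "/" admin "/") > 0) {
            print "ADMIN_POST", ip, ts, path, status
            post[ip] = 1
        }
    }
    END { for (ip in inst) if (ip in post) print "BOTH", ip }
    ' "$1"
}
```

Legitimate administrators also produce ADMIN_POST lines, so the output is a shortlist to compare against known admin addresses and the time the unknown account appeared, not a verdict.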

#15
20 Nov 2014, 12:23
ozzy47
Join Date: Jul 2009
Real name: Chris
There might; that is why you need to follow all the instructions in the blog posts, as well as ditch Inferno.