  #31  
Old 07 Sep 2013, 04:02
nosmo
Join Date: Nov 2012
OK, I was warned by someone via email that my site had been exploited. Boooo.
flat4lv.com

I should know more about this, but I don't.

Anyway,
1. Deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread http://www.vbulletin.org/forum/showt...=301892&page=3 but I don't have an iframe, but do have a link on the bottom of my page. "something you've never seen"
5. Installed Check 4 Hack (http://www.vbulletin.org/forum/showthread.php?t=265866) > set up e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.

Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?

Thanks in advance for any advice.
  #32  
Old 07 Sep 2013, 05:14
dawges
Join Date: May 2007
Originally Posted by nosmo
OK, I was warned by someone via email that my site had been exploited. Boooo.
flat4lv.com

I should know more about this, but I don't.

Anyway,
1. Deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread http://www.vbulletin.org/forum/showt...=301892&page=3 but I don't have an iframe, but do have a link on the bottom of my page. "something you've never seen"
5. Installed Check 4 Hack (http://www.vbulletin.org/forum/showthread.php?t=265866) > set up e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.

Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?

Thanks in advance for any advice.
This is a great post at vb.com:

http://www.vbulletin.com/forum/forum...35#post3993335

Last edited by dawges; 07 Sep 2013 at 05:43.
  #33  
Old 07 Sep 2013, 19:42
induslady
Join Date: Jul 2006
Hello,

I came to know of this exploit and it looks like we too had this attack; we did the below:

1. Deleted install folder
2. Deleted suspicious admin user accounts
3. Referred to thread http://www.vbulletin.org/forum/showthread.php?t=301892; as mentioned there, I didn't have any iframe injection, but there was a line added in the "header" template of one of our custom styles that reads "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked", and the suspicious lines were removed.

Also we noticed that a few templates in the custom style have an edit history that says "Edited by ..." the suspicious admin accounts, with a timestamp in the past, in 2010.

Are there any other precautions that need to be taken? Am I currently still exploited? What are the other security measures that I need to take to protect my forums?
  #34  
Old 08 Sep 2013, 14:21
Toorak Times
Join Date: Jan 2011
I have deleted my install directory and have been hit twice in 24 hours.
  #35  
Old 08 Sep 2013, 14:23
ozzy47
Join Date: Aug 2009
Real name: Chris
Originally Posted by Toorak Times
I have deleted my install directory and have been hit twice in 24 hours.
Wait, the same user is still getting in after the install directory has been deleted?
  #36  
Old 08 Sep 2013, 14:39
KissOfDeath
Join Date: Dec 2008
Originally Posted by Toorak Times
I have deleted my install directory and have been hit twice in 24 hours.
I had the same thing. From the logs I saw that he created a plugin, then removed it, and then created a user and removed that too,

What they're doing is creating a backdoor to come back in later.

When I saw this I deleted the install folder as advised and restored my database to the 29th of August; as this had been done on the 30th, I figured that it would undo any database or template alterations.

Wrong. The next day the same user was back with admin access. I removed him again and checked the admin logs; nothing had been done, so I left it at that and just observed the site. The next day my templates had all been reverted to the originals, so someone had accessed the admin CP again...

So then I figured it must be a file uploaded to the server, because from what I've seen, the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day the plugin above was installed, so I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.

I've changed admin, cPanel and FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough.

Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt. I guess there must be more files as well, but this is all I could find on Google.

Last edited by KissOfDeath; 08 Sep 2013 at 14:48.
  #37  
Old 08 Sep 2013, 14:54
ozzy47
Join Date: Aug 2009
Real name: Chris
Did you try the following?

Run Suspect File Versions: AdminCP > Maintenance > Diagnostics > Suspect File Versions > click Submit > review the files listed, research and delete all files you suspect are malicious. Also check your .htaccess and config.php files for modified code; the Suspect File Versions script does not check config.php or .htaccess.
  #38  
Old 08 Sep 2013, 15:02
KissOfDeath
Join Date: Dec 2008
Originally Posted by ozzy47
Did you try the following?

Run Suspect File Versions: AdminCP > Maintenance > Diagnostics > Suspect File Versions > click Submit > review the files listed, research and delete all files you suspect are malicious. Also check your .htaccess and config.php files for modified code; the Suspect File Versions script does not check config.php or .htaccess.
Yes, I did both the first time round. Also, if it had been modified the file dates would be different.
  #39  
Old 08 Sep 2013, 15:04
ozzy47
Join Date: Aug 2009
Real name: Chris
OK cool, here is an interesting article TheLastSuperman wrote; it may help: http://www.vbulletin.com/forum/blogs...vbulletin-site
  #40  
Old 08 Sep 2013, 15:09
KissOfDeath
Join Date: Dec 2008
If you look at the options they have once they have installed the plugin, you can see how much they can do.
  #41  
Old 08 Sep 2013, 15:44
Toorak Times
Join Date: Jan 2011
I've just restored twice over the last couple of days; my hosts are screaming... he is a clever bugger... I have a developer keeping an eye on my site until Sunday, so I will update this thread... I am using Spam Hammer and to date it is brilliant, so I don't think it is flawed, but Steve is the expert in this stuff.

--------------- Added 08 Sep 2013 at 15:48 ---------------

clock.php... interesting... I have a clock on my home page header, hmmm.
  #42  
Old 08 Sep 2013, 16:43
ozzy47
Join Date: Aug 2009
Real name: Chris
Hopefully with Steve watching the site, he can figure out everything they are doing and share with the community on how to put a stop to him.
  #43  
Old 09 Sep 2013, 06:03
induslady
Join Date: Jul 2006
Originally Posted by KissOfDeath
What they're doing is creating a backdoor to come back in later.

So then I figured it must be a file uploaded to the server, because from what I've seen, the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day the plugin above was installed, so I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.

I've changed admin, cPanel and FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough.

Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt. I guess there must be more files as well, but this is all I could find on Google.
Hello,

Thank you for these details.

I was able to see these backdoor (PHP) files, about 4 with different names (gs.php, test.php, dyna_statistic.php) but with exactly the same content, installed in the following folders:
customprofilepics
attachments
captcha
vba_dyna_modules

Deleted those files today.
Removed the install directory the very next day after being hacked (6 Sep).
Changed cPanel/FTP, vBulletin database and admin account passwords.

I didn't find anything injected into the database, so should I restore it? Then the members' posts will be lost!

What more should I do to keep the hacker away?
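The two checks described in posts #36 and #43 (look for PHP files that have no business sitting in upload directories, find every copy of the same backdoor dropped under different names, and list files modified after the suspicious account registered) can be scripted. The helpers below are an added example, not code from this thread or from vBulletin. They assume ROOT is the forum's web root and that the directory names listed are where vBulletin stores user-supplied files; every name except "customavatars" comes from the thread, and "customavatars" is assumed from the "custom avatars folder" mentioned in post #36.

```shell
#!/bin/sh
# Added example, not from the thread or from vBulletin: read-only triage
# helpers for a forum whose upload directories may contain dropped PHP files.
#
# Assumptions (constructed for this example):
#   - ROOT is the forum web root, e.g. /var/www/forum
#   - UPLOAD_DIRS are directories that should hold only images and
#     attachments, never executable code ("customavatars" is assumed).
UPLOAD_DIRS="customprofilepics customavatars attachments captcha vba_dyna_modules"

# hash_file FILE -> "sha256  FILE"; falls back to shasum where sha256sum is absent
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# find_php_in_uploads ROOT
#   Prints "sha256  path" for every *.php (any case) under the upload dirs.
#   Any hit is suspicious: these directories are not supposed to hold code.
find_php_in_uploads() {
    root="$1"
    for d in $UPLOAD_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -iname '*.php' | while IFS= read -r f; do
            hash_file "$f"
        done
    done
}

# duplicate_hashes ROOT
#   Prints each content hash that occurs under more than one name. Post #43
#   found one backdoor copied as gs.php, test.php and dyna_statistic.php;
#   grouping by hash surfaces every copy once you have found one of them.
duplicate_hashes() {
    find_php_in_uploads "$1" | awk '{print $1}' | sort | uniq -d
}

# changed_since REF_FILE ROOT
#   Lists files under ROOT modified after REF_FILE's mtime. Create REF_FILE
#   with `touch -t YYYYMMDDhhmm ref` set to just before the suspicious
#   account registered (the "file dates" check from post #36).
changed_since() {
    find "$2" -type f -newer "$1"
}

# Usage on the server (all read-only; nothing is deleted):
#   find_php_in_uploads /var/www/forum
#   duplicate_hashes    /var/www/forum
#   touch -t 201308240000 /tmp/ref && changed_since /tmp/ref /var/www/forum
```

Treat the date check as the weaker of the two: an attacker with file-upload ability can also set a file's mtime, so a file that looks old is not cleared by its date alone, whereas a PHP file inside an image directory is suspect whatever its timestamp. Hash matching also gives you a quick way to sweep other sites on the same host once one copy of the backdoor has been identified.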
  #44  
Old 09 Sep 2013, 08:49
KissOfDeath
Join Date: Dec 2008
Well, something's still not right. I logged onto my site today and my account was using an unselectable style; the style options at the bottom were just showing a blank space. Nothing in the control panel logs, no file edits on the server, no new admins...
  #45  
Old 09 Sep 2013, 11:25
ozzy47
Join Date: Aug 2009
Real name: Chris
Well, that is certainly a strange one. Surprised there was nothing in the logs.