Web Hosting Talk

View Full Version : VB hacked


murad052
06-21-2011, 10:01 PM
hi

I wonder if anyone can help me here

My VB forum has been hacked for the 3rd time .. first I thought it's from the VB itself .. I bought a licensed one but same as before, the shell I think is still patched in the VB

What I did .. I installed ClamAV and rootkit and chkrootkit and did a scan, nothing detected

Also I updated PHP to the latest version

I need to know how I can find the file that contains the shell

How to stop it, and please tell me what I have to install to protect the server .. I have 2 forums on this server, one of them is hacked and I'm afraid the 2nd will be hacked as well

So please help me .. for whoever is asking, my server is on a VPS, cPanel latest version .. OpenVZ

please help me

webhostmaniac
06-21-2011, 10:04 PM
I can take a look if you would like me to. Have you removed the hacked files, or did you leave them intact? If it gets hacked, do not modify anything.

AH - George
06-22-2011, 03:09 AM
If I were you, I'd take the site offline to assess and work out the damage done. If the site is left online with potentially infected files, you're vulnerable to more problems.

Are you sure the hack was made via VB? Do you have any software installed in /public_html such as blogging software, CMS suites, etc?

murad052
06-22-2011, 08:46 AM
It's from the VB .. I'm really sure ... I don't have any software .. I found the shell, it's called " Sa-HaCKeR.CoM Bypassing SheLL "

Some people told me to upload new files for the admin folder ... and that's what I really did last time .. but it's back again .. I want to close the back-door or whatever it is that makes the hacker come back again

Zixt
07-11-2011, 08:35 AM
What version of vBulletin do you use? I had a problem with mine where they could use SQL injection to get usernames, passwords and the vB salt on vB4.1.2 - If so, upgrade your vBulletin or delete/move/rename group.php

WinsNexus
07-25-2011, 06:14 PM
It's from the VB .. I'm really sure ... I don't have any software .. I found the shell, it's called " Sa-HaCKeR.CoM Bypassing SheLL "

Some people told me to upload new files for the admin folder ... and that's what I really did last time .. but it's back again .. I want to close the back-door or whatever it is that makes the hacker come back again

Grep your Apache access logs and look for "GET" to the file that was uploaded. Once you see the IP that is calling the file, go back a little more and find what file they did a "POST" to.
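
The log search described in the last reply, as an added example that is not part of the original thread: it finds the client IPs that requested a known web shell path in an Apache access log and lists every POST those IPs made to other files before their first request to it. The log lines, IP addresses and file paths are constructed sample values, and `parse` and `trace_upload` are hypothetical helper names.

```python
import re
from datetime import datetime

# Apache common/combined format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.20 - - [20/Jun/2011:09:00:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Jun/2011:09:14:10 +0000] "GET /forum/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Jun/2011:09:15:42 +0000] "POST /forum/example_script.php?do=x HTTP/1.1" 200 312',
    '198.51.100.20 - - [20/Jun/2011:09:16:00 +0000] "POST /forum/login.php HTTP/1.1" 200 900',
    '203.0.113.7 - - [20/Jun/2011:09:16:05 +0000] "GET /forum/images/shell_example.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [20/Jun/2011:09:17:30 +0000] "POST /forum/images/shell_example.php HTTP/1.1" 200 4096',
]

def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without query string
    return rec

def trace_upload(lines, shell_path):
    """Return (ips, posts): IPs that requested shell_path, and the POSTs each
    of them made to other files before its first request to the shell."""
    records = [r for r in map(parse, lines) if r]
    first_hit = {}
    for r in records:
        if r["path"] == shell_path:
            prev = first_hit.get(r["ip"])
            first_hit[r["ip"]] = r["ts"] if prev is None else min(prev, r["ts"])
    posts = [
        r for r in records
        if r["method"] == "POST" and r["path"] != shell_path
        and r["ip"] in first_hit and r["ts"] < first_hit[r["ip"]]
    ]
    return sorted(first_hit), sorted(posts, key=lambda r: r["ts"])

if __name__ == "__main__":
    ips, posts = trace_upload(SAMPLE_LOG, "/forum/images/shell_example.php")
    print("IPs that called the shell:", ips)
    for p in posts:
        print(p["ts"].isoformat(), p["ip"], "POST", p["path"], p["status"])
```

The upload may have come from a different address than the later requests to the shell, so if this returns no POSTs, review all POSTs in the minutes before the shell's first GET regardless of IP.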