vBulletin Forum Hack
December 27, 2009 Posted by KP
My vBulletin forum was hacked, the gate was vBseo according to this thread,
I always upgrade as soon as I receive their update email, later I realized vBSEO has two different versions for version 3.2.2?! Have you ever seen anything like this:
vBSEO 3.3.2
Release date: October 27, 2009
Last Updated: November 17, 2009
I upgraded to the first 3.3.2 but missed the second.
Anyway, I found the following changes:
- Two PHP files in attachments directory - backdoor, powerful web shell.
- Two gif files (PHP content) in attachments directory.
- Several .js files in clientscript. (I made some JS files global writable when moving server last time, very bad)
- Template change.
I probably missed something.
Two helpful find commands to locate files:
Search all files changed in the last 3 days:
> find . -mtime -3
After I found the malicious PHP file, use a unique string from it to search possible backup:
> find . -exec grep sometext {} \;
Related Posts:
- phpBB Hack
- Named: the working directory is not writable
- Official FreeBSD Forum
- Easy Bind Configuration
- Another Hack on Third-party Script
Filed Under: FreeBSD General