Quoting Irish:
Just out of curiosity, why are there a bunch of trash accounts with admin privileges?

- qaz001
- rizky
- Th3H4ck
^ It's this.

See:

Imperva said the compromised sites appear to have been hacked by one of two sets of exploit tools that have been released publicly online. The first was apparently used in a mass Website defacement campaign. A Google search for forums with the rather conspicuously-named administrator account added in that attack (“Th3H4ck”) shows that many of the hack sites also are hosting malware. Among the sites apparently compromised is a support forum for the National Runaway Safeline and a site selling vBulletin add-ons.
http://krebsonsecurity.com/2013/10/t...bulletin-hole/

You got caught in a zero day exploit. Most likely because you left /install or /core/install scripts running on the live web server. Because this is a default install & completely unmodified, this site easily shows up in Google searches as a target.

The only thing you can do now is assume your entire system is compromised (this includes the blog at artboiled.com). Check your log files. See if any new files were added in public facing directories. Check to see if any of vBulletin's .php files were modified in the last month; it's likely that code was appended to a public facing file that is part of the system.

Roll back the database to a point before November 13th [scratch that -- make it October 13th, before this exploit became known]. Wipe everything. Reinstall the server from the ground up. Notify your webhost. Make sure you're only using SSH to access the server, and that account does not have root access. Move SSH so it runs off a different port than 22. Turn on FTP only when you need it. Shut off everything else.

Once vBulletin is back up and running, modify all the templates & remove any mention in the HTML output of JelSoft, vBulletin, and software version numbers.

If you skip any of these steps, you will be dealing with this problem for a long time to come. It won't go away on its own. (You will also eventually get flagged by Google as a malware infected site; this includes your blog, Ary).

Users should assume bad people have all their private data. They should change their passwords and email addresses, especially if they use the same address, or password/address combo, anywhere else.

Edit: The shorter solution is to say fuck it, grab a copy of the database from a local store you trust & move this entire site (including artboiled.com) to a different webhost & server entirely, update vBulletin & change the URL in the process.
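
The file checks described in the post above (leftover installer directories, recently modified .php files, files added or altered in public directories) can be scripted; this is an added example, not part of the original post. It assumes the first argument is the forum's web root and the optional second argument is a clean copy of the same vBulletin release unpacked from a trusted archive; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: $1 is the forum's web root; $2 (optional) is a clean copy of the
# same vBulletin release unpacked from a trusted archive.

# PHP files modified within the last N days (default 30). Modification times
# can be reset by an intruder, so treat an empty result as inconclusive.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-30}" -print | sort
}

# Installer directories still present on the live server.
leftover_installers() {
    for d in "$1/install" "$1/core/install"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# PHP files that are missing from the clean copy (ADDED) or whose bytes differ
# from it (MODIFIED). This does not rely on timestamps.
diff_against_clean() {
    ( cd "$1" && find . -type f -name '*.php' -print | sort ) |
    while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then
            printf 'ADDED %s\n' "$f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# Run as: sh triage.sh /path/to/webroot [/path/to/clean-copy]
if [ "$#" -ge 1 ]; then
    echo "== PHP files changed in the last 30 days"
    recent_php "$1"
    echo "== Installer directories still present"
    leftover_installers "$1"
    if [ -n "${2:-}" ]; then
        echo "== Differences from the clean copy"
        diff_against_clean "$1" "$2"
    fi
fi
```

Run it against a read-only copy or snapshot of the web root so the triage itself does not change timestamps or contents on the evidence.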