My vBulletin has been hacked?

  • My vBulletin has been hacked?

    I'm not sure how this happened. I went to my vBulletin board today and I noticed I was not logged in. Odd, but not a problem I thought. I went to my admin page and tried to log in. Invalid password it said. That can't be right I thought, I tried again, same error. I tried logging in from the forum home page - same error.

    I gave up and tried a "forgot your password" thing. It said it had no record of my email address. Now I was getting scared. I checked out the user table in phpmyadmin, my email address had been changed to [email protected] and my password changed.

    I've since changed my email back and edited the password.

    But I am really unsure what has happened. I have two layers of security for my admin CP, both a .htaccess check with a random username of 8 letters and numbers, with a password of 15 characters, random letters, numbers and special characters.

    My password is (or was) another 15 character password - random letters, numbers and special characters.

    Yet this was somehow cracked?

    I have my server email me as soon as someone tries to access my admin cp with the time/date and IP of the person doing so. Last Monday I got an email saying that someone from the IP 82.129.178.228 was trying to access the CP. I couldn't see a problem and didn't think anything further about it.

    Again I got emails saying someone was trying to access the CP on Friday, from 212.138.47.12 (cache2-2.ruh.isu.net.sa), 212.138.47.13 (cache3-2.ruh.isu.net.sa) and 212.138.47.17 (cache7-4.ruh.isu.net.sa).

    As an extra security feature I had the email script detect if the IP was a proxy one, and if so, try and work out the person's real IP. That access attempt on Friday showed the real IP to be 212.46.48.163.

    As far as I can tell, nothing has happened. The forum hasn't obviously been defaced, no large amount of spam emails have been sent (to the best of my knowledge, I'm sure a few people would be complaining if it did).

    A quick google search of this guy's email address gives me: http://www.lacehh.org/forums/ Or, the Google cache (with his email address): http://www.google.com.au/search?q=ca...mail.com&hl=en

    Looks like he tried to deface that too maybe? Script kiddie?

    I would like the satisfaction of knowing that this idiot has been arrested and thrown in jail, or at least have his ISP kill his connection, but as I can't see anything changed (except my email address and password), I don't suppose there is much I can do.

    Any ideas what may have caused this or what I can do to get back at this guy?

  • #2
    You're running an old version of vBulletin which is vulnerable. You should upgrade to 2.35 or 3.02.
    Admins Zone - Resources for Forum Administrators

    • #3
      Do what AWS has said and upgrade ASAP. That bob muppet haxed about 7 forums. I would give up personally on trying to get him in trouble with his ISP over it as it will take you a long time and more than likely won't get anywhere.
      Doom3.co.uk - The Defitive Doom 3 Source

      • #4
        We did send out an eBulletin very recently alerting people to this hacker's actions and warning customers to upgrade to a more recent version as soon as possible.

        This security hole was identified a long time ago and a new version was released to nullify the vulnerability, but it has to be up to customers to make sure that they remain up-to-date with security fixes.

        • #5
          hmmmm, tis true, I am running an oldish version - but I have an owned license with no money to upgrade

          As far as I know, I've updated all security fixes posted in the Announcement forum. Was there one I missed?

          • #6
            Originally posted by DWZ
            hmmmm, tis true, I am running an oldish version - but I have an owned license with no money to upgrade

            As far as I know, I've updated all security fixes posted in the Announcement forum. Was there one I missed?
            Make sure you install this patch:

            http://www.vbulletin.com/forum/showthread.php?t=108741

            • #7
              Judging by that vBulletin forum, he is Arabic and judging by his actions, he is a terrorist. Anyone want to report him to the CIA?

              Edit: Judging by:

              http://www.lacehh.org/

              He is illegally using someone else's server.

              • #8
                I also posted this sticky thread the other day if that is of any help to you.

                • #9
                  Ahh, thanks Brad.loo. I actually installed that fix on Friday, but obviously he got to my forum before that.

                  Looks like it was lucky I used .htaccess protection, otherwise he would have got access to my admin cp and deleted everything... which would be... bad.

                  • #10
                    Originally posted by DWZ
                    Ahh, thanks Brad.loo. I actually installed that fix on Friday, but obviously he got to my forum before that.

                    Looks like it was lucky I used .htaccess protection, otherwise he would have got access to my admin cp and deleted everything... which would be... bad.
                    And make sure to back up your database often, just in case
                    Webmaster / Administrator
                    www.MegaGames.com
                    www.MGForums.com

                    • #11
                      Originally posted by Shining Arcanine
                      Judging by that vBulletin forum, he is Arabic and judging by his actions, he is a terrorist. Anyone want to report him to the CIA?

                      Edit: Judging by:

                      http://www.lacehh.org/

                      He is illegally using someone else's server.
                      Hello

                      This idiot took our website down as well.

                      Him being Arabic, I don't know? Because the site I have is a Muslim website... and that got taken down too.

                      What this guy did was hack my forums... replaced it with Bin Laden pictures on the header of my forums and deleted the forums and all the posts in it, 1000s of them, and left it like that!

                      I figured that he did this via the admin panel and removed all the forums... because I checked my SQL file and private messages were still intact, and other things... and he also renamed my forums directory.

                      We were running vB 2.3.2 or something.

                      Luckily we had a backup.
                      Last edited by mpadc; Mon 5 Jul '04, 4:06am.
                      MPADC

                      • #12
                        Well, now I'm feeling paranoid and downloading backups of databases from a few of my sites...

                        I've done a .htaccess block on the IP ranges in my above post, hopefully that may help...

                        • #13
                          Originally posted by DWZ
                          Well, now I'm feeling paranoid and downloading backups of databases from a few of my sites...

                          I've done a .htaccess block on the IP ranges in my above post, hopefully that may help...
                          Did you upgrade your vBulletin already? vB3 should be safe
                          That's the end of that!

                          • #14
                            Nope - I have no money to do so

                            • #15
                              This is the exact reason why security updates shouldn't require you to renew your members access.

                              Paying to get security fixes, which are a dev slipup, is bordering on extortion.
                              Raz - KMC Forums
