Security Vulnerability?

  • Time
  • Show
Clear All
new posts
  • Queue
    New Member
    • Nov 2009
    • 1
    • 3.8.x

    Security Vulnerability?


    A forum I host has over the last few weeks been getting attacked by Indonesia H4ck3rs. Or initially it seemed like it.

    Originally the server had DirectAdmin installed, and the user of the domain I'm hosting ( had been hacked with his databases and files completely wiped. Notably they didn't touch any of the other domains I host. So I took time and switched to cpanel with a fresh installation of the server (CentOS). As I brought the site back online on the 4th of Oct, someone had gone into my vb account (on the site) and progressively changed the style over 5 or so days to redirect to a porno site and that h4ck3rs image in the header.

    Then I thought, I will install a firewall (csf) and lock out cpanel, ssh, ftp, and all other ports but 80 to specific IP addresses of my clients (most have static IP addresses anyways). All the Admins but the main one changed their passwords and bam, the forum was hacked again this time via that Admin's account. So they may have been using a database backup to access our passwords. The third restore (most recent one), I locked out the admincp to specific hostnames (via htaccess), changed the folder name to something random and all seemed well. They attacked again, but could only do damage through the modcp with the same Admin's account, even though he changed his passwords. His email, which he changed the password for was also broken into.

    I'm alittle annoyed because I told the Admin to add 'deny from all' to the root htaccess to lock out all the hostnames but mine and 2 other Admins but instead he nuked the database so I couldn't look at access logs (questionable, but he's a friend). We also had several anti-proxy mods installed that appeared to work very successfully (would mean if they were using VPNs, we could progressively ban those IPs).

    I have some theories surrounding this because it all branched off originally from this Admin's account(s):
    -The Admin has a keylogger on his computer because he's changed both his forum password several times and email password (strong passwords apparently) and they've still been able to get through with his account.
    -They bruteforced the DirectAdmin/cPanel password. Unlikely according to the DA forums. And cPanel is only whitelisted for defined IP addresses that I set.
    -They bruteforced the Admin's account in vbulletin. Also unlikely because the csf firewall will pickup that there're too many connections from the 3 proxies they're using.
    -There's a fault in the software somewhere (doubt it).

    mod_security appears to be a clever cookie and detects if XSS or SQL Injections are performed and tells CSF to perma bans those IPs. This is the only site (out of 4) that appears to be getting "hacked".

    Our plan is to restore the forum but have the main Admin's permissions stripped and sit and wait for these people to make an attempt again. If nothing happens (and they just access his account), then we'll know that he's somehow at fault and not the server. I just have a lot of people questioning my ability as a webmaster when it comes to security and it's pretty daunting especially when the security looks pretty unbreakable.

    Any opinions / help would be appreciated.
    Last edited by Queue; Tue 12 Oct '10, 3:14pm.
  • Black Tiger
    Senior Member
    • Mar 2001
    • 668

    They should not be able to bruteforce the admin's account in vBulletin in the first place.
    I always protect my admincp directory with a .htaccess file which points to a .htpasswd file. So you have to start to use a username and password to even get to the Admincp. Do the same for the modcp.
    Second to that, I have CSF/LFD firewall check the htaccess failures. If 5 failures are done, ip address is blocked permanently.
    If you're sure the hackers are from Indonesia, block all of their ip addresses. CSF has a possibility to do that but with a good configured firewall and admincp protected by htaccess and htpasswd there should be almost no problem.

    Warn your admins that their pc's should be clean, let them run malwarebytes and combofix just to be sure.
    If the same admins account keeps getting hacked, get him out and get yourself a decent responsible admin.

    Good luck!
    Greetings, Black Tiger


    widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.