Site hacked, can someone please help?

This topic is closed.

  • Steve Machol
    replied
    Originally posted by SneakyDave
    So is it ok for support to encourage calling members' thoughts and questions "stupid"? Because if it is, oh here go hell come!

    http://www.youtube.com/watch?v=ax4IUgMq0Aw
    The idea and accusation that this hacking was the result of XF customers without any evidence whatsoever is, and was, stupid. I make no apologies for that. Sorry if you think that this allows you or anyone else the right to say or do whatever you want. I assure you that is not the case.

    Since this thread has gone off the rails, I am closing it. If anyone that needs help with their site being hacked, please feel free to start your own thread or send us a support ticket and we will be glad to help.


  • Guest
    replied
    So is it ok for support to encourage calling members' thoughts and questions "stupid"? Because if it is, oh here go hell come!

    http://www.youtube.com/watch?v=ax4IUgMq0Aw


  • Suiram
    replied
    Originally posted by Zachery
    A root administrator account that cannot be removed is not possible.
    (i had some kip too shortly after you.)

    re: "root" account. i see. oh well... would it be safe to assume you guys looked at the possibility before? i'm just curious.

    so can you answer my pre-ticket questions? you do know i'm a customer right. (i mean that you can already see my details, right) ..because i almost get the feeling you don't want to "engage" me until after i submit that very sensitive info and i'd just like to know how things normally go down once submitted. like i said, i fixed everything, and in fact 3 minutes ago finished updating the forums to 3.8.7.
    as far as i can tell nothing further needs to be done. having said that i would have no issue at all if you did take a look-see. for example, can i pm you my admin username/pw to the forums so you can log in and do what you'd do? if not via pm i can send the forum info via the support ticket? or do i have to also send the domain/phpmyadmin user/pw et al?


  • borbole
    replied
    Originally posted by blind-eddie
    I couldn't agree more, and how was it suspected & by whom?

    One of my vb sites was hacked as well & yes I was running suspected addon but, that means nothing. And I had it back up and running within 45 mins with a backup.
    The question I have yet to see asked is how all the vb sites were hacked at the same time or how a script was set up and ran to do them all over a short period of time & where they got their info to know who all was running the suspected addon.

    I do not believe it was Valters mod at all!

    We all know the staff changes vbulletin has gone through & the creation of xenforo and the bad blood between the two.
    Could this be a way to get people to dis-trust vbulletin and switch over? Just a thought. Think about it...
    How many sites reported they were hacked?
    I honestly believe this was an internal issue, (within vbulletin.com) I mean who else has access to know who is running what?

    I could go on with other conspiracy theories....but, something just ain't right about this whole mess...
    Are you for real?


  • Steve Machol
    replied
    Originally posted by Ohiosweetheart
    and a stupid thought at that.
    Exactly.


  • Ohiosweetheart
    replied
    Originally posted by blind-eddie
    We all know the staff changes vbulletin has gone through; the creation of xenforo and the bad blood between the two.
    Could this be a way to get people to dis-trust vbulletin and switch over? Just a thought.
    and a stupid thought at that.
    Last edited by Ohiosweetheart; Tue 10 May '11, 2:25pm.


  • Zachery
    replied
    A root administrator account that cannot be removed is not possible.


  • Suiram
    replied
    Originally posted by Paul M
    Note that this is mis-understood by many people.

    All this does is prevent you altering the account from within the normal user edit function in the ACP. It will not prevent the account from being altered by a direct SQL query - including via queries from the [other] relevant section of the ACP.
    i understood what it does. so then they did not access the admincp like we do. in fact if they did, vb should have their ip's logged. it may not have been their real ip but still something. i assumed the hackers were using the forum's admincp like we do. in that context, my concerns would have been valid. perhaps if it's technically possible vbulletin should look into making a built-in admin account, perhaps called Administrator as part of the forum software. it should be "hard-coded" so it could never be removed or modified - by anyone including the forum owner. the only thing the forum owner should be able to do is change its password. that too should be made so that: it uses the maximum amount of characters possible including a mix of all characters (alpha-numeric, symbols etc) the password could be reset via the tools.php or such.

    i'd also like to know if in order for this hack to work they had to rely on the admincp folder? does anyone know? because there was one guy who mentioned he changed the default name of both mod/admin folders to something else, and he was also hacked.


  • Paul M
    replied
    Originally posted by Suiram
    also they moved my admin account to regular registered members group. a few months ago i edited the config file to make it "protected".

    .....

    Sorry, this user is protected from being altered in the config.php file by the $config['SpecialUsers']['undeletableusers'] variable.
    Note that this is mis-understood by many people.

    All this does is prevent you altering the account from within the normal user edit function in the ACP. It will not prevent the account from being altered by a direct SQL query - including via queries from the [other] relevant section of the ACP.


  • Suiram
    replied
    Originally posted by Zachery
    FYI going to bed now, if you haven't put in a ticket yet the next person to be available would be trevor, then other staff as the day progresses.
    i was going to, but i re-read this thread and did the fix myself. it's really important because i want to learn. and i did some.
    like i said, i'm sure it was the mod as it's the only one i used. i now uninstalled it and will never use a third party mod again.

    * i fixed the userid so when someone new joins the next number is the correct one, and not 13371337 and above.
    * i changed all registered titles back to the default "Member" title and also any new users have it too. i created a couple new users to check this. both the userid went as expected and their title is Member.
    * i deleted the teamanimus admin account.

    all the above was using phpmyadmin and not much knowledge other than general computing experience and this thread.

    so do we know if the hackers actually had access to admincp at all? or was all their doing done via some "injecting" or whatever?
    does anyone have factual data to say that the teamanimus admin user actually was ever logged in to the forums once created?


    as for the ticket i can still submit one. perhaps it's a good idea. could you describe what happens in such a case? i mean will you or another vb employee log in and verify the forum software does not have exploits left over or what?
    will you check the database? if yes, for what? if things need to be changed do you do them or ask first? is there a chance that if/when this would happen we could be on the phone as well? is there a charge?

    in conclusion, i think i'm back to normal. i only have vb installed and will keep it that way. no more mods for me. lesson learned.


  • Zachery
    replied
    FYI going to bed now, if you haven't put in a ticket yet the next person to be available would be trevor, then other staff as the day progresses.


  • beishe8
    replied
    Originally posted by Suiram
    i just logged in and am in the ticket screen. so you DO want that sensitive info like the passwords and such?
    Yes.
    if yes, does that mean you or someone will log in right now?
    Yes, when they have the time for your forum.


  • Suiram
    replied
    Originally posted by Zachery
    The config file only protects from editing a user via the admincp.
    Anything that can be done in vBulletin can be done via sql. They either could have dumped your user from the administrator table, or ran an sql query to update that table.
    Unless you're logging a lot of data you likely won't ever know.

    You also have no open support tickets on the account linked via the forums.
    i just logged in and am in the ticket screen. so you DO want that sensitive info like the passwords and such?
    if yes, does that mean you or someone will log in right now?
    should i log out from the admincp?
    what else should i know?


  • Zachery
    replied
    The config file only protects from editing a user via the admincp.
    Anything that can be done in vBulletin can be done via sql. They either could have dumped your user from the administrator table, or ran an sql query to update that table.
    Unless you're logging a lot of data you likely won't ever know.

    You also have no open support tickets on the account linked via the forums.


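The replies above from Paul M and Zachery (the config.php protection covers only the AdminCP user editor, not direct SQL) and the cleanup Suiram describes point to checking the database itself. The following is an added example, not part of any post and not vBulletin code: the two tables are a simplified stand-in, and the admin group id, the allowlists and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from collections import Counter

ADMIN_GROUP = 6       # assumption: id of the administrators usergroup on this board
KNOWN_ADMINS = {1}    # userids the owner actually promoted (userid 1 in the thread)
PROTECTED = {1}       # userids listed as undeletable in config.php
DEFAULT_TITLE = "Member"

def build_sample_db():
    """Constructed rows in a simplified stand-in for the user/administrator tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT,
                           usergroupid INTEGER, usertitle TEXT);
        CREATE TABLE administrator (userid INTEGER PRIMARY KEY);
    """)
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", [
        (1, "owner", 2, "defaced"),            # protected admin moved to a member group
        (2, "alice", 2, "defaced"),
        (3, "bob", 2, "defaced"),
        (13371337, "intruder", 6, "defaced"),  # userid far outside the normal sequence
    ])
    db.execute("INSERT INTO administrator VALUES (13371337)")
    return db

def audit(db, max_gap=1000):
    """Return (finding, value) tuples for database state worth investigating."""
    findings = []
    users = db.execute(
        "SELECT userid, usergroupid, usertitle FROM user ORDER BY userid").fetchall()
    admins = {uid for uid, group, _ in users if group == ADMIN_GROUP}
    admins |= {uid for (uid,) in db.execute("SELECT userid FROM administrator")}
    # 1. Admin rights on accounts the owner never promoted.
    findings += [("unexpected_admin", uid) for uid in sorted(admins - KNOWN_ADMINS)]
    # 2. Config-protected accounts that lost admin rights anyway.
    findings += [("protected_admin_demoted", uid) for uid in sorted(PROTECTED - admins)]
    # 3. Jumps in the userid sequence; the next new member would continue from there.
    ids = [uid for uid, _, _ in users]
    findings += [("userid_gap", cur) for prev, cur in zip(ids, ids[1:])
                 if cur - prev > max_gap]
    # 4. One non-default title shared by more than half of the members.
    if users:
        title, count = Counter(t for _, _, t in users).most_common(1)[0]
        if title != DEFAULT_TITLE and count > len(users) / 2:
            findings.append(("mass_title_change", title))
    return findings

if __name__ == "__main__":
    for finding in audit(build_sample_db()):
        print(finding)
```

Run on a schedule against a read-only database account, the same checks catch a change made outside the AdminCP even when no AdminCP log entry exists.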

  • Suiram
    replied
    Originally posted by Zachery
    For anyone who was hacked please start a support ticket with my attention, make sure to provide admincp, ftp, and phpmyadmin access.
    so i get no reply now? do i need to open a ticket? just tell me.
    please tell me how to do the 3 database things i asked.

    also, why can i NOT delete or even edit the TeamAnimus user from within admincp? i am now logged in with admin user i created when i first installed the forum. userid 1.

    edit: and what i mean is that the GO button does nothing when pressed for that user. all other users i can do stuff to. did they somehow make their user "read-only" via the database? if so, they seem to have done a better job than you guys with the config.php file setting. i have also uploaded a backed up config.php where my main admin user is set to not be deleted/edited, as it was for months, so i still would like to know how they were able to demote it? (me)
    Last edited by Suiram; Mon 9 May '11, 9:01pm.
