No announcement yet.

Site has just been hacked (again) by Mr.HAiL & Spyhail - HELP!!!

  • Filter
  • Time
  • Show
Clear All
new posts

  • #16

    The only help I'm getting are from good folks like yourself here on and from my web host.


    • #17

      Just a quick update on what's been going on with my site.

      Going with a suggestion by my web host's support personnel, I modified the .htaccess file in my public_html directory to block all IP addresses except my own. This way, any changes I made to the site can only be made by me. Unfortunately, my IP address is dynamic so I have to edit the .htaccess file every time I try to access the site, but that's a very minor inconvenience.

      After modifying the .htacces file, I had my web host restore the site's database(s) from a previous backup. Once that was done, I was able to access the site and the admin control panel (this is good news!). I then proceeded to disable all the site's plug-ins (which weren't many: vBAdvanced, vBStopforumspam, vBProGarage and it's database of vehicles, and the native photo album plug-in that comes with vBulletin) and reverted all the templates to their as-installed state just in case there were any malicious scripts within the templates themselves. I verified that these changes didn't affect the basic functionality of the site, then modified the .htaccess file to deny all IP addresses access to the site while I plan my next steps.

      My plan is to go ahead and update the vBulletin software to the latest 3.8.x version later today (I can't do it while I'm at work). That way I will be running the latest and greatest 3.8 vB, with all it's out-of-the-box security provisions. My intentions are to upgrade to the latest 4.x version of vB once the 3.8 upgrade is done.

      However, before I perform any updates (either to 3.x or 4.x) I wanted to ask the experts here if I should do anything else FIRST??? My concern is that this hacker may have planted some malicious code in the databases themselves which will lay dormant (even after vB is updated) until activated by some external trigger once the site goes live again. Is this possible? And if so, how can I find and eliminate this potential threat? Is there anything else I can/should do to ensure my site will be "clean" once it goes live again?

      Thank you all very much for all your support up to this point. I'm not much of a php expert, nor am I much of a vBulletin expert either (this is fairly obvious at this point) but with everyone's suggestions it appears I'm slowly getting my site back up and running again. As such, I just want to ensure I'm taking the correct steps moving foward to ensure a smooth transition when the site goes live and to prevent such an attack from happening again.


      • #18
        How did it go?


        • #19
          You did clear all files on your server inside public_html yea?
          I mean i assume this hacker left a shell somewhere and thats gotta be discovered or he will likely return again and again.
          Sure the vulnerability has to be determined also but i would have a guess there is a shell somewhere in your pubic_html directory.
          I guess if you can find the ip of the one that hacked you then you can check the logs and see where he entered from. More than likely the shells address.
          Hey good luck with this man. Hate to hear a VB user getting hacked.
          FTW Forum <- Home of the damned!


          • #20
            Well, do you thank have security?

            Fu**ing hackers. I've only had my server hacked once in 10 years but it's a huge pain in the ass when it happens and you pray that your backups will work.
            I wish you the best.
            Can you believe this? The developers overlooked one of the most important features of a forum!
            VOTE HERE FOR:
            Alert/Notification when being quoted


            • #21
              Originally posted by motowebmaster View Post
              How did it go?
              Hi Shawn,

              Thanks for the concern.

              So far, so good. After modifying the .htaccess file in the public_html directory to deny everyone access except my IP address and logging into the site's vBulletin Admin Control Panel, I uninstalled vBadvanced (I don't think I'll need it once I step up to vB 4.x), and vBStopForumSpam (which I'll install later, just before going live with the site again). I've left the remaining plug-ins disabled; I've paid for vBProGarage and I don't want to uninstall it as I don't know what will happen to all the data/photos the forum's members have uploaded to the site.

              I think performed an upgrade to 3.8.7 Patch Level 2, which is the latest version of vB 3.8.x. Once the update was complete, I was able to log back into the Admin Control Panel and the update looks to have taken affect successfully.

              I've been looking through the upgrade documentation for the latest version of 4.x, and before updating I want to contact my web host about backing up my database(s) prior to performing the upgrade. I am able to download a backup copy of my databases through the server's cPanel, however I want to ask them how I would go about restoring the databases (and the site as a whole) from these downloadable backups. The instructions to download these backups are straight forward, but restoring the site isn't so straight forward... at least, not for me. Once that's done, I plan to perform the update to vB4.

              From what I've read in the upgrade documentation, the templates between 3.x and 4.x aren't compatible; old templates are replaced with new ones for vB4 during the update. So if this hacker has planted any script in the site's templates, they *shouldn't* be a problem after the update. Of course, if there's any information in the databases themselves then I'm afraid the templates update won't help.

              I'm going to perform the update to vB4 some time this weekend. I'll definitely keep everyone here posted once the upgrade is done.


              • #22
                Using a web-based tool like phpmyadmin or cpanel is great for minor tasks, but shouldn't be used for database dumps. If you can get access to the command line, via ssh, that would be best. Your host may do this for you.

                If you delete your site's custom template, or at least revert the templates that are shown in the admin panel, that will remove any customizations. Your site may not look as intended, but in some styles the css is the key factor. If that is maintained at least your skin will have the basic "appearance" from which you can manually edit.

                If you decide to go to vb4, then be prepared for some work with your style. The vb4 stylevar system is one of the reasons I haven't migrated to vb4 yet. If you get hacked again, give vbulletin access to your site first before taking additional steps. I can't say their involvement will solve all of your issues, but it seems that more vb4 sites are being compromised these days, they should be given the opportunity to determine what happened.

                Did you check for suspect files?

                vbulletin maintains a thread on this site of the key steps to securing your forums. I think some sites are hacked through exploits in their hosts' servers, and not through vbulletin, but you might want to consider reviewing vbulletin's recommendations.

                Feel free to keep posting here, or send out a PM.


                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.