Site hacked twice in a month. Any solutions to prevent this ??

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [CMS] Site hacked twice in a month. Any solutions to prevent this ??

    My site just got hacked for the second time in two months. The first time they got into the VB admin area and deleted my forums. I tracked this back to an individual who may have somehow gotten the log in details. To prevent that I changed everything and gave it to no one.

    This time around the hacker doesn't seem to have messed with the database but changed the index.php file and who knows what else. I can log in via FTP still under the old password and saw the index file was new. I added in the old one from the VB 4.0.6 install to see if the site would come up but on my request the host had already put this on lock for me and changed it to a generic site down for work page.

    The first thing the HOST stated the other week when I was hacked, VB is having some issues with their security. Today the first thing he said was, VB has several issues going on right now and others have been dealing with this same thing.

    I don't know how people do this stuff but since being hacked the first time I have heard more and more issues with VB's security. None of it being good. I love VB and even took the leap to go to 4.0 when others did nothing but complain. Recently though I am considering making a change as this is getting out of hand.

    I know nothing is 100% but in comparing VB to others I am not seeing the same type of constant discussion about security flaws.

    Does anyone have a better suggestion ?
    Gamers socializing and having fun 24/7.
    www.crosseyedgamer.com

  • #2
    I'm unaware of any vb vulnerability right now. But you didn't say if you're using the latest version. Hosts blame software all the time to take the heat off themselves.


    • #3
      Try changing your Admin CP, FTP and MYSQL passwords. (Don't forget to change the config file to match your new passwords)
      vBulletin Rules!


      • #4
        Apparently, we are having problems with hacking. Perhaps you saw my thread:

        http://www.vbulletin.com/forum/showt...topped-working

        Let’s hope hacking won’t repeat…

        Best of luck!

        Ion Saliu


        • #5
          Hosts lie, and blame anyone but themselves.

          I suggest you ask him to detail these mysterious vb "issues" he refers to.
          Baby, I was born this way


          • #6
            Are you on a GoDaddy hosting service?
            Shamil Nunhuck, - Radon Systems Ltd.
            VPS + Dedicated Server Hosting and Management
            vBulletin Hosting and Services
            Server / Website Consultation


            • #7
              http://www.vbulletin.com/docs/html/securing_vbulletin
              http://www.vbulletin.com/forum/showt...ms-More-Secure

              And here is the same thing I tell every customer...

              Make sure that your email, FTP and database passwords are all separate and strong (12+ characters, letters, numbers, symbols).
              Only use FTP and email through SSL so your passwords are encrypted. They are not with the standard protocols. Never use telnet or cp. Use SSH and scp.
              .htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.
              Inventory your vBulletin files against a default download and delete anything that doesn't have a match.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API
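
The file inventory step from the post above, as an added example that is not part of the original post or vBulletin's own tooling: it hashes a clean download and the server copy and reports files that are unknown, modified, or missing. The function names, the `site_files` parameter, and the sample trees are assumptions made up for this illustration.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_install(reference_root, live_root, site_files=("includes/config.php",)):
    """Classify live files; site_files are paths expected only on the server (assumption)."""
    ref, live = hash_tree(reference_root), hash_tree(live_root)
    return {
        "unknown": sorted(p for p in live if p not in ref and p not in site_files),
        "modified": sorted(p for p in live if p in ref and live[p] != ref[p]),
        "missing": sorted(p for p in ref if p not in live),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Compare two small constructed trees (file contents are made up)."""
    reference = {"index.php": b"<?php // stock index",
                 "includes/functions.php": b"<?php // stock functions",
                 "install/install.php": b"<?php // installer"}
    server = {"index.php": b"<?php // replaced by intruder",
              "includes/functions.php": b"<?php // stock functions",
              "includes/config.php": b"<?php // site settings",
              "images/upload.php": b"<?php // not in the download"}
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        for rel, data in reference.items():
            _write(ref, rel, data)
        for rel, data in server.items():
            _write(live, rel, data)
        return compare_install(ref, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The reference tree must be the download for the exact installed version, otherwise every file shows as modified. Entries under "missing" are expected for files deliberately removed after installation, and uploads such as attachments or avatars will appear under "unknown" and need a manual look.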


              • #8
                htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.


                Shouldn’t your vBulletin software have those security features built-in? Shouldn’t such security features be the default? I use another software package for paid-membership. It has far stronger security features built-in. Oh, no! I would NOT use vB for paid membership even if you paid me to do that!

                The vB manual gives an example of .htaccess for /includes:

                <Files config.php>
                order deny,allow
                deny from all
                </Files>


                Why didn’t you include such a security file in the installation package??

                Now, this is downright crazy!!

                Inventory your vBulletin files against a default download and delete anything that doesn't have a match.


                How many hundreds of files are there in the downloaded package? You never counted them. Who in the world would be able to compare hundreds of files on the local computer and the installation on the server — and compare them?? Hello? I said hundreds and hundreds of files…

                But this one is really discouraging!

                Never use telnet or cp.


                You mean cp as in Control Panel? If so, why in the world did you include an admincp in vBulletin?!

                Look, guys. You believe the world is made up of nice guys entirely. There are criminals out there. You kind of overlooked the importance of security in your software. As popular as it might be, it can fall deeply if serious problems (hacking especially) occur more and more often.

                I do wish you the best. I hope you take my observations in stride.

                Ion Saliu


                • #9
                  Originally posted by Ion Saliu

                  Shouldn’t your vBulletin software have those security features built-in? Shouldn’t such security features be the default? I use another software package for paid-membership. It has far stronger security features built-in. Oh, no! I would NOT use vB for paid membership even if you paid me to do that!
                  htaccess files do not work at all, or are just not used in some web server configurations. Including it could break sites.

                  vBulletin is fairly secure overall; most of its weaknesses would be shared with any other software like it. Once system access has been obtained, everything we can do goes out the window.


                  • #10
                    Originally posted by Zachery
                    htaccess files do not work at all, or are just not used in some web server configurations.
                    That was the case with my previous host.


                    vB5 is unequivocally the best forum software, but not yet...


                    • #11
                      Originally posted by Ion Saliu

                      Look, guys. You believe the world is made up of nice guys entirely. There are criminals out there. You kind of overlooked the importance of security in your software. As popular as it might be, it can fall deeply if serious problems (hacking especially) occur more and more often.

                      I do wish you the best. I hope you take my observations in stride.

                      Ion Saliu
                      I think you're really just paranoid.

                      I don't understand the reasoning behind protecting your admincp with another password. If someone got your vBulletin admin password the only person to blame would be yourself.


                      • #12
                        Listen, guys. Don’t you get mad at me! Paranoid may be you, compwhizii. In fact, vB itself does create a sense of paranoia! “Delete install.php immediately after installation!” “Delete tools.php immediately after usage!” “Do not upload config.php.new!” (But why was it included in the upload folder?)

                        When you read such messages, you get immediately the “idea” that there is something wrong with the security in vB. If the folders are well protected, why should I worry about forgetting files in my vB domain? And there are quite a few files to remember. You got to hunt for them. Human error is easy, and good software tries very hard to avoid human error. vB goes the other way in this regard. Like that crazy advice to check all those hundreds and hundreds of pages in the downloaded package and the server installation!

                        Now, I agree that there are adequate built-in security features in vBulletin. Yet, the vB team always urges the administrators to take care of the security of their own vB installations — as if vB was insecure!

                        Like the piece of advice that triggered my previous reply:

                        htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.


                        Why should admin do that if vB is already secure?! Not to mention that vB asks admins to go to third-party websites, learn a lot about htaccess and htpassword and password encryption! Hey, we already paid you pretty good for those features! But, what’s worse, the advice can lead to more dangerous results! Indeed, as someone here pointed out, htaccess are plain text files, even more vulnerable than php files. Also, htpassword are plain text files that show passwords in plain light. The vB team advises you to go to some websites and use other people’s scripts to encrypt the passwords (most likely, pay extra for that!)

                        Repeat, the admin folders in vB come with security built-in features. I can see hundreds of attempts to run PHP in my admin folders. The malicious attempts are failing. Then, again, why does vB team advise the admins to secure their folders (especially with those dangerous htaccess files)?

                        Here is a good idea and easy to implement. vBulletin should have in the Administrator Control Panel an option like aMember has. The left pane should have a visible option: ‘Protect Folders’. aMember gives me peace of mind. I can protect folders by three, not just one protection method. Everything is encrypted. I don’t have to hunt on other websites for security tools.

                        That would solve plenty of problem reports like you see in these vB forums. Don’t blame GoDaddy. They gave me a very good response regarding security. I have had no hosting problems with them since I started in 2005. It only happened after I installed vB. No other portion of my site was affected — only vB. Moreover, the problem reports refer to other webhosts, not only GoDaddy.

                        I only talked in firm terms because the issue is a very serious one. I’ve had no intent to harm or hurt feelings. I’ve viewed my posting as constructive participation. After all, it’s in my best interest to have a very secure vBulletin at my Web site.

                        Best of luck to all!

                        Ion Saliu


                        • #13
                          Originally posted by Ion Saliu
                          I can see hundreds of attempts to run PHP in my admin folders.
                          Try renaming your admincp folder to something completely off the wall (update your config.php file to match), and see if these attempts continue to exist.


                          • #14
                            Forget about it! You didn’t pay attention to the thread (perhaps you soon after a mid-day nap!) I consider it a very bad idea to change folder names. It can turn into a bigger headache, as you need to edit the config.php … and who knows what else. Besides, those attempts to my admincp folder will keep coming regardless. They’ll show up as errors in my site stats.

                            The main thing is the folders to be well secured against intruders. That was the topic of this thread.

                            I’m gonna have my mid-day coffee now. Bye!


                            • #15
                              Originally posted by Ion Saliu
                              Shouldn’t your vBulletin software have those security features built-in? Shouldn’t such security features be the default?

                              Why didn’t you include such a security file in the installation package??

                              Now, this is downright crazy!!
                              What would the point be of vB including .htaccess files if the default user name and password would be the same for every forum? Not to mention with all the different server configurations out there it just wouldn't make sense.
                              Originally posted by compwhizii
                              I don't understand the reasoning behind protecting your admincp with another password. If someone got your vBulletin admin password the only person to blame would be yourself.
                              It's just another password the hacker has to get before he can even get to your admincp login screen.
                              Originally posted by Ion Saliu
                              In fact, vB itself does create a sense of paranoia! “Delete install.php immediately after installation!” “Delete tools.php immediately after usage!” “Do not upload config.php.new!” (But why was it included in the upload folder?)

                              When you read such messages, you get immediately the “idea” that there is something wrong with the security in vB. If the folders are well protected, why should I worry about forgetting files in my vB domain?
                              Are you serious, why wouldn't you delete those files after you're done with them?

                              Why was the config.php.new in the upload folder? Well if it wasn't there you'd probably be asking where it is/goes. Also the config.php.new has no important info in it, it's just a blank config file.

                              Originally posted by Ion Saliu
                              Repeat, the admin folders in vB come with security built-in features.
                              They come with what? Not sure what you mean by "security built-in-features"

                              Originally posted by Ion Saliu
                              Like the piece of advice that triggered my previous reply:
                              htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.
                              Why should admin do that if vB is already secure?
                              vB can't protect those folders; you have to. (See first comment.) I protect my folders through my server cp (Plesk).
                              Originally posted by Ion Saliu
                              I consider it a very bad idea to change folder names. It can turn into a bigger headache, as you need to edit the config.php … and who knows what else. Besides, those attempts to my admincp folder will keep coming regardless. They’ll show up as errors in my site stats.

                              The main thing is the folders to be well secured against intruders. That was the topic of this thread.
                              Why is it bad to change your admincp and modcp folder names? If the hackers don't know what they're called how can they get to them? Also the config.php file is one of the easiest things to change in vB.
