Keep getting hacked over and over by Ymh

  • [Forum] Keep getting hacked over and over by Ymh

    My forums have been hacked a few times within the last 2 weeks, I have followed every post and still the guy comes back.

    I have no additional admins
    No Base64 code in the database
    Removed the Install folder
    Secured with htaccess AdminCP, ModCP, Includes, VB
    Upgraded to the latest VB version
    Deleted all Plugins we had aside from the ones that come with vb
    Changed DB Username & Password
    Changed FTP Password

    And as you can see he is back http://www.need2speed.com/vb_forums/forum.php

    I have replaced the forum.php, content.php & index.php and the forum page still goes to the above page, need some major help. Not sure what else to do at this point.

    I have read the links below.

    http://www.vbulletin.com/forum/blogs...ve-been-hacked

    http://www.vbulletin.com/forum/blogs...vbulletin-site

  • #2
    Just out of curiosity, was this a fresh install? Everything deleted from the server before upgrade?




    • #3
      No, and now I cannot find how the page is being redirected.



      • #4
        What I would do, considering that you have done everything that has been advised. It may not be the correct way, it may be unconventional, it may be impossible?

        Wipe the server of all.. Create a new DB. Do a fresh install, one admin.. Do the necessary with the config.php etc...
        Delete install folder

        Post something to entice him in again.. Something that will make him a little pissed.

        Record all the changes made when and if he returns..
        Try to monitor everything, access logs, anything that you can..

        Keep the forum as minimal as possible, bare bones.. Watch everything he does...Eventually there will be a pattern, there has to be...

        He isn't going to leave you alone so there is little to lose..

        Entice the bugger, make it strong.. Lay a trap... If there is no enticement, he will wait for your forum to build again before making his entrance..

        I think server logs might play an important part..Keep your eye on plug ins and new additions to admin etc..Anything that you didn't do.
        It may be a painstaking experience, it may be a learning curve. It will certainly be exciting..

        Your users may suffer on this one so it should be a consideration.

        There has to be a way to bring this fish home.




        • #5
          Have you changed your main control panel password? You'll also want to check your server logs to see how he is accessing the site.

          Ensure your main control panel password has been changed (your webhosting CP), and then make sure that you are using a different MySQL user for the database (not root). Whilst you're still being hacked, you'll want to assume that all passwords have been compromised. If your main Control Panel password has been changed (and is not used anywhere else, and never posted or PMed in your forum to other admins), then work from there.

          As you've already removed plugins etc, you seem to essentially be running a default vBulletin setup. You can use the "Suspicious File Checker" in the AdminCP to check for modified PHP files in your install. As your setup has been stripped back to the default version already, your best option may actually be to just delete all files on the site and re-upload a fresh copy of vBulletin. You can then connect the new copy of vBulletin to your existing database - that way you can be sure there are no modifications in your PHP files anyway.

          If you want to work out exactly where the exploit is, you'll need to look at your server files to find out what's happening. Check through every entry for his IPs, and look for suspicious/unusual URLs - e.g. "forums.php%00something.php".

          All passwords need to be changed at the same time - Hosting CP, DB, FTP, Admin Passwords, htaccess etc.

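An added example, not part of post #5 or of vBulletin: one way to do the log review described there, flagging requests from watched IPs and URLs with an encoded null byte such as "forums.php%00something.php". The log lines are constructed samples in the common "combined" format, and the watched IP is an assumption standing in for the attacker's address.

```python
import re
from urllib.parse import unquote

# Combined log format (Apache/Nginx); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample entries (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2012:10:01:02 -0400] "GET /vb_forums/forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2012:10:03:44 -0400] "GET /vb_forums/forums.php%00something.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2012:10:04:10 -0400] "POST /vb_forums/admincp/index.php HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2012:10:05:00 -0400] "GET /vb_forums/forums.php%2500x.php HTTP/1.1" 404 210 "-" "curl/7.21"
"""

def decode_fully(url, max_rounds=3):
    """Percent-decode repeatedly so double-encoded bytes (%2500) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def reasons_for(ip, url, watch_ips):
    """Return the list of reasons this request deserves a closer look."""
    reasons = []
    if ip in watch_ips:
        reasons.append("watched-ip")
    decoded = decode_fully(url)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        reasons.append("control-byte")   # e.g. %00 smuggled into the path
    last_segment = decoded.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if last_segment.count(".php") > 1:
        reasons.append("double-php")     # forums.php%00something.php
    return reasons

def scan(lines, watch_ips):
    """Return (hits, unparsed); a hit is (ip, ts, method, url, status, reasons)."""
    hits, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1                # count odd lines instead of hiding them
            continue
        reasons = reasons_for(m["ip"], m["url"], watch_ips)
        if reasons:
            hits.append((m["ip"], m["ts"], m["method"], m["url"], int(m["status"]), reasons))
    return hits, unparsed

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines(), {"198.51.100.7"})[0]:
        print(hit)
```

A flagged request that was answered with status 200 is the one to trace first, and the timestamps of hits can be lined up against file modification times on the server.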


          • #6
            Thanks for the suggestions, but all passwords were changed CPanel, Database, FTP, VB Admin and I changed the username of the DB as well as protected all the recommended folders with htaccess.

            I'm about to update to 4.2 Alpha, so I will remove all the files not vb related and see if that makes a difference.



            • #7
              I like the idea of post #4 but an update should - in essence - be more secure than the previous...




              • #8
                I also just ran the and found some entries, but I'm not sure if those are legit or not.
                SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

                Attached Files

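An added example, not part of post #8 or of vBulletin: a keyword query like the one in that post matches plain substrings, so ordinary words such as "system" or "Execute" produce hits, and this sketch separates those from rows with code-like evidence worth reviewing by hand. The rows, the `triage` helper and the allowed iframe host are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

KEYWORDS = ("base64", "exec", "system", "passthru", "iframe")  # broad substring terms
PHP_CALL = re.compile(
    r"\b(eval|assert|exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed rows shaped like the query result: (styleid, title, template).
ROWS = [
    (1, "footer", "<div>Our content management system. Execute a search below.</div>"),
    (1, "header", '<iframe src="http://203.0.113.9/x.html" width="0" height="0"></iframe>'),
    (1, "FORUMHOME", "$x = eval(base64_decode('Y29uc3RydWN0ZWQ='));"),
    (2, "navbar", '<iframe src="https://video.example/embed/1"></iframe>'),
    (1, "postbit", "<div>{vb:raw post.message}</div>"),
]

def triage(rows, allowed_iframe_hosts=()):
    """Split keyword hits into 'review' (code-like evidence) and 'keyword-only'."""
    report = {"review": [], "keyword-only": []}
    for styleid, title, template in rows:
        if not any(k in template.lower() for k in KEYWORDS):
            continue                       # the broad query would not return it
        reasons = ["php-call:" + m.group(1).lower() for m in PHP_CALL.finditer(template)]
        reasons += ["decoder:" + m.group(1).lower() for m in DECODER.finditer(template)]
        for m in IFRAME_SRC.finditer(template):
            host = urlparse(m.group(1)).hostname   # None for relative (same-site) URLs
            if host and host not in allowed_iframe_hosts:
                reasons.append("iframe:" + host)
        report["review" if reasons else "keyword-only"].append((styleid, title, reasons))
    return report

if __name__ == "__main__":
    for bucket, items in triage(ROWS, {"video.example"}).items():
        print(bucket, items)
```

The patterns are heuristics: a "keyword-only" row still deserves a glance, and anything under "review" should be compared against the same template in a clean install.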


                • #9
                  Have you changed your own admin pass?



                  • #10
                    Originally posted by donald1234
                    Have you changed your own admin pass?
                    Yes sir, we have 2 admins and I changed both. He is not listed as an admin, plus he deleted the entire database a couple of days ago, so he either has something in the db which I cannot find or a backdoor. I just deleted every file in the server and am doing an upgrade with new passwords again. This is getting old.



                    • #11
                      Well I guess that narrows it down to server side or your side...

                      Good luck! Do tell how it goes..




                      • #12
                        Upgrading removed that page however I'm getting the errors below, always something LOL

                        Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. Please use the date.timezone setting, the TZ environment variable or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EDT/-4.0/DST' instead in ..../includes/functions.php on line 4912

                        Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. Please use the date.timezone setting, the TZ environment variable or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EDT/-4.0/DST' instead in ..../includes/functions.php on line 5104



                        • #13
                          Originally posted by scroush
                          My forums have been hacked a few times within the last 2 weeks, I have followed every post and still the guy comes back.

                          I have no additional admins
                          No Base64 code in the database
                          Removed the Install folder
                          Secured with htaccess AdminCP, ModCP, Includes, VB
                          Upgraded to the latest VB version
                          Deleted all Plugins we had aside from the ones that come with vb
                          Changed DB Username & Password
                          Changed FTP Password

                          And as you can see he is back http://www.need2speed.com/vb_forums/forum.php

                          I have replaced the forum.php, content.php & index.php and the forum page still goes to the above page, need some major help. Not sure what else to do at this point.

                          I have read the links below.

                          http://www.vbulletin.com/forum/blogs...ve-been-hacked

                          http://www.vbulletin.com/forum/blogs...vbulletin-site
                          U N B E L I E V A B L E !

                          Please post a link to your forum!

                          The pieces of advice from other members (especially the axiomatic DemOnstar) amount to a big bunch of baloney. You can’t wipe out the server and lose all those posts and maybe subscriptions — that would be irresponsible! It would be like in the ancient fable: “Demolish the house because of the mice”.



                          • #14
                            Originally posted by Ion Saliu

                            U N B E L I E V A B L E !

                            Please post a link to your forum!

                            The pieces of advice from other members (especially the axiomatic DemOnstar) amount to a big bunch of baloney.
                            The link has already been posted Mr Saliu, asthmatic friend of mine..




                            • #15
                              need2speed.com/vb_forums/forum.php

