Announcement

Collapse
No announcement yet.

Hacked!! In spite of strong security measures!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Hacked!! In spite of strong security measures!

    One of my sites has just been hacked. The damage seems to be limited to all thread titles being changed to "you have been hacked". However, we've had this site secured by multiple security methods for a few years now, using the methods described in this post. I'm going to re-read the posts about recovering from and securing a site, but still this is not good!

    My big question right now is: Can the thread titles easily be reverted to their original titles?
    ~ Life isn't always fair, but you can be. ~

  • #2
    Originally posted by cbiweb View Post
    One of my sites has just been hacked. The damage seems to be limited to all thread titles being changed to "you have been hacked". However, we've had this site secured by multiple security methods for a few years now, using the methods described in this post. I'm going to re-read the posts about recovering from and securing a site, but still this is not good!

    My big question right now is: Can the thread titles easily be reverted to their original titles?

    That's why I do nightly backups. I'f your backed up you should be able to recover. The trick is to figure out how they did it.

    Comment


    • #3
      Indeed, finding out the point of entry and patching it up is very important. Otherwise it can happen again and again.

      Can you give us a little more info, like the version of vb that you have, what mods do you have installed etc. Are you on a shared host or do you have your own dedicated box? If the former, ask your host to check their raw access logs for the around the time of the hack. If the latter check the logs for any suspicious activity.

      Whereas about your question if the thread titles can easily be reverted to their original titles the answer is no. You will have to revert to a backup.

      Comment


      • #4
        Originally posted by cbiweb View Post
        My big question right now is: Can the thread titles easily be reverted to their original titles?
        Your best option is to restore from your last backup. You do have a nightly backup I hope.

        Comment


        • #5
          Erm... while this is meant to be helpful ( https://www.vbulletin.com/forum/show...=1#post2245599 ) it is certainly not the best method of securing your site nor is it a guarantee that if you do ANY form of "securing" that your "safe". There are actually better ways to secure your forum however you want to be on a dedicated server, in full control and have the ability to make changes when needed... either that or find a Host w/ hourly cron r1 backups, a good team and mind you one who knows security and call it a day! *This way with a good hosting support team and security in place even if your hacked, they restore a hourly backup and your back in action which is certainly much more stress free as you can imagine!

          https://www.vbulletin.com/forum/cont...vBulletin-Site


          Former vBulletin Support Staff
          Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
          Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!
          Need a Host? - I recommend URLJet

          Comment


          • #6
            Thanks guys. To answer some of your questions....

            I definitely do nightly backups, and the host does them more frequently but I'm not sure how frequent. Chances are they have something more recent than 2AM today.

            We're using 4.2 PL2 on a VPS, with these mods installed:
            • 404 Area
            • DragonByte Tech: vBCredits II Deluxe (Lite)
            • GlowHost - Spam-O-Matic
            • Post Thank You Hack
            • Stop the Registration Bots
            • UserCP Referral Link
            • vBH - Add new tabs 1.2
            • VSa - Advanced Forum Statistics
            • VSa - Advanced Permissions Based on Post Count


            I've had the host check the logs, and I've identified a couple suspicious IPs. The hosting account password has been changed to a much stronger one (the original was not made by me, though it seemed strong enough). I'll be changing all passwords for everything. I've been through the vB files, ran Suspect File Versions, and basically scoured the place but found no indication it was done directly via the site or vBulletin installation. Most likely someone got into cPanel and had their fun. But who knows?
            ~ Life isn't always fair, but you can be. ~

            Comment


            • #7
              I wonder if a VPS has more danger of being hacked than a dedicated server, I would assume so.

              Comment


              • #8
                Quite possibly, Andy. Unfortunately we don't have the resources to have a dedicated server. The site has been restored, fortunately there was a backup from only two hours before we got hacked, so it's very little loss. And now I get to work battening down the hatches even more so than before.
                ~ Life isn't always fair, but you can be. ~

                Comment


                • #9
                  It's good to hear you're back online with very little loss. Great job backing up a protecting your forum.

                  Comment


                  • #10
                    heh... within 10 minutes after getting it back, it was hacked again. Same exact hack. So I'm back to square one. I had already done some things to secure it better, and was in the process of doing more when it happened. Again. It's been an entire day, wasted.
                    ~ Life isn't always fair, but you can be. ~

                    Comment


                    • #11
                      There's a chance your server has been rooted, which means whoever is hacking it has root access to the server, and as such, full control over everything on that server.

                      This may or may not be directly related to a script you have installed. If you're on a VPS, then that means there are other customers using that VPS as well. So if one of the other customers has a script that allows them to gain root access, then you'll continue to be vulnerable regardless of what you do.

                      Best,

                      Dustin
                      http://quikmsg.net/strtoupper/ - Convert lowercase text and code to all uppercase!
                      http://quikmsg.net/strtolower/ - Convert uppercase text and code to all lowercase!

                      Comment


                      • #12
                        Thanks for that info, Dustin. So if I change the root password, will that stop it, or am I basically f***ed on that server?
                        ~ Life isn't always fair, but you can be. ~

                        Comment


                        • #13
                          Ban those ips via Cpanel (do a range of at least 244.22.x.x for the ban), rename your admin accounts and change the passwords, ask your host to change your cpanel name, change cpanel pass.

                          If you get hacked again, ask the host to move you to a different server.
                          BrainTalk is a support group for friends, family, caregivers, and patients with neurological disorders and other health related diagnosis.

                          BrainTalk Communities Inc
                          sigpic

                          Comment


                          • #14
                            Originally posted by John Lester View Post
                            Ban those ips via Cpanel (do a range of at least 244.22.x.x for the ban), rename your admin accounts and change the passwords, ask your host to change your cpanel name, change cpanel pass.

                            If you get hacked again, ask the host to move you to a different server.
                            Yes, a few of those things were done at the time of the 2nd attack. I was in the process of doing the others when it happened. One thing I didn't think of doing was banning the IPs. But yeah.... never had time to get it all done. I'm going to restore a backup from much earlier this morning (2AM), and hopefully can get everything done before another attack. Not sure if opening the forums before I was finished was a bad move or not, but this time they're staying closed until I'm ready. If it happens a third time, it would have to be a rooted server.

                            Funny you mention moving to a different server, We asked the host just yesterday to do that for us; and we've been planning to change hosts altogether very soon.
                            ~ Life isn't always fair, but you can be. ~

                            Comment


                            • #15
                              I assisted someone with a similar situation and the hacks didn't stop until I had them move to a whole new host.

                              Similar prevention methods had been applied, but it just kept happening. We also found no evidence that the source came through VB itself. I strongly believe the root of the system was compromised rendering all prevention methods ineffective.

                              I avoid going with absolutes in circumstances like this, thus going with a new host was the only hard line effort we could take to remove the potential of the host or root machine being compromised.

                              Time will tell if I missed something.
                              To be updated...

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X