Hacked!! In spite of strong security measures!


  • AusPhotography
    replied
    Originally posted by Andy
    I wonder if a VPS has more danger of being hacked than a dedicated server, I would assume so.
    Slightly, Virtuozzo more so than XEN.


  • cbiweb
    replied
    Originally posted by ENF
    I assisted someone with a similar situation and the hacks didn't stop until I had them move to a whole new host.

    Similar prevention methods had been applied, but it just kept happening. We also found no evidence that the source came through VB itself. I strongly believe the root of the system was compromised rendering all prevention methods ineffective.

    I avoid going with absolutes in circumstances like this, thus going with a new host was the only hard line effort we could take to remove the potential of the host or root machine being compromised.

    Time will tell if I missed something.
    I've been talking with the host, and the consensus is a rooted server, so yes, time to move.

    Originally posted by Andy
    If you don't mind me asking, how much are you paying for the VPS account?
    I don't own the site so I don't have that information. Just a lowly techie admin I am.


  • Andy
    replied
    Originally posted by cbiweb

    Funny you mention moving to a different server. We asked the host just yesterday to do that for us, and we've been planning to change hosts altogether very soon.
    Sounds like now is the time to find another web hosting company.

    If you don't mind me asking, how much are you paying for the VPS account?


  • ENF
    replied
    I assisted someone with a similar situation and the hacks didn't stop until I had them move to a whole new host.

    Similar prevention methods had been applied, but it just kept happening. We also found no evidence that the source came through VB itself. I strongly believe the root of the system was compromised rendering all prevention methods ineffective.

    I avoid going with absolutes in circumstances like this, thus going with a new host was the only hard line effort we could take to remove the potential of the host or root machine being compromised.

    Time will tell if I missed something.


  • cbiweb
    replied
    Originally posted by John Lester
    Ban those IPs via cPanel (do a range of at least 244.22.x.x for the ban), rename your admin accounts and change the passwords, ask your host to change your cPanel name, change cPanel pass.

    If you get hacked again, ask the host to move you to a different server.
    Yes, a few of those things were done at the time of the 2nd attack. I was in the process of doing the others when it happened. One thing I didn't think of doing was banning the IPs. But yeah.... never had time to get it all done. I'm going to restore a backup from much earlier this morning (2AM), and hopefully can get everything done before another attack. Not sure if opening the forums before I was finished was a bad move or not, but this time they're staying closed until I'm ready. If it happens a third time, it would have to be a rooted server.

    Funny you mention moving to a different server. We asked the host just yesterday to do that for us, and we've been planning to change hosts altogether very soon.


  • John Lester
    replied
    Ban those IPs via cPanel (do a range of at least 244.22.x.x for the ban), rename your admin accounts and change the passwords, ask your host to change your cPanel name, change cPanel pass.

    If you get hacked again, ask the host to move you to a different server.


  • cbiweb
    replied
    Thanks for that info, Dustin. So if I change the root password, will that stop it, or am I basically f***ed on that server?


  • Dustin L.
    replied
    There's a chance your server has been rooted, which means whoever is hacking it has root access to the server, and as such, full control over everything on that server.

    This may or may not be directly related to a script you have installed. If you're on a VPS, then that means there are other customers using that VPS as well. So if one of the other customers has a script that allows them to gain root access, then you'll continue to be vulnerable regardless of what you do.

    Best,

    Dustin


  • cbiweb
    replied
    heh... within 10 minutes after getting it back, it was hacked again. Same exact hack. So I'm back to square one. I had already done some things to secure it better, and was in the process of doing more when it happened. Again. It's been an entire day, wasted.


  • Andy
    replied
    It's good to hear you're back online with very little loss. Great job backing up and protecting your forum.


  • cbiweb
    replied
    Quite possibly, Andy. Unfortunately we don't have the resources to have a dedicated server. The site has been restored, fortunately there was a backup from only two hours before we got hacked, so it's very little loss. And now I get to work battening down the hatches even more so than before.


  • Andy
    replied
    I wonder if a VPS has more danger of being hacked than a dedicated server, I would assume so.


  • cbiweb
    replied
    Thanks guys. To answer some of your questions....

    I definitely do nightly backups, and the host does them more frequently but I'm not sure how frequent. Chances are they have something more recent than 2AM today.

    We're using 4.2 PL2 on a VPS, with these mods installed:
    • 404 Area
    • DragonByte Tech: vBCredits II Deluxe (Lite)
    • GlowHost - Spam-O-Matic
    • Post Thank You Hack
    • Stop the Registration Bots
    • UserCP Referral Link
    • vBH - Add new tabs 1.2
    • VSa - Advanced Forum Statistics
    • VSa - Advanced Permissions Based on Post Count


    I've had the host check the logs, and I've identified a couple suspicious IPs. The hosting account password has been changed to a much stronger one (the original was not made by me, though it seemed strong enough). I'll be changing all passwords for everything. I've been through the vB files, ran Suspect File Versions, and basically scoured the place but found no indication it was done directly via the site or vBulletin installation. Most likely someone got into cPanel and had their fun. But who knows?


  • TheLastSuperman
    replied
    Erm... while this is meant to be helpful ( https://www.vbulletin.com/forum/show...=1#post2245599 ) it is certainly not the best method of securing your site, nor is it a guarantee that if you do ANY form of "securing" that you're "safe". There are actually better ways to secure your forum; however, you want to be on a dedicated server, in full control and have the ability to make changes when needed... either that or find a host w/ hourly cron r1 backups, a good team and mind you one who knows security and call it a day! *This way with a good hosting support team and security in place, even if you're hacked, they restore an hourly backup and you're back in action, which is certainly much more stress free as you can imagine!

    https://www.vbulletin.com/forum/cont...vBulletin-Site


  • Andy
    replied
    Originally posted by cbiweb
    My big question right now is: Can the thread titles easily be reverted to their original titles?
    Your best option is to restore from your last backup. You do have a nightly backup I hope.
