Suspicious Files - Malicious Hacker

  • Wayne Luke
    replied
    1. Google "Using .htaccess to restrict access to a directory" there are hundreds of tutorials and your hosting provider can help with this.

    2. You want your PHP files to be 0644 on their permissions. You'll need to talk to your host to do this and to see if it is allowed.

    3. Same answer as #1.

    Leave a comment:
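The .htaccess and permission steps Wayne Luke points to, written out as an added example for this thread (it is not vBulletin's own code and not a script from either poster). It assumes Apache 2.4 syntax, a forum root containing the admincp, includes, packages and vb directories named in the thread, a placeholder htpasswd path outside the web root and the placeholder IP range 203.0.113.0/24; directory mode 0755 is my assumption, since the reply only states 0644 for PHP files.

```shell
#!/bin/sh
# Added example (not vBulletin's own scripts): generate the .htaccess files
# described in the thread and normalise PHP file modes to 0644.
# Paths, the IP range and the htpasswd location are constructed placeholders.
# Apache 2.4 syntax is used; on Apache 2.2 "Require all denied" is "Deny from all".
set -e

# admincp/.htaccess: HTTP Basic auth, optionally combined with an IP allowlist.
# $1 = admincp directory, $2 = absolute path of the htpasswd file (keep it outside
# the web root; create it with: htpasswd -Bc "$2" someusername), $3 = optional CIDR.
write_admincp_htaccess() {
    dir=$1; passfile=$2; cidr=${3:-}
    {
        printf 'AuthType Basic\n'
        printf 'AuthName "Restricted"\n'
        printf 'AuthUserFile %s\n' "$passfile"
        if [ -n "$cidr" ]; then
            # Both conditions must hold: a stolen password alone is not enough
            # from outside the allowed range.
            printf '<RequireAll>\n    Require valid-user\n    Require ip %s\n</RequireAll>\n' "$cidr"
        else
            printf 'Require valid-user\n'
        fi
    } > "$dir/.htaccess"
}

# includes/, packages/, vb/: nothing in there needs to be requested by a browser,
# so refuse every request (the "Deny All" from the thread).
write_deny_all_htaccess() {
    printf 'Require all denied\n' > "$1/.htaccess"
}

# PHP files 0644 (owner read/write, everyone else read-only), directories 0755.
# The directory mode is an assumption; the reply only states 0644 for PHP files.
fix_modes() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -name '*.php' -exec chmod 0644 {} +
}

# True if $1 has exactly the octal mode $2 (e.g. 644). Uses POSIX find only,
# so it works the same on GNU and BSD systems.
has_mode() {
    find "$1" -prune -perm "$2" | grep -q .
}

# Apply everything to a forum root ($1) with an optional admin allowlist ($2).
# Example: harden_forum /var/www/forum 203.0.113.0/24   (constructed paths)
harden_forum() {
    root=$1; cidr=${2:-}
    write_admincp_htaccess "$root/admincp" "$root/../.htpasswd" "$cidr"
    for d in includes packages vb; do
        if [ -d "$root/$d" ]; then
            write_deny_all_htaccess "$root/$d"
        fi
    done
    fix_modes "$root"
}
```

The modcp directory is deliberately left out of the deny list: as Mark.B notes, moderators still need to reach it, so it gets the same user-authorization treatment as admincp rather than a blanket deny.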


  • cammot
    replied
    Originally posted by Mark.B
    Those files are not part of vBulletin so should be removed if you don't know what they are.

    All active users will be visible via AdminCP > Users.

    There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

    Close the hole...
    This has three subparts in this instance.
    1. Delete your install folder
    2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
    3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

    Fill the Hole...
    There are seven subparts in this instance.
    1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
    2. Delete any Suspect Files.
    3. Replace any files marked as "Does not contain expected contents"
    4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
    5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
    6. Update your Addon Products.
    7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

    Secure the Hole
    Parts of this were done by closing the hole but there are still things to do here.
    1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
    2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
    3. Create a lower permission Administrator for everyday use.
    4. Review your permissions in the system.
    5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
    6. Move your attachments outside the forum root directory.
    7. Create a complete backup of your site. Make database backups weekly.

    Vigilance
    You need to keep active on the security of the site.
    1. Give out the fewest permissions necessary for anyone to do their job
    2. Make sure your hosting provider updates the software.
    3. Update to the latest vBulletin when it is released.
    4. Make sure your addons are always up to date.


    THANK YOU VERY MUCH FOR HELP, I really appreciate your outline. I have just started to follow each step, but don't understand how to complete some of the steps. Could you please advise how I should do the following:

    1. How do I close access to my AdminCP using .htaccess?
    2. Is there a list of what the permissions should be for the system?
    3. How do I block off access to the includes, modcp, packages and vb folder via .htaccess?

    Thanks

    Leave a comment:


  • Mark.B
    replied
    Those files are not part of vBulletin so should be removed if you don't know what they are.

    All active users will be visible via AdminCP > Users.

    There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

    Close the hole...
    This has three subparts in this instance.
    1. Delete your install folder
    2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
    3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

    Fill the Hole...
    There are seven subparts in this instance.
    1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
    2. Delete any Suspect Files.
    3. Replace any files marked as "Does not contain expected contents"
    4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
    5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
    6. Update your Addon Products.
    7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

    Secure the Hole
    Parts of this were done by closing the hole but there are still things to do here.
    1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
    2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
    3. Create a lower permission Administrator for everyday use.
    4. Review your permissions in the system.
    5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
    6. Move your attachments outside the forum root directory.
    7. Create a complete backup of your site. Make database backups weekly.

    Vigilance
    You need to keep active on the security of the site.
    1. Give out the fewest permissions necessary for anyone to do their job
    2. Make sure your hosting provider updates the software.
    3. Update to the latest vBulletin when it is released.
    4. Make sure your addons are always up to date.

    Leave a comment:
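The first four "Fill the Hole" steps in Mark.B's reply (review files for changes, delete suspect files, replace files with unexpected contents, scan for the suspect keywords), carried out from the command line as an added example that is not vBulletin's own Diagnostics tool or code from the poster. It assumes you have a fresh download of the same vBulletin version unpacked alongside the live tree, and that the plugin/product code to be checked is available as PHP or exported XML files under the scanned directory; all paths and the sample files in the comments are constructed.

```shell
#!/bin/sh
# Added example (not vBulletin's own tooling): compare an installed forum tree
# against a fresh download, then grep the PHP/XML files for the suspect keywords
# listed in the thread. Directory names used here are constructed placeholders.
set -e

# Print "checksum<TAB>relative-path" for every regular file under $1, sorted by path.
# cksum is POSIX, so no md5sum/sha*sum dependency is assumed.
build_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(cksum "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "$sum" "$f"
    done)
}

# Compare the live install at $1 against a manifest file $2 built from the clean copy.
# One line per finding:
#   MODIFIED path  -> "does not contain expected contents": replace from the download
#   MISSING  path  -> a stock file was removed: replace from the download
#   EXTRA    path  -> not part of the release: a suspect file, review and delete
compare_tree() {
    live=$(mktemp)
    build_manifest "$1" > "$live"
    awk -F'\t' '
        FILENAME == ARGV[1] { clean[$2] = $1; next }   # first input: clean manifest
        {
            seen[$2] = 1
            if (!($2 in clean))          print "EXTRA", $2
            else if (clean[$2] != $1)    print "MODIFIED", $2
        }
        END { for (p in clean) if (!(p in seen)) print "MISSING", p }
    ' "$2" "$live"
    rm -f "$live"
}

# Keywords from the thread. A hit is a lead to read, not proof of compromise:
# base64 and exec also appear in legitimate code, so review each match by hand.
SUSPECT_RE='exec|base64|system|pass_?thru|iframe'

# Grep PHP and exported plugin/product XML files under $1.
# Output: path:line:matching text. /dev/null forces grep to print the filename
# even when find hands it a single file.
scan_suspect_keywords() {
    find "$1" -type f \( -name '*.php' -o -name '*.xml' \) \
        -exec grep -inE "$SUSPECT_RE" /dev/null {} + 2>/dev/null || true
}

# Typical run (constructed paths):
#   build_manifest /srv/vb-fresh > /root/vb.manifest
#   compare_tree /var/www/forum /root/vb.manifest
#   scan_suspect_keywords /var/www/forum
```

Because the manifest comes from the untouched download, an attacker's edits to the live tree cannot hide from it; keep the manifest file itself outside the web root so it is not one of the things a follow-up intrusion can rewrite.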


  • cammot
    started a topic [Forum] Suspicious Files - Malicious Hacker

    Suspicious Files - Malicious Hacker

    My vBulletin CMS Forum 4.2.2 was recently hacked. We have been working with my host provider to fix it and find out where or how the hacker may have gained entry. We have restored the site, but have not been able to determine where or how the hacker entered, and more importantly whether the malicious files are still residing on the site. There are a couple of files that we don't recognize and are suspect; could someone please let us know the possibility of these files being malicious. The names of the files are: oscuridad and oscuridad.pub. Both these files were found on the shared server, but also in the vB folder too! The specific path where these files reside on our vB is mysite/modules/rooting. My host person did some research and determined that oscuridad is also a user, but we could not find a user with that name in the CP User area. Based on this background, can it be determined if these files are malicious and should be deleted? Also, how do we find the associated user on the user list, and where do I begin to eliminate this user/files and block the 'hole'?

    Thanks