  • Security hole !

    Somebody hacked Aletia's support forum http://aletiaforums.com/index.php

    Please explain how that could be possible and what to do to prevent such things in the future.

  • #2
    Well one thing that comes to mind is that someone got access to the Admin's password. Another possibility is that someone got access to the server. In fact, there are literally dozens of reasons a site can get hacked that have absolutely nothing to do with security holes in vB.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      thanks.



      • #4
        No problem!
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


        • #5
          Originally posted by smachol
          Well one thing that comes to mind is that someone got access to the Admin's password. Another possibility is that someone got access to the server. In fact, there are literally dozens of reasons a site can get hacked that have absolutely nothing to do with security holes in vB.
          Steve, could you please start me off with some examples of reasons? And do you have a "favorite" web site that explains how I can enhance my site security... in easy-to-understand language, of course? I have a shared server, BTW.

          Thanks!

          mishkan



          • #6
            Originally posted by mishkan

            Steve, could you please start me off with some examples of reasons? And do you have a "favorite" web site that explains how I can enhance my site security... in easy-to-understand language, of course? I have a shared server, BTW.

            Thanks!

            mishkan

            Security holes in the server itself can help compromise your vB...


            The best security is password-protecting your /admin and /mod dirs with .htaccess...



            • #7
              Originally posted by The Prohacker
              Security holes in the server itself can help compromise your vB...

              The best security is password-protecting your /admin and /mod dirs with .htaccess...
              I just read something about that idea in another thread... but it didn't say how. I know how to create and upload in ASCII a ".htaccess" file, but I have a couple of questions about your suggestion...

              (1) What should I put in the ".htaccess" files?

              (2) Where should I upload them to?

              I would greatly appreciate your help on that. Thanks in advance!

              mishkan



              • #8
                Google search is a wonderful thing!

                HTAccess Authentication Tutorial
                Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                • #9
                  I don't use .htaccess. I know that all my admins have static IPs, so I just added some code to global.php.

                  Look for

                  ```php
                  $checkpwd=1;
                  // Admin cookie not set: vBulletin's own password check. The operand after == is
                  // missing from the post as extracted; the comparison is against the empty string.
                  if ($HTTP_COOKIE_VARS['bbadminon']=="" and substr($PHP_SELF,-strlen("upgrade1.php"))!="upgrade1.php" and $checkpwd) {
                  ```

                  Above it add

                  ```php
                  // Addresses the admins connect from (the two from the original post).
                  $adminips = array("62.255.156.214", "209.120.178.10");
                  $ipaddress = getenv("REMOTE_ADDR");

                  // Deny unless the address is in the list. The original test was
                  // "!= A or != B", which is true for every address, the admins' included.
                  if (!in_array($ipaddress, $adminips)) {
                      cpheader("<title>Forums admin</title>");
                      echo "<p>You are connecting from $ipaddress this is not a valid IP.</p>";
                      cpfooter();
                      exit;   // stop here; otherwise the rest of the admin page still runs
                  }
                  ```

                  Scott MacVicar




                  • #10
                    Originally posted by smachol
                    Google search is a wonderful thing!

                    HTAccess Authentication Tutorial
                    ... Steve, you made me smile... thanks for the gentle nudge towards the search engines. I think the site you gave was specific for that particular company's clients, though... it talks about some program that I think only their clients have access to. But I found additional sites to learn about .htaccess... these looked especially good!

                    http://www.javascriptkit.com/howto/htaccess.shtml
                    A comprehensive guide to the .htaccess file.

                    http://www.euronet.nl/~arnow/htpasswd/
                    Password Generator tool... to encrypt your password for the .httpasswd file.

                    http://www.euronet.nl/~arnow/htpassw...mentation.html
                    Documentation for the Password Generator tool... and some more info on passwords.

                    I hope this helps anyone else, who is also looking for .htaccess info!

                    mishkan

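The admin-directory protection that #6 recommends and #7 asks how to set up, as an added example that is not from the thread or from vBulletin: the .htaccess contents, where the two files go, and how the password file is created. The paths, the realm string and the user name are assumptions for illustration.

```apacheconf
# Added example (not from the thread). Save this as admin/.htaccess inside the forum
# directory and a copy as mod/.htaccess. Assumed layout: the forum lives under
# /home/example/public_html/forum and /home/example/private/ is outside the web root.

AuthType Basic
AuthName "vBulletin admin area"
# The password file must sit OUTSIDE the document root so a web request can never fetch it.
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# Create the password file once from a shell on the server (-c creates it; omit -c to add users):
#   htpasswd -c /home/example/private/.htpasswd adminname
# On Apache 2.4 add -B to store a bcrypt hash instead of the MD5-based default.
# Without shell access, the generator linked in #10 produces the same "user:hash" line;
# paste it into the file and upload the file in ASCII mode, like the .htaccess itself.
```

Check the result from a fresh browser session: requesting the admin URL must produce the browser's password prompt (an HTTP 401) before vBulletin's own login page appears. If it does not, the host has not enabled `AllowOverride AuthConfig` for that directory and the file is silently ignored. Basic auth sends the password base64-encoded on every request, so the admin directory should be served over HTTPS, and this prompt is in addition to vBulletin's admin login, not a replacement for it.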


                    • #11
                      Originally posted by PPN
                      I don't use .htaccess. I know that all my admins have static IPs, so I just added some code to global.php.
                      PPN, thanks for the hack... I'm building a little "hack" library and I'll add this one to it.

                      Aren't you concerned about other people, besides your administrators, trying to access your files? Why don't you use the .htaccess for them? Or have you handled site security some other way?

                      mishkan



                      • #12
                        Since his code is in global.php, it is in all files that are accessed through the Admin Control Panel.

                        Wayne Luke


                        • #13
                          Thanks for helping to clarify, wluke. I guess it's obvious that I just don't understand the effects of PPN's hack. In fact, I think I understood it completely backwards. I thought that he was protecting his site from his admins... when, in actuality, I guess he's protecting his site from everyone except his admins. Am I correct now?

                          mishkan



                          • #14
                            It checks the IP of the user, and if it doesn't equal mine or the other admins' it won't even let them log in, so they can't get access to any of the admin panel files.

                            This really only works for static IPs though, but you could modify it to accept a range, I guess.
                            Scott MacVicar


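The IP check from #9, generalized to the address ranges PPN mentions in #14: an added example in PHP, not from the thread or from vBulletin, that accepts CIDR entries as well as single addresses and keeps a "deny unless listed" logic. The addresses are RFC 5737 documentation ranges chosen for illustration, and `$vb_admin_allow`, `vb_ip_in_cidr` and `vb_ip_allowed` are names introduced here.

```php
<?php
// Added example (not from the thread). Drop-in for admin/global.php, placed above the
// bbadminon check exactly where post #9 puts its code. IPv4 only, like the original.

// Allowed admin sources: single addresses and CIDR ranges (documentation addresses, for illustration).
$vb_admin_allow = array(
    '203.0.113.10',       // one admin on a static address
    '198.51.100.0/24',    // an office range
);

/**
 * True if $ip (dotted quad) lies inside $cidr ("a.b.c.d" or "a.b.c.d/n").
 * Malformed input never matches, so a bad list entry can only lock out, never let in.
 */
function vb_ip_in_cidr($ip, $cidr)
{
    $parts = explode('/', $cidr, 2);
    $net   = ip2long($parts[0]);
    $bits  = isset($parts[1]) ? (int) $parts[1] : 32;
    $addr  = ip2long($ip);
    if ($net === false || $addr === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Network mask with the top $bits bits set; /0 is handled separately because a
    // shift by the full word width is not portable across PHP versions.
    $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
    return (($addr & $mask) === ($net & $mask));
}

/** True only if some entry in $allow matches; the original "!= A or != B" was always true. */
function vb_ip_allowed($ip, array $allow)
{
    foreach ($allow as $cidr) {
        if (vb_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer. Behind a reverse proxy that is the proxy's address, and
// X-Forwarded-For must not be substituted here unless the proxy is the only way in.
$ipaddress = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

if (!vb_ip_allowed($ipaddress, $vb_admin_allow)) {
    header('HTTP/1.1 403 Forbidden');
    // cpheader()/cpfooter() from post #9 can wrap this instead when the file is inside the ACP.
    echo '<p>You are connecting from ' . htmlspecialchars($ipaddress) . '; this is not a permitted address.</p>';
    exit;   // without exit the rest of the admin page still executes
}
```

Test it from an address outside the list before relying on it, and keep the list short enough to audit. On Apache the same restriction can be expressed in the admin directory's `.htaccess` as `Require ip 198.51.100.0/24` (Apache 2.4 syntax), which survives upgrades that overwrite global.php; either way this is a layer on top of the password check, not a substitute for it.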


                            • #15
                              Thanks for explaining that, PPN... much appreciated by clueless newbies, everywhere!

                              mishkan
