My forums have been hacked!


  • #16
    Some of the IPs could just be people from here trying to view your forum, which I assume is http://www.leatherforums.com/



    • #17
      I have been monitoring the guest login IPs for the last hour now, and the majority are from Saudi Arabia or the UAE, but yes, I agree there are a handful of people coming in from western IPs.

      I am going to have to close my site down completely for now I think.



      • #18
        The saga worsens. It now appears that before inflicting all of the damage, the hacker took a copy of all of the email addresses within the user database and has been inflicting some of the 750+ members with spam emails.
        Last edited by Mark0380; Thu 11 Apr '02, 4:48am.



        • #19
          here is a theory for you that would fit, if the hacker has a page on the same server....

          if you are on the same server, some ISPs don't set permissions so well on the different sites... if he was able to look at your config.php, he could get the username and password for mysql

          he logged in, and created a new user...

          then, using mysql admin tools, he could have upped himself to admin, and then blasted away at it...

          just a thought ???
          Last edited by svoec; Thu 11 Apr '02, 5:10am.


          • #20
            Hmmm... sounds like a worryingly good theory actually. Have just put it to the test via SSH, and could easily 'vi' into another account's "index.html" by using simple guesswork. If you second-guessed the right account name and knew enough about vBulletin, you could easily 'cd' your way up into another account's public_html/forums/admin directory, and then 'vi' config.php as you say.

            Isn't there a way to change permissions on a file so that it can only be viewed or edited by a certain "owner" logged in on Telnet or SSH? Or would that then screw-up access to config.php by vBulletin?

            I have notified VenturesOnline immediately about this, although if this is the way he got in, I would have thought that the hacker would have gone back in again this morning and put his message back on my front door after I stripped it away, as surely he could change my templates through MySQL anyway?
            Last edited by Mark0380; Thu 11 Apr '02, 5:31am.



            • #21
              Originally posted by Mark0380
              Hmmm... sounds like a worryingly good theory actually. Have just put it to the test via SSH, and could easily 'vi' into another account's "index.html" by using simple guesswork.

              Isn't there a way to change permissions on a file so that it can only be viewed or edited by a certain "owner" logged in on Telnet or SSH? Or would that then screw-up access to config.php by vBulletin?

              it's an issue with how cpanel/apache work together... talk with VO about this
              :: Always Back Up Forum Database + Attachments BEFORE upgrading !
              :: Nginx SPDY SSL - World Flags Demo [video results]
              :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]



              • #22
                I don't think there are any settings you would be able to change to help...

                I agree.. talk with your host. they probably don't even realise you can do that.


                • #23
                  hey .. i just had another thought...

                  Someone more knowledgeable would have to verify this will work, but

                  rename the admin directory for your forum...
                  is there a way to do it ?


                  • #24
                    Support ticket went in a moment ago... I tried to explain to them as best I can, but I feel so guilty having this happen only a week after I had relocated to VO.

                    Meanwhile, I am trying to compose an announcement to all of my members explaining the situation. This is going to put yet another major dent into the future of my site I fear.



                    • #25
                      Yes, "hiding" the admin directory sounds like a good security measure. Surely paths can be altered across all of the PHP pages?

                      VenturesOnline have just responded - brilliant support turn around time, hats off to them yet again! This is what they had to say:

                      "Depending on how you had the permission set on that file then yes that could be a possibility. Although most legit paying customers wouldn't be stupid enough to do something like that. We catch most of the people who open accounts fraudulently before they have a chance to even access the account."

                      Hmmmm - well, doesn't exactly instill confidence that they are going to take measures to stop this from happening again. Is there any way I can protect config.php from prying eyes? I've been rummaging around these forums... it seems to be a known problem with no easy solution



                      • #26
                        Mark, you'd want to change the access to the config-files so that others can't access them at all. That would mean using chmod on the shell, thru a web-interface or however the ISP lets you have access to them. Alternatively ask the ISP. Also, ask them to make sure the services run as nobody, so they can't be abused to access other people's files, which would be easy if the services run as a trusted user. In short, this is a mess caused largely by the ISP, and there's precious little you as a user could've done to prevent it.
                        Toddler from Hell



                        • #27
                          if this is what happened... (this is still speculation)

                          you will want to make sure you change your mysql password.


                          Also, if you can use FTP, a lot of FTP programs will allow you to change permissions...

                          BTW: I think chmod 700 is what you would want for permissions. You will have to test it, to see if it works.

                          Eric C


                          • #28
                            svoec, chmod 700 will make the config.php file u+rwx only.

                            However I do not think vBulletin will work with such permissions on config.php.

                            Could anyone confirm please?



                            • #29
                              I tried it with 700, and it would not work, had to use 740.


                              Altho I would really not like to post this info, as it leads me to believe my board could be hacked by someone with an account on the same server. But at least this way, someone can confirm..

                              Eric C

                              Comment
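
The permission modes debated in posts #26 to #29 can be checked rather than guessed. The sketch below is an added example, not code from the thread or from vBulletin; the helper names (`file_mode`, `classify_mode`, `tightest_mode`), the user and group arguments, and the throwaway file standing in for config.php are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit who can read a forum's config.php on a shared host.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify a mode such as 644 by who may read the file.
classify_mode() {
    m=$(printf '%s' "$1" | sed 's/^0*//')   # drop leading zeros: avoid octal parsing
    m=${m:-0}
    if [ $(( (m % 10) & 4 )) -ne 0 ]; then
        echo WORLD_READABLE      # any account on the server can read it
    elif [ $(( (m / 10 % 10) & 4 )) -ne 0 ]; then
        echo GROUP_READABLE      # members of the file's group can read it
    else
        echo OWNER_ONLY
    fi
}

# Tightest mode that still lets PHP read the file.
# $1 = file owner, $2 = file group, $3 = user PHP runs as,
# $4 = space-separated groups of that user (all supplied by the caller).
tightest_mode() {
    if [ "$3" = "$1" ]; then echo 600; return; fi
    for g in $4; do
        if [ "$g" = "$2" ]; then echo 640; return; fi
    done
    echo 644   # PHP needs the world-read bit: only the host can fix this
}

# Constructed demo: a throwaway file standing in for config.php.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/config.php"
    : > "$f"
    chmod 644 "$f"; before=$(classify_mode "$(file_mode "$f")")
    chmod 640 "$f"; after=$(classify_mode "$(file_mode "$f")")
    rm -rf "$d"
    echo "$before -> $after"
}

demo
```

Mode 640 is enough for PHP to read the file; the execute bit in 740 adds nothing for a file that is only read. On a host where every customer's PHP runs as the same server user, a group-readable or world-readable config.php can still be read by other customers' scripts, so the remaining fix lies with the host.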


                              • #30
                                I had posted earlier in the Suggestions forum that the config.php should have some kind of encrypted password but it was deemed as being useless to have.

                                Of course this is if config.php readable was the cause of this hack but I really doubt customers would snoop on other people's files

                                Check out this thread also for config.php permissions:

                                http://www.vbulletin.com/forum/showt...php+permission
