My forums have been hacked!


  • #31
    This is probably too obvious to even mention, but did you have getadmin.php on your server anywhere? When I first got vB I uploaded everything, even the "extras" directory, without realizing that getadmin.php would allow anyone to make themselves an admin. Good thing I realized it before anything happened.
    Brian Cruz
    www.toonzone.net



    • #32
      I think just the ability to change the name, and to move the config.php to a location other than the admin directory, would be good.

      If a hacker knows the name of the file he wants, and its location, it is much easier to get what they are looking for. If it isn't in the same location on every VB install, that makes life more difficult for them.

      just my .02 worth
      -



      • #33
        I checked the thread you posted also...

        I just have one question, they were recommending 750, why would you set execute on the config.php file?

        It is just read like a text file, not executed, that is just adding one more right that someone could exploit.

        I'm done rambling now

        Mark, any progress?

        Thanks!

        Eric C
        -



        • #34
          Hey Brian Cruz, thanks for pointing out getadmin.php.

          I also had the file in the extras folder completely open for all users to read!!!! I just deleted the folder from there!!!!!!!!!



          • #35
            Svoec well true. I have taken out the +x for config.php.



            • #36
              I am posting to the thread you posted right now. It was started in January, but it probably should be updated.

              Thanks!
              -



              • #37
                Simply placing .htaccess on your admin directory will keep your config.php file safe.

                Also make sure that getadmin.php or any of the other files located in the Extras folder within your vBulletin zip file are on your server. These should never be online unless you are using them. Once used you need to delete them from your server.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API



                • #38
                  Actually, the .htaccess file only protects files that are accessed through the web server (Apache normally).

                  If you are using telnet or FTP, the .htaccess file has no effect...

                  Eric C
                  -



                  • #39
                    It was clearly stated earlier that FTP was not compromised unless I misread something.

                    Since the hacker is only changing things in the forum and not deleting the files or installing other malicious software for more damage (such as PHPMyAdmin), why do you assume that it is being done through FTP?

                    Wayne Luke



                    • #40
                      I'm sorry, I don't mean to be an ass, but

                      you are not catching the full meaning of what we are talking about.

                      What we are saying is, if you have an account on the same server as someone else (possibly hacked account?), and if the ISP does not have the server permissions set correctly (or you have permissions set to 777), anyone with an account on that server can view those files, no matter what your .htaccess file says...

                      Get what I am saying?

                      Eric C
                      -
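
The two checks discussed in the posts above (filesystem permissions on a shared server, which .htaccess does not govern, and getadmin.php or the extras directory left online), written as an added example that is not part of any post or of vBulletin itself. The admin/config.php path and the function names are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Layout is an assumption: config.php
# lives under admin/ and leftovers may sit anywhere below the forum root.

# mode_of FILE: print octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_config FILE: report mode bits that .htaccess cannot compensate for.
# Returns 0 when clean, 1 on any finding, 2 when the file is missing.
check_config() {
    m=$(mode_of "$1") || { echo "MISSING: $1"; return 2; }
    rc=0
    # Any "other" bit exposes the file to every local account on a shared host.
    if [ $((0$m & 0007)) -ne 0 ]; then
        echo "WORLD-ACCESSIBLE ($m): $1"; rc=1
    fi
    # config.php is read by PHP, never executed, so no execute bit is needed.
    if [ $((0$m & 0111)) -ne 0 ]; then
        echo "EXECUTE BIT ($m): $1"; rc=1
    fi
    return $rc
}

# find_leftovers ROOT: list getadmin.php copies and extras directories.
find_leftovers() {
    find "$1" \( -type f -name 'getadmin.php' -o -type d -name '[Ee]xtras' \) -print
}

# audit ROOT: run both checks; returns 0 only when nothing is reported.
audit() {
    status=0
    check_config "$1/admin/config.php" || status=1
    left=$(find_leftovers "$1")
    if [ -n "$left" ]; then
        echo "REMOVE FROM SERVER:"; echo "$left"; status=1
    fi
    return $status
}

# Constructed demo tree: a 777 config.php plus an uploaded extras directory.
demo=$(mktemp -d)
mkdir -p "$demo/admin" "$demo/extras"
: > "$demo/admin/config.php"; : > "$demo/extras/getadmin.php"
chmod 777 "$demo/admin/config.php"
audit "$demo" || echo "audit: findings above"
rm -rf "$demo"
```

A mode such as 600 or 640 passes check_config; 750 is reported for the execute bit and 777 for both findings.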



                      • #41
                        Originally posted by wluke
                        It was clearly stated earlier that FTP was not compromised unless I misread something.
                        No, FTP hasn't been compromised as far as I can tell. But the current theory is that the hacker was rummaging around via Telnet/SSH, because he could have an account on the same shared server.



                        • #42
                          I think the first step is to drop a .htaccess file in the admin directory that limits access only to your IP. This would only work if your connection is static of course.



                          • #43
                            Well, I have now got my hands on one of the emails they sent out. It seems that not only did they take a copy of my members' email list, they kindly decided to send out an email to all registered members through vB Admin Area.

                            Take a look:

                            hello all the simians and the swines. To the scoundrels & The miscreants, the time had arrived for your education. This penetration is for the amusement, I shall visit you in other time. The glory is for debt of the Islam and the victory is for the Moslems.

                            Best Regards,
                            AL- Hejaz_Hackers


                            Well, can at least be thankful they didn't mention my site in any way in their mail. But I have since sent out a warning to all of my registered members anyway. What's the likelihood of tracing these people?



                            • #44
                              I received a private message on here this morning by another vB user to say that the forums he visits have been hacked by the same person/group. Their site is at http://www.thisboardrocks.com, and at the time of writing, still sports the hacked message.

                              The most worrying thing about this latest development is that I have just done a look-up on this other site's domain, and guess what? It appears to be hosted by the same company as mine!

                              Naturally, I have already informed VenturesOnline about this and will keep everyone here up-to-speed on the developments.
                              Last edited by Mark0380; Sat 13 Apr '02, 8:46am.



                              • #45
                                Mark, whatever happened with this awful situation? How did you stop it from happening again? Do you have a "checklist" of security advice to share with us?

                                Thanks,

                                mishkan

