My forums have been hacked!


  • #46
    Yes, if so, do tell!
    "63,000 bugs in the code, 63,000 bugs, you get 1 whacked with a service pack, now there's 63,005 bugs in the code."
    "Before you criticize someone, walk a mile in their shoes. That way, when you criticize them, you're a mile away and you have their shoes."
    Utopia Software - Current Software: Utopia News Pro (news management system)

    Comment


    • #47
      There's not an awful lot to tell beyond what was said here I am afraid...

      The best advice I got through these forums was to protect my "config.php" file by changing the read/write access privileges. I couldn't do this directly, so simply forwarded the necessary instructions to my hosting company, and they did the rest. A good rule of thumb is also to take regular back-ups of the database off of the server in case the worst should happen. Also, while it may not ward off the more determined hacker, password protecting the "admin" sub-directory with an .htaccess file is a good idea.

      I traced the hacker to a number of forum sites based out of the Middle East, where he was basically bragging about his exploits and which sites he had hacked. In addition to my site, I found evidence that three more sites had fallen prey to him. I forwarded all of the information on to my hosting company who promised to pass it on to the relevant people, but I never heard any more. I was *truly* convinced that he was using the shared account loophole to do the damage, as he restricted all of his hacking activities to sites hosted by two particular companies.

      Sorry that I cannot really offer any more advice guys...

      Comment


      • #48
        Hi everybody,

        I am from the State of Kuwait.

        From the hacker's name, which is alhejaz_hackers,
        and as most Arabic people know, Alhejaz is an area in Saudi.

        I did a search and I found him.
        He uses the same name on a vB site.

        I read the articles written by the guy who hacked your site.

        He thinks that he (as a Muslim) should destroy all sexual sites.

        He didn't explain how he did that.

        But do you know something: what he did is a crime in Islam or in any other law.

        What should you do?
        You should talk to Hotmail, telling them that the email address [email protected] belongs to the hacker who hacked my site.
        Ask them if they have some info about him.

        What should I do?
        I should talk to the forum admin to delete his account, or I am going to tell the vB owner that you have an illegal copy of vB forum with copyrights removed too.




        fixer

        Comment


        • #49
          Mark, thanks for the follow-up. I hope you follow up with VO, as well, so they don't drop the ball on this.

          I have put a .htaccess file in both the admin folder and the mod folder. And I put the .htpasswd file in the top-most root folder. I chmod'ed all three of these files as 644. And I chmod'ed the config.php file to 744.

          I don't fully understand the read/write access thingy, though. What exactly does "read" mean? If I'm providing "read" privileges to "other", then can't anyone open and read those files through telnet or FTP? Anyone have any helpful comments to clarify this? As Eric said...
          Originally posted by svoec
          ... if you have an account on the same server as someone else (possibly hacked account?), and if the ISP does not have the server permissions set correctly, (or you have permissions set to 777), anyone with an account on that server can view those files, no matter what your .htaccess file says...


          fixer, thanks for your comments. I searched on "alhejaz_hackers" and several spelling variations, but I couldn't find anything about them at all. Would you please share a link to where they've been posting? Maybe, by reading what they've posted, people here at vBulletin can think of more ways we can protect ourselves?



          If Your Site Was Hacked, Here's Something Else You Can Do
          I happened to find myself sharing lunch, yesterday, with the Director of the Division on Middle East and International Terrorism, of The American Jewish Committee. A friend of a friend thingy... small world. Anyway, she was very interested in this conversation here, at vBulletin, because cyber attacks are the "new thing" in terrorism. And she asked me to email her the links to the two threads related to this topic. I'm going to send those links to her, as soon as I submit this reply.

          If anyone else has additional information to share with them, please contact them. Here's the organization's contact info, as can be found on their web site... http://www.ajc.org/contactus.asp ...

          The American Jewish Committee
          Harold Tanner, President
          David A. Harris, Executive Director

          For more information about the American Jewish Committee, please contact the Public Relations department at (212)751-4000 or e-mail us at [email protected]


          Just ask them to forward your information to the Director of the Division on Middle East and International Terrorism. I would've given her info here, too... but I couldn't find it on their web site... so maybe she's keeping a low profile...

          Anyway, I hope this helps someone.

          mishkan
          Last edited by mishkan; Sun 30 Jun '02, 9:34am.

          Comment


          • #50
            Originally posted by Mark0380
            .......password protecting the "admin" sub-directory with an .htaccess file is a good idea....
            Yep, I did that when I first set up my forums... in three weeks there have been 144 attempts to access that directory! Hmmm.
            ......if the world didn’t suck we’d all fall off......
            In to AQHA? If so go HERE (horses to you and me)

            Comment


            • #51
              Originally posted by Dave S
              Yep, I did that when I first set up my forums... in three weeks there have been 144 attempts to access that directory! Hmmm.
              Hi Dave,

              Couple of questions...

              (1) What did you chmod the .htaccess and .htpasswd files to? 644?

              (2) How do you know how many attempts there've been to access that directory? Where do you look for that statistic?

              Thanks in advance,

              mishkan

              Comment


              • #52
                Originally posted by mishkan

                Hi Dave,

                Couple of questions...

                (1) What did you chmod the .htaccess and .htpasswd files to? 644?

                (2) How do you know how many attempts there've been to access that directory? Where do you look for that statistic?

                Thanks in advance,

                mishkan
                Q1 Yes 644
                Q2 As I own the domain and can host, I have all the Apache raw data, so I can see how, what & who has accessed it. It also records all the access-denied attempts, so I can trace down problems & the like.

                HTH
                Regards
                Dave.
                ......if the world didn’t suck we’d all fall off......
                In to AQHA? If so go HERE (horses to you and me)

                Comment
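Added example, not part of any post in this thread: one way to get the kind of figure Dave describes from raw Apache access logs, by counting 401/403 responses under the password-protected directory per client IP. The log lines, the `/forums/admin/` path and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation IP ranges (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2002:03:12:01 +0000] "GET /forums/admin/ HTTP/1.0" 401 476 "-" "Mozilla/4.0"
203.0.113.7 - admin [28/Jun/2002:03:12:04 +0000] "GET /forums/admin/ HTTP/1.0" 401 476 "-" "Mozilla/4.0"
203.0.113.7 - root [28/Jun/2002:03:12:06 +0000] "GET /forums/admin/index.php HTTP/1.0" 401 476 "-" "Mozilla/4.0"
198.51.100.20 - dave [28/Jun/2002:09:30:11 +0000] "GET /forums/admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [29/Jun/2002:17:02:45 +0000] "GET /forums/admin/.htaccess HTTP/1.0" 403 289 "-" "-"
192.0.2.44 - - [29/Jun/2002:17:03:10 +0000] "GET /forums/index.php HTTP/1.0" 200 20480 "-" "Mozilla/4.0"
garbage line that does not parse
""".splitlines()


def denied_attempts(lines, protected_prefix="/forums/admin/"):
    """Count 401/403 responses under protected_prefix, grouped by client IP.

    Returns (Counter of denials per IP, {ip: set of usernames tried}).
    """
    per_ip = Counter()
    users_tried = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not path.startswith(protected_prefix):
            continue
        if m["status"] in ("401", "403"):
            per_ip[m["ip"]] += 1
            # On a 401 the logged user is the name that was tried, not a verified one.
            if m["user"] != "-":
                users_tried.setdefault(m["ip"], set()).add(m["user"])
    return per_ip, users_tried


if __name__ == "__main__":
    counts, users = denied_attempts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(ip, n, sorted(users.get(ip, [])))
```

A single 401 with no username is the normal browser challenge before the password prompt, so repeated denials or several usernames from one address are the signal worth reviewing.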


                • #53
                  Originally posted by Dave S
                  Q1 Yes 644
                  Q2 As I own the domain and can host, I have all the Apache raw data, so I can see how, what & who has accessed it. It also records all the access-denied attempts, so I can trace down problems & the like.
                  (1) I'm confused, though about the "read" attribute for "other". Doesn't that allow anyone at all to view those files? Would you mind please explaining that a little?

                  (2) Now that is very cool, that you have access to all that info.

                  mishkan

                  Comment


                  • #54
                    Originally posted by mishkan


                    (1) I'm confused, though about the "read" attribute for "other". Doesn't that allow anyone at all to view those files? Would you mind please explaining that a little?

                    (2) Now that is very cool, that you have access to all that info.

                    mishkan
                    1= not if it's in a password-protected dir... FYI 604 will work... well, does for me [the "other" looks like it has to be set to read... something to do with MySQL]
                    2= oyer
                    ......if the world didn’t suck we’d all fall off......
                    In to AQHA? If so go HERE (horses to you and me)

                    Comment


                    • #55
                      Dave, thanks for your continued help... I don't mean to have you beat your head against the wall, trying to answer me. I feel so thick-headed about this. I just sent the following question to my web host to see how they would phrase their explanation...

                      I have put .htaccess and .htpasswd files on my site. And I chmod'd them to 644. This allows "others" to read those files. Isn't that a security problem for me, as anyone can "read" the contents of those files?

                      Same question for my config.php file, which I chmod'd to 744. Doesn't that leave my config.php file vulnerable to anyone who wants to read it?


                      And here is their answer...

                      1. No one can read your .htaccess or .htpasswd files as they are not accessible via HTTP.

                      2. If you do not have a print statement inside your config.php nobody can see its contents.


                      I'm even more confused now. Do you have any idea what they mean by "they are not accessible via HTTP"? And are they correct about needing a print statement inside the config.php file, in order for someone to see its contents?

                      Thanks,

                      mishkan

                      Comment


                      • #56
                        What they mean is that trying to access http://www.somewhere.com/path/to/.htaccess will fail, as Apache refuses to serve requests for .ht* files.

                        Regarding the print statement, what they mean is that config.php does not output any information, so simply browsing to http://www.somewhere.com/path/to/config.php would result in a blank page.

                        Comment
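Added example, not part of any post in this thread: the answers above cover what is reachable over HTTP, while the 644/744/777 modes discussed earlier govern what other local accounts on the same server can do. This sketch decodes those modes and flags the files the thread names; the directory layout, file placement and function names are constructed for illustration.

```python
import os
import stat
import tempfile

SENSITIVE = {"config.php", ".htpasswd", ".htaccess"}


def describe(mode):
    """Render permission bits the way ls -l does, e.g. 0o744 -> 'rwxr--r--'."""
    return stat.filemode(mode)[1:]


def audit(root):
    """Return {relative_path: [mode, finding, ...]} for risky files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            notes = []
            if mode & stat.S_IWOTH:
                notes.append("world-writable")
            if name in SENSITIVE and mode & stat.S_IROTH:
                # Apache refusing .ht* over HTTP does not stop a local account reading it.
                notes.append("readable by other local accounts")
            if name in SENSITIVE and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                notes.append("execute bit set but not needed")
            if notes:
                rel = os.path.relpath(path, root)
                findings[rel] = [f"{mode:03o} {describe(mode)}"] + notes
    return findings


def demo():
    """Build a constructed forum tree using the modes mentioned in the thread."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "admin"))
    layout = {"admin/config.php": 0o744, "admin/.htaccess": 0o644,
              ".htpasswd": 0o644, "index.php": 0o644, "upload.tmp": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)  # exact mode, independent of umask
    return audit(root)


if __name__ == "__main__":
    for rel, notes in sorted(demo().items()):
        print(rel, "->", "; ".join(notes))
```

Whether the "other" read bit can be dropped depends on which user the host runs the web server and PHP as, which is why a host may need to make the change.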


                        • #57
                          Originally posted by Kier
                          What they mean is that trying to access http://www.somewhere.com/path/to/.htaccess will fail, as Apache refuses to serve requests for .ht* files.

                          Regarding the print statement, what they mean is that config.php does not output any information, so simply browsing to http://www.somewhere.com/path/to/config.php would result in a blank page.
                          Kier, thanks for the info. That really clarifies it for me. Sorry for the delay in getting back to you... I've been juggling a number of things lately... thanks again.

                          Comment


                          • #58
                            Re: My forums have been hacked!

                            Originally posted by Mark0380
                            I've just got out of bed to find a mailbox full of messages from my members saying my forums have been hacked. Sure enough, I attempt to log in to the forums and there's a message from a hacker group known as "Alhejaz_Hackers".

                            On further investigation, it looks like they have somehow managed to up their user account to administrator privilege, then proceed to delete all of the forums and their posts, change the "forum_home" template, and then finish by deleting my own admin user account so I couldn't get back in.

                            I've now created a new account for myself, logged into MySQL in the conventional method on the server, and changed my user privileges back to administrator so I can access the vB control panel once again.

                            It does not appear that they broke into the FTP or the hosting company's site control panel fortunately. I am now writing to my hosting company (VentresOnline) to see if they can obtain a back-up of the MySQL database from yesterday, but even if I can get the site restored, I get the impression from the hackers' message that they are going to keep on doing this to me.

                            I really do not know which way to proceed next. The system has logged two different IP addresses for this hacker in the admin log. It looks like they have been able to log in to the admin area with an account they opened moments before, which considering even registered users have fairly restricted privileges on my forums is very worrying.

                            Has this ever happened to anyone else? What should I do next for the best? How can I make the site more secure? I am quite stunned that this has happened to my fairly small and insignificant forums site, and gutted that this has happened so soon after we'd just relocated to a decent hosting company. Help!
                            I am virtually in the same spot you are bro. My forum has a dedicated individual seeking to destroy it. Be careful, because they now may have a copy of your DB.

                            The server my forum is on has been locked down like Fort Knox.

                            I hope you get through this. I hope I do too. These people won't go away.
                            Proud to have designed, developed, and implemented my own Anti Troll software into my vbulletin installation with the help of my great friend Bialar Crais. We specialize in the confusion and banishment of all that which tries to stop our community from thriving. Thanks to the trolls for driving our community closer together in the fight against a common enemy.

                            Comment


                            • #59
                              Re: Re: My forums have been hacked!

                              Originally posted by Nemesis2000


                              I am virtually in the same spot you are bro. My forum has a dedicated individual seeking to destroy it. Be careful, because they now may have a copy of your DB.

                              The server my forum is on has been locked down like Fort Knox.

                              I hope you get through this. I hope I do too. These people won't go away.
                              Nemesis2000, would you mind sharing all the security measures you took? Thanks.

                              mishkan

                              Comment


                              • #60
                                Re: Re: Re: My forums have been hacked!

                                Originally posted by mishkan

                                Nemesis2000, would you mind sharing all the security measures you took? Thanks.

                                mishkan
                                I moved to a server where I have root access, and was able then to take more effective countermeasures.
                                Proud to have designed, developed, and implemented my own Anti Troll software into my vbulletin installation with the help of my great friend Bialar Crais. We specialize in the confusion and banishment of all that which tries to stop our community from thriving. Thanks to the trolls for driving our community closer together in the fight against a common enemy.

                                Comment
