Announcement

**Steve Machol** · Tue 11th Mar '03, 7:10am

The most likely explanation is that he got ahold of an Admins password and/or direct access to your server. In addition to htaccess password protection, I suggest you change all the Admin passwords and your server login password as well.

**Floris** · Tue 11th Mar '03, 7:31am

Your E-mail
Your ftp
Your SSH/telnet
Your Admin userpasses
Your (Super) Mods userpasses
Your Control Panel (the one from isp, if any) userpass
Etc ..
Htpasswd all dirs that shouldn't be visible.
Match all the IP's from the admin and/or mod logs against the ip's from the admins and see which mismatch.
Those can be compared against any ip in your database to see if it is a registered member.
And report all logs of the hack to the hosting provider/ abuse department of that isp for hacking.

**ummahforums** · Tue 11th Mar '03, 7:49am

Originally posted by Steve Machol

The most likely explanation is that he got ahold of an Admins password and/or direct access to your server. In addition to htaccess password protection, I suggest you change all the Admin passwords and your server login password as well.

The thing is, there are only a few entries in the admin log today and all of them check out (xiphoid - I have talked to the other admins and checked).

As to direct access, root login on my server (dedicated box) is allowed only with an SSH key (password logins are not allowed - I have configured sshd in this way). Login to the vBulletin mySQL account is limited to localhost only, and there are no other accounts which allow non-local logins. I am running mySQL 3.23.55 (latest version).

What puzzles me is why the hacker didn't do any damage (apart from closing the board).

**filburt1** · Tue 11th Mar '03, 7:53am

Originally posted by ummahforums

The thing is, there are only a few entries in the admin log today and all of them check out (xiphoid - I have talked to the other admins and checked).

As to direct access, root login on my server (dedicated box) is allowed only with an SSH key (password logins are not allowed - I have configured sshd in this way). Login to the vBulletin mySQL account is limited to localhost only, and there are no other accounts which allow non-local logins. I am running mySQL 3.23.55 (latest version).

What puzzles me is why the hacker didn't do any damage (apart from closing the board).

One of your admin accounts is using an insecure username and password.

**ummahforums** · Tue 11th Mar '03, 7:57am

Originally posted by filburt1

One of your admin accounts is using an insecure username and password.

But all the entries in the admin log check out, fully. Surely an entry would appear in the admin log, if it was done by a person using an admin account?

The Sendmail on the box has also been updated, so there's no vulnerability there. Sure there couldn't be a buffer overflow somewhere in vB?

**filburt1** · Tue 11th Mar '03, 8:00am

Maybe your host has an insecure root connection to MySQL and somebody else on the server could access your DB.

Just a lession also to back up at least daily.

**Scott MacVicar** · Tue 11th Mar '03, 8:11am

check the admin usernames for that time period and check the IP matches what the admin usually has.

**ummahforums** · Tue 11th Mar '03, 8:15am

Well, the hacker didn't do any damage at all, which is why it's so puzzling. I've looked through the Apache access_log for accesses to the admin directory, and they all check out with the admins, and there are no mySQL accounts which allow non-local access. It's a dedicated box, so there's no-one else on it apart from me.

**ummahforums** · Tue 11th Mar '03, 8:22am

Originally posted by Scott MacVicar

check the admin usernames for that time period and check the IP matches what the admin usually has.

Yep, I just checked, and it does.

**Steve Machol** · Tue 11th Mar '03, 8:25am

Since the board was closed, someone did this either from the Admin CP or by direct access to the database. Do you have phpMyAdmin on your server? is it password protected? If so, you should change that password as well.

**ummahforums** · Tue 11th Mar '03, 8:34am

Well, here's the latest:

Apache shows "POST /forum/admin/options.php" 6 times between 13:46 and 13:51 GMT (and the vB admin log agrees). The IP reported is the IP of an admin (well, the IP of the NAT router at his workplace).

The admin remembers having changed the options once, but he's pretty sure that he didn't click submit 6 times.

What I think is that a backdoor has been installed, either on his box or another box behind the same router. A clever kiddie must be using this backdoor as a kinda proxy, and must have accessed the panel soon after the real admin did.

I believe this may be the case, as the admin tells me that a friend was complaining about receiving viruses from him via e-mail, and that the e-mails originated from his IP....

**filburt1** · Tue 11th Mar '03, 9:23am

Maybe somebody else just got physical access to the admin's machine.

Announcement

Hacked on vB 2.3.0

Hacked on vB 2.3.0

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment