Hacked on vB 2.3.0

#1
For 5 minutes, my board displayed the following message:

    vBulletin Message
    Board Hacked ^^____DaKeWl____^^

After that, the message was removed but the board was still closed. An admin logged in about an hour later and switched the board back on.

I've looked at the admin log, and I can see nothing out of the ordinary (I have confirmed the login times and stuff noted there with the admins).

So how did "DaKewl" do this?

I don't know if this will help, but I'm gonna .htaccess protect the admin directory now.

#2
The most likely explanation is that he got ahold of an Admin's password and/or direct access to your server. In addition to htaccess password protection, I suggest you change all the Admin passwords and your server login password as well.

Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
Change CKEditor Colors to Match Style (for 4.1.4 and above)
Steve Machol Photography
Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


#3
Your E-mail
Your ftp
Your SSH/telnet
Your Admin userpasses
Your (Super) Mods userpasses
Your Control Panel (the one from ISP, if any) userpass
Etc ..
Htpasswd all dirs that shouldn't be visible.
Match all the IPs from the admin and/or mod logs against the IPs of the admins and see which mismatch.
Those can be compared against any IP in your database to see if it is a registered member.
And report all logs of the hack to the hosting provider / abuse department of that ISP for hacking.


#4
Originally posted by Steve Machol:
    The most likely explanation is that he got ahold of an Admin's password and/or direct access to your server. In addition to htaccess password protection, I suggest you change all the Admin passwords and your server login password as well.

The thing is, there are only a few entries in the admin log today and all of them check out (xiphoid - I have talked to the other admins and checked).

As to direct access, root login on my server (dedicated box) is allowed only with an SSH key (password logins are not allowed - I have configured sshd in this way). Login to the vBulletin mySQL account is limited to localhost only, and there are no other accounts which allow non-local logins. I am running mySQL 3.23.55 (latest version).

What puzzles me is why the hacker didn't do any damage (apart from closing the board).


#5
Originally posted by ummahforums:
    The thing is, there are only a few entries in the admin log today and all of them check out (xiphoid - I have talked to the other admins and checked).

    As to direct access, root login on my server (dedicated box) is allowed only with an SSH key (password logins are not allowed - I have configured sshd in this way). Login to the vBulletin mySQL account is limited to localhost only, and there are no other accounts which allow non-local logins. I am running mySQL 3.23.55 (latest version).

    What puzzles me is why the hacker didn't do any damage (apart from closing the board).

One of your admin accounts is using an insecure username and password.

--filburt1, vBulletin.org/vBulletinTemplates.com moderator
Web Design Forums.net: vB Board of the Month
vBulletin Mail System (vBMS): webmail for your forum users


#6
Originally posted by filburt1:
    One of your admin accounts is using an insecure username and password.

But all the entries in the admin log check out, fully. Surely an entry would appear in the admin log if it was done by a person using an admin account?

The Sendmail on the box has also been updated, so there's no vulnerability there. Surely there couldn't be a buffer overflow somewhere in vB?


#7
Maybe your host has an insecure root connection to MySQL and somebody else on the server could access your DB.

Just a lesson also to back up at least daily.

--filburt1, vBulletin.org/vBulletinTemplates.com moderator


#8
Check the admin usernames for that time period and check the IP matches what the admin usually has.

Scott MacVicar
My Blog | Twitter


#9
Well, the hacker didn't do any damage at all, which is why it's so puzzling. I've looked through the Apache access_log for accesses to the admin directory, and they all check out with the admins, and there are no mySQL accounts which allow non-local access. It's a dedicated box, so there's no-one else on it apart from me.


#10
Originally posted by Scott MacVicar:
    Check the admin usernames for that time period and check the IP matches what the admin usually has.

Yep, I just checked, and it does.


#11
Since the board was closed, someone did this either from the Admin CP or by direct access to the database. Do you have phpMyAdmin on your server? Is it password protected? If so, you should change that password as well.

Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


#12
Well, here's the latest:

Apache shows "POST /forum/admin/options.php" 6 times between 13:46 and 13:51 GMT (and the vB admin log agrees). The IP reported is the IP of an admin (well, the IP of the NAT router at his workplace).

The admin remembers having changed the options once, but he's pretty sure that he didn't click submit 6 times.

What I think is that a backdoor has been installed, either on his box or another box behind the same router. A clever kiddie must be using this backdoor as a kinda proxy, and must have accessed the panel soon after the real admin did.

I believe this may be the case, as the admin tells me that a friend was complaining about receiving viruses from him via e-mail, and that the e-mails originated from his IP....
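The two checks the thread converges on (#3 and #8: match admin-area requests against the IPs the admins are known to use; #12: look for a burst of POSTs to options.php within a few minutes from one address) can be run over the Apache access_log directly. The script below is an added example written for this thread, not code from vBulletin or from any poster. It assumes Apache's "combined" log format and the /forum/admin/ path from the thread; the log lines, timestamps and IP addresses are constructed (documentation ranges) to mirror the situation described, and the known-admin IP set is a placeholder the defender fills in from their own records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access_log (Apache "combined" format). The addresses,
# times and counts are made up to resemble the thread: six POSTs to
# options.php from the admin's NAT address inside five minutes, plus one
# admin-directory request from an address no admin is known to use.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Mar/2003:13:46:02 +0000] "GET /forum/admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2003:13:46:40 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.55 - - [10/Mar/2003:13:47:01 +0000] "GET /forum/index.php HTTP/1.1" 200 9876 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2003:13:47:15 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2003:13:48:03 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2003:13:49:11 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2003:13:50:27 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2003:13:51:09 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.77 - - [10/Mar/2003:14:02:44 +0000] "GET /forum/admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Placeholder: the addresses your admins normally come from (here constructed).
KNOWN_ADMIN_IPS = {"203.0.113.10"}

# One "combined" log line: ip, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def admin_requests_from_unknown_ips(entries, known_ips, admin_prefix="/forum/admin/"):
    """Posts #3/#8: addresses that touched the admin directory but are not known admin IPs."""
    return sorted({e["ip"] for e in entries
                   if e["path"].startswith(admin_prefix) and e["ip"] not in known_ips})


def post_bursts(entries, admin_prefix="/forum/admin/", threshold=3, window=timedelta(minutes=5)):
    """Post #12: for each (ip, path), the largest number of POSTs to an admin script
    that fall inside any `window`; only pairs reaching `threshold` are returned."""
    by_key = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith(admin_prefix):
            by_key[(e["ip"], e["path"])].append(e["ts"])
    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts[key] = best
    return bursts


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("admin-area requests from unknown IPs:",
          admin_requests_from_unknown_ips(entries, KNOWN_ADMIN_IPS))
    for (ip, path), n in post_bursts(entries).items():
        print(f"burst: {n} POSTs to {path} from {ip} within 5 minutes")
```

A burst from a known admin address, as in post #12, is the case the IP check alone cannot catch: the address is legitimate, so the signal is the count inside the window, which should be compared with what the admin remembers doing and with the matching entries in the vB admin log.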


#13
Maybe somebody else just got physical access to the admin's machine.

--filburt1, vBulletin.org/vBulletinTemplates.com moderator