Hacked on vB 2.3.0
  • filburt1
    replied
    Maybe somebody else just got physical access to the admin's machine.


  • ummahforums
    replied
    Well, here's the latest:

    Apache shows "POST /forum/admin/options.php" 6 times between 13:46 and 13:51 GMT (and the vB admin log agrees). The IP reported is the IP of an admin (well, the IP of the NAT router at his workplace).

    The admin remembers having changed the options once, but he's pretty sure that he didn't click submit 6 times.

    What I think is that a backdoor has been installed, either on his box or another box behind the same router. A clever kiddie must be using this backdoor as a kinda proxy, and must have accessed the panel soon after the real admin did.

    I believe this may be the case, as the admin tells me that a friend was complaining about receiving viruses from him via e-mail, and that the e-mails originated from his IP....


  • Steve Machol
    replied
    Since the board was closed, someone did this either from the Admin CP or by direct access to the database. Do you have phpMyAdmin on your server? is it password protected? If so, you should change that password as well.


  • ummahforums
    replied
    Originally posted by Scott MacVicar
    check the admin usernames for that time period and check the IP matches what the admin usually has.
    Yep, I just checked, and it does.


  • ummahforums
    replied
    Well, the hacker didn't do any damage at all, which is why it's so puzzling. I've looked through the Apache access_log for accesses to the admin directory, and they all check out with the admins, and there are no mySQL accounts which allow non-local access. It's a dedicated box, so there's no-one else on it apart from me.


  • Scott MacVicar
    replied
    check the admin usernames for that time period and check the IP matches what the admin usually has.


  • filburt1
    replied
    Maybe your host has an insecure root connection to MySQL and somebody else on the server could access your DB.

    Just a lesson also to back up at least daily.


  • ummahforums
    replied
    Originally posted by filburt1
    One of your admin accounts is using an insecure username and password.
    But all the entries in the admin log check out, fully. Surely an entry would appear in the admin log, if it was done by a person using an admin account?

    The Sendmail on the box has also been updated, so there's no vulnerability there. Sure there couldn't be a buffer overflow somewhere in vB?


  • filburt1
    replied
    Originally posted by ummahforums
    The thing is, there are only a few entries in the admin log today and all of them check out (xiphoid - I have talked to the other admins and checked).

    As to direct access, root login on my server (dedicated box) is allowed only with an SSH key (password logins are not allowed - I have configured sshd in this way). Login to the vBulletin mySQL account is limited to localhost only, and there are no other accounts which allow non-local logins. I am running mySQL 3.23.55 (latest version).

    What puzzles me is why the hacker didn't do any damage (apart from closing the board).
    One of your admin accounts is using an insecure username and password.


  • ummahforums
    replied
    Originally posted by Steve Machol
    The most likely explanation is that he got ahold of an Admins password and/or direct access to your server. In addition to htaccess password protection, I suggest you change all the Admin passwords and your server login password as well.
    The thing is, there are only a few entries in the admin log today and all of them check out (xiphoid - I have talked to the other admins and checked).

    As to direct access, root login on my server (dedicated box) is allowed only with an SSH key (password logins are not allowed - I have configured sshd in this way). Login to the vBulletin mySQL account is limited to localhost only, and there are no other accounts which allow non-local logins. I am running mySQL 3.23.55 (latest version).

    What puzzles me is why the hacker didn't do any damage (apart from closing the board).


  • Floris
    replied
    Your E-mail
    Your ftp
    Your SSH/telnet
    Your Admin userpasses
    Your (Super) Mods userpasses
    Your Control Panel (the one from isp, if any) userpass
    Etc ..
    Htpasswd all dirs that shouldn't be visible.
    Match all the IP's from the admin and/or mod logs against the ip's from the admins and see which mismatch.
    Those can be compared against any ip in your database to see if it is a registered member.
    And report all logs of the hack to the hosting provider/ abuse department of that isp for hacking.

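The checks that come up in this thread can be scripted: ummahforums' reading of the Apache access_log (a cluster of POSTs to the admin directory within a few minutes, from an IP that matches an admin's) and Floris's suggestion to match the IPs in the admin/mod logs against the admins' own IPs and look for mismatches. The Python below is an added example written for this page, not code from vBulletin or from anyone in the thread. The access-log lines, the admin-log entries, the list of admin IPs and the /forum/admin/ prefix are all constructed sample data (RFC 5737 documentation addresses), and the admin-log tuple layout is an assumption for the example, not vBulletin's actual table schema.

```python
"""Correlate Apache access-log hits on a forum's admin directory with the
admins' known IPs and with the application's own admin log.

Added example; all data below is constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ADMIN_PREFIX = "/forum/admin/"  # assumed admin directory, as in the thread

# Constructed access log: six POSTs to options.php inside five minutes from an
# admin's IP, plus one hit on the admin directory from an IP nobody recognises.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2003:13:40:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
198.51.100.23 - - [12/Mar/2003:13:44:55 +0000] "GET /forum/admin/index.php HTTP/1.1" 200 3311
198.51.100.23 - - [12/Mar/2003:13:46:10 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 812
198.51.100.23 - - [12/Mar/2003:13:47:31 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 812
198.51.100.23 - - [12/Mar/2003:13:48:05 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 812
198.51.100.23 - - [12/Mar/2003:13:49:44 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 812
198.51.100.23 - - [12/Mar/2003:13:50:20 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 812
198.51.100.23 - - [12/Mar/2003:13:51:02 +0000] "POST /forum/admin/options.php HTTP/1.1" 200 812
192.0.2.44 - - [12/Mar/2003:14:02:17 +0000] "GET /forum/admin/index.php HTTP/1.1" 401 401
203.0.113.7 - - [12/Mar/2003:14:05:00 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 9011
"""

# Constructed admin-log export: (timestamp, admin, ip, action). Layout assumed.
SAMPLE_ADMIN_LOG = [
    ("12/Mar/2003:13:45:10 +0000", "admin1", "198.51.100.23", "Logged in"),
    ("12/Mar/2003:13:46:10 +0000", "admin1", "198.51.100.23", "Changed options"),
]
KNOWN_ADMIN_IPS = {"198.51.100.23", "198.51.100.80"}  # assumed: admins' usual IPs


def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def parse_access_log(text):
    """Parse log lines into dicts; lines not in common/combined format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = parse_ts(d["ts"])
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def admin_hits(entries, prefix=ADMIN_PREFIX):
    """Requests whose path (query string stripped) is under the admin directory."""
    return [e for e in entries if e["path"].split("?", 1)[0].startswith(prefix)]


def unknown_admin_ips(entries, known_ips):
    """IPs that touched the admin directory but are not on the admins' list."""
    return {e["ip"] for e in admin_hits(entries)} - set(known_ips)


def post_bursts(entries, window=timedelta(minutes=5), threshold=3):
    """(ip, path) pairs with at least `threshold` POSTs to one admin script
    inside any `window`-long span; returns the largest such count per pair."""
    by_key = defaultdict(list)
    for e in admin_hits(entries):
        if e["method"] == "POST":
            by_key[(e["ip"], e["path"])].append(e["ts"])
    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            j = max(j, i)
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def uncorroborated_admin_posts(entries, admin_log, tolerance=timedelta(seconds=30)):
    """Admin-directory POSTs with no admin-log entry from the same IP within
    `tolerance`: the web server saw an admin action the application did not record."""
    logged = [(parse_ts(ts), ip) for ts, _user, ip, _action in admin_log]
    orphans = []
    for e in admin_hits(entries):
        if e["method"] != "POST":
            continue
        if not any(ip == e["ip"] and abs(e["ts"] - ts) <= tolerance for ts, ip in logged):
            orphans.append((e["ts"].strftime("%H:%M:%S"), e["ip"], e["path"]))
    return orphans


def main():
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("admin-dir IPs not on the admin list:", unknown_admin_ips(entries, KNOWN_ADMIN_IPS))
    for (ip, path), n in post_bursts(entries).items():
        print(f"burst: {n} POSTs to {path} from {ip} within 5 minutes")
    for rec in uncorroborated_admin_posts(entries, SAMPLE_ADMIN_LOG):
        print("no admin-log entry for", *rec)


if __name__ == "__main__":
    main()
```

On the constructed data the three checks report one unlisted IP on the admin directory, a burst of six POSTs to options.php from an admin's IP, and five of those POSTs with no matching admin-log entry. The third check is the one worth keeping even when, as in the thread, the web log and the admin log agree: agreement means the requests went through a real admin session, which shifts suspicion from a bypass of the login to the admin's own credentials or machine, exactly the conclusion the thread reaches.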


  • Steve Machol
    replied
    The most likely explanation is that he got ahold of an Admins password and/or direct access to your server. In addition to htaccess password protection, I suggest you change all the Admin passwords and your server login password as well.


  • ummahforums
    started a topic Hacked on vB 2.3.0

    Hacked on vB 2.3.0

    For 5 minutes, my board displayed the following message:

    vBulletin Message
    Board Hacked ^^____DaKeWl____^^

    After that, the message was removed but the board was still closed. An admin logged in about an hour later and switched the board back on.

    I've looked at the admin log, and I can see nothing out of the ordinary (I have confirmed the login times and stuff noted there with the admins).

    So how did "DaKewl" do this?

    I don't know if this will help, but I'm gonna .htaccess protect the admin directory now.