Announcement

**Steve Machol** · Fri 25 Jun '04, 1:46pm

Contact your host and let them know you've been hacked. Also, fill out a support ticket at:

http://www.vbulletin.com/members/mem...ontactform.php

Be sure to include the login info to your Admin CP, phpMyAdmin and FTP.

**Enajizer** · Fri 25 Jun '04, 1:54pm

Thanks for the reply Steve. I am still waiting for a response from my host. I have even tried to login to PHPAdmin and I'm having problems doing so. Right now I really have no idea what else to do, but I will do as you suggest.

**Enajizer** · Fri 25 Jun '04, 2:06pm

OK, I just got an email back from my host and here is what they said.

There is nothing wrong with phpmyadmin. However, you might want to check out
this article:

http://www.securityfocus.com/archive/1/366995

email to Vbulletin and ask them for a new patch.

If this is true, I don't quite understand why I cannot get into PHPAdmin anymore? All I get is a white page saying "HTTP/1.0 200 OK Server: cpsrvd/9.4.0 Connection: close X-Powered-By: PHP/4.3.7 Content-Type: text/html; charset=iso-8859-1"

I am filling out a support ticket now.

**Enajizer** · Fri 25 Jun '04, 2:35pm

Sorry to keep posting, I just want to let you know a little more info. I have just logged into phpMYAdmin using my Netscape browser. For some reason I get the page described above every time I try with my Internet Explorer??

Another update: I just logged into phpMYAdmin and my Vbulletin admin username is still there, but my email address has been changed to [email protected].

**Scott MacVicar** · Fri 25 Jun '04, 2:43pm

It would allow them to get the hashed password and post as them, it wouldn't get them the raw password or even a simple md5 hash so they couldn't change the password via the UserCP or login to the admin panel to change it there as both of these require entering the initial unhashed password.

**Enajizer** · Fri 25 Jun '04, 3:02pm

OK Scott, please bare with me here because I'm not the brightest when it comes to all this sort of stuff. What do you think has happened to allow somebody to get in and change my email address and password? It couldn't have been through the admin panel because I have it set to not allow changes and as you know, I cannot not even change my own (admin) settings without first changing the config.php. But this new user "VNHack" has been put into the admin usergroup without me doing so, and has somehow changed my settings. Do you think he got into phpMYAdmin to do this?

**Scott MacVicar** · Fri 25 Jun '04, 3:09pm

It suggests that it may be a user with access on the server, possibly someone else with a hosting account and from that they could read the values out of config.php in your includes directory.

To change the username and password via the user control panel you need to have the original password as this is asked for to do these actions.

Do you use your admin password anywhere else, maybe another forum you signed up with? Have you made sure you dont have any viruses on your computer?

**Enajizer** · Fri 25 Jun '04, 3:18pm

I use a different password for every other message board I am on. I haven't given my password to anyone. I usually do a complete virus scan regularly, but I think I will do another one right now, especially since my Internet Explorer is acting weird now when I try to go to phpadmin.

Once again, I appreciate you taking the time to try to help me. Hopefully I can get to the bottom of this.

**Steve Machol** · Fri 25 Jun '04, 7:54pm

I responded to your support ticket this morning (before your last two responses.) I could not find anything wrong with your forums and I had no trouble logging in with your Admin account.

**Enajizer** · Fri 25 Jun '04, 8:38pm

Hey Steve, as I said above, I was finally able to log into phpMYAdmin but only using my Netscape browser. I had to change my email address back to the original since it was changed to [email protected]. Apparently my password was reset somehow so when I originally went to log in this morning I couldn't. Then when I entered my email for a lost password, my address wasn't recognised because it was changed. You must have logged in after I was finally able to get into php and change my settings back. And as far as I can see, these were the only things that were changed.

Nothing else on my server was changed, I was still able to log into the control panel, FTP and that sort of stuff. The only thing changed was my Vbulletin admin password and email address along with a new user named VNHack who had admin privileges.

I don't mean to sound like a broken record here, but I am really trying my best to figure out what has happened here so it will not happen again. I ran a virus scan on my PC and it is clean....

**Steve Machol** · Fri 25 Jun '04, 8:44pm

Without knowing how you are being hacked it's difficult to stop it. For instance if your server is being compromised then there is nothing in vB that will stop a hacker from taking over.

Here's some things you can do to increase the level of security for your forums:

1. Upgrade to the latest version.
2. Do not install any hacks
3. Password protect your Admin and Mod CPs: http://www.javascriptkit.com/howto/htaccess.shtml
4. Make sure the tools.php file is NOWHERE on your website
5. If you have phpMyAdmin make sure it's password protected.
6. Inform your host of these hack attempts and ask them to check the logs to see when your account was accessed.
7. Also ask your host to change the login password for your account
8. Change all your Admin and Mod passwords.

**Enajizer** · Fri 25 Jun '04, 8:49pm

OK Steve, I completely understand. Thank you very much for the advice and all your time, I will definitely do my best to keep the server secure.

Adam

**Enajizer** · Fri 25 Jun '04, 11:24pm

Hey Steve or Scott, would either of you guys be interested in looking over my log file? I can see this guys IP all over it and can see where it says "register" and login.php?do=lostpw and things like this. I am hoping somebody will be able to decipher it for me.

I know you guys stay pretty busy, so if you don't have the time or don't want to, I will understand.

**Steve Machol** · Fri 25 Jun '04, 11:37pm

Not sure what else we could add. It means this person was trying everything he could do to try and get someone's password. However since these emails are sent to the members address, there's not a lot he can do.

Also have you checked the IP and made sure it's not actually a search engine robot?

Announcement

Please HELP!! Vb 3.0 Hack Problem?

Please HELP!! Vb 3.0 Hack Problem?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment