Please HELP!! Vb 3.0 Hack Problem?


  • Please HELP!! Vb 3.0 Hack Problem?

    Hello, I have seen a few other posts on here saying that their board has been hacked, well here's another one. I have my site saved as my home page in my browser and automatically log into it all the time. Well today I opened up my browser and for some reason it wanted me to put my password in to log in to the site. Anyway, I attempted to log in 5 times and it kept giving me the wrong password page. Well then I tried to get a lost password and entered my email address and it said it wasn't recognised. I went to my config page and I am still listed there as undeletableuser. I also tried to log in with the second admin name and it also didn't go. I am not too sure what has happened here, but I have noticed our newest user for the site is named "VNHack".

    I have also contacted my server admin about it...haven't heard back just yet...

    Right now I have renamed my forums folder so as to keep people off the site??


    Please help...
    Last edited by Enajizer; Fri 25 Jun '04, 9:44am.

  • #2
    Contact your host and let them know you've been hacked. Also, fill out a support ticket at:

    http://www.vbulletin.com/members/mem...ontactform.php

    Be sure to include the login info to your Admin CP, phpMyAdmin and FTP.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      Thanks for the reply Steve. I am still waiting for a response from my host. I have even tried to login to PHPAdmin and I'm having problems doing so. Right now I really have no idea what else to do, but I will do as you suggest.



      • #4
        OK, I just got an email back from my host and here is what they said.

        There is nothing wrong with phpmyadmin. However, you might want to check out
        this article:

        http://www.securityfocus.com/archive/1/366995

        email to Vbulletin and ask them for a new patch.

        If this is true, I don't quite understand why I cannot get into PHPAdmin anymore? All I get is a white page saying "HTTP/1.0 200 OK Server: cpsrvd/9.4.0 Connection: close X-Powered-By: PHP/4.3.7 Content-Type: text/html; charset=iso-8859-1"

        I am filling out a support ticket now.
        Last edited by Enajizer; Fri 25 Jun '04, 2:12pm.



        • #5
          Sorry to keep posting, I just want to let you know a little more info. I have just logged into phpMyAdmin using my Netscape browser. For some reason I get the page described above every time I try with my Internet Explorer??

          Another update: I just logged into phpMyAdmin and my vBulletin admin username is still there, but my email address has been changed to [email protected].
          Last edited by Enajizer; Fri 25 Jun '04, 2:39pm.



          • #6
            It would allow them to get the hashed password and post as them, it wouldn't get them the raw password or even a simple md5 hash so they couldn't change the password via the UserCP or login to the admin panel to change it there as both of these require entering the initial unhashed password.
            Scott MacVicar

            My Blog | Twitter



            • #7
              OK Scott, please bear with me here because I'm not the brightest when it comes to all this sort of stuff. What do you think has happened to allow somebody to get in and change my email address and password? It couldn't have been through the admin panel because I have it set to not allow changes and as you know, I cannot even change my own (admin) settings without first changing the config.php. But this new user "VNHack" has been put into the admin usergroup without me doing so, and has somehow changed my settings. Do you think he got into phpMyAdmin to do this?



              • #8
                It suggests that it may be a user with access on the server, possibly someone else with a hosting account and from that they could read the values out of config.php in your includes directory.

                To change the username and password via the user control panel you need to have the original password as this is asked for to do these actions.

                Do you use your admin password anywhere else, maybe another forum you signed up with? Have you made sure you don't have any viruses on your computer?
                Scott MacVicar



                • #9
                  I use a different password for every other message board I am on. I haven't given my password to anyone. I usually do a complete virus scan regularly, but I think I will do another one right now, especially since my Internet Explorer is acting weird now when I try to go to phpadmin.

                  Once again, I appreciate you taking the time to try to help me. Hopefully I can get to the bottom of this.



                  • #10
                    I responded to your support ticket this morning (before your last two responses.) I could not find anything wrong with your forums and I had no trouble logging in with your Admin account.
                    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                    • #11
                      Hey Steve, as I said above, I was finally able to log into phpMyAdmin but only using my Netscape browser. I had to change my email address back to the original since it was changed to [email protected]. Apparently my password was reset somehow so when I originally went to log in this morning I couldn't. Then when I entered my email for a lost password, my address wasn't recognised because it was changed. You must have logged in after I was finally able to get into phpMyAdmin and change my settings back. And as far as I can see, these were the only things that were changed.

                      Nothing else on my server was changed, I was still able to log into the control panel, FTP and that sort of stuff. The only thing changed was my vBulletin admin password and email address along with a new user named VNHack who had admin privileges.

                      I don't mean to sound like a broken record here, but I am really trying my best to figure out what has happened here so it will not happen again. I ran a virus scan on my PC and it is clean....
                      Last edited by Enajizer; Fri 25 Jun '04, 8:42pm.



                      • #12
                        Without knowing how you are being hacked it's difficult to stop it. For instance, if your server is being compromised then there is nothing in vB that will stop a hacker from taking over.

                        Here are some things you can do to increase the level of security for your forums:

                        1. Upgrade to the latest version.
                        2. Do not install any hacks.
                        3. Password protect your Admin and Mod CPs: http://www.javascriptkit.com/howto/htaccess.shtml
                        4. Make sure the tools.php file is NOWHERE on your website.
                        5. If you have phpMyAdmin make sure it's password protected.
                        6. Inform your host of these hack attempts and ask them to check the logs to see when your account was accessed.
                        7. Also ask your host to change the login password for your account.
                        8. Change all your Admin and Mod passwords.
                        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
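A small audit for items 3 and 4 of the checklist above, added here as an example and not part of the original post or vBulletin's own code. It assumes the default control-panel directory names `admincp` and `modcp` and Apache-style `.htaccess` protection; the sample tree is constructed.

```python
import os
import re
import tempfile

# Assumption: vBulletin's default control-panel directory names.
PROTECTED_DIRS = ("admincp", "modcp")
# Protection needs both directives; a commented-out line does not count.
AUTH_TYPE = re.compile(r"^\s*AuthType\s+\S+", re.I | re.M)
REQUIRE = re.compile(r"^\s*Require\s+\S+", re.I | re.M)


def audit_forum_root(root):
    """Return sorted findings for checklist items 3 and 4 under `root`."""
    findings = []
    # Item 4: tools.php must not exist anywhere under the web root.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "tools.php":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append("tools.php present: " + rel)
    # Item 3: each control panel needs HTTP authentication in .htaccess.
    for cp in PROTECTED_DIRS:
        htaccess = os.path.join(root, cp, ".htaccess")
        if not os.path.isdir(os.path.join(root, cp)):
            continue  # directory renamed or absent; nothing to check
        if not os.path.isfile(htaccess):
            findings.append(cp + ": no .htaccess")
            continue
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if not (AUTH_TYPE.search(text) and REQUIRE.search(text)):
            findings.append(cp + ": .htaccess lacks AuthType/Require")
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout: admincp protected, modcp not, a stray tools.php."""
    for d in ("admincp", "modcp", "backup"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "admincp", ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nAuthUserFile /placeholder/.htpasswd\n"
                 "Require valid-user\n")
    open(os.path.join(root, "backup", "tools.php"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(audit_forum_root(tmp)))
```

The check only reads each directory's own `.htaccess`; authentication set in the server configuration or in a parent directory is not seen and would be reported as missing.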


                        • #13
                          OK Steve, I completely understand. Thank you very much for the advice and all your time, I will definitely do my best to keep the server secure.


                          Adam



                          • #14
                            Hey Steve or Scott, would either of you guys be interested in looking over my log file? I can see this guy's IP all over it and can see where it says "register" and login.php?do=lostpw and things like this. I am hoping somebody will be able to decipher it for me.

                            I know you guys stay pretty busy, so if you don't have the time or don't want to, I will understand.



                            • #15
                              Not sure what else we could add. It means this person was trying everything he could do to try and get someone's password. However, since these emails are sent to the member's address, there's not a lot he can do.

                              Also have you checked the IP and made sure it's not actually a search engine robot?
                              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
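One way to triage the kind of access log described in posts #14 and #15, added here as an example and not taken from the thread: it counts each IP's requests to register.php and login.php and separates link-following crawlers from clients that submit forms. The Apache combined log format, the threshold of 3 and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Assumption: the host's log is in Apache "combined" format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')
# Self-declared crawler names; a hint only, since any client can send one.
BOT_HINT = re.compile(r"bot|crawl|spider|slurp", re.I)

# Constructed sample lines using documentation-range IPs, not the poster's log.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2004:03:10:01 +0000] "GET /forums/register.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [25/Jun/2004:03:10:40 +0000] "POST /forums/register.php HTTP/1.0" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [25/Jun/2004:03:12:02 +0000] "GET /forums/login.php?do=lostpw HTTP/1.0" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.20 - - [25/Jun/2004:04:00:00 +0000] "GET /forums/register.php HTTP/1.0" 200 5120 "-" "ExampleBot/1.0"
198.51.100.20 - - [25/Jun/2004:04:00:05 +0000] "GET /forums/login.php?do=lostpw HTTP/1.0" 200 2210 "-" "ExampleBot/1.0"
198.51.100.20 - - [25/Jun/2004:04:00:09 +0000] "GET /forums/login.php?do=login HTTP/1.0" 200 900 "-" "ExampleBot/1.0"
192.0.2.55 - - [25/Jun/2004:05:00:00 +0000] "GET /forums/login.php?do=lostpw HTTP/1.0" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [25/Jun/2004:05:00:09 +0000] "GET /forums/showthread.php?t=1 HTTP/1.0" 200 9000 "-" "Mozilla/5.0"
"""


def classify(path):
    """Map a request path to a tracked account endpoint, or None."""
    if "/register.php" in path:
        return "register"
    if "/login.php" in path:
        return "lostpw" if "do=lostpw" in path else "login"
    return None


def triage(log_text, threshold=3):
    """Count account-endpoint hits per IP and list the IPs worth reviewing."""
    stats = defaultdict(lambda: {"register": 0, "lostpw": 0, "login": 0,
                                 "hits": 0, "posts": 0, "bot_ua": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        kind = classify(m["path"]) if m else None
        if kind is None:
            continue  # unparsable line or an endpoint we do not track
        s = stats[m["ip"]]
        s[kind] += 1
        s["hits"] += 1
        s["posts"] += m["method"] == "POST"
        s["bot_ua"] = s["bot_ua"] or bool(BOT_HINT.search(m["agent"]))
    # A crawler following links only issues GETs; form submissions are POSTs.
    flagged = sorted(ip for ip, s in stats.items() if s["hits"] >= threshold
                     and (s["posts"] or not s["bot_ua"]))
    return dict(stats), flagged
```

On the constructed sample, `triage(SAMPLE_LOG)` flags only 203.0.113.7; the crawler-labelled address reaches the same hit count but never submits a form, which matches the search-engine check suggested in post #15.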
