No announcement yet.

db_mysql.php being used to hack my site/database.

  • Filter
  • Time
  • Show
Clear All
new posts

  • db_mysql.php being used to hack my site/database.

    vBulletin 3.0.1

    Over the last few days some one has been....

    1. Deleting the database and tables.
    2. Editing member info (names and passwords.)
    3. Moving/deleting threads.
    4. Editing the index page using db_mysql.php.

    (Luckly I got a back-up from just before they started doing this.)

    Last night I watched them hack the index and first it showed MY db_mysql.php file with my Licence Number in it! I searched the searver and didn't find another file that was edited. At the very bottom part they have

    echo "<html><head><title>It's a really really big humongous f***ing problem really!</title>";
    echo "<style type=\"text/css\"><!--.error { font: 200px 000088 ms sans serif, arial, sans-serif; }--></style></head>\r\n";
    echo "<body></table></td></tr></table></form>\r\n";
    echo "<blockquote><p class=\"error\">&nbsp;</p><p class=\"error\"><center><b><font size=+6 color=#000088 face=Trebuchet MS>-=CURR THE CONQUEROR=-</font></b><br><br><img src=></center><br />\r\n";

    to do this.

    If support want's a copy of the file they had, PM me and I'll give you the URL to a .txt version of it.

    Is there anything I can do to make them stop?? I got .htaccess in both admincp and modcp banning any one that doesn't have my IP address. I have

    $undeletableusers = '1';

    and they still edit it while I have to take the number out to edit my info back to normal.
    Public Domain Content
    Amazon/Webmaster Services

  • #2
    If they are editing the file then they have direct access to your server either via your ftp or another account on the same server, i would contact your host ASAP!


    • #3
      I uploaded the original file and it didn't change. It's like they didn't even touch the file but have it some where else.
      Public Domain Content
      Amazon/Webmaster Services


      • #4
        1. close forum
        2. change all admin/mod passwords for people with access to control panel at admincp and modcp
        3. upgrade vB 3.0.3
        4. upgrade apache, php and mysql to latest stable versions to ensure security bugs are eliminated
        5. if you're using a control panel like plesk, whm/cpanel etc update to latest version and change the root/control panel passwords
        6. disable ssh telnet and anonymous ftp access to your server for everyone except yourself
        7. worse comes to worse, back up all data on server and request web host to wipe the server and reinstall linux/os, apache, php, mysql etc
        :: Always Back Up Forum Database + Attachments BEFORE upgrading !
        :: Nginx SPDY SSL - World Flags Demo [video results]
        :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ blog summary ]


        • #5
          er yep, they are editing the file on the server (dedicated server, not shared)! Ev1 won't do anything. They scanned it but found nothing. I even changed the ftp password after they started doing stuff.
          Public Domain Content
          Amazon/Webmaster Services


          • #6
            Back doors are hard to find, but one could now be installed on your server. Assuming you're running unix or linux, can you keep those files from being writable by the server's user id? That will stop some web-based back doors.

            Again assuming unix/linux, it's possible to set the timestamp of a file to match another file. In other words, you can't just look for recently-modified files. Sounds like this guy is good at covering his tracks, so assume he or she is tricky about things like that.

            Do you have any kind of paysite or other transaction processing on that server? My experience is that the transaction processing script itself is far and away the most likely security hole on the whole server. Take a close look at any other scripts installed anywhere on that server which are web accessible.

            Take a close look at your server logs for the time periods in question, and at wtmp (the 'last' command shows its contents).

            Try google, msnsearch, etc., for any traces of this guy such as curr the conqueror, or any code snippets you see which aren't yours. Do google searches for things like "vbulletin exploit" or "db_mysql.php exploit" (without the quotes. Something may turn up which leads to an idea

            Take care with your backups. Some may be tainted. You don't know how long this guy's been operating on you.

            You don't know me personally, so take what I say with a grain of salt. If it makes sense, use it. If not, flush it. My experience is specifically limited to unix or linux with Apache.


            • #7
              Hmm... I see Johnny I Hack Stuff reports vbulletin 3.0.3 is still vulnerable to remote mySQL injection. I thought that was the calendar fix!

              Ah. The supposed patch is here:


              • #8
                That would not allow him access to the server or to edit files.


                • #9
                  Right. That would not. Sorry I implied it did! I kinda left my post hanging there..... Getting to the database that way can make for a mess, but wouldn't show up as files being edited.

                  With transaction processing scripts, the ones where the transaction system adds a password to the members area after the transaction is complete, too many of them allow you to execute arbitrary shell commands. Wannabe hackers have automated ways of searching for that kind of thing.


                  • #10
                    The hacker has now moved on to my site ( has been redirecting to it so the members have somewhere to post). No db_mysql.php edits yet, apparently, and the site isn't getting messed up, just member editing/post pruning/moving/etc., that I know our staff would not have done. I know of at least two member accounts that were hacked into... And this can't be because someone got my passwords, either. I have a protected directory login over my /admincp folder with a long, alphanumeric password and my personal account has a longer alphanumeric password. My coadmin's password contained symbols, which makes me doubt his was exploited.


                    • #11
                      If they are not getting in via your passwords, this is almost certainly because your server has been compromised.

                      BTW I get a 'forbidden' error when trying to access your site:

                      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                      Change CKEditor Colors to Match Style (for 4.1.4 and above)

                      Steve Machol Photography

                      Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                      • #12
                        Not my site, and I think the admin (nintendo) did that. It could have been the hacker, though.

                        They're messing with the database, which is a bad thing. My cpanel/ftp passwords are also very secure...


                        • #13
                          If all your passwords are secure, then how do you think they are getting through? There are no known security holers in the latest version of vB.

                          Are youy sure the sever itself is secure?
                          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                          Change CKEditor Colors to Match Style (for 4.1.4 and above)

                          Steve Machol Photography

                          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                          • #14
                            Well... it might be the really obvious thing...
                            The most common way used to get into systems today is to compromize a client computer and use it to either gather the neccesary info to break in from another point of entry, or just use the client computer itself as a "router".

                            For instance: Porn-, Hack-, Keygen-, Serial- and even some commercial banner-sites are full of trojans that will exploit weaknesses in your browser to automagically download and activate themselves. Thus gaining full control of the data flow on you PC.

                            It is offcourse a good thing to track what is happening to your server, but be advised that it might as well be your (or one of your trusted friends) computer that is the main point of entry for the hacker.
                            MCP / MCSA / MCSE / MCT
                            A few eggs short of a complete easter basket

                            vB 4.0.5+ CMS (No hacks), Windows Server 2008 R2 Ent, IIS 7.5, PHP 5.3+ (FastCGI), WinCache, Memcached, MySQL 5.1.45


                            • #15
                              I've talked to my host, he says the server is secure - but the two sites that were hacked are on different servers and hosts. Unless both hosts are insecure, I don't know how he could get into both.

                              I did have a PHP script on my server the night of the hack, could it have been that? I coded it myself and thought it was secure enough, though maybe it wasn't. I'll attach the script.
                              Attached Files


                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.