Site hacked

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

#1
Hi all.
My site was hacked this morning. Someone got my password, added themselves as an admin, and then changed my password. Nothing else was done, so currently I believe they only accessed the password somehow.

I have regained control of the system, banned IPs etc., and am checking site security now. Also using an older thread on improving vB security as a guide.

What file holds the user details, passwords etc., and what should the security setting be on this?

Any other tips on improving site security? I've banned the IPs and the users but am concerned that the access point may still be open.

#2
All of that info is in the database, not files.

Please see this thread on how to make your vBulletin more secure:

http://www.vbulletin.com/forum/showthread.php?t=172234

If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.

Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
Change CKEditor Colors to Match Style (for 4.1.4 and above)
Steve Machol Photography
Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


#3
Thanks for the swift response.

My admin details are in the config file? What should the security level of that file be? E.g. 777, or another?

The fact that they only accessed my details makes me suspicious that they got my access only and then, once in the admin panel, made the changes.


#4
The only way your config.php file would be a security risk is if your web hosting account itself was hacked. That file does not need any special permissions except that it should be world-readable, otherwise your forums won't work.

Steve Machol


#5
Ok - thanks Steve.

No damage was done so I'm up and running... I will take a good look through the above thread and make any changes necessary.

I don't believe they had server access etc. as nothing was done other than change my password, install themselves as Mods, and make a post saying we'd been hacked.

How they got my password is the key to it!


#6
Originally posted by testpig:
    Ok - thanks Steve.

    No damage was done so I'm up and running... I will take a good look through the above thread and make any changes necessary.

    I don't believe they had server access etc. as nothing was done other than change my password, install themselves as Mods, and make a post saying we'd been hacked.

    How they got my password is the key to it!

Just make sure that there were no newly created admin/mod/etc. accounts.


#7
Yup - already done - but thanks for the heads up! All advice is good in these situations.

The hacker doesn't seem to have a good working knowledge of vBulletin! The changes were only very basic and no mod access was removed. If it was one of us, with our working knowledge of the software, it would have been a lot harder for me to get back in!

Looking at the IP it appeared to come out of France via the US.


#8
Keep in mind, though, that IPs can be misleading, i.e. proxy servers.


#9
Ok... he came back and uploaded the following:
80.90.160.167
C:\Program Files\SQLFront\SQLFront.exe
I've closed the forum and after googling the filename it may be getting in through the RSS feed function. Still live and watching this turd in action... my forum is turned off and it seems to have pulled him up at this stage.


#10
Hi to all,

same problem here today with vBulletin 3.6.0.

We've watched the same process...

Hacker IP: 80.90.171.80
Email: adiga.hacker@yahoo.com

All user accounts were deleted... including my admin account, which is defined as undeletable in config.php...

Details will be given...

Greetings
rike
Last edited by rike-online; Thu 24 Aug '06, 7:39am.


#11
Originally posted by testpig:
    Ok... he came back and uploaded the following:

    I've closed the forum and after googling the filename it may be getting in through the RSS feed function. Still live and watching this turd in action... my forum is turned off and it seems to have pulled him up at this stage.

He has access to your server to do this. You need to contact your host.

Steve Machol


#12
Hmm, does this mean there's a security hole in the RSS feed feature of 3.6.0??


#13
No, why would it? This hacker obviously has access to the server itself.

Steve Machol


#14
OK - what I've found to date.

The hacker managed to get access to the database. From there he changed the passwords of random moderators until he found my account (admin). He then changed my password, preventing me from accessing the board, and made himself admin.

I'm confident this was all done at the database level and have had my provider install a firewall.

The question remains: how did he get the database access codes?

He was definitely uploading to the site in an attempt to gain access. He opened a user in order to do so. Whether this was successful or he used other means I don't know (and I'm definitely not pointing my finger at vB software)... but once I regained control of the site he attempted to upload to Coppermine and anywhere else an upload feature was enabled.

I'm back up and running with RSS disabled, database firewalled, and his IP (80.*) banned. We traced his IP to France, routed through LA. Goes by the name "Ädiga" and email is [email protected]

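The audit suggested in #6 (look for newly created admin/mod accounts) and the damage described in #14 (passwords changed at the database level, an account promoted to admin) can be checked directly in the database. The queries below are an added example, not code from this thread or from vBulletin; they assume the vBulletin 3.x default table names with no table prefix, the default staff usergroup ids (5 = Super Moderators, 6 = Administrators, 7 = Moderators), and a placeholder cutoff date for when the board was last known clean.

```sql
-- Placeholder: last time the board was known to be clean (adjust before running).
SET @cutoff = UNIX_TIMESTAMP('2006-08-23 00:00:00');

-- 1. Accounts created since the cutoff that hold a staff group, either as the
--    primary group or in the comma-separated additional groups.
SELECT userid, username, usergroupid, membergroupids,
       FROM_UNIXTIME(joindate) AS joined, ipaddress AS registration_ip
FROM user
WHERE joindate >= @cutoff
  AND (usergroupid IN (5, 6, 7)
       OR FIND_IN_SET('5', membergroupids)
       OR FIND_IN_SET('6', membergroupids)
       OR FIND_IN_SET('7', membergroupids));

-- 2. Passwords changed since the cutoff. vBulletin keeps passworddate as a DATE,
--    so the timestamp is converted; staff accounts are listed first.
SELECT userid, username, usergroupid, passworddate
FROM user
WHERE passworddate >= DATE(FROM_UNIXTIME(@cutoff))
ORDER BY (usergroupid IN (5, 6, 7)) DESC, passworddate DESC;

-- 3. Rows in the admin permission table whose user is not in the Administrators
--    group or was created after the cutoff: a promoted or planted account.
SELECT a.userid, u.username, u.usergroupid, FROM_UNIXTIME(u.joindate) AS joined
FROM administrator a
JOIN user u ON u.userid = a.userid
WHERE u.usergroupid <> 6 OR u.joindate >= @cutoff;

-- 4. Same check for forum moderator assignments.
SELECT m.userid, u.username, m.forumid, u.usergroupid
FROM moderator m
JOIN user u ON u.userid = m.userid
WHERE u.usergroupid NOT IN (5, 6, 7) OR u.joindate >= @cutoff;
```

Any row returned by queries 3 and 4 that is not a known staff member is an account to disable, and the hit list from query 2 tells you whose passwords must be reset (not just the admin's).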

#15
Originally posted by testpig:
    and his IP (80.*) banned

Did you really ban that large a chunk of IPs?

Just curious how you decided that IP was France? Looks to me at first glance to be Jordan.
http://www.dnsstuff.com/tools/ipall....=80.90.160.167
IP address: 80.90.160.167
Reverse DNS: [No reverse DNS entry per dns1.doosa.jo.]
Reverse DNS authenticity: [Unknown]
ASN: 8697
ASN Name: JTC-AS8697 (Jordan Telecom)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): JO [Jordan]
Country Currency: JOD [Jordan Dinars]
Country IP Range: 80.90.160.0 to 80.90.175.255
Country fraud profile: Normal
City (per outside source): Amman, 'Amman
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 80.90.160.167