Forum hacked!
  • Forum hacked!

    Hello,

    A vB3.6.3 board I have admin access at has been hacked.

    Many of the pages in the adminCP read: "Hacked By Deli Hacker /Lan sikimin kafası Mesut ben sseni öle yda böle sikerim dedim mi demedin mi geleceksin elimi öpeceksin !!! Seve Seve Değil Sike sike... Saboooooooooo Ver Çoskuyu !!!"

    What step should be taken now? A recent backup of the site isn't available, I can upgrade the board but I don't know if it needs to be repaired first or what exactly.. let me know as soon as possible please.

  • #2
    I am just a mod with AdminCP access, not a vBulletin expert, but maybe this can help you for now. The first thing I would do is block the hacker's IPs as soon as possible to keep them out. A Google search of this hacker showed hacked sites where a domain name was left in the email address, so I looked up a DNS report on that:

    http://www.dnsstuff.com/tools/dnsrep...urkdefacer.com


    This shows the IP listed as being in Texas, but a .tr suffix indicates it is a Turkish IP.

    http://www.dnsstuff.com/tools/whois....dtech.com:4321


    Then I would do a search of all users and try to find any matches of IPs or email addresses to the ones in the reports, and ban them. Also don't allow any new registrations till you check them out. You have to secure the perimeter, so to speak.
    This saved us when we had a severe spam attack last year. Good luck!



    • #3
      Hopefully the hacker did not remove any data. Fill out a support ticket at:

      http://members.vbulletin.com/members...ontactform.php

      Please include a complete description of the problem and be sure to include the login info to your Admin CP, phpMyAdmin and FTP in the 'Sensitive Data' field.
      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


      • #4
        Was this one of the IPs?
        81.52.162.111
        Because that was the IP that tried the hacking attempt with my forum yesterday.

        After talking to the p3tz developers, they were trying to brute-force the admin password through an old vulnerability in the petz system (which I had patched before, so they were not successful).

        hope you get your forum up and running



        • #5
          Originally posted by legar
          Was this one of the IPs?
          81.52.162.111
          Because that was the IP that tried the hacking attempt with my forum yesterday.

          After talking to the p3tz developers, they were trying to brute-force the admin password through an old vulnerability in the petz system (which I had patched before, so they were not successful).

          hope you get your forum up and running
          How can you tell in the server logs when someone is trying to hack into your admin account?



          • #6
            Originally posted by bboy
            How can you tell in the server logs when someone is trying to hack into your admin account?
            Because they were doing it via the forum and an addon, it generated a lot of mysql errors when the brute-force script tried it. (only for the script, not for other users)
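
One way to answer the question in post #5 from a web server access log, as an added example that is not from any poster in this thread: it counts POST requests to the login scripts per client IP inside a sliding time window. The Apache combined log format, the login paths, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed login endpoints; adjust to the paths your board actually uses.
LOGIN_PATHS = ("/login.php", "/admincp/index.php")
# Apache "combined" format (assumption): ip ident user [time] "METHOD path proto" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for IPs that sent at least `threshold`
    POSTs to a login path inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # unparsable line or not a form submission
        if not m["path"].split("?", 1)[0].endswith(LOGIN_PATHS):
            continue              # ignore the query string when matching the script
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def _line(ip, sec, method, path):
    """Build one constructed access-log line (documentation-range IPs)."""
    return (f'{ip} - - [10/Mar/2007:04:12:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "-"')

# Constructed sample: one client hammering the admin login, one normal user.
SAMPLE_LOG = (
    [_line("192.0.2.10", s, "POST", "/admincp/index.php") for s in range(0, 40, 5)]
    + [_line("198.51.100.7", 3, "POST", "/login.php?do=login"),
       _line("198.51.100.7", 50, "GET", "/index.php")]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within 60s")
```

A single failed login from a real member stays under the threshold; tune `threshold` and `window` against normal traffic before using the result to block addresses.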



            • #7
              Sorry to hear about the problems



              • #8
                "Hacked by Saudi Spy"???

                Hey all,

                I got up this morning to this message on our forum.

                http://tinyurl.com/2lbzbv

                Just to fill you in a little, at the end of Feb we moved servers and have had problems with the DNS addressing since then with several of our members still being redirected to the old site. That site has a message up saying it is down for the move, with a time of 8:30am on it, in red.

                That leads me to believe that this supposed hacker was in the old site.

                How can I find out whether it was on our new site or not? I can't seem to find any logs to indicate activity of this nature.

                Thanks heaps for your help.
                Last edited by Demaree; Tue 11 Sep '07, 1:41pm.
