Announcement

Collapse
No announcement yet.

Site was hacked through forum.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Site was hacked through forum.

    I upgraded to the latest version 3.7.3 pl 1 on September 19th.

    Then, on the 21st of October at 7:10 pm EST, my site was hacked. It was hacked by the same "group" that hacked another couple of sites that were posted on the forum here on the 18th of this month. (the Saudi Virus Team, though mine was done by a different hacker on their site)

    I checked with my server, they scoured through my logs, and they are convinced the hack happened through vbulletin. They first hacked the index.php file in my vbulletin. LUCKILY, I immediately got a phone call from one of my moderators, who was online reading posts when it happened.

    The first thing I did was go into my server, and changed my passwords for the server, the database, and the FTP.

    I then went in and posted an index.html page saying the site was temporarily out of order.

    In the time it took me to do that, the hack spread from the forum index.php to the main page of my site, which is a simple index.html file, and then on through to my store index.php.

    I tried to reupload new files, and check for recent registrations in the database, and looking for any attachments or images they might have placed, but I could only get a good clean hour before the hack would show back up, again back at the forum first, then spreading to the other sections. I also did the tools.php suggestions for fixing, and reuploaded the style, and tried to revert to the "defaul" style. But all of these resulted in no fix.

    FINALLY, I just deleted the whole forum from my site. Once I got rid of the forum, I put the rest of my site up (sans forum), and had no problems. I then, after waiting a couple days, making sure nothing else seemed to be affected, I put a new forum up, and dumped in my backup from 2 days prior to the hack.


    I went through the "suggested" security steps to take, and implemented/made some changes, though I already had nearly all of them implemented. I also, should note here that I don't use any other hacks or plug-ins on my site. I run just a very simple set up of the vbulletin. The only changes I have are a different style than the default, which I have been using that style for 2 years now, and I have a PhotoPost Gallery attached to the same database as the forum. Note also that while I have the gallery, there is no evidence that it was affected.

    I also changed my location of my admin cp and mod cp folders. And I had ALL moderators go in and change their passwords.

    So, I have taken the steps....but here is why i'm posting.

    I TRULY believe they are getting through a hole in the 3.7.3 PL 1 version of vbulletin. As there was nothing showing it was to my server, and my other sites that I host on the same server were not affected. (I have a dedicated server)

  • #2
    There are no known security holes in 3.7.3 PL1. Unfortunately without specific data that provides evidence of this hacking through vB, there really isn't much we can do since there is nothing to investigate.

    As you said though you do have at least one add-on. Please see this thread on how to make your vBulletin more secure:

    http://www.vbulletin.com/go/secure
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


    Comment


    • #3
      What evidence do you need?

      The server log? I have that, and am more than willing to send it.

      The index php with the code they placed? I'm also more than happy to send that, as I pulled it off the server, before deleting it, in case it proved helpful.

      What else would you like? If I have it, i'm more than willing to send it your way. The whole purpose for paying for a program like vbulletin is because I'm not "programming" literate, which is also why I don't use a bunch of hacks and plug-ins. So please be very specific with what you would like me to send you, and I will do so!

      As I stated earlier, that I do have the gallery, but there is no evidence what-so-ever that it occurred through the gallery.

      I have had my site up for 3 years, with no problem.

      When I ran everything MINUS the forum Thurs, Fri and most of Saturday, the problem FINALLY was removed. Prior to that, I kept uploading a fresh forum, but using the now apparently hacked database (not from a backup) and within an hour, the hack would take over again. (I still have the corrupted database, as I kept that as well, in case it could be helpful in tracking down how the hacker got through.) All of the other databases on my server were not affected, including the databases for other sites. Again, I'm on a dedicated server, so that made it a bit easier to determine it wasn't something that occured on the server side.

      The only way I was finally able to stop it was to completely remove the forum from my site. Then uploading another bran new forum, and going to a backup of the database, PRIOR to the hack. That was on Saturday, and so far, we are clear.

      Anyway, let me know exactly what information you would like, and I'm more than willing to send it your way.

      (Also, as my post stated, I went through all your information on making the site more secure, and on recovering from a hack, and I explained what finally worked for me. I didn't post asking for help on how to recover, as I already have that squared away. My post was mainly to state what happened to my site, that I notice this same hacker group got through to a couple of other sites, as posted by other users. I'm more than willing to send you any information you need, I spent HOURS on the phone with my server company, and there is NOTHING showing it happened on the server side. Since the whole rest of the site works JUST FINE without the forum up, and the hack disappears when I go back to a clean database backup and clean forum, LOGIC is what is telling me that this happened through the forum. Also, on another note, spammer registrations have continued to increase on my site, even though I have implemented all I can to try to stop them.)

      Comment


      • #4
        what is your PHP, mysql, apache versions?
        also if u use some vulnerable hacks like chat or something can be the reason.
        Latest Tech News in the World
        Кейс със снимка по поръчка

        Comment


        • #5
          We would need specific evidence that shows vB was exploited. I'm sorry but we simply are not available to do a rummaging expedition through your server logs to find this info. That would have to be something you or your hosts does and provides the evidence.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
          Change CKEditor Colors to Match Style (for 4.1.4 and above)

          Steve Machol Photography


          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


          Comment


          • #6
            apache = 1.3.34
            perl = 5.6.1
            php5 = 5.2.6
            mysql = 4

            Comment


            • #7
              Originally posted by paperthreads View Post
              apache = 1.3.34
              perl = 5.6.1
              php5 = 5.2.6
              mysql = 4
              Are you on a shared host?
              ...steven
              www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
              bmwcca.org/forum | m135i.net
              "I tried to clean this up but this thread is beyond redemption." - Steve Machol

              Comment


              • #8
                No, I have a dedicated server.

                Comment


                • #9
                  I have a PhotoPost Gallery attached to the same database as the forum
                  Removing it fully,might solve your problem.


                  vB5 is unequivocally the best forum software, but not yet...

                  Comment


                  • #10
                    Have you rulled out possiblities of other software on the server being the cause for the defaced/changed files/database?

                    Comment

                    widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                    Working...
                    X