View Full Version : Hackers .. anything we can do against them?
dojo
Fri 3rd Oct '08, 7:33pm
In under 2 weeks I had 2-3 vbs hacked by some guys at saudihack.com/vb
It's cute knowing they're also using VB :mad:
Is there anything we can do against them. Somewhere we can report these low lives?
Floris
Fri 3rd Oct '08, 9:13pm
If you suspect them to run a pirated copy of vB you can report them here: http://www.vBulletin.com/piracy.php
In order to protect your forum we can walk through some steps. To protect the web host, that's something you have to take up with the web host.
It is very important to know HOW they exploited vBulletin, and IF it was actually vBulletin, or third party code, other software, services on the host, etc.
dojo
Sat 4th Oct '08, 8:49am
It's only VB they are hacking. I would like to discuss the steps you told me about. Should I send a ticket? or? It's the second time in under 24 hours they attack the forum. I am getting sick of it.
Floris
Sat 4th Oct '08, 4:49pm
Ok, if it is vB 3.7.3 PL1 they are hacking, please provide the evidence so we can fix it.
findingjesus
Mon 6th Oct '08, 1:08am
Can hackers get prosecuted for hacking VB,
since there's a copyright and license for the owner?
JakeS
Mon 6th Oct '08, 2:15am
A little bit off topic...
To the OP: to be honest, hackers will never stop, just like piracy. No matter what happens in this world, a hacker will find a way to break the security. It's what they do. No matter what vBulletin does, each time they fix it, yes, they make it more secure and fix a few holes that have been published. However, I can guarantee you that within a day of vBulletin releasing a new version, a hacker somewhere in the world would have found a security hole, which won't be fixed until it gets popular or is discovered by the vBulletin team, or by someone who reports it to vBulletin.
Don't get scared, because with most security holes that people find, they make a mistake and tell all their friends, and Bob's your uncle, someone passes it on to vBulletin and it gets fixed.
The hackers that find these holes within a day won't be bothered to come and hack your forum, because those hackers are most likely targeting bigger forums, i.e. a company.
You'll find that most of the time the people hacking regular forums are what I like to call "Script Kiddies", meaning they don't actually find the hole themselves and are either using "Hack Tools" which they have downloaded, or exploiting what they have read about.
Bear in mind that most of the time the ways into hacking a vBulletin board are via hacking MySQL, which is not down to vBulletin to make secure.
Just don't give the kids any food, and they will leave you alone.
Meaning:
Make regular backups.
Don't go posting on your site "oh we got hacked again".
Just restore a backup ASAP.
And make it look like nothing happened.
The kids love it when you give the "we got hacked sorry we had downtime" post.
pank
Mon 6th Oct '08, 8:21pm
It is also a very good idea to
1. Rename your admin page
2. Put in a .htaccess in your admin folder root that only allows access from your IP address
MRGTB
Tue 7th Oct '08, 8:00am
A little bit off topic...
To the OP: to be honest, hackers will never stop, just like piracy. No matter what happens in this world, a hacker will find a way to break the security. It's what they do. No matter what vBulletin does, each time they fix it, yes, they make it more secure and fix a few holes that have been published. However, I can guarantee you that within a day of vBulletin releasing a new version, a hacker somewhere in the world would have found a security hole, which won't be fixed until it gets popular or is discovered by the vBulletin team, or by someone who reports it to vBulletin.
Don't get scared, because with most security holes that people find, they make a mistake and tell all their friends, and Bob's your uncle, someone passes it on to vBulletin and it gets fixed.
The hackers that find these holes within a day won't be bothered to come and hack your forum, because those hackers are most likely targeting bigger forums, i.e. a company.
You'll find that most of the time the people hacking regular forums are what I like to call "Script Kiddies", meaning they don't actually find the hole themselves and are either using "Hack Tools" which they have downloaded, or exploiting what they have read about.
Bear in mind that most of the time the ways into hacking a vBulletin board are via hacking MySQL, which is not down to vBulletin to make secure.
Just don't give the kids any food, and they will leave you alone.
Meaning:
Make regular backups.
Don't go posting on your site "oh we got hacked again".
Just restore a backup ASAP.
And make it look like nothing happened.
The kids love it when you give the "we got hacked sorry we had downtime" post.
My personal feeling is this, too many people are installing hacks posted on other sites. No offence, but how do you know, that a registered vB owner is not a hacker. And may use vB.org to release a mod with a security hole in it on purpose - to give them access to your site to hack it.
Best rule to follow. Never install a 3rd party vB hack. Keep your board clean, unless they are official ones. Or mods released by a person who is known to be safe.
Yes they will find holes and hack your site, like you said it's a game to them. And they will always find ways. But I think a lot of boards get hacked because these hackers abuse vB.org, along with other vB mod sites to release mods, that unknown to you, give them access to your database.
If I was a hacker, I would consider that an easy way to hack your board. For starters, most people who install the hacks displayed on sites, make replies to them. So you're instantly giving away your board address to them also.
cheat-master30
Tue 7th Oct '08, 1:58pm
My personal feeling is this, too many people are installing hacks posted on other sites. No offence, but how do you know, that a registered vB owner is not a hacker. And may use vB.org to release a mod with a security hole in it on purpose - to give them access to your site to hack it.
I'd disagree with this. Sure, mods have security holes found in them and get removed, but I've never heard of a modification being removed for installing a back door onto the server or giving a third party access to your database. Besides, if you've known many people on vBulletin.org, you'd know that the amount involved in malicious hacking activity is rather low if not nonexistent.
Best rule to follow. Never install a 3rd party vB hack. Keep your board clean, unless they are official ones. Or mods released by a person who is known to be safe.
I disagree. I don't see how any board could go without a certain amount of modifications or custom features or whatever. That's one thing I advise against doing (default features) in my reviews.
Yes they will find holes and hack your site, like you said it's a game to them. And they will always find ways. But I think a lot of boards get hacked because these hackers abuse vB.org, along with other vB mod sites to release mods, that unknown to you, give them access to your database.
If I was a hacker, I would consider that an easy way to hack your board. For starters, most people who install the hacks displayed on sites, make replies to them. So you're instantly giving away your board address to them also.
Any proof?
In under 2 weeks I had 2-3 vbs hacked by some guys at saudihack.com/vb
It's cute knowing they're also using VB :mad:
Is there anything we can do against them. Somewhere we can report these low lives?
Yes, these people are annoying, nasty and what not, and you could always report them (doesn't Jelsoft terms of services say something about not using their software for malicious or illegal purposes?)
But one thing I will say is this... If your hacked boards are anything like your board linked in your signature in terms of being about 9 versions behind the current one, it might be safe to say part of the reason might be due to security holes in the version of the software you're running. Don't use vBulletin 3.6.5, quite a few security issues and bugs have been fixed since then, and for better security against these hackers I'd suggest 3.7.3 or whatever the latest version is. That might be why quite a few boards are getting hacked, because they're often using versions past end of life or whole major versions behind the latest ones, and these old versions do have outdated code, security holes and bugs.
pk698
Tue 7th Oct '08, 2:17pm
It is also a very good idea to
1. Rename your admin page
2. Put in a .htaccess in your admin folder root that only allows access from your IP address
#2. How do we do that? What's the proper code to put in your .htaccess file?
Thanks.
MRGTB
Tue 7th Oct '08, 2:20pm
http://www.google.co.uk/search?hl=en&q=.htaccess+password+protect+directory&meta=
pank
Tue 7th Oct '08, 8:29pm
#2. How do we do that? What's the proper code to put in your .htaccess file?
Thanks.
Open up a text editor like notepad or textedit...
Then use the code and name the file .htaccess / upload to your admin folder
This is the code I use (Be sure to use YOUR IP address, if it is not static use a range like 75.155.*.* or 75.155. / Also make sure you leave in the 127 range as that is your localhost)
My IP's in the code below are ***'s for obvious reasons ;) Replace them with yours.
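# The addresses below are placeholders; replace them with your own.
# Apache does not allow a comment after a directive on the same line,
# so each comment sits on its own line.
# <Limit> applies these rules only to the listed methods.
<Limit GET HEAD POST>
order deny,allow
deny from all
allow from 127.0.0.1
# me Cable
allow from 77.777.77.77
# me DSL
allow from 88.888.
</Limit>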
If you get a server error after uploading make sure you check your upload settings in your FTP client.
JakeS
Wed 8th Oct '08, 7:05am
My personal feeling is this, too many people are installing hacks posted on other sites. No offence, but how do you know, that a registered vB owner is not a hacker. And may use vB.org to release a mod with a security hole in it on purpose - to give them access to your site to hack it.
Best rule to follow. Never install a 3rd party vB hack. Keep your board clean, unless they are official ones. Or mods released by a person who is known to be safe.
Yes they will find holes and hack your site, like you said it's a game to them. And they will always find ways. But I think a lot of boards get hacked because these hackers abuse vB.org, along with other vB mod sites to release mods, that unknown to you, give them access to your database.
If I was a hacker, I would consider that an easy way to hack your board. For starters, most people who install the hacks displayed on sites, make replies to them. So you're instantly giving away your board address to them also.
TBH, they would make a callhome, which then gives them your board address. They would not need you to tell them.
Floris
Wed 8th Oct '08, 10:54am
Correction.
Make the file .htaccess (single dot, not two) and ONLY put this in the admincp and modcp if you're limiting access to an ip.
Also, I strongly recommend to add a .htpasswd file outside the public_html or httpdocs dir, so you have to enter a user/pass combination, as extra security layer.
If you write these files on your computer first, and upload them to the ftp, please call them htaccess.txt and htpasswd.txt and upload them, THEN rename them to .htaccess and .htpasswd. This is to ensure the file is in ascii and not uploaded as binary.
Wayne Luke
Wed 8th Oct '08, 11:45am
All of the popular webhosting control panels (cPanel, Plesk, HSphere, even GoDaddy's) allow you to protect directories and create the files needed to do so for you. Click on the directory that you want to protect, type in a Resource Name, Username and Password and click the save button. Quite easy and simple to do without delving into the mechanics of Apache configuration files. The interesting thing is they work on Windows servers as well, which don't use .htaccess unless you have addons to IIS.
I actually recommend restricting access to the admincp, modcp, install and includes directories. None of which should need to be directly accessed during normal operations. If you use a random long password then you don't need to restrict it by IP address though you can if you really want to. This is what my .htaccess passwords look like: KASoweij32094djs8(*&)(JLKw23hjkd,sandk. They are stored on an encrypted thumbdrive attached to my keyring (physical keyring).
Other than that, the best way to keep hackers at bay is to not use FTP or unsecure email connections. This just transmits passwords in plain text and tosses them out there for anyone to grab. Sure it might be 1 in a Million that your site will be hacked this way but is that a chance that you want to take? Only host with companies that allow SSL/SSH connections to FTP and email. Use them and protect your property.
If you're on a shared hosting plan, see if you can CHMOD your files to 644 and allow them to work. Some hosts actually require 755 for files to be parsed. Never chmod your vBulletin files to be 777.
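The directory protection discussed in the posts above (an IP allow-list, a .htpasswd file kept outside the web root, applied to admincp and modcp), written as a shell script that generates the .htaccess. This is an added example, not code from any poster; it uses Apache 2.4 `Require` syntax instead of the 2.2-era `order`/`allow from` lines in the thread, and the function names, paths and addresses are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Apache 2.4 directives; every path and
# address used with it is a constructed sample.

# valid_ipv4 ADDR[/PREFIX]: succeed only for a full dotted quad, optional CIDR.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_admin_htaccess DOCROOT SUBDIR HTPASSWD IP...
# Writes DOCROOT/SUBDIR/.htaccess requiring an allowed IP AND a valid login.
write_admin_htaccess() {
    [ $# -ge 4 ] || { echo "usage: DOCROOT SUBDIR HTPASSWD IP..." >&2; return 2; }
    docroot=${1%/}; subdir=$2; passwd_file=$3
    shift 3
    [ -d "$docroot/$subdir" ] || { echo "missing $docroot/$subdir" >&2; return 1; }
    # The password file must be absolute and outside the web root, so it can
    # never be fetched over HTTP.
    case $passwd_file in
        "$docroot"/*) echo "password file is inside the web root" >&2; return 1 ;;
        /*) ;;
        *) echo "password file path must be absolute" >&2; return 1 ;;
    esac
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    {
        printf 'AuthType Basic\n'
        printf 'AuthName "Restricted"\n'
        printf 'AuthUserFile %s\n' "$passwd_file"
        printf '<RequireAll>\n'
        printf '    Require ip %s\n' "$*"
        printf '    Require valid-user\n'
        printf '</RequireAll>\n'
    } > "$docroot/$subdir/.htaccess"
}

# has_cr FILE: succeed if FILE contains carriage returns, i.e. Windows line
# endings that survived the upload.
has_cr() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# Demo on a constructed layout in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/public_html/admincp" "$demo/public_html/modcp"
for d in admincp modcp; do
    write_admin_htaccess "$demo/public_html" "$d" "$demo/.htpasswd" \
        203.0.113.10 198.51.100.0/24
done
cat "$demo/public_html/admincp/.htaccess"
# The thread's placeholder 77.777.77.77 is not a real address and is refused.
valid_ipv4 77.777.77.77 || echo "77.777.77.77 rejected"
rm -rf "$demo"
```

The password file itself is created separately with Apache's `htpasswd -c`, at the path passed as HTPASSWD.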
pank
Wed 8th Oct '08, 7:46pm
Correction.
Make the file .htaccess (single dot, not two) and ONLY put this in the admincp and modcp if you're limiting access to an ip.
Doh! Thanks Floris :)
I edited my post to correct the double ..'s
Chousho
Wed 8th Oct '08, 8:48pm
Forgive me for playing Devil's advocate here~
[1]No offence, but how do you know, that a registered vB owner is not a hacker. And may use vB.org to release a mod with a security hole in it on purpose - to give them access to your site to hack it.
...
Yes they will find holes and hack your site, like you said it's a game to them. And they will always find ways. [2] But I think a lot of boards get hacked because these hackers abuse vB.org, along with other vB mod sites to release mods, that unknown to you, give them access to your database.
1. Unless the code is encoded with ioncube or the like, people are able to view the code before implementing it. It would stand to reason that the popular hacks should have had enough eyes over it to spot anything malicious.
2. A lot of boards get hacked because they're using a vulnerable version where the exploits are well made aware of.
[1] I disagree. I don't see how any board could go without a certain amount of modifications or custom features or whatever. That's one thing I advise against doing (default features) in my reviews.
[2] Yes, these people are annoying, nasty and what not, and you could always report them (doesn't Jelsoft terms of services say something about not using their software for malicious or illegal purposes?)
1. Conversely, many people can't see how a board can perform with so much of what they call bloat. It shouldn't matter as much on what you want the forums to do, but what the needs of the admins and users are.
2. Malicious and illegal purposes are one thing, rights to speech are another. It's the burden of proof in regards to their actions.
This is what my .htaccess passwords look like: KASoweij32094djs8(*&)(JLKw23hjkd,sandk. They are stored on an encrypted thumbdrive attached to my keyring (physical keyring).
...
If you're on a shared hosting plan, see if you can CHMOD your files to 644 and allow them to work. Some hosts actually require 755 for files to be parsed. Never chmod your vBulletin files to be 777.
Those are what your passwords look like? Hmmm
*Goes off to log into Wayne's site* ;D
Hmm, I would think somebody would have created a script by now that checks the admin IPs in the VB DB and writes to .htaccess to allow those IPs access. If there hasn't been, why not?
JakeS
Thu 9th Oct '08, 1:38am
Forgive me for playing Devil's advocate here~
1. Unless the code is encoded with ioncube or the like, people are able to view the code before implementing it. It would stand to reason that the popular hacks should have had enough eyes over it to spot anything malicious.
2. A lot of boards get hacked because they're using a vulnerable version where the exploits are well made aware of.
1. Conversely, many people can't see how a board can perform with so much of what they call bloat. It shouldn't matter as much on what you want the forums to do, but what the needs of the admins and users are.
2. Malicious and illegal purposes are one thing, rights to speech are another. It's the burden of proof in regards to their actions.
Those are what your passwords look like? Hmmm
*Goes off to log into Wayne's site* ;D
Hmm, I would think somebody would have created a script by now that checks the admin IPs in the VB DB and writes to .htaccess to allow those IPs access. If there hasn't been, why not?
I think there is.
Floris
Thu 9th Oct '08, 1:41pm
Finding, writing, .. this lowers security. A hacked admin account will now have access to the admincp based on just being logged in or posting.
I'd rather manually edit it over FTP, because my forum user/pass does not match the htaccess user/pass, and those two don't match my ftp user/pass.
dojo
Mon 13th Oct '08, 7:36am
Looks like I'll have to upgrade to the latest version, thus losing my templates. I always love it when I have to redesign a skin once again :(
I was attacked again these days (wasn't in the country), even after renaming the admin panel and other "security fixes" I learnt from here. I am seriously considering letting go of my licenses if I won't be able to run a forum without it being hacked every other day :(
Wayne Luke
Mon 13th Oct '08, 10:58am
Have you scanned your computer for malware and changed all your passwords (cpanel, FTP, phpMyAdmin, Email, Admin CP, etc...) so that each password is unique and at least 10 characters?
If you keep layering security and they still get in, there is an unlocked point of entry somewhere or they have a method of retrieving the key.
Deriel
Mon 13th Oct '08, 4:22pm
Seems like your server is compromised. If it's true, does not matter the version of vB nor the passwords you're using... they always can get the DB password from your config.php file and create a new Admin user, or anything like that.
Seems a server problem, not a vB one. And that's really bad :(
ninadaisy77
Thu 16th Oct '08, 6:57am
All of the popular webhosting control panels (cPanel, Plesk, HSphere, even GoDaddy's) allow you to protect directories and create the files needed to do so for you. Click on the directory that you want to protect, type in a Resource Name, Username and Password and click the save button. Quite easy and simple to do without delving into the mechanics of Apache configuration files. The interesting thing is they work on Windows servers as well, which don't use .htaccess unless you have addons to IIS.
I actually recommend restricting access to the admincp, modcp, install and includes directories. None of which should need to be directly accessed during normal operations. If you use a random long password then you don't need to restrict it by IP address though you can if you really want to. This is what my .htaccess passwords look like: KASoweij32094djs8(*&)(JLKw23hjkd,sandk. They are stored on an encrypted thumbdrive attached to my keyring (physical keyring).
Other than that, the best way to keep hackers at bay is to not use FTP or unsecure email connections. This just transmits passwords in plain text and tosses them out there for anyone to grab. Sure it might be 1 in a Million that your site will be hacked this way but is that a chance that you want to take? Only host with companies that allow SSL/SSH connections to FTP and email. Use them and protect your property.
If you're on a shared hosting plan, see if you can CHMOD your files to 644 and allow them to work. Some hosts actually require 755 for files to be parsed. Never chmod your vBulletin files to be 777.
I have someone getting into my vB and changing the permissions. How do I do what you are talking about? I have godaddy. I need to know how to lock down everything. The person who keeps getting into my vB is MUCH more experienced than I am.
Please help!
Ki Adi Mundi
Thu 16th Oct '08, 10:27am
Ok. My vB site has been hacked, twice, within a month's time, using SQL injection. Now, I am not going to pretend to understand what that actually means- all I know is that I do not have the ability to password protect phpmyadmin.
That in mind, aside from the usual security precautions, what can we (and we, as in: php-illiterate) do to further protect ourselves from SQL injection? I've looked at the great thread you have on securing vB, and done most of it- to the best of my abilities. Changed directories, password protected them, etc. Still, I'd like something a bit more solid, and a bit more specific for prevention.
In each instance, a fresh upload of the vB files fixed the issue- but certainly did not prevent it from happening again.
Wayne Luke
Thu 16th Oct '08, 10:34am
I have someone getting into my vB and changing the permissions. How do I do what you are talking about? I have godaddy. I need to know how to lock down everything. The person who keeps getting into my vB is MUCH more experienced than I am.
Please help!
Getting into your Admin CP? Change your passwords and contact GoDaddy support about protecting a directory.
Getting into your files via FTP and changing permissions? Change your passwords and switch to a host that offers SFTP connections.
Wayne Luke
Thu 16th Oct '08, 10:36am
In each instance, a fresh upload of the vB files fixed the issue- but certainly did not prevent it from happening again.
Uploading files will not fix an intrusion through SQL Injection. Your FTP and/or Server have been compromised. You will need to change your passwords and make sure to only use SFTP to connect to your server. If your hosting provider does not offer SFTP to connect then switch to one that does. FTP should be considered as insecure as Telnet and no host offers Telnet connections these days.
Ki Adi Mundi
Fri 17th Oct '08, 6:32am
Thank you. I have since shored up our FTP area. Hopefully, combined with the other methods you included in this thread (http://www.vbulletin.com/forum/showthread.php?t=172234), the efforts will make it secure enough to avoid this type of attack.
Ki Adi Mundi
Fri 17th Oct '08, 4:53pm
Well, that didn't work too well. Suggestions?
Floris
Fri 17th Oct '08, 11:35pm
Did your host find out yet how exactly they 'hack' your account?
Ki Adi Mundi
Sat 18th Oct '08, 6:49am
They have no clue, whatsoever. A person that helps us from time to time has been looking over the raw access logs with me, and has a hunch of how he found us- by searching for all sites on our particular server (shared hosting). I informed the host, and they said no other sites have been hit, as far as they know. I did my own checking, and found no other sites on our server hit.
Now, 3 times, in less than a week. All with SQL injection. All by the same guy. My FTP is non existent, save for my own account, with a new password. Admin and Mod CPs locked down. All the possible steps I know of, I have taken. We have a few mods installed, but I have never had a problem with them before- not meaning they aren't the problem. I am fully aware that it is possible a mod is responsible for a security hole.
My friend has a theory that the shoutbox might be the entry point, even though I have it disabled to guests.
According to Clasione:
The 'template' table is how your site builds the page components. The hackers inject a block of code into the 'spacer_open' element, causing their code to be displayed instead of the normal code.
Any known ways to prevent this?
Ki Adi Mundi
Thu 30th Oct '08, 3:25pm
Quick update on this- it was said over on vBorg that the guy used a shell to get in to the server. As expected, it was a server-side security hole.
Now, I do know it had everything to do with the permissions of the files themselves, in particular the class_core and config files.
Is there any way these can be made to function at a later date, with the bare minimum of permissions, so that these can't be exploited again?
Floris
Thu 30th Oct '08, 3:50pm
chmod 644 on files.
MRGTB
Thu 30th Oct '08, 7:25pm
From what I can gather, your config files should be 644 anyway. One good thing about vBulletin is the fact that there are very few files (if any at all) that require you to have a 777 permission. If you're installing hacks that require 777 permissions, you should either leave them well alone, or take the measure to password protect them using .htaccess and .htpasswd files where possible,
or use a .htaccess file to deny everybody access where possible.
If it's not possible for the hack to function, if they are protected with .htaccess files, that have chmod of 777, don't use them! Too much of a security risk. 777 means "World Writable, World Executable". And if your server is not a very good one that takes certain measures to stop hackers, they can hack your site quite easily.
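The permission advice in the posts above (644 for files, 755 where the host needs it, never 777), as an added shell example that is not from the thread: it lists world-writable paths under a forum directory, resets them, and verifies the result. The function names and the sample directory layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread; the directory layout is a constructed
# sample.

# list_world_writable ROOT: print files and directories under ROOT that any
# local user may write to (the "other" write bit, as in mode 777 or 666).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# tighten_perms ROOT [FILE_MODE]: set directories to 755 and files to
# FILE_MODE (644 by default; 755 for hosts that need it). Succeeds only if
# nothing under ROOT is world-writable afterwards.
tighten_perms() {
    root=$1; file_mode=${2:-644}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    case $file_mode in
        644|755) ;;
        *) echo "refusing file mode $file_mode" >&2; return 2 ;;
    esac
    # Report what was exposed before changing anything.
    list_world_writable "$root" | sed 's/^/was world-writable: /'
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
    # Verify: the audit must now come back empty.
    [ -z "$(list_world_writable "$root")" ]
}

# Demo on a constructed tree in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/forum/includes"
printf '<?php // sample\n' > "$demo/forum/includes/config.php"
printf '<?php // sample\n' > "$demo/forum/index.php"
chmod 777 "$demo/forum/includes" "$demo/forum/includes/config.php"
tighten_perms "$demo/forum" && echo "no world-writable paths remain"
rm -rf "$demo"
```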