Being hacked: the aftermath

  • splooge
    Senior Member
    • Mar 2001
    • 215

    User #1 was deleted. Any way to get this back? Is the system dependent on user #1 in any form? Didn't see a user-id 1 using phpmyadmin.

    More questions to come ;p
  • Jake Bunce
    Senior Member
    • Dec 2000
    • 46598
    • 3.6.x

    #2
    No, userid 1 is not special in any way. I am the admin on my forums and I am userid 5.

    One thing... if you want to view and prune your admin log through your admin CP, make sure to specify your userid number in your forum/admin/config.php file.

    Comment

    • Steve Machol
      Former Customer Support Manager
      • Jul 2000
      • 154488

      #3
      There's no user #1 on my forums either. Hasn't been for over a year.
      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
      Change CKEditor Colors to Match Style (for 4.1.4 and above)

      Steve Machol Photography


      Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


      Comment

      • N9ne
        Senior Member
        • Mar 2002
        • 2477
        • 3.5.0 Beta

        #4
        Originally posted by smachol
        There's no user #1 on my forums either. Hasn't been for over a year.
        Was he/she banned?

        Comment

        • Steve Machol
          Former Customer Support Manager
          • Jul 2000
          • 154488

          #5
          Originally posted by N9ne
          Was he/she banned?
          No. I was #1, but I ran a vB test forum for about three months before I imported my UBB. Somehow in the merging of the test and UBB forums I ended up #59.


          Comment

          • splooge
            Senior Member
            • Mar 2001
            • 215

            #6
            Ok, so I http auth'd the /admin directory with an .htaccess file. The .htpasswd file is outside of the web root. 10 minutes later the guy has the password. In the copyright text area in the vbulletin options, he puts in a piece of javascript that redirects to gay.com.

            The guy is spamming my board by logging in and out as different users that he seems to be able to find out the passwords for (even though they're freshly changed and e-mailed to the users).

            I take all admin access from all accounts, save 1 that I called 'admin.' He was able to log in using this account, new password.

            I end up talking to the guy a little, and I ask him what I can do to protect myself. His answer was that there was nothing I could do because he was exploiting a flaw in the way vbulletin handled its sessions.

            This guy can somehow find out my passwords that are supposedly md5 hashed. Showed me in irc last night. I used a password that I NEVER used before, letters and numbers, for my http auth, and in irc he tells me, "So who's name and password is xxxxxxx:yyyyyyy?" I mean, how the heck did he get the web auth password?

            I don't know what to do, I'm so upset I'm just thinking of taking the board down, this is too much of a headache for a hobbyist, and I don't want to run an insecure board that keeps getting hacked. Can anyone help me?

            Comment

            • Steve Machol
              Former Customer Support Manager
              • Jul 2000
              • 154488

              #7
              I honestly do not see how anyone could gain the password to an htpasswd-protected directory so easily. Are you sure this person isn't hacking in from the server? Have you informed your hosting company about this?


              Comment

              • Dave S
                Member
                • Jun 2002
                • 33
                • 6.X

                #8
                Originally posted by splooge
                Ok, so I http auth'd the /admin directory with an .htaccess file. The .htpasswd file is outside of the web root. 10 minutes later the guy has the password. In the copyright text area in the vbulletin options, he puts in a piece of javascript that redirects to gay.com.

                The guy is spamming my board by logging in and out as different users that he seems to be able to find out the passwords for (even though they're freshly changed and e-mailed to the users).

                I take all admin access from all accounts, save 1 that I called 'admin.' He was able to log in using this account, new password.

                I end up talking to the guy a little, and I ask him what I can do to protect myself. His answer was that there was nothing I could do because he was exploiting a flaw in the way vbulletin handled its sessions.

                This guy can somehow find out my passwords that are supposedly md5 hashed. Showed me in irc last night. I used a password that I NEVER used before, letters and numbers, for my http auth, and in irc he tells me, "So who's name and password is xxxxxxx:yyyyyyy?" I mean, how the heck did he get the web auth password?

                I don't know what to do, I'm so upset I'm just thinking of taking the board down, this is too much of a headache for a hobbyist, and I don't want to run an insecure board that keeps getting hacked. Can anyone help me?
                Silly question, but have you scanned your PC for a key-logging Trojan? Do you have a firewall / virus-Trojan scanner? A long shot, maybe?

                HTH
                Dave.
                ......if the world didn’t suck we’d all fall off......

                Comment

                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73981

                  #9
                  Make sure Register Globals is off in your php.ini file. If your host won't turn it off for you then you can set it in your .htaccess file.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API

                  Comment

                  • heretic
                    Senior Member
                    • Aug 2001
                    • 718

                    #10
                    What would the session hash have to do with posting at all, in terms of hijacking someone?

                    I thought it was just for Who's Online logging.

                    Comment

                    • mishkan
                      Senior Member
                      • May 2002
                      • 423

                      #11
                      Where?

                      Originally posted by wluke
                      Make sure Register Globals is off in your php.ini file. If your host won't turn it off for you then you can set it in your .htaccess file.
                      Wayne, where is the php.ini file? I just looked with my ftp software, but couldn't find it.

                      Thanks,

                      mishkan

                      Comment

                      • Steve Machol
                        Former Customer Support Manager
                        • Jul 2000
                        • 154488

                        #12
                        You have to have root access in order to modify php.ini. If you don't have root access, then ask your host to do this. If you do, then the location of php.ini will be in the output of your phpinfo.php script.


                        Comment

                        • splooge
                          Senior Member
                          • Mar 2001
                          • 215

                          #13
                          How do I turn off register globals in my htaccess file, and should this be done from the web root or the /admin dir?

                          Some interesting reads: one of the guys that hacked my site named himself BOGGLES and used the same 3rd person language. Wish I didn't delete all of those posts now =(

                          talks about stealing pw hashes

                          ???

                          Comment

                          • Steve Machol
                            Former Customer Support Manager
                            • Jul 2000
                            • 154488

                            #14
                            Originally posted by splooge
                            How do I turn off register globals in my htaccess file, and should this be done from the web root or the /admin dir?
                            Someone will undoubtedly correct me if I'm wrong, but I don't think you can do that with htaccess. You need to edit php.ini to turn register_globals off. And that requires root access.


                            Comment

                            • mishkan
                              Senior Member
                              • May 2002
                              • 423

                              #15
                              Register Globals

                              Steve, thanks for your help.

                              I looked in my phpinfo file and found the location of the php.ini file, but I don't have access to it. So I immediately contacted my web host. Here's what they said...

                              "The configuration on our servers is set for Register Globals to on.

                              Unfortunately we cannot switch this one to be OFF as there are many users on the server where your site is located and this may result in errors in their PHP programs"


                              I don't know what Register Globals are. By having them turned "on", what is my vulnerability? And are there other ways I can help protect myself from those vulnerabilities?

                              Thanks,

                              mishkan
                              Last edited by mishkan; Tue 2 Jul '02, 7:20pm.

                              Comment
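The register_globals risk the last few posts discuss (what it is, why it matters, and the .htaccess setting mentioned earlier in the thread), as an added illustration that is not code from this thread or from vBulletin. The request array, the admin-page logic, the stored hash and check_credentials() are all constructed for the demonstration.

```php
<?php
// Added illustration, not code from this thread or from vBulletin: the class of
// bug that register_globals = On enables, and the defensive pattern against it.
//
// With register_globals on, PHP copies every GET/POST/cookie parameter into a
// same-named global before the script runs, so a request for
//     /admin.php?authorised=1
// silently creates $authorised = "1" in a script that never assigned it.
// (register_globals was removed in PHP 5.4; extract() below simulates it so
// the example runs on current PHP.)

// Constructed request: the attacker sends a wrong password plus the extra field.
$request = ['user' => 'admin', 'pass' => 'wrong', 'authorised' => '1'];
extract($request);   // <-- what register_globals did automatically

// Hypothetical credential check against a constructed hash of "correct horse".
$stored_hash = password_hash('correct horse', PASSWORD_DEFAULT);
function check_credentials(string $user, string $pass, string $hash): bool
{
    return $user === 'admin' && password_verify($pass, $hash);
}

// --- vulnerable pattern ------------------------------------------------------
// $authorised is assigned only on success, so on failure it keeps the value the
// request injected; the string "1" is truthy and the check is bypassed.
if (check_credentials($user, $pass, $stored_hash)) {
    $authorised = true;
}
echo 'vulnerable: ', ($authorised ? 'ADMIN PANEL SHOWN' : 'denied'), "\n";

// --- hardened pattern --------------------------------------------------------
// 1. Initialise every security-relevant variable before use, so nothing the
//    request supplies can pre-populate it.
// 2. Read input only from the explicit superglobals ($_GET/$_POST), never from
//    bare globals; here $request stands in for $_POST.
$authorised = false;
if (check_credentials((string)$request['user'], (string)$request['pass'], $stored_hash)) {
    $authorised = true;
}
echo 'hardened:   ', ($authorised === true ? 'ADMIN PANEL SHOWN' : 'denied'), "\n";

// 3. Disable the feature at the server level. With mod_php the following
//    .htaccess line (put it in the web root so it also covers /admin) does it:
//        php_flag register_globals off
//    Confirm with phpinfo(): the register_globals row must read Off.
```

Run with `php` from the command line: the first line prints "ADMIN PANEL SHOWN" despite the wrong password, the second prints "denied".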
