Being hacked a lot, help??

  • The Mailman
    New Member
    • Dec 2011
    • 8
    • 4.1.x

    [Forum] Being hacked a lot, help??

    My site (supermensa.org) is being hacked with the hackers gaining access to admin and presumably the SQL database. The first hack was, I assume since they have a walkthrough on their site on how to do it, due to the /install/ folder exploit. I've since upgraded to 4.2.1 and deleted /install/, and they still came back and nuked the place (changing my admin email and altering the visual appearance of the site to give the generic "you've been hacked lulz" message).

    I have it set in config that my admin account cannot be altered, yet things like email get changed when they strike.

    Any ideas? Anything someone can see that's open on my site? Should I leave hooks/plugins off for the time being?
  • Huskermax
    Senior Member
    • Mar 2010
    • 622
    • 4.2.X

    #2
    Vb posted saying to delete the install folder from your server.


    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 73979

      #3
      Have you deleted the install folder as we said in your AdminCP and via Email? Is your AdminCP behind .htaccess protection?

      Config.php file settings only affect the AdminCP. If the attacker has access to the database, then anything can happen. Just handled a support ticket where the user has phpMyAdmin installed right in the open with no .htaccess or other protection on it.

      Please read the following two blog posts:

      This guide is for what to do, after you've been hacked, exploited, and/or defaced. Step 1, Change everything: If you believe, or think your site has

      Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide

      Also please see these recent security announcements:

      vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
      vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API


      • The Mailman
        New Member
        • Dec 2011
        • 8
        • 4.1.x

        #4
        Originally posted by The Mailman
        I've since upgraded to 4.2.1 and deleted /install/, and they still came back and nuked the place.
        Originally posted by Huskermax
        Vb posted saying to delete the install folder from your server.
        Umm...


        • The Mailman
          New Member
          • Dec 2011
          • 8
          • 4.1.x

          #5
          Originally posted by Wayne Luke
          Have you deleted the install folder as we said in your AdminCP and via Email? Is your AdminCP behind .htaccess protection?

          Config.php file settings only affect the AdminCP. If the attacker has access to the database, then anything can happen. Just handled a support ticket where the user has phpMyAdmin installed right in the open with no .htaccess or other protection on it.
          - Yes, /install/ is deleted now after the database rollback.
          - AdminCP isn't behind .htaccess protection; how do I administer things if it's behind a deny all? (Just allow from my IP?)
          - I saw that they installed adminer.php (adminer.org) on my server in a separate WordPress directory, but I nuked all of that since the first attack. Could they still have access to phpMyAdmin or something similar?


          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73979

            #6
            Most people use an .htaccess with a username and password. If you have a static IP then that would be the most secure.

            adminer.php is similar to phpMyAdmin. You should delete all files of suspect origin and change your database passwords. I recommend using Keepass as a password vault and generator. I don't know any of my passwords as I store them in Keepass and they are 24 character randomly generated passwords.

            • The Mailman
              New Member
              • Dec 2011
              • 8
              • 4.1.x

              #7
              Originally posted by Wayne Luke
              Most people use an .htaccess with a username and password. If you have a static IP then that would be the most secure.

              adminer.php is similar to phpMyAdmin. You should delete all files of suspect origin and change your database passwords. I recommend using Keepass as a password vault and generator. I don't know any of my passwords as I store them in Keepass and they are 24 character randomly generated passwords.
              I'll add the .htaccess.

              I've nuked the suspect stuff and done a complete rollback to before they started hacking. They still got into the PHP or admin somehow though (and yes, I changed my database username and passwords).


              • alzaabi
                Member
                • Mar 2012
                • 44
                • 4.1.x

                #8
                Please read this:

                I restored the site, deleted the INSTALL directory, removed the extra admins, did EVERYTHING you said and a group called W3 idiots hacked and deleted all my files. Help!


                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73979

                  #9
                  There are four steps to securing your site. If you don't do them all, or you do them in the wrong order, then you're still susceptible to being attacked again.

                  Close the hole... This has three subparts in this instance.
                  1. Delete your install folder
                  2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
                  3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
                  Fill the Hole... There are seven subparts in this instance.
                  1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
                  2. Delete any Suspect Files.
                  3. Replace any files marked as "Does not contain expected contents"
                  4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
                  5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
                  6. Update your Addon Products.
                  7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
                  Secure the Hole
                  Parts of this were done by closing the hole but there are still things to do here.
                  1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
                  2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
                  3. Create a lower permission Administrator for every day use.
                  4. Review your permissions in the system.
                  5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
                  6. Move your attachments outside the forum root directory.
                  7. Create a complete backup of your site. Make database backups weekly.
                  Vigilance
                  You need to keep active on the security of the site.
                  1. Give out the fewest permissions necessary for anyone to do their job
                  2. Make sure your hosting provider updates the software.
                  3. Update to the latest vBulletin when it is released.
                  4. Make sure your addons are always up to date.
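The .htaccess protection Wayne recommends in #6 and in the "Close the hole" and "Secure the hole" steps above, written out as an added example (not from the thread and not vBulletin's own documentation). Three separate .htaccess files are shown in one block; it assumes Apache 2.4 syntax and a host whose AllowOverride permits AuthConfig and Limit, and the htpasswd paths and IP address are placeholders.

```apache
# ---- admincp/.htaccess : a second login in front of the AdminCP ----
# Use a username/password that differs from the vBulletin admin login.
AuthType Basic
AuthName "Forum administration"
# Keep the htpasswd file outside the web root (placeholder path).
AuthUserFile /home/example/private/.htpasswd-admincp
# RequireAny: a valid login OR a request from the administrator's static
# address (placeholder IP). Change to RequireAll to demand both.
<RequireAny>
    Require valid-user
    Require ip 203.0.113.10
</RequireAny>

# ---- modcp/.htaccess : moderators still need it, so use a login,
# ---- not a blanket deny ----
AuthType Basic
AuthName "Moderation"
AuthUserFile /home/example/private/.htpasswd-modcp
Require valid-user

# ---- includes/.htaccess, packages/.htaccess, vb/.htaccess ----
# PHP reads these directories from disk; nothing legitimate requests
# them over HTTP, so a flat deny is safe.
Require all denied
```

After uploading, confirm each rule by requesting a file in the directory from a browser that is not logged in: the AdminCP and ModCP should prompt for credentials and the other three should return 403.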

                  • Pony
                    New Member
                    • Sep 2012
                    • 18

                    #10
                    Something which may not be made clear enough is to remove any files off your server that don't match up - "orphan" files. I've been through this about 4 times now. After the first time, my .htaccess kept getting rewritten to redirect. Scanning, sql query, and the diagnostic 'suspect file version' didn't catch the main file, which they were executing remotely - and which also kept adding additional false .php files (which the scans WERE detecting). But the backdoor was still there - somewhere. (And I'd done it all - base 64 scans and the whole works)

                    These backdoor hacks are allowing for remote access. What I've found is that these hacks allow for passthru commands, such as -la (list all, aka list the directory). I went through every single PHP file I had in my system through a different browser (that didn't have me logged in), and executed for each and every PHP file. Yes, it was time consuming, but it's now been 48 hours since I've been hacked last - so I'm hoping that I'm finally "bug free".

                    Also make sure that visitors can't post or make comments to blogs, articles, etc. Although I haven't seen it addressed here yet, I've found a few things indicating that anything which allows them to "submit" anything - even as innocuous as a comment - may allow them a foothold.
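Steps 1 to 4 of "Fill the hole" in #9 and Pony's point about orphan files come down to one comparison: the deployed tree against a clean download of the same version. The script below is an added example (not the thread's, not vBulletin's Maintenance -> Diagnostics) that reports modified files, files absent from the clean release, and PHP files containing the keywords the thread calls suspect; the ignore list is an assumed layout, and the sample trees in demo() are constructed.

```python
import hashlib
import pathlib
import re
import tempfile

# Keywords the thread calls suspect in plugins (exec, base64, system, passthru, iframe); eval/shell_exec are additions
SUSPECT = re.compile(r"\b(exec|system|passthru|shell_exec|eval|base64_decode)\s*\(|<iframe", re.I)
IGNORE = ("includes/config.php", "attachments/", "customavatars/")  # legitimately site-specific (assumed layout)

def hash_tree(root):
    """Map each relative POSIX path under root to the SHA-256 of its contents."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def suspect_lines(path):
    """Return (line number, matched text) for every suspect keyword in a PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(n, m.group(0)) for n, line in enumerate(fh, 1) for m in SUSPECT.finditer(line)]

def compare(clean_root, deployed_root):
    """Classify deployed files as modified (differs from clean), orphan (absent from clean), or suspect."""
    clean, deployed = hash_tree(clean_root), hash_tree(deployed_root)
    report = {"modified": [], "orphans": [], "suspect": {}}
    for rel, digest in sorted(deployed.items()):
        if rel.startswith(IGNORE):
            continue  # config and user uploads differ by design; review those by hand
        if rel not in clean:
            report["orphans"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
        if rel.endswith(".php") and (hits := suspect_lines(pathlib.Path(deployed_root, rel))):
            report["suspect"][rel] = hits
    return report

def demo():
    """Constructed sample trees: one tampered core file, one planted orphan, one benign config."""
    clean, deployed = tempfile.mkdtemp(), tempfile.mkdtemp()
    sample = [
        (clean, "includes/functions.php", "<?php\nfunction vb_ok() {}\n"),
        (deployed, "includes/functions.php", "<?php\nfunction vb_ok() {}\npassthru($cmd);\n"),
        (deployed, "images/misc/x.php", "<?php eval(base64_decode('QUJD'));\n"),  # inert keyword sample
        (deployed, "includes/config.php", "<?php $config['Database']['dbname'] = 'forum';\n"),
    ]
    for root, rel, text in sample:
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return compare(clean, deployed)
```

Run compare() with the unpacked vBulletin download as the first argument and a copy of the live tree as the second; a file that appears in neither list can still be a backdoor if it was renamed into an ignored directory, so review the ignore list as carefully as the report.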


                    • Wayne Luke
                      vBulletin Technical Support Lead
                      • Aug 2000
                      • 73979

                      #11
                      Originally posted by Pony
                      Also make sure that visitors can't post or make comments to blogs, articles, etc. Although I haven't seen it addressed here yet, I've found a few things indicating that anything which allows them to "submit" anything - even as innocuous as a comment - may allow them a foothold.
                      Only if you allow HTML on your site. You shouldn't allow HTML posting on your site. That is why it is turned off by default.