Hacked: "Team Hacker Egypt"

  • wolfey
    Member
    • Nov 2009
    • 59

    #16
    Wow! Some wild stuff...definitely powerful

    It was definitely my own stupid fault for not deleting the install folder, it had been a while since last upgrade so I forgot, when it was done...I just moved on
    I just hope that is the only way in and now I'm safe


    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 73979

      #17
      Have you guys any plans for restricting code run in plugins? It could be cool if it was vbulletin itself that decided what the plugin could access. As I see it, this file manager can do everything that PHP and the web server allows, so it's kind of a wild west code-wise.

      Perhaps vbulletin is already considering a security model for plugins? Maybe even a walled garden, like a plugin store, where code is evaluated before being allowed to enter the ecosystem?
      Plugins are inherently insecure as they give a wide range of control over the system. You can disable functions in your php.ini files though.

      In vBulletin 5, we've gone a different route and removed PHP plugins altogether. vBulletin 5 addons use class extensions which require files to be uploaded to the server to begin with. This also gives us more control over what internal code is called or extensible as well. This is a bit more secure as you can't run arbitrary code from the AdminCP. Not perfect but more secure than previous versions.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API


      • wolfey
        Member
        • Nov 2009
        • 59

        #18
        Just seen this as a new feature:

        VBIV-15821 Replaced the check for install.php with a check for the install folder.


        • _Avalon_
          Member
          • Dec 2012
          • 88
          • 4.2.X

          #19
          Dear Technical Support, just found that I had same problem with my forum (4.2). I've deleted "The plugin was installed in product vbulletin>init_startup", so now it's ok. But it is not clear for me how somebody has possibility to install it via AdminCP? I'm the only one, who has permission to work with AdminCP. How to avoid this in future?


          • Mark.B
            vBulletin Support
            • Feb 2004
            • 24286
            • 6.0.X

            #20
            Originally posted by _Avalon_
            Dear Technical Support, just found that I had same problem with my forum (4.2). I've deleted "The plugin was installed in product vbulletin>init_startup", so now it's ok. But it is not clear for me how somebody has possibility to install it via AdminCP? I'm the only one, who has permission to work with AdminCP. How to avoid this in future?
            Delete your /install folder IMPORTANT
            Delete any admins you don't recognise
            Change all administrator passwords
            Delete any rogue plugins
            Add .htaccess password protection to the admincp directory.

            If you need further assistance, please start your own topic with all the details.
            MARK.B
            vBulletin Support
            ------------
            My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
            My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


            • _Avalon_
              Member
              • Dec 2012
              • 88
              • 4.2.X

              #21
              Delete your /install folder IMPORTANT - it was deleted from the very beginning
              Delete any admins you don't recognise - deleted one with name "root"
              Change all administrator passwords - Done
              Delete any rogue plugins - have only Forum Runner installed
              Add .htaccess password protection to the admincp directory - pls kindly advise what should I mention in this file?


              • Ion Saliu
                Senior Member
                • Sep 2010
                • 172
                • 4.2.X

                #22
                _Avalon_

                Creating password protected .htaccess is not simple, axiomatic colleague of mine! You can hear it here a lot from vBulletin Team. But few of the vBulletin guys know how to really do it. I’ll give you a very good resource to create password protected .htaccess files with passwords encrypted in another .htpasswd file! Yes, you need two such files, axio:




                You can make the operation a lot easier in your webhost AdminControlPanel. Every webmaster should have such a control panel. So, in my case, I go to the File Manager in my webhosting account. I select the folder (e.g. /forums/admincp) and select the Security (or Protection, etc.) tab. I select Password Protection. I select a username different from the username of my forum admin. I generate a strong password (e.g. in LastPass) – the password is different from the password of my forum admin.

                I know, changing passwords frequently is not entertaining. For years, I felt it like a pain in the neck. I succeeded in making the password operation much more bearable, almost a fun activity. My secret? I always chant a special mantra before I start generating and changing my passwords:

                “O password! O password!
                You are my defending sword!”

                Ion Saliu,
                Administrator At-Large

                “A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”
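
The checklist from post #20 and the two-file setup from post #22, turned into a check an administrator can run against the forum directory. This is an added example, not part of the original thread and not vBulletin code. It assumes the `install` and `admincp` folder names mentioned in the thread and standard Apache basic-auth directives; the realm text, the paths and the temporary directory tree are constructed, and the check that the password file sits outside the forum directory is a common recommendation added here, not something the thread states.

```python
import tempfile
from pathlib import Path

# Constructed sample .htaccess; realm text and password-file path are placeholders.
SAMPLE_HTACCESS = 'AuthType Basic\nAuthName "Restricted"\nAuthUserFile {pwfile}\nRequire valid-user\n'

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument string."""
    found = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            found[name.lower()] = arg.strip().strip('"')
    return found

def audit_forum(root, admincp="admincp"):
    """Return a list of findings for a forum directory; an empty list is a pass."""
    root = Path(root).resolve()
    findings = ["install folder still present"] if (root / "install").is_dir() else []
    htaccess = root / admincp / ".htaccess"
    if not htaccess.is_file():
        return findings + [f"{admincp}/.htaccess missing"]
    found = parse_htaccess(htaccess.read_text())
    for key in ("authtype", "authuserfile", "require"):
        if key not in found:
            findings.append(f"{admincp}/.htaccess lacks {key}")
    pwfile = Path(found.get("authuserfile", ""))
    if pwfile.is_absolute():  # relative paths resolve against ServerRoot; not checked
        pwfile = pwfile.resolve()
        # Assumption added here: keep the password file outside the forum directory.
        if root in pwfile.parents:
            findings.append("password file sits inside the forum directory")
        elif not pwfile.is_file():
            findings.append("password file not found")
    return findings

def demo():
    """Audit a constructed forum tree before and after the cleanup steps."""
    with tempfile.TemporaryDirectory() as tmp:
        forum = Path(tmp) / "www" / "forums"
        (forum / "install").mkdir(parents=True)
        (forum / "admincp").mkdir()
        before = audit_forum(forum)
        (forum / "install").rmdir()
        pwfile = Path(tmp) / "private" / ".htpasswd"
        pwfile.parent.mkdir()
        pwfile.write_text("placeholder-user:placeholder-hash\n")
        (forum / "admincp" / ".htaccess").write_text(SAMPLE_HTACCESS.format(pwfile=pwfile))
        return before, audit_forum(forum)
```

Calling `audit_forum("/path/to/forums")` on a real installation returns the same kind of findings list that `demo()` produces for the constructed tree.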


                • vbsm
                  Member
                  • Dec 2011
                  • 98

                  #23
                  In my webhost cp, when I click on Password Protect Directories, it says:

                  Password protect this directory
                  Name the protected directory:

                  Create User
                  Username:
                  New Password:

                  ... however the Username and New Password are already filled in with my webhost username and password. So is this asking me to create new user for just this directory? And if I change this user/pass from its default, will it change my login to the webhost cp?
