up to date vbulletin site getting re-hacked, what to do?

  • donald1234
    replied
    Follow Zachery's advice here:

    First you need to follow our advisory about deleting the install folder off your forums.
    Then please read the following two blog posts:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked
    http://www.vbulletin.com/forum/blogs...vbulletin-site
    Also please see these recent security announcements:
    vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
    vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
    There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.
    Close the hole...
    This has three subparts in this instance.
    1. Delete your install folder
    2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
    3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
    Fill the Hole...
    There are seven subparts in this instance.
    1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
    2. Delete any Suspect Files.
    3. Replace any files marked as "Does not contain expected contents"
    4. Scan your plugins for malicious code (exec, base64, system, passthru, iframe are all suspect keywords). Delete any you find.
    5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
    6. Update your Addon Products.
    7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
    Secure the Hole
    Parts of this were done by closing the hole but there are still things to do here.
    1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
    2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
    3. Create a lower permission Administrator for every day use.
    4. Review your permissions in the system.
    5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
    6. Move your attachments outside the forum root directory.
    7. Create a complete backup of your site. Make database backups weekly.
    Vigilance
    You need to keep active on the security of the site.
    1. Give out the fewest permissions necessary for anyone to do their job
    2. Make sure your hosting provider updates the software.
    3. Update to the latest vBulletin when it is released.
    4. Make sure your addons are always up to date.
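One way to carry out the file review of "Fill the Hole" steps 1 to 3 (compare the deployed tree against a known-good checksum list, the way Maintenance -> Diagnostics does) and the plugin keyword scan of step 4 in one script. This is an added example, not Zachery's, donald1234's or vBulletin's own code: the file contents, the manifest, the plugin rows and the plugin-table column names (title, hookname, phpcode) are constructed assumptions, and the keyword list extends the post's (exec, base64, system, passthru, iframe) with the usual companions of obfuscated PHP such as eval and shell_exec.

```python
import hashlib
import re

# Constructed stand-ins for a known-good vBulletin file set. The manifest is
# derived from them the way a vendor checksum list would be; these are not the
# real vBulletin files or their hashes.
GOOD_FILES = {
    "index.php": b"<?php\n// front controller (constructed stand-in)\n",
    "includes/functions.php": b"<?php\nfunction fetch_foo() { return 1; }\n",
    "admincp/index.php": b"<?php\n// admin entry point (constructed stand-in)\n",
}
MANIFEST = {path: hashlib.sha256(data).hexdigest() for path, data in GOOD_FILES.items()}

# Constructed snapshot of the deployed tree after an incident: one shipped file
# tampered with, one deleted, one extra file dropped into a writable directory.
DEPLOYED_FILES = {
    "index.php": GOOD_FILES["index.php"],
    "includes/functions.php": GOOD_FILES["includes/functions.php"]
    + b"eval(base64_decode($injected));\n",
    "images/misc/.cache.php": b"<?php eval(base64_decode($injected)); ?>\n",
}

# Constructed plugin rows in the shape of vBulletin 4's plugin table; the column
# names are an assumption, so verify them against your own schema.
PLUGINS = [
    {"title": "Counter", "hookname": "global_start", "phpcode": "$show['counter'] = true;"},
    {"title": "Cache Helper", "hookname": "global_start", "phpcode": "eval(base64_decode($payload));"},
    {"title": "Footer Links", "hookname": "parse_templates",
     "phpcode": '$footer .= "<iframe src=\\"http://example.invalid/\\"></iframe>";'},
]

# Calls the post lists (exec, base64, system, passthru) plus the usual companions
# of obfuscated PHP; the word boundary keeps e.g. "execute" from matching.
SUSPECT_CALLS = re.compile(
    r"\b(exec|passthru|shell_exec|system|popen|proc_open|eval|base64_decode|assert)\s*\(",
    re.IGNORECASE,
)
SUSPECT_MARKUP = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def review_files(manifest, deployed):
    """Compare deployed files against the manifest, as Maintenance -> Diagnostics does.

    Returns sorted lists of paths that were modified ("does not contain expected
    contents"), missing, or not in the manifest at all (the "suspect files")."""
    modified = sorted(
        path for path, digest in manifest.items()
        if path in deployed and hashlib.sha256(deployed[path]).hexdigest() != digest
    )
    missing = sorted(path for path in manifest if path not in deployed)
    unexpected = sorted(path for path in deployed if path not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def scan_plugins(plugins):
    """Return (title, [keywords]) for every plugin whose PHP matches a suspect pattern."""
    findings = []
    for plugin in plugins:
        code = plugin["phpcode"]
        hits = sorted({m.group(1).lower() for m in SUSPECT_CALLS.finditer(code)})
        if SUSPECT_MARKUP.search(code):
            hits.append("iframe")
        if hits:
            findings.append((plugin["title"], hits))
    return findings


if __name__ == "__main__":
    report = review_files(MANIFEST, DEPLOYED_FILES)
    for kind, paths in report.items():
        print(f"{kind}: {', '.join(paths) or '-'}")
    for title, hits in scan_plugins(PLUGINS):
        print(f"plugin {title!r}: {', '.join(hits)}")
```

On a real site you would read the deployed tree from disk and the plugin rows from the plugin table (with your TABLE_PREFIX), and treat every "unexpected" path under a directory the web server can write to, such as the attachment or image folders, as a suspect file until you can account for it. A keyword hit is a reason to read the plugin, not proof by itself: legitimate addons do call base64_decode.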



  • up to date vbulletin site getting re-hacked, what to do?

    I have a couple of vbulletin 4.x forums.

    One was hacked a couple of months back and the hackers created some phishing mechanism on the site. We were alerted to this by Apple and we identified the files and removed them. We found the hacker had added a couple of extra admins which we deleted.

    On Sunday the site was hacked again. This time they deleted all the vbulletin files and put up their own home page bearing what looked like some jihadist message.

    The database was still there.

    We had a backup of the files from about two weeks ago so we uploaded them all, then immediately upgraded vbulletin to 4.2.2 (and deleted the install folder!). I also made sure there were no new admins.

    This morning the site files had been deleted again, by a different hacker.

    It seems therefore that there must be something in the database that is enabling them to get in again.

    At this stage we haven't bothered rebuilding the site.

    Of more urgency is our other larger vbulletin site which I also just upgraded from 4.1.x to 4.2.2. This site hasn't been taken down but over the weekend we found that it had been compromised, so we upgraded it to 4.2.2.

    I am looking through the database table "adminlog" and I can see some IPs listed which indicate illegal access back in Sept. They were executing the plugin.php script with actions like "doimport" and "files".

    Of course I just upgraded the site, so many of the files and folders have the upgrade date and time.

    I am looking for some advice on what to do. I need to secure the existing forum and find and remove any backdoors, then I need to do the same for the site they took down before I restore it again.

    If I were to rebuild the site from scratch, including a new database, is there any way to transfer all the users and posts from the old database?

    Any ideas and suggestions are welcome
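The adminlog review described in the post (IPs executing plugin.php with "doimport" and "files") can be scripted so the whole table is triaged instead of eyeballed. This is an added example, not the poster's or vBulletin's own code: the rows, the admin account list and the trusted network are constructed, and the adminlog column names (userid, ipaddress, dateline, script, action, extrainfo) are my understanding of vBulletin 4's schema, to be checked against your own database.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed rows in the shape of vBulletin 4's adminlog table; the column
# names are an assumption about that schema, so verify them before running
# this against a real export. Timestamps fall in September 2013 like the post's.
ADMINLOG = [
    {"adminlogid": 1, "userid": 1, "ipaddress": "203.0.113.10", "dateline": 1378000000,
     "script": "index.php", "action": "", "extrainfo": ""},
    {"adminlogid": 2, "userid": 1, "ipaddress": "203.0.113.10", "dateline": 1378000100,
     "script": "template.php", "action": "update", "extrainfo": "header"},
    {"adminlogid": 3, "userid": 7, "ipaddress": "198.51.100.23", "dateline": 1378500000,
     "script": "plugin.php", "action": "files", "extrainfo": ""},
    {"adminlogid": 4, "userid": 7, "ipaddress": "198.51.100.23", "dateline": 1378500060,
     "script": "plugin.php", "action": "doimport", "extrainfo": "product.xml"},
    {"adminlogid": 5, "userid": 1, "ipaddress": "192.0.2.77", "dateline": 1378600000,
     "script": "user.php", "action": "edit", "extrainfo": "userid=7"},
]

# Accounts and networks the site owner vouches for (constructed).
KNOWN_ADMINS = {1}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# The plugin.php actions the post saw in its own log: a product import and the
# file operations both let an admin put PHP on the server, so they deserve a look.
RISKY_ACTIONS = {("plugin.php", "doimport"), ("plugin.php", "files")}


def triage_adminlog(rows, known_admins=KNOWN_ADMINS, trusted_nets=TRUSTED_NETS,
                    risky_actions=RISKY_ACTIONS):
    """Return the rows that deserve attention, each with the reasons it was flagged."""
    findings = []
    for row in rows:
        reasons = []
        if row["userid"] not in known_admins:
            reasons.append(f"unknown admin userid {row['userid']}")
        ip = ipaddress.ip_address(row["ipaddress"])
        if not any(ip in net for net in trusted_nets):
            reasons.append(f"source {ip} outside trusted networks")
        if (row["script"], row["action"]) in risky_actions:
            reasons.append(f"risky action {row['script']} {row['action']}")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def summarize_by_ip(findings):
    """Collapse flagged rows into one entry per source IP: time window, users, actions."""
    summary = defaultdict(lambda: {"first": None, "last": None, "userids": set(), "actions": []})
    for row in sorted(findings, key=lambda r: r["dateline"]):
        entry = summary[row["ipaddress"]]
        entry["first"] = entry["first"] or row["dateline"]
        entry["last"] = row["dateline"]
        entry["userids"].add(row["userid"])
        entry["actions"].append(f"{row['script']} {row['action']}".strip())
    return dict(summary)


def fmt(ts):
    """Render a dateline (Unix timestamp) as UTC, so it lines up with web server logs."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    flagged = triage_adminlog(ADMINLOG)
    for ip, entry in summarize_by_ip(flagged).items():
        print(f"{ip}: {fmt(entry['first'])} .. {fmt(entry['last'])} "
              f"userids={sorted(entry['userids'])} actions={entry['actions']}")
    for row in flagged:
        print(f"  #{row['adminlogid']}: " + "; ".join(row["reasons"]))
```

The per-IP window is what you then take to the web server access logs: everything that IP requested in the same window, including requests outside the AdminCP, is the list of places to look for dropped files. Note that row 5 is flagged only for its source address even though the userid is the legitimate owner's; an admin account being used from an unfamiliar network is exactly the case where a stolen password or session explains the "re-hacked after upgrade" pattern, and the adminlog alone cannot tell the two apart.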
