Hacked again.

  • Aaron Burr
    New Member
    • Aug 2011
    • 3
    • 4.1.x

    [Forum] Hacked again.

    Am running 4.8. Was hacked a few days ago by "addiction king". Ran upgrade. Have been hacked again by "Proxiez was here!"

    Both instances the hacker created an admin account and changed the forum page.

    Any help?

    Any ideas how they get in? Any ideas how to keep them out?
  • AusPhotography
    Senior Member
    • Nov 2007
    • 1552

    #2
    4.0.8 or 4.1.8?
    What plugins?
    environment: Centos 6.9, Apache v2.4.25, PHP 5.6.30/xCache, MariaDB 10.22 -- vB5 Connect Licensed

    AusPhotography - Australia's Premier Photographic Forum vB4.2.3
    Rick (site owner) and Kym (site tech) sharing this account


    • clubpromos
      New Member
      • May 2011
      • 15
      • 3.8.x

      #3
      For me, preparing to upgrade in a few weeks, it's scary. You mean 4.1.8? Are plugins secure?


      • Harv
        Senior Member
        • Jan 2005
        • 157
        • 4.1.x

        #4
        I've repaired a couple of instances like this on a couple of different sites, including a 4.1.8 site. They all appear to be using instructions posted on a p0wersurge dot com script-kiddie site. It appears to be some sort of injection attack.

        The symptoms are as follows:

        New admin account added, IP addy is 1337.1337.1337

        forum.php is defaced by changing template forumhome and/or forumdisplay in one or more styles. Reverting the template will repair the "hack".

        The best defense is remove the new admin account, change the default admincp and modcp directory names (don't forget to update config.php!) and password protect those directories with .htaccess.

        Simply reverting the templates will fix the "hack" but whoever did it will likely come back and do it again so lock down your site.

        I don't visit here often enough to counter when VB comes along and says it was because of some mod, but one instance I repaired was a pretty clean install (the 4.1.8 instance).

        EDIT: Not that it will help much, but you can get a real IP address (most likely a proxy) by viewing the control panel log (before deleting the user).
        Last edited by Harv; Sun 4 Dec '11, 7:29pm.


        • aussiefooty
          Senior Member
          • Nov 2008
          • 1902
          • 6.0.X

          #5
          When you manage to get access back to your forum, change your master password to something that people don't know but you know, and make it tricky so that they can't log in.
          Also ban his IP address and the email address that he used.

          Just tried to ping that IP address to see what it would come up with and it doesn't exist.
          Aussiefootyforums

          New Site New forum
          Come and talk sports all day long



          • whitey10tc
            Senior Member
            • Jan 2011
            • 415
            • 4.0.x

            #6
            Change all your passwords for your profile, htaccess, server, FTP, SQL etc. Run a good virus scan on your PC, and if on shared hosting, change your host.
            www.cdmagurus.com
            www.cellphone-gurus.com


            • Trevor Hannant
              vBulletin Support
              • Aug 2002
              • 24326
              • 5.7.X

              #7
              Please see this thread on how to make your vBulletin installation more secure:

              Vote for:

              - Admin Settable Paid Subscription Reminder Timeframe (vB6)
              - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)


              • syrus.xl
                Senior Member
                • Jun 2005
                • 546

                #8
                I have fixed many of these lately...

                If you are getting attacked again, then it is probably down to a 'backdoor' left in your system. AFAIK, there are no known security issues with vB 4.1.8. Renaming your AdminCP and ModCP directories will not stop this type of hack, unless you remove the AdminCP and ModCP links from vBulletin.

                In most cases I have found that the culprit gives themselves Admin permissions - so this is how they can alter your templates, or via an SQL injection.

                Password Protecting your AdminCP and ModCP may help to a degree, but .htaccess files can be bypassed.

                Reverting the 'FORUMHOME' template will only remove the defacing (if you are using a custom style then reverting will break it!).

                There is a 'dummy' Style XML file circulating, which when imported installs further hack tools. It is removed after infecting your forum.

                Also, check your Modification Plugin Manager, this is known to contain additional code for another 'backdoor'. There is known plugin code that will allow the attacker to gain access to your forum again.

                Always check for Suspect Files, in most cases either javascript files have been modified or new files have been added and made to look like part of vBulletin. Usually these are hack tools, and if you point your browser at them directly, they are password protected. Delete anything resembling this type of file ASAP.

                Do not delete user accounts made by the culprit, change 'Usergroup' to banned and edit their email addresses to something that doesn't exist.

                BTW, changing your host because you've been hacked will not make any difference if you are carrying a 'hacked' forum around. IP addresses are normally changed by the attacker, either directly in vBulletin or they used a proxy to begin with.

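Two of the checks described above lend themselves to a script: Harv's post #4 notes that the planted admin account carries an IP address (1337.1337.1337) that no real login could have recorded, and syrus.xl's post #8 advises checking for files that have been modified or added to look like part of vBulletin. The following is an added example written for this thread, not code from the thread or from vBulletin. It assumes a user export with the columns `username`, `usergroupid` and `ipaddress`, that usergroup 6 is the default Administrators group (adjust to your own install), and a SHA-256 baseline of a clean webroot taken right after a fresh upload of the vBulletin files; the sample rows and file hashes are constructed for illustration.

```python
import hashlib
import ipaddress
from pathlib import Path

# Default vBulletin Administrators usergroup id (assumption about a stock install).
ADMIN_GROUP_ID = 6

# Constructed sample rows, as if exported with
#   SELECT username, usergroupid, ipaddress FROM user
SAMPLE_USERS = [
    {"username": "siteowner", "usergroupid": 6, "ipaddress": "203.0.113.10"},
    {"username": "regular",   "usergroupid": 2, "ipaddress": "198.51.100.7"},
    {"username": "newadmin",  "usergroupid": 6, "ipaddress": "1337.1337.1337"},
    {"username": "blank",     "usergroupid": 6, "ipaddress": ""},
]


def flag_suspicious_admins(users, admin_group=ADMIN_GROUP_ID):
    """Return admin usernames whose stored IP is not a parseable IPv4/IPv6 address.

    A genuine registration or login records the client address as seen by the
    web server; a row written directly by a script can carry any string at all,
    so an unparseable value on an admin account is worth a manual look.
    """
    flagged = []
    for row in users:
        if row["usergroupid"] != admin_group:
            continue
        try:
            ipaddress.ip_address(row["ipaddress"])
        except ValueError:
            flagged.append(row["username"])
    return flagged


def hash_tree(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256.

    Run this on a freshly uploaded, clean copy to produce the baseline, then
    again on the live webroot whenever you want to audit it.
    """
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_tree(baseline, current):
    """Compare two {path: sha256} maps.

    Added files are the usual hiding place for uploaded tools; modified files
    cover the altered javascript the thread mentions; removed files may point at
    a cleanup the attacker performed.
    """
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
        "removed": sorted(base_paths - cur_paths),
    }


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline and "live" snapshots standing in for two hash_tree() runs.
BASELINE = {
    "forum.php": _digest(b"<?php // stock forum.php\n"),
    "clientscript/vbulletin_global.js": _digest(b"// stock script\n"),
    "includes/config.php": _digest(b"<?php $config = array();\n"),
}
LIVE = {
    "forum.php": _digest(b"<?php // stock forum.php\n"),
    "clientscript/vbulletin_global.js": _digest(b"// stock script\n// appended line\n"),
    "includes/config.php": _digest(b"<?php $config = array();\n"),
    "images/misc/up.php": _digest(b"<?php // not part of the vBulletin distribution\n"),
}


def audit(users, baseline, current):
    """Combine both checks into one report for review."""
    return {"admins_with_bogus_ip": flag_suspicious_admins(users),
            "files": diff_tree(baseline, current)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_USERS, BASELINE, LIVE).items():
        print(f"{key}: {value}")
```

For a real site, replace the constructed dictionaries with `hash_tree("/path/to/clean/upload")` and `hash_tree("/path/to/public_html")`, and feed `flag_suspicious_admins` the rows from your own user export. Anything in `added` or `modified` that you did not put there is a candidate for the manual inspection syrus.xl describes, and a flagged admin row is one to ban rather than delete, as post #8 advises, so the control panel log keeps its history.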

                • Zarxrax
                  New Member
                  • Mar 2009
                  • 17

                  #9
                  Same thing has happened to my forum (same hackers). Is there any way to protect against this?

                  After the first hack, I upgraded to the latest vBulletin (it took me several days to convert over from 3.x), and then I basically followed EVERY suggested security measure.

                  Then today within hours of getting my site back online, I found several shell scripts on my server. I deleted them and immediately disabled all mods that I was running.

                  What can I do?


                  • beishe8
                    Senior Member
                    • Oct 2005
                    • 6782
                    • 4.2.X

                    #10
                    Originally posted by Zarxrax
                    What can I do?
                    Check your whole site.
                    The attack may come from another application in use.


                    vB5 is unequivocally the best forum software, but not yet...


                    • Zarxrax
                      New Member
                      • Mar 2009
                      • 17

                      #11
                      Originally posted by beishe8
                      Check your whole site.
                      The attack may come from another application in use.
                      Well, I'm not running any "applications" on the server. It is a shared hosting server though. All I really have up is vbulletin and some mods. I don't believe that the hacker has full access to my server because the only added files were all in the public_html folder.

                      Aside from the shells that were uploaded, I haven't seen anything happen to my site yet. No defacing, no users with admin access, etc. However, every time I go to login, it tells me that my password is invalid and I need to wait 15 minutes before trying again. I believe they are trying to brute-force my password or something.

                      Since disabling mods and deleting the shells from my ftp last night, I haven't seen anything added back yet.
                      Mods I was running include: vbadvanced, easy forms, mgc chatbox evo, user based word censor, sstab advanced, and Quick Auto Image Resize.
                      Those last 2 were not present the first time I was hacked. However those first 3 are very important to my site. Are there any known vulnerabilities in any of them?


                      • beishe8
                        Senior Member
                        • Oct 2005
                        • 6782
                        • 4.2.X

                        #12
                        Originally posted by Zarxrax
                        Well, I'm not running any "applications" on the server.
                        ............


                        Mods I was running include: vbadvanced
                        Is vbadvanced a simple mod or is it an application?
                        "In general, our products will work on your server as long as vBulletin is
                        installed and working properly."

                        How old is the version on your server?


                        vB5 is unequivocally the best forum software, but not yet...


                        • Zarxrax
                          New Member
                          • Mar 2009
                          • 17

                          #13
                          Well, vbadvanced is a mod which adds a CMS to vbulletin. But it's used by many people and I have never heard of any security vulnerabilities in it. Of course I am using the latest version of ALL mods on my server.


                          • beishe8
                            Senior Member
                            • Oct 2005
                            • 6782
                            • 4.2.X

                            #14
                            Originally posted by Zarxrax
                            But Its used by many people and I have never heard of any security vulnerabilities in it.
                            That is good.


                            vB5 is unequivocally the best forum software, but not yet...


                            • whitey10tc
                              Senior Member
                              • Jan 2011
                              • 415
                              • 4.0.x

                              #15
                              The hack was most likely done on the server side; if you are on shared hosting, the hacker can gain access to all accounts on the server through the root account and infect all the accounts or only one.
                              Of course most hosts will tell their customer the hack was due to a bad password, or that no other accounts were affected even if there were.

                              For your listed mods and add on, I haven't seen any reported issues on any of them. Usually if there is a vulnerability found it's exploited widely in a short time.
                              www.cdmagurus.com
                              www.cellphone-gurus.com
