Hacked!! In spite of strong security measures!

  • cbiweb
    Senior Member
    • Apr 2004
    • 2658
    • 4.1.x

    One of my sites has just been hacked. The damage seems to be limited to all thread titles being changed to "you have been hacked". However, we've had this site secured by multiple security methods for a few years now, using the methods described in this post. I'm going to re-read the posts about recovering from and securing a site, but still this is not good!

    My big question right now is: Can the thread titles easily be reverted to their original titles?
    ~ Life isn't always fair, but you can be. ~
  • BasilFawlty
    Senior Member
    • Jul 2012
    • 255
    • 4.2.X

    #2
    Originally posted by cbiweb
    One of my sites has just been hacked. The damage seems to be limited to all thread titles being changed to "you have been hacked". However, we've had this site secured by multiple security methods for a few years now, using the methods described in this post. I'm going to re-read the posts about recovering from and securing a site, but still this is not good!

    My big question right now is: Can the thread titles easily be reverted to their original titles?

    That's why I do nightly backups. If you're backed up you should be able to recover. The trick is to figure out how they did it.


    • borbole
      Senior Member
      • Feb 2010
      • 3074
      • 4.0.0

      #3
      Indeed, finding out the point of entry and patching it up is very important. Otherwise it can happen again and again.

      Can you give us a little more info, like the version of vB that you have, what mods you have installed, etc.? Are you on a shared host or do you have your own dedicated box? If the former, ask your host to check their raw access logs for around the time of the hack. If the latter, check the logs for any suspicious activity.

      As for your question whether the thread titles can easily be reverted to their original titles, the answer is no. You will have to revert to a backup.

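The advice above to pull the raw access logs for the time of the hack is the step that actually locates the entry point, so here is an added example (not code from this thread or from vBulletin) of what that review looks like in practice. It assumes Apache combined-format logs, a forum installed under /forum, and an incident time you already know; the log lines, IPs and timestamps are constructed for the demo. It windows the log around the incident, groups requests by client IP and flags any IP that touched admincp/ or modcp/.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format; IPs are documentation ranges, not real.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2013:01:58:10 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.42 - - [14/Aug/2013:02:01:33 +0000] "POST /forum/admincp/index.php HTTP/1.1" 200 812 "-" "curl/7.29"
198.51.100.42 - - [14/Aug/2013:02:01:40 +0000] "POST /forum/admincp/thread.php HTTP/1.1" 200 760 "-" "curl/7.29"
198.51.100.42 - - [14/Aug/2013:02:02:05 +0000] "GET /forum/showthread.php?t=11 HTTP/1.1" 200 9001 "-" "curl/7.29"
203.0.113.7 - - [14/Aug/2013:02:30:00 +0000] "GET /forum/showthread.php?t=11 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Aug/2013:09:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed time the titles were found changed (constructed to match the sample above).
INCIDENT_TIME = datetime.strptime("14/Aug/2013:02:05:00 +0000", TS_FMT)
ADMIN_PREFIXES = ("/forum/admincp/", "/forum/modcp/")  # control-panel paths only staff should request
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def summarize_window(log_text, incident_time, minutes=30):
    """Group requests within +/- `minutes` of the incident by client IP."""
    lo, hi = incident_time - timedelta(minutes=minutes), incident_time + timedelta(minutes=minutes)
    per_ip = defaultdict(lambda: {"requests": 0, "admin_hits": 0, "posts": 0, "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (lo <= rec["ts"] <= hi):
            continue  # unparseable or outside the window
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["posts"] += rec["method"] == "POST"
        s["admin_hits"] += rec["path"].startswith(ADMIN_PREFIXES)
        s["agents"].add(rec["ua"])
    return dict(per_ip)

def suspicious_ips(summary):
    """IPs that touched the admin or mod control panel in the window, most hits first."""
    return sorted((ip for ip, s in summary.items() if s["admin_hits"]),
                  key=lambda ip: -summary[ip]["admin_hits"])
```

With the sample data, `suspicious_ips(summarize_window(SAMPLE_LOG, INCIDENT_TIME))` singles out the one IP that POSTed to admincp/ from a non-browser user agent minutes before the titles changed; on a real log, widen the window until the first such request appears.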

      • Andy
        Senior Member
        • Jan 2002
        • 5886
        • 4.1.x

        #4
        Originally posted by cbiweb
        My big question right now is: Can the thread titles easily be reverted to their original titles?
        Your best option is to restore from your last backup. You do have a nightly backup I hope.


        • TheLastSuperman
          Senior Member
          • Sep 2008
          • 1799

          #5
          Erm... while this is meant to be helpful ( https://www.vbulletin.com/forum/show...=1#post2245599 ) it is certainly not the best method of securing your site, nor is it a guarantee that if you do ANY form of "securing" you're "safe". There are actually better ways to secure your forum; however, you want to be on a dedicated server, in full control and with the ability to make changes when needed... either that or find a host w/ hourly cron r1 backups, a good team, and mind you one who knows security, and call it a day! *This way, with a good hosting support team and security in place, even if you're hacked they restore an hourly backup and you're back in action, which is certainly much more stress free as you can imagine!

          Former vBulletin Support Staff
          Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
          Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!


          • cbiweb
            Senior Member
            • Apr 2004
            • 2658
            • 4.1.x

            #6
            Thanks guys. To answer some of your questions....

            I definitely do nightly backups, and the host does them more frequently but I'm not sure how frequent. Chances are they have something more recent than 2AM today.

            We're using 4.2 PL2 on a VPS, with these mods installed:
            • 404 Area
            • DragonByte Tech: vBCredits II Deluxe (Lite)
            • GlowHost - Spam-O-Matic
            • Post Thank You Hack
            • Stop the Registration Bots
            • UserCP Referral Link
            • vBH - Add new tabs 1.2
            • VSa - Advanced Forum Statistics
            • VSa - Advanced Permissions Based on Post Count

            I've had the host check the logs, and I've identified a couple suspicious IPs. The hosting account password has been changed to a much stronger one (the original was not made by me, though it seemed strong enough). I'll be changing all passwords for everything. I've been through the vB files, ran Suspect File Versions, and basically scoured the place but found no indication it was done directly via the site or vBulletin installation. Most likely someone got into cPanel and had their fun. But who knows?


            • Andy
              Senior Member
              • Jan 2002
              • 5886
              • 4.1.x

              #7
              I wonder if a VPS has more danger of being hacked than a dedicated server; I would assume so.


              • cbiweb
                Senior Member
                • Apr 2004
                • 2658
                • 4.1.x

                #8
                Quite possibly, Andy. Unfortunately we don't have the resources to have a dedicated server. The site has been restored; fortunately there was a backup from only two hours before we got hacked, so it's very little loss. And now I get to work battening down the hatches even more so than before.


                • Andy
                  Senior Member
                  • Jan 2002
                  • 5886
                  • 4.1.x

                  #9
                  It's good to hear you're back online with very little loss. Great job backing up and protecting your forum.


                  • cbiweb
                    Senior Member
                    • Apr 2004
                    • 2658
                    • 4.1.x

                    #10
                    heh... within 10 minutes after getting it back, it was hacked again. Same exact hack. So I'm back to square one. I had already done some things to secure it better, and was in the process of doing more when it happened. Again. It's been an entire day, wasted.


                    • Dustin L.
                      Senior Member
                      • Mar 2011
                      • 639
                      • 4.2.X

                      #11
                      There's a chance your server has been rooted, which means whoever is hacking it has root access to the server, and as such, full control over everything on that server.

                      This may or may not be directly related to a script you have installed. If you're on a VPS, then that means there are other customers using that VPS as well. So if one of the other customers has a script that allows them to gain root access, then you'll continue to be vulnerable regardless of what you do.

                      Best,

                      Dustin
                      http://quikmsg.net/strtoupper/ - Convert lowercase text and code to all uppercase!
                      http://quikmsg.net/strtolower/ - Convert uppercase text and code to all lowercase!


                      • cbiweb
                        Senior Member
                        • Apr 2004
                        • 2658
                        • 4.1.x

                        #12
                        Thanks for that info, Dustin. So if I change the root password, will that stop it, or am I basically f***ed on that server?


                        • John Lester
                          Senior Member
                          • Jul 2000
                          • 412
                          • 4.1.x

                          #13
                          Ban those IPs via cPanel (do a range of at least 244.22.x.x for the ban), rename your admin accounts and change the passwords, ask your host to change your cPanel name, change cPanel pass.

                          If you get hacked again, ask the host to move you to a different server.
                          BrainTalk is a support group for friends, family, caregivers, and patients with neurological disorders and other health related diagnosis.

                          BrainTalk Communities Inc


                          • cbiweb
                            Senior Member
                            • Apr 2004
                            • 2658
                            • 4.1.x

                            #14
                            Originally posted by John Lester
                            Ban those IPs via cPanel (do a range of at least 244.22.x.x for the ban), rename your admin accounts and change the passwords, ask your host to change your cPanel name, change cPanel pass.

                            If you get hacked again, ask the host to move you to a different server.
                            Yes, a few of those things were done at the time of the 2nd attack. I was in the process of doing the others when it happened. One thing I didn't think of doing was banning the IPs. But yeah.... never had time to get it all done. I'm going to restore a backup from much earlier this morning (2AM), and hopefully can get everything done before another attack. Not sure if opening the forums before I was finished was a bad move or not, but this time they're staying closed until I'm ready. If it happens a third time, it would have to be a rooted server.

                            Funny you mention moving to a different server. We asked the host just yesterday to do that for us, and we've been planning to change hosts altogether very soon.


                            • ENF
                              Senior Member
                              • Apr 2002
                              • 2677
                              • 3.8.11

                              #15
                              I assisted someone with a similar situation and the hacks didn't stop until I had them move to a whole new host.

                              Similar prevention methods had been applied, but it just kept happening. We also found no evidence that the source came through VB itself. I strongly believe the root of the system was compromised rendering all prevention methods ineffective.

                              I avoid going with absolutes in circumstances like this, thus going with a new host was the only hard line effort we could take to remove the potential of the host or root machine being compromised.

                              Time will tell if I missed something.
                              To be updated...
