Site hacked

  • testpig
    Member
    • Nov 2003
    • 42
    • 3.5.x

    Site hacked

    Hi all.
    My site was hacked this morning. Someone got my password, added themselves as an admin, and then changed my password. Nothing else was done, so currently I believe they only accessed the password somehow.

    I have regained control of the system, banned IPs etc., and am checking site security now. Also using an older thread on improving vB security as a guide.

    What file holds the user details, passwords etc, and what should the security setting be on this?

    Any other tips on improving site security? I've banned the IPs and the users but am concerned that the access point may still be open.
  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    #2
    All of that info is in the database, not files.

    Please see this thread on how to make your vBulletin more secure:



    If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



    • testpig
      Member
      • Nov 2003
      • 42
      • 3.5.x

      #3
      Thanks for the swift response.

      My admin details are in the config file? What should the security level of that file be? E.g. 777? Or another?

      The fact that they only accessed my details makes me suspicious that they got my access only and then once in the admin panel made the changes.


      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #4
        The only way your config.php file would be a security risk is if your web hosting account itself was hacked. That file does not need any special permissions except that it should be world-readable, otherwise your forums won't work.

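An added example, not code from the thread or from vBulletin, for the permission question asked and answered above: it classifies a file mode the way an admin would want when deciding between 777 and something saner, flagging write or execute bits for group and others, and noting world-readability as informational since, as the answer says, the web server must be able to read config.php. The config path and the sample modes are assumptions.

```python
import os
import stat
from typing import List

# Assumption: where the vBulletin config lives relative to the forum root.
CONFIG_PATH = "includes/config.php"


def classify_mode(mode: int) -> List[str]:
    """Describe the permission bits of a file mode (e.g. 0o644) as findings.

    Returns an empty list when only the owner can write and no execute
    bits are set; world-readable is reported as a note, not a failure.
    """
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        findings.append("world-writable: any account on the host can edit the file (chmod o-w)")
    if perm & stat.S_IWGRP:
        findings.append("group-writable: members of the file's group can edit it")
    if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bits set: a PHP include never needs them")
    if perm & stat.S_IROTH:
        findings.append("note: world-readable, required on shared hosting where the web server runs as another user")
    return findings


def check_file(path: str) -> List[str]:
    """stat() a real file and classify it; raises FileNotFoundError if it is missing."""
    return classify_mode(os.stat(path).st_mode)


def format_report(path: str, mode: int) -> str:
    lines = [f"{path}: mode {stat.S_IMODE(mode):o}"]
    findings = classify_mode(mode)
    if not findings:
        lines.append("  ok: owner-only write, no execute bits")
    for finding in findings:
        lines.append("  - " + finding)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed modes; 777 is the value asked about in the thread.
    for demo_mode in (0o777, 0o644, 0o640):
        print(format_report(CONFIG_PATH, demo_mode))
```

Run `check_file("includes/config.php")` on the server to classify the real file; the `__main__` block only walks the three constructed modes.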
        • testpig
          Member
          • Nov 2003
          • 42
          • 3.5.x

          #5
          Ok - thanks Steve.

          No damage was done so I'm up and running.....I will take a good look through the above thread and make any changes necessary.

          I don't believe they had server access etc., as nothing was done other than change my password, install themselves as Mods, and make a post saying we'd been hacked.

          How they got my password is the key to it!


          • RMS-Chef
            Member
            • Aug 2003
            • 75
            • 3.8.x

            #6
            Originally posted by testpig
            Ok - thanks Steve.

            No damage was done so I'm up and running.....I will take a good look through the above thread and make any changes necessary.

            I don't believe they had server access etc., as nothing was done other than change my password, install themselves as Mods, and make a post saying we'd been hacked.

            How they got my password is the key to it!
            Just make sure that there were no newly created admin/mod/etc accounts created.


            • testpig
              Member
              • Nov 2003
              • 42
              • 3.5.x

              #7
              Yup - already done - but thanks for the heads up! All advice is good in these situations.

              The hacker doesn't seem to have a good working knowledge of vBulletin! The changes were only very basic and no mods' access was removed. If it was one of us with our working knowledge of the software, it would have been a lot harder for me to get back in!

              Looking at the IP it appeared to come out of France via the US.

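The advice in the last three posts, to check for newly created admin or mod accounts, as an added example that is not from the thread or from vBulletin. It reads a CSV export of the `user` table and flags every account holding a privileged usergroup that is either not on your own staff list or was created inside the incident window. The usergroup ids (stock vBulletin 3 defaults: 5 super moderators, 6 administrators, 7 moderators), the staff list, the incident date and the sample rows are all assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List

# Assumption: stock vBulletin 3 usergroup ids. Verify against your own
# usergroup table before trusting the output.
PRIVILEGED_GROUPS = {5: "super moderator", 6: "administrator", 7: "moderator"}

# Assumption: the staff accounts you created yourself. Anything else that
# holds a privileged group is suspect.
KNOWN_STAFF = {"testpig", "modalice"}

# Hypothetical start of the incident window for this sample.
INCIDENT_START = datetime(2006, 8, 23, tzinfo=timezone.utc)

# Constructed CSV export of the `user` table with the columns the script
# needs (joindate is a unix timestamp, membergroupids a comma-separated
# list of secondary groups). Sample data only, not real forum users.
SAMPLE_EXPORT = """userid,username,usergroupid,membergroupids,joindate
1,testpig,6,,1068768000
2,modalice,7,,1072915200
3,regular_joe,2,,1150000000
4,adiga,2,6,1156300800
5,new_mod,7,,1156380000
"""


def parse_export(text: str) -> List[Dict]:
    """Read the CSV and gather each user's primary plus secondary usergroups."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        groups = {int(row["usergroupid"])}
        groups.update(int(g) for g in row["membergroupids"].split(",") if g.strip())
        users.append({
            "userid": int(row["userid"]),
            "username": row["username"],
            "groups": groups,
            "joined": datetime.fromtimestamp(int(row["joindate"]), timezone.utc),
        })
    return users


def audit(users: List[Dict], incident_start: datetime) -> List[str]:
    """One finding per privileged account that is unknown staff or was
    created inside the incident window; unprivileged accounts are skipped.
    A secondary group (membergroupids) counts just like the primary one,
    which is how an attacker can hide an admin grant on a plain member."""
    findings = []
    for u in users:
        held = sorted(g for g in u["groups"] if g in PRIVILEGED_GROUPS)
        if not held:
            continue
        reasons = []
        if u["username"] not in KNOWN_STAFF:
            reasons.append("not in known staff list")
        if u["joined"] >= incident_start:
            reasons.append("created inside incident window")
        if reasons:
            roles = ", ".join(PRIVILEGED_GROUPS[g] for g in held)
            findings.append(
                f"{u['username']} (userid {u['userid']}) holds {roles}: " + "; ".join(reasons))
    return findings


def audit_sample() -> List[str]:
    """Run the audit over the constructed export with the sample incident date."""
    return audit(parse_export(SAMPLE_EXPORT), INCIDENT_START)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Against the sample, `adiga` is flagged because its administrator right sits in the secondary group list of an ordinary member, and `new_mod` because it is a moderator nobody on staff created; the two long-standing staff accounts pass.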

              • mcipdns
                Member
                • Jul 2006
                • 51
                • 3.6.x

                #8
                Keep in mind, though, that IPs can be misleading, i.e. proxy servers.


                • testpig
                  Member
                  • Nov 2003
                  • 42
                  • 3.5.x

                  #9
                  ok...he came back and uploaded the following:
                  80.90.160.167
                  C:\Program Files\SQLFront\SQLFront.exe
                  I've closed the forum and after googling the filename it may be getting in through the RSS feed function. Still live and watching this turd in action....my forum is turned off and it seems to have pulled him up at this stage.


                  • rike-online
                    New Member
                    • Jun 2004
                    • 10

                    #10
                    Hi to all,

                    Same problem here today with vBulletin 3.6.0.

                    We've watched the same process ...

                    Hacker-IP: 80.90.171.80
                    Email: adiga.hacker@yahoo.com

                    All user accounts were deleted.... including my admin account, which is defined as undeletable in config.php....

                    details will be given...

                    Greetings
                    rike
                    Last edited by rike-online; Thu 24 Aug '06, 6:39am.


                    • Steve Machol
                      Former Customer Support Manager
                      • Jul 2000
                      • 154488

                      #11
                      Originally posted by testpig
                      ok...he came back and uploaded the following:

                      I've closed the forum and after googling the filename it may be getting in through the RSS feed function. Still live and watching this turd in action....my forum is turned off and it seems to have pulled him up at this stage.
                      He has access to your server to do this. You need to contact your host.

                      • webgroup
                        Senior Member
                        • Jun 2006
                        • 114
                        • 3.5.x

                        #12
                        Hmm, does this mean there's a security hole in the RSS feed feature of 3.6.0?


                        • Steve Machol
                          Former Customer Support Manager
                          • Jul 2000
                          • 154488

                          #13
                          No, why would it? This hacker obviously has access to the server itself.

                          • testpig
                            Member
                            • Nov 2003
                            • 42
                            • 3.5.x

                            #14
                            OK - what I've found to date.

                            The hacker managed to get access to the database. From there he changed the passwords of random moderators until he found my account (admin). He then changed my password, preventing me from accessing the board, and made himself admin.

                            I'm confident this was all done at the database level and have had my provider install a firewall.

                            The question remains how he got the database access codes.

                            He was definitely uploading to the site in an attempt to gain access. He opened a user in order to do so. Whether this was successful or he used other means I don't know (and I'm definitely not pointing my finger at vB software)...but once I regained control of the site he attempted to upload to Coppermine and anywhere else an upload feature was enabled.

                            I'm back up and running with RSS disabled, database firewalled, and his IP (80.*) banned. We traced his IP to France, routed through LA. Goes by the name "Ädiga" and email is [email protected]


                            • wbear
                              Senior Member
                              • Aug 2003
                              • 216

                              #15
                              and his IP (80.*) banned
                              Did you really ban that large a chunk of IPs?

                              Just curious how you decided that IP was France? Looks to me at first glance to be Jordan.

                              IP address: 80.90.160.167
                              Reverse DNS: [No reverse DNS entry per dns1.doosa.jo.]
                              Reverse DNS authenticity: [Unknown]
                              ASN: 8697
                              ASN Name: JTC-AS8697 (Jordan Telecom)
                              IP range connectivity: 1
                              Registrar (per ASN): RIPE
                              Country (per IP registrar): JO [Jordan]
                              Country Currency: JOD [Jordan Dinars]
                              Country IP Range: 80.90.160.0 to 80.90.175.255
                              Country fraud profile: Normal
                              City (per outside source): Amman, 'Amman
                              Private (internal) IP? No
                              IP address registrar: whois.ripe.net
                              Known Proxy? No
                              Link for WHOIS: 80.90.160.167

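An added example, not from the thread or from any lookup service, that works through the two points wbear raises: it parses the "Key: value" lookup result pasted above, collapses the registered range into a CIDR block, checks whether both attacker addresses reported in this thread (80.90.160.167 and 80.90.171.80) fall inside it, and shows how much wider a ban written as 80.* is than that block. The lookup lines are copied from the post; the meaning of the wildcard pattern (every address starting with the given octets) is an assumption matching how testpig wrote it.

```python
import ipaddress
from typing import Dict, List

# The lookup result as pasted in the thread, reduced to the lines this script
# uses (constructed from the page, not a live query).
LOOKUP_TEXT = """IP address: 80.90.160.167
Reverse DNS: [No reverse DNS entry per dns1.doosa.jo.]
ASN: 8697
ASN Name: JTC-AS8697 (Jordan Telecom)
Country (per IP registrar): JO [Jordan]
Country IP Range: 80.90.160.0 to 80.90.175.255
"""

# Addresses reported in the thread by the two affected forum owners.
REPORTED_IPS: List[str] = ["80.90.160.167", "80.90.171.80"]


def parse_lookup(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def registered_block(fields: Dict[str, str]) -> ipaddress.IPv4Network:
    """Collapse the 'first to last' range into CIDR form.

    Raises if the range does not align to a single block, which tells you the
    registrar data needs a closer look rather than a one-line ban."""
    first, last = (part.strip() for part in fields["Country IP Range"].split("to"))
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"range is not a single CIDR block: {nets}")
    return nets[0]


def in_block(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


def wildcard_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Interpret a ban pattern such as '80.*' or '80.90.*' as a CIDR block.

    Assumed semantics: fixed leading octets, '*' for everything after."""
    octets = pattern.split(".")
    fixed = [o for o in octets if o != "*"]
    wild = octets[len(fixed):]
    if not 1 <= len(fixed) <= 3 or wild != ["*"] * (len(octets) - len(fixed)):
        raise ValueError(f"unsupported pattern: {pattern}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def ban_overreach(pattern: str, net: ipaddress.IPv4Network) -> int:
    """How many times more addresses the wildcard ban covers than the block."""
    return wildcard_to_network(pattern).num_addresses // net.num_addresses


if __name__ == "__main__":
    fields = parse_lookup(LOOKUP_TEXT)
    net = registered_block(fields)
    print(f"ASN {fields['ASN']} ({fields['ASN Name']}), "
          f"country {fields['Country (per IP registrar)']}")
    print(f"registered block: {net} ({net.num_addresses} addresses)")
    for ip in REPORTED_IPS:
        print(f"  {ip}: {'inside' if in_block(ip, net) else 'outside'} that block")
    for pattern in ("80.*", "80.90.*"):
        print(f"ban '{pattern}' = {wildcard_to_network(pattern)}, "
              f"{ban_overreach(pattern, net)}x larger than {net}")
```

Both reported addresses sit in 80.90.160.0/20, so a ban on that block (4096 addresses) covers what the thread actually saw; 80.* is a /8, 4096 times larger, and 80.90.* is still 16 times larger than the registered block.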