Forum hacked!

**Adrienne** · Wed 14 Mar '07, 5:21pm

I am a just a mod with AdminCP access, not an vBulletin expert, but maybe this can help you for now. The first thing I would do is block the hacker's IP's as soon as possible to keep them out. A Google search of this hacker showed hacked sites where a domain name was left in the email address, so I looked up a dns report on that:

Free Tools - Software Reviews, Opinions, and Tips - DNSstuff

http://www.dnsstuff.com/tools/dnsreport.ch?domain=turkdefacer.com

This shows the IP listed as being in Texas, but a .tr suffix indicates it is a Turkish IP.

Free Tools - Software Reviews, Opinions, and Tips - DNSstuff

http://www.dnsstuff.com/tools/whois.ch?ip=72.232.38.42&server=rwhois.layeredtech.com:4321

Then I would do a search of all users and try to find any matches of IPs or email addresses to the ones in the reports, and ban them. Also don't allow any new registrations till you check them out. You have to secure the perimeter, so to speak.
This saved us when we had a severe spam attack last year. Good luck!

**Steve Machol** · Wed 14 Mar '07, 5:34pm

Hopefully the hacker did not remove any data. Fill out a support ticket at:

Customer Login

http://members.vbulletin.com/membersupport_contactform.php

vBulletin Community Software

Please include a complete description of the problem and be sure to include the login info to your Admin CP, phpMyAdmin and FTP in the 'Sensitive Data' field.

**legar** · Thu 15 Mar '07, 3:00am

was this one of the ip's ?
81.52.162.111
because that was the ip that tried the hacking attempt with my forum yesterday

after talking to the p3tz developers, they were trying to bruteforce the admin password through an old vulnerability in the petz system (wich i had patched before, so they were not succesfull)

hope you get your forum up and running

**bboy** · Thu 15 Mar '07, 3:07am

Originally posted by legar

was this one of the ip's ?
81.52.162.111
because that was the ip that tried the hacking attempt with my forum yesterday

after talking to the p3tz developers, they were trying to bruteforce the admin password through an old vulnerability in the petz system (wich i had patched before, so they were not succesfull)

hope you get your forum up and running

How can you tell in the server logs when someone is trying to hack into your admin account?

**legar** · Thu 15 Mar '07, 6:26am

Originally posted by bboy

How can you tell in the server logs when someone is trying to hack into your admin account?

Because they were doing it via the forum and an addon, it generated a lot of mysql errors when the brute-force script tried it. (only for the script, not for other users)

**WurkAnimal** · Thu 15 Mar '07, 6:00pm

Sorry to hear about the problems

**Demaree** · Fri 16 Mar '07, 6:09pm

"Hacked by Saudi Spy"???

Hey all,

I got up this morning to this message on our forum.

http://tinyurl.com/2lbzbv

Just to fill you in a little, at the end of Feb we moved servers and have had problems with the DNS addressing since then with several of our members still being redirected to the old site. That site has a message up saying it is down for the move, with a time of 8:30am on it, in red.

That leads me to believe that this supposed hacker was in the old site.

How can I find out whether it was on our new site or not? I can't seem to find any logs to indicate activity of this nature.

Thanks heaps for your help.

Forum hacked!

Forum hacked!

Comment

Comment

Comment

Comment

Comment

Comment

Comment