Serious Problem - FORUM HACKED

  • Airwaves
    Member
    • Oct 2001
    • 63

    Serious Problem - FORUM HACKED

    My 2.2.1 version forum was hacked, you can see it at http://www.airwavescomms.co.uk/forums

    The members have been deleted except 7, which I cannot view in any way.

    I have lost all admin abilities

    Would it be possible, and if so HOW, to use the getadmin script included with vb221?

    Please help!!!
  • Dotagious
    Senior Member
    • Oct 2001
    • 478

    #2
    Oh man.... that's nasty.


    • The Prohacker
      Senior Member
      • Apr 2001
      • 1212
      • 3.8.x

      #3
      1. Upload the getadmin script to your admin dir.
      2. Run it from the net and get yourself admin.
      3. Htaccess the forum so the intruders can't come back.
      4. If you used the same password elsewhere, change them all.
      5. Inform your other admins to change their passwords.
      6. Upload fresh PHP files.
      7. Change all FTP and shell passwords..
      8. Inform your host of the intrusion....
      9. Restore a forum backup...
      10. Change your passwords after the restore.

      I'm pretty sure someone got in because someone either used a password somewhere else, or had an easily guessed password...

      In the future, be sure to htaccess the admin dir, so even if an account's password gets compromised, the intruder doesn't have access to the admin cp.....
      Last edited by The Prohacker; Sat 29 Dec '01, 1:00pm.


      • Airwaves
        Member
        • Oct 2001
        • 63

        #4
        1. Upload the getadmin script to your admin dir.
        2. Run it from the net and get yourself admin.

        Done that, ran it, the admin account doesn't exist (user 1)

        3. Htaccess the forum so the intruders can't come back.

        Will this affect the general running of the forums?


        4. If you used the same password else where, change them all.

        MY password is unique for the forums; I think the second admin (user 2), his account was used

        5. Inform your other admin's to change their passwords.

        Can't do that, all registered users, admins and moderators were deleted; the first user is user 103 I think

        6. Upload fresh PHP files.

        will do

        7. Change all ftp, and shell passwords..

        Have done, I don't have a shell account I don't think

        8. Inform your host of the intrusion....

        have done

        9. Restore a forum backup...

        Don't have one recent enough to be of use; my HDD corrupted and I lost it, I had to wait a week for a new drive, and this is my 2nd day back online and this happens!

        10. Change your passwords after the restore.

        will do.


        In the MySQL database, most of the tables have been emptied. The getadmin script doesn't work, even by creating a new user; it says table 'access' already exists.

        This error:
        Database error in vBulletin Installer :

        Invalid SQL: CREATE TABLE access (
        userid int(10) unsigned DEFAULT '0' NOT NULL,
        forumid smallint(5) unsigned DEFAULT '0' NOT NULL,
        accessmask smallint(5) unsigned DEFAULT '0' NOT NULL
        )
        mysql error: Table 'access' already exists

        mysql error number: 1050

        Date: Saturday 29th of December 2001 09:56:35 PM
        Script: /forums/admin/install.php?step=4
        Referer:
        I think I should just start over from scratch as this is the second time it's happened, but the first time it wasn't so bad, they just defaced it.

        Is it possible to create an admin account by parsing a SQL statement? If so, I could probably create some sort of back-up from within the admin control panel, will I not?


        • The Prohacker
          Senior Member
          • Apr 2001
          • 1212
          • 3.8.x

          #5
          Originally posted by Airwaves
          I think i should just start over from scratch as this is the second time its happend, but the first time it wasnt so bad, they just defaced it.
          Yeah, sounds like, if your db backup is old, you might as well start anew. When doing that, be sure to .htaccess the admin and mod dirs like I said above to prevent further attacks, and choose long, hard-to-get passwords that would not be in the dictionary.....

          Before reinstalling, check the admin logs via phpMyAdmin and see if you can get the person's IP; if you can, do an ARIN lookup on it and notify their host....


          • Airwaves
            Member
            • Oct 2001
            • 63

            #6
            I already started the new one...

            I have htaccessed the admin dir, will do the mod dir as well.

            Here is the adminlog table. I do not understand the time format used, but the IP starting 195 is myself, the other isn't. It looks like USERID 2 was the account to be breached; this is my co-admin.

            adminlogid  userid  dateline    script       action         extrainfo     ipaddress
            1           1       1004116517  index.php                                 195.92.168.165
            2           1       1004116538  options.php  options                      195.92.168.165
            3           1       1004116574  options.php  dooptions                    195.92.168.165
            4           1       1004116592  user.php     add                          195.92.168.165
            5           1       1004116632  user.php     insert                       195.92.168.165
            6           1       1004116637  user.php     find                         195.92.168.165
            7           1       1004116640  user.php     emailpassword                195.92.168.165
            8           1       1004116748  forum.php    modify                       195.92.168.165
            9           1       1004116762  forum.php    edit           forum id = 1  195.92.168.165
            10          1       1004116788  forum.php    doupdate       forum id = 1  195.92.168.165
            11          1       1004116842  index.php                                 195.92.168.165
            12          1       1004118668  index.php                                 217.35.250.18
            13          2       1004118707  index.php                                 217.35.250.18
            14          2       1004118725  forum.php    modify                       217.35.250.18
            15          2       1004118752  forum.php    edit           forum id = 1  217.35.250.18
            16          2       1004118810  user.php     modify                       217.35.250.18
            17          2       1004118825  user.php     find                         217.35.250.18
            18          2       1004118836  user.php     edit           user id = 2   217.35.250.18
            19          2       1004118902  user.php     doips                        217.35.250.18
            20          2       1004118977  user.php     doupdate       user id = 2   217.35.250.18
            I will try and trace the IP somehow and inform the ISP somehow.

            What's an 'ARIN' lookup?

            I have started the forums again, but have this information saved.

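The dateline column in the adminlog table above is a Unix timestamp (seconds since 1970-01-01 UTC). As an added example that is not part of this thread, the Python below converts those timestamps, groups a subset of the posted rows by source address, and lists the admin actions that came from an address the admins do not recognise; the rows and the "trusted" address 195.92.168.165 are taken from the table as posted, and the set of actions treated as sensitive is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: a subset of the adminlog rows posted above, as tuples of
# (adminlogid, userid, dateline, script, action, extrainfo, ipaddress).
ADMINLOG = [
    (1,  1, 1004116517, "index.php", "",              "",            "195.92.168.165"),
    (4,  1, 1004116592, "user.php",  "add",           "",            "195.92.168.165"),
    (7,  1, 1004116640, "user.php",  "emailpassword", "",            "195.92.168.165"),
    (11, 1, 1004116842, "index.php", "",              "",            "195.92.168.165"),
    (12, 1, 1004118668, "index.php", "",              "",            "217.35.250.18"),
    (13, 2, 1004118707, "index.php", "",              "",            "217.35.250.18"),
    (16, 2, 1004118810, "user.php",  "modify",        "",            "217.35.250.18"),
    (18, 2, 1004118836, "user.php",  "edit",          "user id = 2", "217.35.250.18"),
    (19, 2, 1004118902, "user.php",  "doips",         "",            "217.35.250.18"),
    (20, 2, 1004118977, "user.php",  "doupdate",      "user id = 2", "217.35.250.18"),
]

# Assumed set of admin CP actions that change accounts or reveal data; these
# deserve a second look whenever they come from an unrecognised address.
SENSITIVE = {"add", "insert", "edit", "doupdate", "doips", "emailpassword"}

def dateline_to_utc(dateline):
    """vBulletin's 'dateline' is seconds since the Unix epoch; render as UTC ISO-8601."""
    return datetime.fromtimestamp(dateline, tz=timezone.utc).isoformat()

def actions_by_ip(rows):
    """Group log rows by source address, keeping them in adminlogid order."""
    grouped = defaultdict(list)
    for row in sorted(rows, key=lambda r: r[0]):
        grouped[row[6]].append(row)
    return dict(grouped)

def suspicious_rows(rows, trusted_ips):
    """Rows where an admin userid was driven from an address outside trusted_ips."""
    return [r for r in rows if r[6] not in trusted_ips]

def compromised_accounts(rows, trusted_ips):
    """Admin userids that performed a sensitive action from an untrusted address."""
    return sorted({r[1] for r in suspicious_rows(rows, trusted_ips) if r[4] in SENSITIVE})

def report(rows, trusted_ips):
    """Human-readable timeline of untrusted activity, suitable for the host or abuse desk."""
    lines = []
    for ip, ip_rows in actions_by_ip(suspicious_rows(rows, trusted_ips)).items():
        lines.append(f"Untrusted address {ip}:")
        for _, userid, dateline, script, action, extra, _ in ip_rows:
            lines.append(f"  {dateline_to_utc(dateline)} userid={userid} {script} {action} {extra}".rstrip())
    return "\n".join(lines)
```

Calling `report(ADMINLOG, {"195.92.168.165"})` prints the timeline for 217.35.250.18 in UTC, which is the material the thread suggests forwarding to the host.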

            • The Prohacker
              Senior Member
              • Apr 2001
              • 1212
              • 3.8.x

              #7
              ARIN is the people who allot IPs. The IP above, 217.35.250.18, appears to be from Europe:


              inetnum: 217.35.212.0 - 217.35.255.255
              netname: BT-Webport
              descr: BT-Webport Sheffield
              country: GB
              admin-c: BS1474-RIPE
              tech-c: BS1474-RIPE
              status: ASSIGNED PA
              remarks: Please send abuse notification to [email protected]
              mnt-by: BTNET-MNT
              changed: [email protected] 20010629
              source: RIPE

              route: 217.32.0.0/12
              descr: BT Public Internet Service
              origin: AS2856
              remarks: Please send abuse notification to [email protected]
              remarks: PLEASE DIRECT ALL QUERIES TO [email protected]
              mnt-by: BTNET-MNT
              changed: [email protected] 20000921
              source: RIPE

              role: BTnet Support
              address: 154 St Albans Rd
              address: Sandridge
              address: St Albans
              address: Hertfordshire
              address: AL4 9NH
              address: GB
              phone: +44 1189 512313
              e-mail: [email protected]
              trouble: [email protected]
              admin-c: FLS15-RIPE
              tech-c: BS1474-RIPE
              nic-hdl: BS1474-RIPE
              remarks: Please send abuse notification to [email protected]
              remarks: For all queries contact [email protected]
              mnt-by: BTNET-MNT
              changed: [email protected] 20010613
              changed: [email protected] 20011112
              source: RIPE

              Since their ISP is BT Net, don't expect them to do anything.... But sometimes worth a try, get your host to get you http logs, and get the logs from the adminlog table, and send them to [email protected] and see if you get a response...


              • Kaizen
                Senior Member
                • Aug 2001
                • 1884

                #8
                BT !

                I've had that IP before !

                I dont believe it !

                BTW, the chances of you getting a reply from BT are minimal !
                Email: [email protected]
                Site: Under Construction


                • The Prohacker
                  Senior Member
                  • Apr 2001
                  • 1212
                  • 3.8.x

                  #9
                  Originally posted by Kaizen
                  BTW, the chances of you getting a reply from BT are minimal !

                  I'm thinking more towards nil........


                  • Kaizen
                    Senior Member
                    • Aug 2001
                    • 1884

                    #10
                    Originally posted by The Prohacker
                    I'm thinking more towards nil........

                    How do you know how bad they are (is it all my moaning?)
                    Email: [email protected]
                    Site: Under Construction


                    • The Prohacker
                      Senior Member
                      • Apr 2001
                      • 1212
                      • 3.8.x

                      #11
                      Originally posted by Kaizen
                      How do you know how bad they are (is it all my moaning?)

                      Nah, not you... Have had friends with connection problems, problems with problem users who were using BT, etc....


                      • Black Tiger
                        Senior Member
                        • Mar 2001
                        • 668

                        #12
                        Hmmz... spoke to a friend of mine with a lot of PHP knowledge.
                        He hacked out a lot of stuff. According to him, when activating img tags there are security breaches.
                        In the PM option there is also a way of getting admin access when knowing enough about PHP.

                        I asked him if he could tell me how, but he did not have it documented yet. Pity; due to his work (he must travel a lot in the coming years) he probably won't have time to do it, but he told me that if he had time he would document it.

                        If I get it I can give it to the developers, so it can be fixed.
                        But vbb is not 100% secure, that's for sure, but then again, which boardsoft is?
                        Greetings, Black Tiger


                        • tubedogg
                          Senior Member
                          • Feb 2001
                          • 13602

                          #13
                          The img tag exploit was fixed several versions ago and there are no known security bugs with the PM system (this has been checked by a couple outside security experts).


                          • Black Tiger
                            Senior Member
                            • Mar 2001
                            • 668

                            #14
                            Well, I'll have to wait until my friend has some time; he still found some things.
                            One should have some real PHP knowledge to exploit them, he said, but they were present.
                            Indeed the img tag was fixed.
                            Hopefully I'll get him so far that he will document it for me. If he does, I surely will send you a copy.
                            Greetings, Black Tiger


                            • JTMON
                              Senior Member
                              • Oct 2001
                              • 571

                              #15
                              Originally posted by tubedogg
                              The img tag exploit was fixed several versions ago and there are no known security bugs with the PM system (this has been checked by a couple outside security experts).
                              Good to hear about the IMG tag exploit being fixed, but saying outside people checked it isn't quite enough, I don't believe. If you were to look at some other security threads here you will see that the outside security people missed some basic issues. If I could remember exactly what it was I would type it here, but I can't. I do remember that I posted in that thread regarding the use of security experts and them missing something.
                              JTMON
