My forums have been hacked!

  • Mark0380
    Member
    • May 2001
    • 35

    My forums have been hacked!

    I've just got out of bed to find a mailbox full of messages from my members saying my forums have been hacked. Sure enough, I attempted to log in to the forums and there's a message from a hacker group known as "Alhejaz_Hackers".

    On further investigation, it looks like they have somehow managed to up their user account to administrator privilege, then proceed to delete all of the forums and their posts, change the "forum_home" template, and then finish by deleting my own admin user account so I couldn't get back in.

    I've now created a new account for myself, logged into MySQL in the conventional method on the server, and changed my user privileges back to administrator so I can access the vB control panel once again.

    It does not appear that they broke into the FTP or the hosting company's site control panel fortunately. I am now writing to my hosting company (VenturesOnline) to see if they can obtain a back-up of the MySQL database from yesterday, but even if I can get the site restored, I get the impression from the hackers' message that they are going to keep on doing this to me.

    I really do not know which way to proceed next. The system has logged two different IP addresses for this hacker in the admin log. It looks like they have been able to log in to the admin area with an account they opened moments before, which considering even registered users have fairly restricted privileges on my forums is very worrying.

    Has this ever happened to anyone else? What should I do next for the best? How can I make the site more secure? I am quite stunned that this has happened to my fairly small and insignificant forums site, and gutted that this has happened so soon after we'd just relocated to a decent hosting company. Help!
    Last edited by Mark0380; Thu 11 Apr '02, 1:32am.
  • IDN
    Senior Member
    • Apr 2002
    • 4030
    • 3.5.x

    #2
    if you have their ip, contact their ISP
    Running vB since 4-14-2002


    • Conrad
      Member
      • Mar 2002
      • 70

      #3
      How can they do that?

      Maybe you should send all the info you can to vBulletin so that they can see how they got in and make it harder or next to impossible the next time around.

      Maybe you had a relatively short password? There are programs out there that will keep bombarding the login with random passwords (starting with one character and moving up). Theoretically sooner or later they'll hit the right one. That's why I always use the longest password possible.

      The same goes for Excel. Passwords are cake to crack, the shorter the easier.


      • George L
        Former vBulletin Support
        • May 2000
        • 32996
        • 3.8.x

        #4
        what version of vB are you using?

        2.2.5 is the secure release ... 2.2.4 and lower have security bugs which all vB owners should have been notified about
        :: Always Back Up Forum Database + Attachments BEFORE upgrading !
        :: Nginx SPDY SSL - World Flags Demo [video results]
        :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]


        • Mark0380
          Member
          • May 2001
          • 35

          #5
          Eva: I am running 2.2.5, and have been doing so since it came off BETA status last week.

          Conrad: Yes, my password was relatively short (seven characters), so your theory is possible. However, the admin log indicates that this person went straight into the control panel under their newly-registered username and then proceeded to do the damage. There was no indication that someone had logged into the system with my account to alter privileges before this, which bothers me a great deal.

          IDN: I have now dug up four IPs for the hacker - three point to one network, the fourth from somewhere completely different. Is there a procedure for reporting people? I have never been hacked before, so I am a little in the dark on how to play things.

          VenturesOnline are on the case with regard to restoring the database, and have said that they will block the IPs I have provided. However, I get the feeling this hacker was spoofing his identity somehow, and will indeed be back once I get my forums up-and-running again......


          • George L
            Former vBulletin Support
            • May 2000
            • 32996
            • 3.8.x

            #6
            if this is a shared server... they could have gotten in via the server itself... i'd let VO handle it

            did you set up a separate mysql username/password for your vB forum or use your web account's default username/password to connect with your vB database in the config.php file?

            • Mark0380
              Member
              • May 2001
              • 35

              #7
              I have different login/passwords for 1) general account access 2) MySQL access, and 3) forums admin access.

              I have blocked five different IPs for the hacker, and can see he is on my site again right now!!! (Haven't deleted their account yet)


              • IDN
                Senior Member
                • Apr 2002
                • 4030
                • 3.5.x

                #8
                do a whois on that ip and call the company that owns it and explain what happened

                • Sven
                  Senior Member
                  • Dec 2000
                  • 240

                  #9
                  You should set up an .htaccess protection for your admin directory immediately - so any hacker needs to figure out two usernames and passwords.


                  • Mark0380
                    Member
                    • May 2001
                    • 35

                    #10
                    Okay, well...

                    One of the ISPs I have traced is in Saudi Arabia, the other appears to be in the USA. VenturesOnline are saying there's nothing much they can do, because he is bouncing off of so many different IPs.


                    • Mark0380
                      Member
                      • May 2001
                      • 35

                      #11
                      One step ahead of you Sven! This is so scary though... I can see my forums are being bombarded with guest visitors from various IPs, all likely to be this guy.


                      • Fusion
                        Senior Member
                        • Aug 2001
                        • 4346
                        • 3.8.x

                        #12
                        Originally posted by Sven
                        You should set up an .htaccess protection for your admin directory immediately - so any hacker needs to figure out two usernames and passwords.
                        It looked like it already was under .ht* protection
                        Toddler from Hell


                        • HostReach
                          Member
                          • Feb 2002
                          • 45

                          #13
                          Originally posted by Sven
                          You should set up an .htaccess protection for your admin directory immediately - so any hacker needs to figure out two usernames and passwords.
                          Does VB require user access to the admin directory files to function? If not, dropping a .htaccess file inside /admin that allows only your IP to enter should work to secure it.

                          Comment
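
The two admin-directory protections suggested above by Sven (a second username and password) and HostReach (allow only your own IP), combined in one `.htaccess`, as an added example that is not part of any post in this thread. The address `203.0.113.10`, the path `/home/example/.htpasswd-admin`, the user name `adminuser` and the realm name are placeholders, and the host is assumed to permit `AllowOverride AuthConfig` (plus `Limit` for the older syntax).

```apache
# .htaccess placed in the forum's admin directory.
# Added example; every path, name and address below is a placeholder.

# Layer 1: HTTP Basic authentication. Apache checks this before any forum
# PHP runs, so a forum account with elevated privileges is not sufficient
# on its own to reach the control panel.
AuthType Basic
AuthName "Forum admin"
# Keep the password file outside the web root. Create it with:
#   htpasswd -c /home/example/.htpasswd-admin adminuser
AuthUserFile /home/example/.htpasswd-admin

# Layer 2: client address allowlist (203.0.113.10 is a documentation address).
# Apache 2.4 syntax: BOTH conditions must hold.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>

# Equivalent for Apache 1.3 / 2.0 / 2.2; use instead of the <RequireAll>
# block above. "Satisfy all" is what makes password AND address mandatory;
# "Satisfy any" would let either one through.
# Require valid-user
# Order deny,allow
# Deny from all
# Allow from 203.0.113.10
# Satisfy all

# If the password file does end up under the web root, refuse to serve it.
<Files ".htpasswd*">
    Require all denied
</Files>
```

Basic authentication sends the password with every request in an easily decoded form, so the admin directory should be reached over HTTPS. The address rule only suits an administrator with a fixed IP; with a changing address, keep the password layer and drop the `Require ip` line.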

                          • Conrad
                            Member
                            • Mar 2002
                            • 70

                            #14
                            That would be a great feature, to be able to log into the control panel using one IP address.

                            Is this a standard feature (option) yet or does it have to be done manually (hacked)?


                            • Mark0380
                              Member
                              • May 2001
                              • 35

                              #15
                              Well, looks like he is trying to flood the server now I have scuppered his chances of getting into the admin area.

                              I am having trouble keeping up with all of the IPs I am seeing in the Who's Online box - guest logins are coming thick and fast. Most of them trace back to Middle Eastern ISPs, but the numbers are changing thick and fast.
