V/Bulletin Getting hacked


lightwave
06-14-2006, 10:59 PM
So what if your Board gets hacked. Like all your forums are cleared out.
All your admins are kicked off and you
But your FTP and everything is safe right..
You're kicked off admin and he's got all the powers.
It's happened to me twice. What do I do to prevent it in the future?

Ntfu2
06-14-2006, 11:06 PM
First you need to find the problem. Make sure you are being hacked and it's not one of your other admins screwing around trying to feel important.

Depending on how the hack was performed you could lose total control of your server, until you get in touch with your hosting company, or you could simply lose vBulletin.

Either way make sure to have some backups, and when you restore, disable all plugins and hacks you've ever installed to make sure your vBulletin is secure. Oh, and using the latest version always helps ;)

lightwave
06-14-2006, 11:08 PM
Yea. I got the latest version.
The first time it happened to me, it was one of my admins.

Second time I cleared my whole FTP, cleared tables.
Got new database, new FTP
and it still happened.

Ntfu2
06-14-2006, 11:12 PM
Did you remove the admin?

lightwave
06-14-2006, 11:30 PM
Yes.

I re-installed the whole V/B again, cleared out everything and only had 2 other admins I trusted.

And he still hacked me again.
Clearing all forums, then made himself as admin and did whatever.. How?

Ntfu2
06-14-2006, 11:33 PM
Hard to say unless he knows your passwords on the server or something.

Paul M
06-14-2006, 11:35 PM
Make sure tools.php is not uploaded and that he does not have any FTP access.

Freesteyelz
06-14-2006, 11:45 PM
For now withhold giving out any admin control. Your friend may be trusted but in order to find the problem you can't leave anything to chance. If you explain to him and he is your friend he/she will understand.

Redo all of your passwords and not something easy someone can figure out. Example:

cookiedoh = Bad
35gr_66f1 = OK
F9$@hR4*_! = Very good.

Gio~Logist
06-14-2006, 11:48 PM
For now withhold giving out any admin control. Your friend may be trusted but in order to find the problem you can't leave anything to chance. If you explain to him and he is your friend he/she will understand.

Redo all of your passwords and not something easy someone can figure out. Example:

cookiedoh = Bad
35gr_66f1 = OK
F9$@hR4*_! = Very good.

What about: iohjeodp2iu43hnHJHLKJH3dih2nfio23h498yuf-copux@#(*&$)& ?

smacklan
06-15-2006, 12:20 AM
What about: iohjeodp2iu43hnHJHLKJH3dih2nfio23h498yuf-copux@#(*&$)& ?

hehe...better write that one down to remember it ;)

Freesteyelz
06-15-2006, 12:27 AM
What about: iohjeodp2iu43hnHJHLKJH3dih2nfio23h498yuf-copux@#(*&$)& ?

Exceed password character limit I assume. Plus, sometimes the "(" will show up as illegal. If not, well...Good luck. :rolleyes:

bigmonay2k
06-15-2006, 01:29 AM
What about: iohjeodp2iu43hnHJHLKJH3dih2nfio23h498yuf-copux@#(*&$)& ?
:cool:

lightwave
06-15-2006, 01:31 AM
You guys think it's just password?

What about table hacking...

Ntfu2
06-15-2006, 01:51 AM
Unless he inserted some sort of script that will insert himself into the DB as an admin, I doubt it.

You did completely delete everything, didn't you?

Freesteyelz
06-15-2006, 01:55 AM
You guys think it's just password?


At this point we don't know if your site has been compromised. It's a guessing game at this stage. The way to investigate is to minimize all unknown to questionable variables and go from there.

SaintDog
06-15-2006, 02:41 AM
1). Set yourself as the only administrator, don't promote any other user for the time being.

2). In config.php, insert your userid in the area to limit the editing of users. This way, if it is something gaining access via the admin cp, they at least will not be able to edit your admin account.

3). Make sure the tools.php folder isn't accessible or uploaded.

4). Rename your admincp and modcp folders and then .htaccess them for an extra layer of protection.

The above should stop anyone gaining access via software, however, if they still get through the above, chances are there's a security breach somewhere along your server and you would need to contact your host and have them check the logs and such.

Sean S
06-15-2006, 05:32 AM
I agree with all the steps given above, especially step 2. Also to add a little bit more security, make sure that you put a blank "index.html" page in almost all the folders that need one. Not having an index page allows people to look into your files and folders and they might find something within your files to steal data.

good luck to you.
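A checker for the hardening steps SaintDog lists and the index-page tip from Sean S, added here as an example (it is not code from any poster or from vBulletin). It assumes a vBulletin 3.5+ style includes/config.php holding the $config['Misc']['admincpdir'], $config['Misc']['modcpdir'] and $config['SpecialUsers']['undeletableusers'] settings; audit_forum and read_config are names made up for this example.

```python
import os
import re

INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def read_config(root):
    """Collect $config['Section']['key'] = 'value'; lines from includes/config.php."""
    try:
        with open(os.path.join(root, "includes", "config.php"), errors="replace") as fh:
            text = fh.read()
    except OSError:
        return {}
    pairs = re.findall(r"^\s*\$config\['(\w+)'\]\['(\w+)'\]\s*=\s*'([^']*)'", text, re.M)
    return {f"{sect}.{key}": value for sect, key, value in pairs}

def audit_forum(root):
    """Return a sorted list of findings for the forum tree at root."""
    cfg, findings = read_config(root), []
    # Step 2: assumed vBulletin 3.5+ key listing user ids that cannot be edited
    if not cfg.get("SpecialUsers.undeletableusers", "").strip():
        findings.append("config.php: no protected user id set")
    # Step 4: folders renamed (config.php has to name them) and covered by .htaccess
    for key, default in (("admincpdir", "admincp"), ("modcpdir", "modcp")):
        name = cfg.get(f"Misc.{key}", default)
        if name == default:
            findings.append(f"{name}: control panel folder still has its default name")
        if not os.path.isfile(os.path.join(root, name, ".htaccess")):
            findings.append(f"{name}: no .htaccess in control panel folder")
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if "tools.php" in files:                          # step 3
            findings.append(f"{rel}: tools.php is uploaded")
        if not INDEX_NAMES & {f.lower() for f in files}:  # index page in every folder
            findings.append(f"{rel}: no index file")
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for finding in audit_forum(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it with the forum root as the only argument; no output means every check passed.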

lightwave
06-15-2006, 04:13 PM
-I read it all.
Thanks, I'll try it

Kirk Y
06-15-2006, 04:33 PM
Make sure too that you've set your Admin account as uneditable -- that way, he won't be able to remove you, if this is just simply another administrator messing with you. But if your actual site is being hacked, then this would only protect you if the intruder didn't know his way through vBulletin or was just an idiot.

SaintDog
06-15-2006, 05:59 PM
Optionally, also check your admin logs to see if it is another administrator tinkering around. See what has been done and move from there. The above listed steps are the most crucial though and should prevent it from happening again, pending it's not something server-side.

Guest210212002
06-16-2006, 02:28 PM
I've got a small how-to that can be of some help in the future for you:

https://vborg.vbsupport.ru/showthread.php?p=877421

lightwave
06-16-2006, 06:55 PM
^Thanks Chris
I'm installing it.

davidw
06-16-2006, 08:02 PM
Also, try ensuring SSH and telnet are disabled.

Freesteyelz
06-16-2006, 09:26 PM
Enabling SSH only when needed is a good rule.

Ntfu2
06-16-2006, 10:40 PM
How are you going to enable SSH only when you need it? Wouldn't it be disabled when you go to turn it back on?



:)

Freesteyelz
06-16-2006, 10:59 PM
Alright, I could have explained it better. :D Anyway...

I use WebHost Manager to set the permissions. There's an option to enable and disable SSH. Unless I'm using it it's set to disable.

Guest210212002
06-18-2006, 02:06 PM
If you do leave SSH up, change it to a random high numbered port. I have tons of generic blanket attacks in my logfiles of people trying to SSH in as things like 'root' 'admin' 'administrator' etc on port 21.

Paul M
06-18-2006, 02:24 PM
Port 21 is FTP, did you mean Port 22 which is SSH? :)

filburt1
06-19-2006, 01:27 AM
How are you going to enable SSH only when you need it? Wouldn't it be disabled when you go to turn it back on?



:)
CPanel or asking your host, I would assume.

But lightwave, the best way to protect your forums: you are currently showing up as unlicensed. To be able to download hacks and/or receive support here at vBulletin.org, we ask you to please click here (http://members.vbulletin.com/membersupport_priority.php) (vB-germany users click here (http://members.vbulletin-germany.com/membersupport_priority.php)) and enter your email address, to show us that you are licensed.

You will need to use your customer number and password (which will be in the email you got when you paid for your license) to access that page. Please note that your email is case sensitive. The update of your account may take up to one hour.

Thank you.

Brandon Sheley
06-19-2006, 01:52 AM
Maybe you can post a list of hacks installed.

Maybe it's a mixture of the mods and hacks, I'm sure some are exploitable.

Erwin
06-19-2006, 02:01 AM
If you do leave SSH up, change it to a random high numbered port. I have tons of generic blanket attacks in my logfiles of people trying to SSH in as things like 'root' 'admin' 'administrator' etc on port 21.
That's advisable, yes, but a port sniffer will find the higher port number easily, so it's easily circumvented and definitely not foolproof.

Use RSA keys instead of password for SSH, and always use SSH2.
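The blanket login attempts Guest210212002 mentions and the key-only logins Erwin recommends can both be read out of the sshd auth log; this added example (not code from any poster) does that over constructed sample lines. It assumes OpenSSH's usual "Failed/Accepted ... for USER from IP port N" syslog wording, and summarize and min_users are names made up here.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (documentation address ranges)
SAMPLE_LOG = """\
Jun 18 03:10:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 18 03:10:03 web1 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jun 18 03:10:05 web1 sshd[4105]: Failed password for invalid user administrator from 203.0.113.7 port 40131 ssh2
Jun 18 03:10:07 web1 sshd[4107]: Failed password for root from 203.0.113.7 port 40140 ssh2
Jun 18 09:42:10 web1 sshd[5210]: Failed password for alice from 198.51.100.20 port 51500 ssh2
Jun 18 09:42:19 web1 sshd[5210]: Accepted password for alice from 198.51.100.20 port 51500 ssh2
Jun 18 11:05:44 web1 sshd[5342]: Accepted publickey for bob from 198.51.100.31 port 52011 ssh2
"""

LINE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (password|publickey) for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

def summarize(log_text, min_users=3):
    """Return (sources sweeping usernames, accounts that logged in with a password)."""
    tried = defaultdict(set)      # source IP -> usernames it failed to log in as
    failures = defaultdict(int)   # source IP -> number of failed attempts
    password_logins = set()       # accounts not yet moved to key-based login
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        outcome, method, user, src = m.groups()
        if outcome == "Failed":
            tried[src].add(user)
            failures[src] += 1
        elif method == "password":
            password_logins.add(user)
    # A single mistyped password is not a sweep; many different usernames is
    sweeps = {src: (failures[src], sorted(users))
              for src, users in tried.items() if len(users) >= min_users}
    return sweeps, sorted(password_logins)

if __name__ == "__main__":
    sweeps, pw = summarize(SAMPLE_LOG)
    for src, (count, users) in sweeps.items():
        print(f"{src}: {count} failed logins as {', '.join(users)}")
    print("accounts still logging in with a password:", ", ".join(pw) or "none")
```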

Guest210212002
06-19-2006, 02:24 PM
That's advisable, yes, but a port sniffer will find the higher port number easily, so it's easily circumvented and definitely not foolproof.

Use RSA keys instead of password for SSH, and always use SSH2.

Well we could take it one farther and issue a SecurID token to anyone needing access. And surround the token with angry, hungry dobermans. ;)

Nothing is foolproof dude, if an experienced hacker really wants at your system, chances are he's going to get in if given the time.

GE-Biggs
06-19-2006, 09:06 PM
Here's one idea, if you do everything correct, and follow the previous suggestions, and it still happens again, you might try to check your PC for any trojans, keyloggers, etc. That is assuming that you haven't already.. You never know, it could be something as simple as your PC being compromised, wouldn't be the first time that has happened to someone.

Blaine0002
06-19-2006, 11:12 PM
Augh! You beat me to it, I read through the entire topic and thought, why has no one mentioned keyloggers. Then I get to the last post >_< Yes, I would recommend either Adaware or Spybot Search and Destroy. Also have Avast scanner running in the background at all times.

Alfa1
06-24-2006, 12:10 AM
If you are on shared hosting, check if safe mode is on. If not then it is possible to go from one website to another on the same server. i.e. access to your site from another shared hosting account.

The SandKiller
06-29-2006, 04:03 AM
If you have FTP still, upload tools.php and regain ACP access, then add user ID to Super Admins and you're done.