Website hacked!


Heidrich
06-28-2006, 12:04 PM
My website has been hacked by some Turkish group. :mad: Someone registered at my site. When I connected to MySQL directly I found they had changed userid 1, the admin...

I had the following:

vBulletin 3.5.4
vBadvanced 2.1.0
DLM manager
VBgameserver hack
Teamspeak display hack

My best guess is they used some exploit in the vb gameserver hack. I'm now resetting my site using only:

vBulletin 3.5.4
vBadvanced 2.1.0
DLM manager

Are these three secure enough to use at this moment without getting hacked?

Second, I used MySQL-Front to make backups of my database. Yesterday I used the same program to restore the SQL file and guess what, it didn't work :mad:

Because I just switched to vBulletin from phpNuke I had the phpNuke database which I could use, so I only lost 2 weeks of data.

My second question: what is a good program to use to back up your database and to restore it? phpMyAdmin is no option because I don't want it installed on my webspace. The only thing it will do is add another way to kill off my database. :confused: Another vB user pointed me to SSH, but are there any good programs out there that would do the job?

Thanks for all the help, I really need it!!!

Marco van Herwaarden
06-28-2006, 02:09 PM
I can only say that vBulletin 3.5.4 should be secure enough; there are no known security issues. About the other 2 I can't make a judgement.

Backups (if your host doesn't make them yet) can best be made from the shell. Besides a terminal emulation program, no other software is needed.

For instructions see the chapters in the vBulletin manual:
Backing-up your MySQL Database Manually (http://www.vbulletin.com/docs/html/main/manual_database_backup)
Restoring your MySQL Database Manually (http://www.vbulletin.com/docs/html/main/manual_database_restore)

davidw
06-28-2006, 04:23 PM
Did you have SSH or telnet enabled?

Andromeda2875
06-28-2006, 04:38 PM
This is precisely the same thing that happened to me that I made a post about here and got my butt chewed out for it.

davidw
06-28-2006, 05:12 PM
With all due respect, your statements in the thread "Is this really how crappy vbulletin is? I mean You can not fix security holes in the software. Very unhappy. I may have to go to IPB. Terribly disappointing." here (https://vborg.vbsupport.ru/showthread.php?t=119099) made an attempt at lashing out at the software without regard to investigating the problem, and are NOT precisely the same thing as stated. In this thread, the poster is requesting help. I had to do some research to find that thread as I was unfamiliar with it.

Please either stay on topic and offer assistance or do not respond. If you would like to discuss this further, please PM me.

Zachery
06-28-2006, 08:45 PM
Aside from all of the bashing there were quite a few good suggestions and practices that could have been taken and followed.

Andromeda2875
06-28-2006, 09:29 PM
I did take all the steps that were offered to me.

Trana
06-28-2006, 10:57 PM
I did take all the steps that were offered to me.

No, you insisted that it was a security hole in VB amid continuous suggestions that the problem lay elsewhere. Then you claimed that people were attacking you when they offered up any other possible explanation.

So what happened? Did you find out who was hacking your server every day? Where was the vulnerability?

davidw
06-29-2006, 12:55 AM
Heidrich, I was on phpNuke when I was brutally hacked and from the way it is being described, my attack was similar to yours. One thing I took note of was SSH traffic. I had previously been hacked once before, a minor defacing, but I made note of the SSH traffic on that as well. This time it was much larger. It was then I requested my SSH and telnet disabled - in fact, all avenues of access other than ftp and http closed. Knock on wood, I've not had anything happen since. It was this last hacking that I had decided to move to vbulletin - away from phpNuke. Fortunately, since I worked for my ISP, and we were going to migrate to a newer box anyways, I built our next hosting box. The crack had corrupted the old mysql database. Even recreating the site wouldn't fix it. I hope your fix is easier than mine was.

Andromeda2875
06-29-2006, 03:17 AM
No, you insisted that it was a security hole in VB amid continuous suggestions that the problem lay elsewhere. Then you claimed that people were attacking you when they offered up any other possible explanation.

So what happened? Did you find out who was hacking your server every day? Where was the vulnerability?


As I stated, it was vbulletin.

Zachery
06-29-2006, 07:00 AM
What proof of this do you have specifically? Have you done security audits? Have you uninstalled all of your modifications and run with only the default vBulletin code? If not, you cannot say beyond a doubt that there was not something else aside from vBulletin allowing them access.

Heidrich
06-29-2006, 08:07 AM
Heidrich, I was on phpNuke when I was brutally hacked and from the way it is being described, my attack was similar to yours. One thing I took note of was SSH traffic. I had previously been hacked once before, a minor defacing, but I made note of the SSH traffic on that as well. This time it was much larger. It was then I requested my SSH and telnet disabled - in fact, all avenues of access other than ftp and http closed. Knock on wood, I've not had anything happen since. It was this last hacking that I had decided to move to vbulletin - away from phpNuke. Fortunately, since I worked for my ISP, and we were going to migrate to a newer box anyways, I built our next hosting box. The crack had corrupted the old mysql database. Even recreating the site wouldn't fix it. I hope your fix is easier than mine was.

All the hacking with phpNuke made me move to vBulletin as well. I have been hacked 5 times with phpNuke. Every time it was bugs in the script that needed fixing. The last one was so intensive I had to rebuild my site. :confused: So I moved to vBulletin; its reputation and history pulled this one over. ;) But it's harsh to see it happen again...

As the vBadvanced main website is still running, I'll guess that script is more than okay. The only factor remaining is Download and Links manager. Do any users of this hack have any problems?

About SSH, I believe my host doesn't allow telnet or SSH connections to the database. I'll check. I have gone through the corrupt backup and found in the admin logs that they changed my templates on my board.

If I understand correctly there are no backup programs (software) for MySQL available?

Thanks for the help so far all!!

Zachery
06-29-2006, 09:46 AM
Oh goodness no, there are tons; via SSH is the best way, with the mysqldump utility. vBulletin also provides a backup feature via the admincp, but it's not 100% reliable due to PHP/webserver restrictions. Make a dump and check the last few lines; vBulletin will tell you if it had completed.
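
The completion check described above, as an added example that is not from the thread or from vBulletin: mysqldump ends a good dump with a "-- Dump completed on" comment line, so a backup script can refuse to keep a truncated file instead of discovering the problem at restore time. The mysqldump flags and the ~/.my.cnf credential file are standard; run_backup and the file naming are assumptions of this example.

```python
import subprocess
from pathlib import Path

# mysqldump ends a successful dump with this comment line; a dump cut off by a
# PHP time limit, a full disk or a dropped SSH session simply stops mid-statement.
DUMP_TRAILER = "-- Dump completed on"


def dump_text_is_complete(text):
    """True if the last non-empty line of a dump is mysqldump's completion trailer."""
    lines = [line for line in text.splitlines() if line.strip()]
    return bool(lines) and lines[-1].startswith(DUMP_TRAILER)


def dump_file_is_complete(path):
    """Check a dump on disk by reading only its tail (the trailer is in the last few hundred bytes)."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        fh.seek(max(0, fh.tell() - 4096))
        return dump_text_is_complete(fh.read().decode("utf-8", errors="replace"))


def run_backup(db, user, out_path, host="localhost"):
    """Dump `db` with mysqldump and keep the file only if it is complete (assumed helper).

    Credentials are read from ~/.my.cnf so the password never appears on the
    command line or in `ps` output. Raises RuntimeError on a failed or truncated dump.
    """
    cmd = ["mysqldump", "--single-transaction", "--host", host, "--user", user, db]
    with open(out_path, "w", encoding="utf-8") as fh:
        result = subprocess.run(cmd, stdout=fh, stderr=subprocess.PIPE, text=True)
    if result.returncode != 0 or not dump_file_is_complete(out_path):
        # keep the bad file for inspection, but under a name the restore procedure will not pick up
        Path(out_path).rename(f"{out_path}.truncated")
        raise RuntimeError(f"backup of {db} failed: {result.stderr.strip() or 'dump truncated'}")
    return out_path
```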

Heidrich
06-29-2006, 11:54 AM
Oh goodness no, there are tons; via SSH is the best way, with the mysqldump utility. vBulletin also provides a backup feature via the admincp, but it's not 100% reliable due to PHP/webserver restrictions. Make a dump and check the last few lines; vBulletin will tell you if it had completed.


Can you please point me to a good tutorial for SSH, as I'm new to it. :)

-> edit: just saw Marco's post. Will check those out thanks.

Shazz
06-29-2006, 04:08 PM
I've had the same problem..
That's why I'm the only admin :)

Guest210212002
06-29-2006, 04:12 PM
I've had the same problem..
That's why I'm the only admin :)

I've never had the problem, but I do have a howto written up that relates to this thread:

https://vborg.vbsupport.ru/showthread.php?p=877421

Heidrich
07-01-2006, 10:40 PM
My website is on a Windows server and .htaccess won't work. :confused: Is there anything else like .htaccess, but for a Windows server?

Oh, I don't know if it's allowed to post, but I'll take my chances:

The IP of the guy that "hacked" me:

88.240.173.99

Here is what he did:

INSERT INTO `adminlog` VALUES (2419,1,1151358777,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2420,1,1151358800,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2421,1,1151358862,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2422,1,1151358886,'template.php','edit','style id = 0','88.240.173.99');
INSERT INTO `adminlog` VALUES (2423,1,1151358898,'template.php','updatetemplate','style id = 2','88.240.173.99');
INSERT INTO `adminlog` VALUES (2424,1,1151358948,'template.php','edit','style id = 0','88.240.173.99');
INSERT INTO `adminlog` VALUES (2425,1,1151358959,'template.php','updatetemplate','style id = 2','88.240.173.99');
INSERT INTO `adminlog` VALUES (2426,1,1151358991,'options.php','','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2427,1,1151358991,'options.php','','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2428,1,1151359008,'backup.php','choose','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2429,1,1151359035,'attachment.php','intro','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2430,1,1151359080,'usergroup.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2431,1,1151359168,'admincalendar.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2432,1,1151359171,'announcement.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2433,1,1151359177,'language.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2434,1,1151359225,'options.php','searchtype','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2435,1,1151359370,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2436,1,1151359371,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2437,1,1151359374,'template.php','search','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2438,1,1151359378,'replacement.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2439,1,1151359380,'template.php','files','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2440,1,1151359390,'language.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2441,1,1151359395,'language.php','files','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2442,1,1151359519,'options.php','','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2443,1,1151359526,'options.php','options','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2444,1,1151359537,'options.php','dooptions','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2445,1,1151359541,'options.php','options','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2446,1,1151359550,'language.php','files','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2447,1,1151359710,'template.php','modify','','88.240.173.99');

He even took a copy of my database...:mad: :mad: :mad:
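
A small triage script for an adminlog dump like the one above, added here as an example and not part of the thread: it parses the adminlog INSERT rows, converts the dateline column to UTC, and summarises sensitive admin actions per source address so the time window of the intrusion and the hit on backup.php (the database copy) stand out. The column order (adminlogid, userid, dateline, script, action, extrainfo, ipaddress) is assumed from the rows shown; the sample rows, the SENSITIVE list and the 192.0.2.10 trusted address are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the adminlog rows posted above; the column order
# (adminlogid, userid, dateline, script, action, extrainfo, ipaddress) is assumed from them.
SAMPLE_DUMP = """
INSERT INTO `adminlog` VALUES (2419,1,1151358777,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2422,1,1151358886,'template.php','edit','style id = 0','88.240.173.99');
INSERT INTO `adminlog` VALUES (2428,1,1151359008,'backup.php','choose','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2430,1,1151359080,'usergroup.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2450,1,1151400000,'options.php','options','','192.0.2.10');
"""

ROW = re.compile(r"INSERT INTO `adminlog` VALUES \((\d+),(\d+),(\d+),'([^']*)','([^']*)','([^']*)','([^']*)'\);")

# Admin scripts that change who has power or let data leave the site (constructed list)
SENSITIVE = {"backup.php", "usergroup.php", "user.php", "template.php", "options.php"}


def parse_adminlog(dump):
    """Turn adminlog INSERT rows into dicts, with the unix dateline as a UTC datetime."""
    rows = []
    for m in ROW.finditer(dump):
        logid, userid, dateline, script, action, extra, ip = m.groups()
        rows.append({"id": int(logid), "userid": int(userid), "script": script, "action": action,
                     "extra": extra, "ip": ip,
                     "when": datetime.fromtimestamp(int(dateline), tz=timezone.utc)})
    return rows


def triage(rows, trusted_ips):
    """Group sensitive admin actions from addresses outside trusted_ips.

    Returns {ip: {"count", "first", "last", "scripts"}}: how long the address held admin
    access and which scripts it touched (backup.php means a copy of the database).
    """
    report = {}
    for r in rows:
        if r["ip"] in trusted_ips or r["script"] not in SENSITIVE:
            continue
        e = report.setdefault(r["ip"], {"count": 0, "first": r["when"], "last": r["when"], "scripts": set()})
        e["count"] += 1
        e["first"] = min(e["first"], r["when"])
        e["last"] = max(e["last"], r["when"])
        e["scripts"].add(r["script"])
    return report


if __name__ == "__main__":
    for ip, e in triage(parse_adminlog(SAMPLE_DUMP), trusted_ips={"192.0.2.10"}).items():
        print(f"{ip}: {e['count']} sensitive actions, {e['first']} to {e['last']}, scripts {sorted(e['scripts'])}")
```

Run against a full dump, the same report also shows the userid column staying at 1, which is how the thread's poster knew the admin account itself had been taken over rather than a second admin created.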

davidw
07-01-2006, 11:20 PM
I'm going to run that IP by a friend of mine who was hacked 2-3 weeks ago. It looks familiar.

Revpolar
07-02-2006, 03:48 AM
As the vBadvanced main website is still running, I'll guess that script is more than okay. The only factor remaining is Download and Links manager. Do any users of this hack have any problems?

I run my site as a private one and tried the links and downloads hack and had security problems with it, so I removed it. The first thing I noticed was that the downloads page was ignoring vBulletin login and security. The second thing was that every item on my downloads page showed up in search engines, and bots and spiders flocked to it like a super magnet. I don't know why that hack did that, but I got rid of it real quick.

Heidrich
07-02-2006, 06:34 AM
I run my site as a private one and tried the links and downloads hack and had security problems with it, so I removed it. The first thing I noticed was that the downloads page was ignoring vBulletin login and security. The second thing was that every item on my downloads page showed up in search engines, and bots and spiders flocked to it like a super magnet. I don't know why that hack did that, but I got rid of it real quick.

Okay, you got me scared... ;) I'm removing it now. I'll wait and see. What is best for downloads? Doesn't need to be all that. Just need to offer a few links for my members.

Maybe an idea for vBulletin.org to separate all downloads in two: secure and issues? Because time goes by and, looking at all the mods in here, you don't really know what you can use and what you can't.

Zachery
07-03-2006, 02:33 AM
If we get a security report about a mod, we take action to correct it and notify anyone who's clicked install.

davidw
07-03-2006, 10:23 AM
Here are the IP addresses {of the attackers} which targeted my friend's website.

88.226.184.31
88.226.76.220

richiepearce
07-04-2006, 11:19 AM
I had this happen to my forum and they used flashchat as a way to upload files.

If you are using flashchat, I suggest upgrading to their latest version or removing it completely. Or host it on a separate hosting plan away from your main forum/site.