My forum has been constantly turning on and off..... so now i receive this email

Alright f**ker..

Here's the deal. You don't want your site going down anymore? You're going to have to do 1 thing.

Give me access to your cPanel for the day. And tomorrow I'll remove my account that has all admin rights. Deal?

How I've been doing it.. hehe.. well, I have a hidden account on your database that has all admin rights. All I want to do is get in your cPanel to copy your database and I'll be on my way.

The way this works is.. you have a lot of users. You'll never find me in the 200,000something users you have. So.. therefore, you need me to give you the account I have so you can delete it. NOW.. replacing your database will not work. For I have a program on my desktop that gives me admin access to any vbulletin forum I want. You want your site safe? Well.. give me your cPanel and we'll call it even. You can change your cPanel password tomorrow.


He keeps turning it on and off how can i put an end to this!!

Contact your host! Why are you not contacting your host with this information?

This is a registered user inside the database my host has Nothing to do with this.... NVM i guess i asked the wrong Big forum section.

If you can get into your admin cp then check the recent the admin log and note down all the IPs that have logged in as admin... check out who have registered with those ips and if you find any suspicious username with admin powers... BAN it right now... !! best of luck...

There is no way he has a program on his desktop that will give Admin rights to any vb site. You think you have problems now, wait until you see what happens if you do give him your CPanel login.

Lynne is right, contact your host. They can help track this down. If it's a user, just look for anyone with admin permissions either as a main group or a second usergroup.

If all he is doing is turning the board off and on, then he doesn't have that much power yet or he would be flexing muscle. Looks like he's running a script somewhere.

Do you have phpMyAdmin? Do you have it htaccess protected? Do you have your Admin CP and Mod CP htaccess protected?

i have phpmyadmin ive been going through it but going through a list of 200000 members is a drag... And no i dont have any of those htaccess protected so ill get on it.

He is either doing this by straight access to the database through phpMyAdmin, in which case looking at the access_logs will help you find exactly who is accessing that directory - use search in your text editor. Or he is going through your Admin Panel and must have admin access so you should look at your Administrator usergroup. And, as I said, you need to protect at least all three of those directories.

Damn nvm pass protecting the admin cp and mod cp directories didnt work either.... so now whats next.

He is either doing this by straight access to the database through phpMyAdmin, in which case looking at the access_logs will help you find exactly who is accessing that directory - use search in your text editor. Or he is going through your Admin Panel and must have admin access so you should look at your Administrator usergroup. And, as I said, you need to protect at least all three of those directories.

If this guy was in the DB he wouldn't need CPanel access as the DB is all he wants. If he had Admin CP access, he would lock everyone out until he gets what he wants. The clown is running a script somewhere that is toggling the site off and on. If this guy had any real access at all he would be showing what he could do. He wants the DB to get whatever settings he can so he can do some more scripts. If all he has done so far is toggle the site off and off then that is where he needs to be stopped. And no matter what he does, do NOT give him anything.

DO NOT, NO MATTER WHAT GIVE HIM ANY ACCESS.
Check all your admin logs, and you should find the culprit.

No way im giving him access. that would be murder... im looking through logs but i cant see anything. its driving me nutz sneaky little bastard.

--------------- Added 1204054037 at 1204054037 ---------------

Well now im just going to put up a fresh copy of vb just delete all files except the database then upload new files.

If this guy was in the DB he wouldn't need CPanel access as the DB is all he wants. If he had Admin CP access, he would lock everyone out until he gets what he wants. The clown is running a script somewhere that is toggling the site off and on. If this guy had any real access at all he would be showing what he could do. He wants the DB to get whatever settings he can so he can do some more scripts. If all he has done so far is toggle the site off and off then that is where he needs to be stopped. And no matter what he does, do NOT give him anything.
You are so right! I wasn't thinking clearly about the overall picture of what was going on. I think if this were my site, I'd close it down and delete all my files and put the site back up with a backup from a few days ago.

Yea im deleting all the files and just puting up new ones but im going to be keeping my current database. as he didnt get in the database....

You are so right! I wasn't thinking clearly about the overall picture of what was going on. I think if this were my site, I'd close it down and delete all my files and put the site back up with a backup from a few days ago.

He's just running "kiddie scripts" is all. I know if I was a kid with the kiddie script mind-set what I would do if I had access to someone's db. He wouldn't be asking for something he already has access to. Your suggestion is the best way to go at this point. ;)

What a team! ;)

so basically there is no way to protect yourself against this type of thing - so the culprit wins once again if he has to change his files etc.
Surely there must be some protection from this sort of stuff out there.
Remember this affects all of us in the long run not just fordsho

Well i just finished upping the new files and well everything seems good for now... i lost my design and some other stuff but ill up those later on. but these guys are serious man i have a fairly decent number of members and what not and this guy just decides to take it from me..... i allready had someone steal my database when it was at 180k... that sucked big time.

Chances are the kid found some vulnerability in a hack somewhere. It might even be one he helped to write and set up for this. This is an isolated case and we don't know all of the details.

well heres the thing. the person doing this was probably one of my old staff who decided to steal the forum for his self and failed miserably...

Well, he didn't get what he was after. And apparently he doesn't have that much access or he would have done more damage. You are lucky this time. If he might have had any other details, now would be a good time to reset all passwords, FTP, ADMIN and MOD CPs. etc.

If he was just opening and closing the forum (e.g. from the adminCP), you can just demote all mods / admins except for yourself to a normal user, double check the rights of all the member groups, and check to make sure you're the only super admin (if you are one at all).

I'm sure he didn't had access to the admincp either, because he could run custom queries from there to get the user list.

It seems to me he got a way to upload a php file, and by adding an include('includes/config.php') he ran a script that turned the forum down. Now, If he knew what he was doing, he would have included a query in the uploaded file itself to strip the user list. Again, it's just a script kiddie.

Just think for yourself: If you where a hacker and had software to gain access to any vBulletin board, why would i target your site, i would go for the sites that get most attention: vb.com & vb.org.

Now how come we are never target to such successfull attacks if it was possible to hack "any vBulletin board".

I would seriously reconsider your password and security policy's for staff.

One little question, is your whole webspace down or only your vb board?

If its the whole site (server not reachable anymore), then your provider should update the linux software with a better kernel.
I know this kinds of scripts getting your webspace down.

His Reply.

What is their URL? And for you being a little smart** bi*ch, I'll work on cracking your cPanel anyways. I have a friend that does all sorts of shit like that and it would be nothing to f**k you up. You sound like an amateur. "you lick sswarez's A**hole while your hold it's balls"? Let me guess, you're 15? You think replacing your vBulletin will fix your problem? It didn't. I'm staring at your ftp right now. You have your shit set up all sloppy. Not too professional ;) By the way, you can delete that chat directory. It doesn't seem to be working right, since your fag*ot a** doesn't know how to set it up.. lmao. Amateur? Yes indeed. Your site is perfect for XSS. That means Cross Site Scripting. Oh yeah. You're f**ed now.. LMFAO.

Now seriously. What's your f**king cPanel password? If I have to crack it myself, it's only going to piss me off and I'll delete EVERYTHING. F**ktard.

:mad:

This guy is pissing me off... im going to have all my passes rest and then go from there.

Resetting the passwords should have been one of the first things you did.

He's bluffing. Ignore him and do not respond to him. The chat remark gives him away. Most sites that have a chat on them have a chat directory. Also, if he had your FTP, you would be seeing some phantom pages by now. He's bluffing to try and get you to give in. And with language like he is using, I'm guessing he isn't 15 yet. Look there first at any staff you have had in the past.

His Reply.



:mad:

This guy is pissing me off... im going to have all my passes rest and then go from there.

All I can say is: he's working more your mind than your board... RELAX! and learn ;) everybody is trying to help you here...

As Iogames stated, he's playing mind games.
Don't give in, put on your poker face ;)
Also, my pass is 40 chars long consisting of letters numbers and an alot code.
Maybe you should do the same,so you don't have to worry about some little cracking attempts.

Btw, if he does have your database already, all he has to do is crack your hash and he has your forum password. So your best off to change it.

how is he getting in touch with u - if its by way of emails then he is leaving a trace etc - act upon it

Yea he is getting in touch with me via a email from hotmail, and yea he is really screwing with my mind. i never really had to deal with hacking or guys like this because i generally do honest work. but i had this guy work with me and he had picked a couple of mods and these mods are the ones that want the site. They decided that they should have the forums and not me so thats the reason they are barking up my tree. i changed my forum pass like 2-3 this month and im going to be changing everything else as well.

serious why get worked up over it - kk it more than annoying and is taking up time u dont have but besides that look on it as more of a hindrance than anything else.
Like everyone else said - why would they need cpanel etc if they hacked your site - so you are fairly safe.ALso get in touch with your host and let them know what is happening and see if they can offer any help.Log all chats etc and keep any emails you recieve.

I suggest you ask your host provider to ask hotmail for some help. Attacking a website is against the law and your host provider can press charges.

You've got a rogue staff member from the past is what it looks like to me. Someone who knows a few things but not enough to convince me he's dangerous at all. You have to be more careful in who you give the power to. It's not as easy to take away as it is to give it.

Ignore the emails and report them. The more you answer him the more he knows he's got you. That is a big part of it, knowing he has your mind.

If he was staring at your FTP, he could grab the database. It is BS..

If he was staring at your FTP, he could grab the database. It is BS..

Correct me if im wrong but database is not stored on the ftp - so how can he grab the database from the ftp unless it was stored there for back up purposes.

If you can get into your admin cp then check the recent the admin log and note down all the IPs that have logged in as admin... check out who have registered with those ips and if you find any suspicious username with admin powers... BAN it right now... !! best of luck...
better yet, put the entire block in iptables if you're on your own box.

if you're on shared hosting, change your database username and password as well. there's the possibility that he has an account on the same shared box and can easily manipulate your db with the proper credentials, regardless of which user root he's running a kiddie script from.

and the guy doesn't sound too smart either... if he can access your database to switch the on/off flag, then he can certainly dump the database into your webroot and simply download it.

Just like someone said at the beginning of the thread, you should contact your host about this. They do this for a living and if they are half decent they will have a standard procedure to deal with these kinds of actions to fill the holes, to track him down and report his information to the proper authorities.

In other words, you got friends, use them!

Correct me if im wrong but database is not stored on the ftp - so how can he grab the database from the ftp unless it was stored there for back up purposes.

Well, first of all, he could see your includes/config.php file and download that, get your db info, upload a script to access it, and dump/download the db..

--------------- Added 1204141158 at 1204141158 ---------------

It should also be noted that it would be to his benefit for you to NOT know he took the database. He is just trying to con you into giving it to him because he has no other way to get the data..

Thank you guys for all the help my Host has been notified since sunday and i believe they took the necessary precautions. I'm just glad my site is safe but stuff like this can really get you shook up.

Thank you guys for all the help my Host has been notified since sunday and i believe they took the necessary precautions. I'm just glad my site is safe but stuff like this can really get you shook up.

Only if you let it shake you up. Getting upset or shaken up doesn't fix the problem. Calm heads ALWAYS prevail. ;)

One thing we learned... We need a 'Board Security' Section...

and P.S. This thread has more profanity that a day with my GrandMa :D

LOL at Grandma. Been there, heard that.

Do you ever stop to think that maybe Fordsho was the real 'hacker' that was trying to learn from us?!?!?! :eek:

:D Just kidding!

p.s. but I never saw the site :P

Well, I know it wasn't me or iogames. That would be giving us both way too much credit for being smart enough to pull anything off even remotely similar.

Heres the way to find him: Goto usergroup manager, then look at all the groups the users, additional users too. If its one too many just delete the user. Or download a copy of your database, and search for (if you have your usertitle for admin "administrator" search that in the database, youll sooner or later find him.)

Worked for me when my boards were getting punked by scripties.

send me his hotmail e-mail address to cyrusphantasm@gmail.com . I hate these type of internet punks and I take GREAT DELIGHT in taking these f**ks out!!!

I will track down everything about him (because I have legal access to MSN), and forward you his IP, real name, location, phone number and anything else tied to his system.

Then you can take legal action if he did anything destructive.. But NEVER GIVE UP YOUR VB ACCESS!!! I had this exact same thing happen to me 3 weeks ago on www.indie2industry.com except this person somehow actually gained access and tried nuking my templates, hell, I'm still fixing my board, look @ this page. This is the last one I have to figure out how to fix(since I'm not a coder).

http://www.indie2industry.com/forum/forum.php

But in return, I locked him out of his home computer (from info from his hotmail address), then reported him to my local FBI office, come to find out, he was local to my area AND have child porn and hacking tools on his computer.. NYS has a no tolerence policy against hackers.


SO BASICALLY, if this dude you're dealing with is tourmenting you via "HOTMAIL" then he's a TOTAL IDIOT... HOTMAIL/MSN is totally tracable on all levels.. Let me know if you need any assistance...

I hate destructive hackers :-(

send me his hotmail e-mail address .......

I will track down everything about him (because I have legal access to MSN), and forward you his IP, real name, location, phone number and anything else tied to his system.
.....
But in return, I locked him out of his home computer (from info from his hotmail address), then reported him to my local FBI office, come to find out, he was local to my area AND have child porn and hacking tools on his computer.. NYS has a no tolerence policy against hackers.

Although i do understand your angre and frustration, i doubt what you are suggesting/offering here is legal. Please do not use or discuss illegal actions on vBulletin.org.

Although i do understand your angre and frustration, i doubt what you are suggesting/offering here is legal. Please do not use or discuss illegal actions on vBulletin.org.

gotcha;)

my apologys

indie2industry my msn is :greek-chater@hotmail.com if you want add me because in the future maybe i need your help against hackers ;)

gotcha;)

my apologys

Although Im sure we all agree with you on moral grounds alone, I guess the Boss has an obligation to "Inform you" :)

I've learnt alot from this thread, makes me think about security more to say the least ;)

All The Guys @ Volitian.

By the way. You know what would be cool? Just set up a "Custom PHP script" that will take the guy's IP. Just give the kid the link, and a face user/pass, end when he logins you will also get his IP, and you will also... scare him if you put some FBI page there :D

If you have photopost, photopost classifieds, or reviewpost, there is an exploit that was published a couple months ago. You should have an email from photopost.com telling you how to patch older versions. The exploit can be used to upload .php files to the web server by tricking photopost into thinking the file is legit.

My forum has been constantly turning on and off..... so now i receive this email

Alright f**ker..

Here's the deal. You don't want your site going down anymore? You're going to have to do 1 thing.

Give me access to your cPanel for the day. And tomorrow I'll remove my account that has all admin rights. Deal?

How I've been doing it.. hehe.. well, I have a hidden account on your database that has all admin rights. All I want to do is get in your cPanel to copy your database and I'll be on my way.

The way this works is.. you have a lot of users. You'll never find me in the 200,000something users you have. So.. therefore, you need me to give you the account I have so you can delete it. NOW.. replacing your database will not work. For I have a program on my desktop that gives me admin access to any vbulletin forum I want. You want your site safe? Well.. give me your cPanel and we'll call it even. You can change your cPanel password tomorrow.


He keeps turning it on and off how can i put an end to this!!
Please Do Not Use Bad Word In Here

And Contact Your Host For Help I Am Sure They Will Help You

Hi all,

First of all I'M a total newbie....joined a week back. Below is what I think about this discussion, its just my sweet little brainy thought over it..lol

i just went through the whole discussion, got to learn a lot..
But, I'd like to know something from the masters here !!

The person above "fordsho" describes his problem, he says that he has around 200000 members on his board. But did anyone noticed his Join Date and Post Counts ??

how can he ever have 200000 members in 3 months ??

If in any case, he's true then he must be using a nulled version of vBulletin since years that already contained some malicious program within itself that allowed the hacker to screw the board up OR he himself got lucky enough to get hands on the database of some big board (God knows how).

Please do reply to this and correct me if i'm going wrongg..

Thank You

Sounds like he gained access to an admin account and gave himself admin permissions. All you really have to do is go in and remove his admin rights, make every admin change their passwords and do scans on their computers. It would also be a good idea to change all of the site's passwords for cPanel, etc.

just getting back to this thread... I'm sorry.

I forgot to ask. Do you have any mods & add-ons you didn't get from here? he may have scripted himself access also.

Has he sent you an e-mail??? If so, he's TOAST!!! DON'T USE OUTLOOK!!
Go to www.mail2web.com

Login: yourname@yourdomain.com
password: your password

retrieve his message. In the bottom/left corner of the e-mail(s) it'll show his IP address.
FIRST, log into your server and block it from there.
THEN, go to your vbullletin admin cp, go to Banning Options, and ban the IP from there also. But DON'T BAN HIS E-MAIL!! If he contacts you again, you want to know from where so you can also block that IP.

This may also help.
https://vborg.vbsupport.ru/showthread.php?t=170616&highlight=proxy

--------------- Added 1206062226 at 1206062226 ---------------

By the way. You know what would be cool? Just set up a "Custom PHP script" that will take the guy's IP. Just give the kid the link, and a face user/pass, end when he logins you will also get his IP, and you will also... scare him if you put some FBI page there :D:D:D:D

Hi all,

First of all I'M a total newbie....joined a week back. Below is what I think about this discussion, its just my sweet little brainy thought over it..lol

i just went through the whole discussion, got to learn a lot..
But, I'd like to know something from the masters here !!

The person above "fordsho" describes his problem, he says that he has around 200000 members on his board. But did anyone noticed his Join Date and Post Counts ??

how can he ever have 200000 members in 3 months ??

If in any case, he's true then he must be using a nulled version of vBulletin since years that already contained some malicious program within itself that allowed the hacker to screw the board up OR he himself got lucky enough to get hands on the database of some big board (God knows how).

Please do reply to this and correct me if i'm going wrongg..

Thank You

He couldve had a different type of forum and switched to VB using the impex to transfer his other board.
and if had a nulled the staff would said something when he replied

He couldve had a different type of forum and switched to VB using the impex to transfer his other board.
and if had a nulled the staff would said something when he replied

On top of that. He wouldn't be able to post in the 'Big Board Discussions' since it's only for license uses.

These links may assist U...> http://www.surprisechat.com/boards/viewthread.php?tid=2458

http://www.emailabuse.org/

# Update your operating system with the latest patches.
# Keep your antivirus program up-to-date.
# Install a personal firewall.
# Periodically sweep for Trojan horses running on your PC.
# Use htaccess and allow only auth. ips access to control panel.
# Implement more security tracking software to view logs and vital areas of domain.

Good Luck

Okay few things.

1st, as vb.com would say :)

To troubleshoot this, first reupload all the original vB non-image files (except install.php). Make sure you upload these in ASCII format and overwrite the ones on the server. Also be sure to upload the admincp files to whichever directory you have set in your config.php file. Then run 'Suspect File Versions' in Diagnostics to make sure you have all the original files for your version and that none show 'File does not contain expected contents':

Admin CP -> Maintenance -> Diagnostics -> Suspect File Versions

[Note: In some cases you may also need to remove any of the listed .xml files in the includes/xml directory.]

Next, disable all plugins.

Note: To temporarily disable the plugin system, edit config.php and add this line right under <?php

define('DISABLE_HOOKS', true);

Then if you still have this problem, create a new style and choose no parent style. This will force it to use the default templates. Finally empty your browser cache, close all browser windows then try again. Make sure you change to the new style and view your forums with it. Do you have the same problem?

--------------------------------------

obviously some of the above will not apply to you, but that is the general first thing you do. Check your plugins and hacks you have done to your board!

--------------------------------------

2nd, you said your database was compromised a few months ago or something. Well that rings alarm bells straight away.
Provide more info on this aspect and it may shed some light.

--------------------------------------

3rd, are you the only admin?

--------------------------------------

4th, are you on shared hosting or a dedicated server?

--------------------------------------

5th, What vbulletin version are you running?

-------------------------------------

6th, what version of php and mysql are you on?

----------------------------------------


Once I know the above info, we can go from there.

two words - mod security - on you web server - http://www.modsecurity.org/

This will help with the script kiddies - and XSS and system injection attacks - if your server or site was compromised it was because the security sucked.

Also I would make sure you have cpanel server locked down - go to the cpanel forums to find out how.

Do you have shell access to the server?

You may want to run rkhunter and see whats up.

If you have been comprimised for a month - well best advice to you is - redo the server - i.e. wipe it clean and reinstall the OS lock it down, install mod security and trip wire - rebuild your forum etc and go from there.

A system that has been hacked for a month is screwed no matter what you do.

If you need more in depth help, I`d offer my help : server & forum. Drop a pm if you want to.

Why is this in the big board forums?

well doh cause its a big board being screwed with