View Full Version : Been Hacked.. :(


soundboy
09-22-2008, 06:19 AM
Well.. I was hacked today.

They used SnIpEr_SA Shell and I think I've fixed it! They changed the index.php file to redirect to their site and somehow got my info via this script.

I've changed my password to my..
FTP
Web Panel
Forum Account
and I've changed my admincp folder's name..

Also I've banned the hackers' IPs via vBulletin.

Anything else I can do?
Thanks,

royo
09-22-2008, 06:47 AM
You would need to figure out how they did it, since you probably have a vulnerable script somewhere which can be SQL injected.

soundboy
09-22-2008, 07:05 AM
From the looks of it, it just seems they "knew" my password. And it was a really strong one with CAPITALS and *^%'s. I don't have any scripts on my server... except for vBulletin and vBportal and the vBulletin mods which have no vulnerabilities. :(

dtv100
09-22-2008, 11:52 AM
If you are on a dedicated server, try to get it hardened.
Change all passwords:
vBulletin login, SQL, FTP, server login.
On admincp index.php
add a .htaccess

something like


// Paste at the top of admincp/index.php. Set $index['public'] to true to switch the prompt off.
$index['public'] = false;
$phpkd['username'] = "dtv100"; // Here Is the User Name
$phpkd['password'] = "mypassword"; // Here Is The htaccess Password

if (!$index['public']) {
    // Missing auth headers or a mismatch on either field sends the browser back to the login prompt
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
        || $_SERVER['PHP_AUTH_USER'] !== $phpkd['username']
        || $_SERVER['PHP_AUTH_PW'] !== $phpkd['password']) {
        header('WWW-Authenticate: Basic realm="Highly Secured"');
        header('HTTP/1.0 401 Unauthorized');
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>"
           . "<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">"
           . "<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a>"
           . "</center></body></html>";
        exit;
    }
}

SEOvB
09-22-2008, 12:43 PM
From the looks of it, it just seems they "knew" my password. And it was a really strong one with CAPITALS and *^%'s. I don't have any scripts on my server... except for vBulletin and vBportal and the vBulletin mods which have no vulnerabilities. :(

Then if you were using a password like that, it would have taken them forever to guess it. You've still got a serious security hole somewhere along the lines or it'll just keep occurring.

fum1n
09-23-2008, 07:47 AM
Maybe they have your computer rooted, your server rooted, or you used a vulnerable script.
Update your vBulletin and uninstall any unneeded mods/scripts etc.
Try and keep stuff minimalistic, the less stuff you have the less to go wrong.

vBsquad
09-23-2008, 08:13 AM
They probably exploited a folder permission or uploading feature in vBulletin to add the shell script.

ercollins
09-23-2008, 12:28 PM
I was hacked 27 times last month, spread across 4 domains. Took out all my forums.

2 forums were phpBB3 with no mods, one was SMF, and 1 modded phpBB3.

I then moved all my forums to vBulletin and was hacked yet again on every single account.

(you want to talk about frustrated?)

Finally I said enough is enough. I block all FTP access and shell access except from my IP.

(found out from the access logs they were using brute force to hack my forums and not even going through SQL injection methods)

If you want to protect your server, lock it down. Install a firewall, put timeouts in place for anyone trying to access anything pw protected.

Bilderback
09-23-2008, 04:21 PM
There may be a shell on the shared server allowing them access to all accounts.
We had to move from Bluehost because they didn't address the issue and all their hosting
customers were getting hacked.
http://thebestforumever.com/41248-post1.html

SEOvB
09-23-2008, 04:59 PM
I was hacked 27 times last month, spread across 4 domains. Took out all my forums.

2 forums were phpBB3 with no mods, one was SMF, and 1 modded phpBB3.

I then moved all my forums to vBulletin and was hacked yet again on every single account.

(you want to talk about frustrated?)

Finally I said enough is enough. I block all FTP access and shell access except from my IP.

(found out from the access logs they were using brute force to hack my forums and not even going through SQL injection methods)

If you want to protect your server, lock it down. Install a firewall, put timeouts in place for anyone trying to access anything pw protected.

You didn't have brute force detection installed at least? :confused:

ercollins
09-23-2008, 05:02 PM
Mine is a dedicated server and no, I had no security setup. I learned the hard way.... but now I know and I am locked up tighter than Hillary Clinton's underoos.......

space?
09-23-2008, 05:13 PM
Another possibility: you used this password on another forum/service, which got hacked, so they got your password. Don't laugh, this is happening!

Mine is a dedicated server and no, I had no security setup. I learned the hard way.... but now I know and I am locked up tighter than Hillary Clinton's underoos.......
Goal for you. You learned something, and that's the most important thing in the world.

bw,
Stefan

Angel-Wings
09-30-2008, 02:44 PM
I was hacked 27 times last month, spread across 4 domains. Took out all my forums.

2 forums were phpBB3 with no mods, one was SMF, and 1 modded phpBB3.


And you checked all files for hidden backdoors?

If you want to protect your server, lock it down. Install a firewall, put timeouts in place for anyone trying to access anything pw protected.

Just that a firewall can't protect you from brute force attacks unless you block HTTP - blocking ports which aren't used is a little bit useless.
Other tools like fail2ban that scan logs for possible brute force attacks and block IPs can do a lot of damage - log file injection as an example, so you've got a nice self-DoS. Also, in a world of botnets where private computers are abused, blocking IPs usually hits the wrong people - the real attacker simply uses the next computer, another IP, and continues.

Generally - check all files on your server and compare them with the original ones from trusted sources. Both the PHP files and the OS files.

Then changing passwords may be useful - all this just in case some hidden backdoor has been installed.
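The access-log check ercollins describes, written with the caveat Angel-Wings raises in mind: a log scanner only blocks the right address if its parser cannot be fooled by text the attacker controls. This is an added example, not code from any poster. The parser is anchored on the client-address field of Apache's combined log format and validates that field as a real address before counting, so a User-Agent that contains a fake log record is still attributed to the connection that sent it. The log lines are constructed with documentation addresses; the login path, threshold and window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format. The pattern is anchored at both ends and the client
# address is the first token, so text an attacker places in the request line or
# User-Agent (Apache escapes quotes there as \") can never be read as a second record.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that do not parse cleanly."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # reject anything that is not a real address
    except ValueError:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, m.group("method"), m.group("path")


def is_login_attempt(method, path):
    # Assumption: the board's login form posts to login.php (vBulletin uses login.php?do=login)
    return method == "POST" and path.split("?", 1)[0].endswith("/login.php")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag each source address that makes `threshold` login POSTs inside a sliding window.
    Returns {ip: ISO timestamp at which the threshold was first crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if not is_login_attempt(method, path):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()  # drop attempts that have aged out of the window
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return {str(ip): when for ip, when in flagged.items()}


# Constructed sample log (documentation addresses, not real visitors). Line 8 carries a
# forged record inside its User-Agent; line 11 has a bogus client field.
SAMPLE_LOG = r'''
203.0.113.50 - - [22/Sep/2008:06:00:00 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.50 - - [22/Sep/2008:06:00:10 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.50 - - [22/Sep/2008:06:05:00 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.50 - - [22/Sep/2008:06:05:05 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.50 - - [22/Sep/2008:06:05:10 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2008:06:10:01 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2008:06:10:04 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Sep/2008:06:10:05 +0000] "GET /forum/index.php HTTP/1.1" 200 2048 "-" "x\" 203.0.113.9 - - [22/Sep/2008:06:10:06 +0000] \"POST /forum/login.php?do=login HTTP/1.1\" 200 512 \"-\" \"y"
198.51.100.7 - - [22/Sep/2008:06:10:08 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2008:06:10:12 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
not-an-ip - - [22/Sep/2008:06:10:13 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.7 - - [22/Sep/2008:06:10:15 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Sep/2008:06:10:20 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Sep/2008:06:10:40 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LINES))  # only 198.51.100.7 crosses 5 attempts in 60 s
```

Only 198.51.100.7 is flagged: 203.0.113.50 makes five attempts, but spread over more than a minute, so the window never fills; 203.0.113.9 never appears as a source at all because the forged record lives inside a User-Agent string; and the line with a non-address client field is dropped rather than guessed at. Whatever you feed the result into (a firewall rule, a temporary lockout), keep the block short-lived for the reason Angel-Wings gives: a botnet just moves to the next address, and a permanent ban mostly punishes whoever gets that address next.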

joethaman
10-01-2008, 12:53 AM
Yah, I had the same problem with someone attacking my forum with the sniper_sa. Here is the post I had made with the same. I'm assuming they were using the script to grab either my admin login/pw or database login/pw. I also have a list of files that I found.

https://vborg.vbsupport.ru/showthread.php?t=192151

Dismounted
10-01-2008, 05:19 AM
Unless they can crack your password (which would take years), they don't know it. If they could upload files directly, though, they could just create a new user as admin, or log themselves in as you if they knew how vBulletin worked well enough.

iogames
10-01-2008, 04:44 PM
Unless they can crack your password (which would take years), they don't know it. If they could upload files directly, though, they could just create a new user as admin, or log themselves in as you if they knew how vBulletin worked well enough.

That's what puzzles me... I got a gooood password and then they enter, they changed, but I used that password in bank accounts and many services [now they are changed]. How is it that they don't block the way to cPanel? Change emails, steal domains, in fact steal everything from you...

Do they really get your password? Or do they just get a way to enter?
Because I just saw the extra files, a cronjob, a new email account, and a few FTP transfers, and I've got thousands' worth of domains and scripts.... :confused:

joethaman
10-01-2008, 05:18 PM
I uploaded the sni.php to another server that I own and played around with it. It allows you to upload, download and edit files on the server. So if they can find config.php they can download it and view its contents (i.e. db login/pw) and then use the sni.php to enter the login/pw to access the db. It also allows you to use sendmail, FTP (if login/pw known) and some other stuff.. it can be very damaging in the wrong hands.
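Angel-Wings' advice to compare every file against trusted originals is the check that catches exactly what joethaman describes here: files edited, files added, files removed by someone with a shell. As an added example (not code from any poster), the script below hashes a directory tree with SHA-256, diffs it against a manifest of trusted digests, and reports the three kinds of difference. The demo builds a constructed tree in a temporary directory; in practice the manifest is taken from a pristine copy of the same release, and the comparison should be run from a machine you trust, since on a rooted host the hashing tool and the operating system underneath it may themselves have been replaced.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare_tree(root, manifest):
    """Diff the live tree against a manifest of trusted digests.
    'unexpected' is where dropped scripts show up; 'modified' is where an edited index.php does."""
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: record a manifest of a clean install, then simulate an intruder
    editing index.php, dropping a script under images/, and deleting a file."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "index.php": b"<?php echo 'forum'; ?>\n",
            "includes/config.php": b"<?php /* constructed config */ ?>\n",
            "admincp/index.php": b"<?php /* constructed admin page */ ?>\n",
        }
        for rel, data in clean.items():
            _write(root, rel, data)
        manifest = hash_tree(root)  # in practice: digests of a pristine copy of the same release
        _write(root, "index.php", clean["index.php"] + b"<?php /* constructed tampering */ ?>\n")
        _write(root, "images/sni.php", b"<?php /* constructed stand-in for a dropped shell */ ?>\n")
        os.remove(os.path.join(root, "admincp/index.php"))
        return compare_tree(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored off the server (or at least signed) and refreshed every time you apply an update; otherwise the first thing a careful intruder edits is the manifest. Files the board legitimately writes at runtime, such as attachment and cache directories, belong in a separate list that is checked for executable extensions rather than for exact digests.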

iogames
10-01-2008, 05:30 PM
Now tell me the good news! :mad:
How can we avoid that?

How many files of this kind are there?

Dismounted
10-02-2008, 04:55 AM
Do they really get your password? Or do they just get a way to enter?
They can just initiate a login process - they don't know your password, but they are logged in as you. Similar to the "Admin Log In As User" modification.
How can we avoid that?

How many files of this kind are there?
How can you avoid it? Don't let anyone be able to upload files directly. (Attachments are OK, they are correctly stored by vBulletin.)
How many of these files are there? There are probably thousands of shells available to freely download.
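Dismounted's distinction between "uploading files directly" and attachments that are "correctly stored" comes down to what an upload handler does with the client's file name and bytes. As an added example that is not from the thread, here is the naive handler beside a hardened one: the naive version writes whatever it is given, under the name it is given, inside the web root, so a file named sni.php becomes a script the server will run; the hardened version treats the client name only as a claim, checks the bytes carry a matching image signature, stores the result under a random name with a canonical extension, and keeps it outside the web root. The image allowlist, the directory layout and the size limit are assumptions.

```python
import os
import secrets
import tempfile

# Constructed allowlist: the file types a gallery is meant to accept, with their leading bytes
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def save_upload_naive(client_name, data, webroot):
    """Vulnerable pattern: trusts the client-supplied name and writes inside the web root,
    so a name like sni.php becomes a script the server will execute on the next request."""
    dest = os.path.join(webroot, client_name)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def detect_image_type(data):
    """Return the allowlisted type whose signature the content carries, or None."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def save_upload_safe(client_name, data, storage_dir, max_bytes=5_000_000):
    """Hardened pattern: the client name only supplies the claimed extension, the bytes must
    carry a matching image signature, and the file is stored under a random name with a
    canonical extension in a directory outside the web root (served back through a script)."""
    if len(data) > max_bytes:
        raise ValueError("file too large")
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in SIGNATURES:
        raise ValueError(f"extension not allowed: {ext!r}")
    actual = detect_image_type(data)
    if actual != ext:
        raise ValueError(f"content is not a {ext}: {actual}")
    stored = f"{secrets.token_hex(16)}.{ext}"  # never reuse client_name, not even as a base
    with open(os.path.join(storage_dir, stored), "xb") as f:  # 'x': never overwrite
        f.write(data)
    return stored


def demo():
    """Constructed scenario: a fake shell and a real PNG header sent to both handlers."""
    fake_shell = b"<?php /* constructed stand-in for a shell */ ?>\n"
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    cases = [
        ("shell_php", "sni.php", fake_shell),            # wrong extension
        ("shell_renamed_png", "photo.png", fake_shell),  # right extension, wrong bytes
        ("png_double_ext", "photo.php.png", real_png),   # real image, hostile name
        ("png_ok", "photo.png", real_png),
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "public")
        storage = os.path.join(tmp, "attachments")
        os.mkdir(webroot)
        os.mkdir(storage)
        # The naive handler leaves a PHP file sitting in the web root
        results["naive_shell_in_webroot"] = os.path.isfile(
            save_upload_naive("sni.php", fake_shell, webroot))
        for label, name, data in cases:
            try:
                results[label] = ("stored", save_upload_safe(name, data, storage))
            except ValueError as exc:
                results[label] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The double-extension case matters on Apache: with multiple extensions enabled, photo.php.png can be handed to the PHP handler even though it ends in .png, which is why the hardened version discards the client's name entirely rather than sanitising it. Storing outside the web root and serving through a script (which sets Content-Type and never executes the file) closes the same hole from the other side.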

joethaman
10-02-2008, 08:22 PM
I did some more searching over the last couple days and there were some issues, exploits, vulnerabilities or whatever, where files (other than images) can be uploaded using vbpicgallery, PhotoPost classifieds, PhotoPost vBGallery, and vBadvanced CMPS. All of them seem to have been resolved except for vBadvanced CMPS, or at least not that I could find. It's kind of my fault that I haven't been keeping up with the updates, but I haven't been receiving any notifications that any new updates have been released.

What I've been doing over the last few days is using Woopra to track all of the visitors whose languages are Arabic, and banning those IPs. So far, using those IPs and searching the logs, they've been attempting to access the directories where the old sniper_sa scripts were and have also helped me locate where other scripts have been placed within my site. After a few days of watching, I've done an IP ban on the internet provider that this guy has been using, which is also a very common IP range used by hackers and spammers.. 213.0.0.0/8. This pretty much blocks all IPs from 213.0.0.0 to 213.255.255.255. If you do a reverse IP lookup on the spammer/hacker you can sometimes view the ISP's info and it will tell you the IPs that they cover; in this case, the start IP was 213.0.0.0 to 213.255.255.255.

If you're not familiar with how to block IPs, here is how you do it. If you search for .htaccess and deny IP you can find some documentation on it.

# Keep the custom 403 page reachable, so denied visitors see it instead of a second error
<Files 403.shtml>
order allow,deny
allow from all
</Files>

# Single addresses, plus a whole /8 block written in CIDR notation
deny from 212.14.224.2
deny from 84.41.118.98
deny from 213.0.0.0/8
deny from 193.0.19.25

Dismounted
10-03-2008, 01:36 AM
I love CIDR notation, saves a lot of IP typing :p.

But yes, many uploading scripts (i.e. galleries, download managers, etc.) have vulnerabilities which allow attackers to upload arbitrary files whole and unchanged.

cosy
10-26-2008, 01:05 PM
OP, you are in a chain of trust:
users trust you, you trust vBulletin, the ISP, the host etc., but you never know where a security hole is.