View Full Version : i talked to the hacker.... can someone help


n95gps
10-17-2008, 10:53 PM
hi guys

i took the e-mail of the hacker from the index he put in my site

and i chatted with him via MSN

anyhow

i asked him why did you do it
he said for fun

so i said i need you to help me here

he said the way i hacked your site is like this

your host

host monster

is a weak host

also he said

that he knew my DB by using

class_core.php

he said it gave him everything about the DB

he also told me to do the following

he said use

Zend safeguard to protect your config file

he also told me to change the config file to an image

i know the zend way but how can i change the config to an image

also he mentioned something about giving the forum folder CHMOD 1111

you guys for sure know better than i do

do you think he is telling the truth

i told him that i have a dummy config file and i am using an alternative one with a diff name
he told me he knows about it

i am waiting for your replies

Shazz
10-18-2008, 01:35 AM
How did he hack it? When you were speaking of hosts it seemed like DDoS.
Link to your site?

hantousha
10-18-2008, 02:14 AM
I also use hostmonster, and my site in the past 3 days has been hacked. I determined the hacker was able to access the database without submitting a query via the Forum files. He is still lurking and making fun of my inability to secure the site no matter what I do.

nexialys
10-18-2008, 03:00 AM
actually, the hacker will never help you.. the technique he indicates here is just to help him integrate your site even more...

when you see the murderer of your parents, do you ask him if he can revive your parents ?!

change your host for a more secure one... yeah, you will have to pay for a host... sorry.

Shazz
10-18-2008, 03:58 AM
If you're on free hosting you would wonder why! :eek:

Lizard King
10-18-2008, 04:38 AM
If you really want to protect yourself, move your config.php file to one of the root folders such as /etc/vb so only root can modify it.

Marco van Herwaarden
10-18-2008, 08:28 AM
That would still not prevent anyone with server access (!!!) from reading the config file. The only solution in this case is to have your host increase security or switch hosts.

Netunt
10-18-2008, 08:33 AM
Ok, mods delete the link if it's against the rules, but I've got two vBulletin licenses on hawkhost.com and haven't been hacked yet.

therogueforums
10-18-2008, 09:35 AM
Well, if it's the same asshat that has been hacking my site, it's through SQL injection. I also use HostMonster.

a 1111 setting is... well... no. Just don't do it.

At any rate, any known method to prevent this clown from hitting again? All 3 times, it's been through SQL injection, bypassing all security, as if it didn't even exist. It's not a member, and the access logs seem to indicate the guy is from Israel. Halp?

Marco van Herwaarden
10-18-2008, 09:48 AM
As already mentioned, if the security of your host is below normal, then there is not much you can do.

n95gps
10-18-2008, 09:52 AM
thank you so much guys for replying

well i forget to mention one thing he told me

he said that a friend of his gave him a shell

i am not familiar with shells but he said he was able to get into the hostmonster server and he said he was browsing every single file in it

not only that ...he was browsing all the sites that were hosted by hostmonster on that server

i already spoke to the live help at hostmonster but these guys who are answering questions don't seem to care...but now or later on believe me they will lose paying customers

they told me the security is your problem you have to hire someone to help you

what a good way of doing business!!!!


now i wonder will it be too difficult for vbulletin to get rid of the config file and replace it with something else, a more secure way

all these teenager hackers are attacking DB using whatever info they get inside the config file

i CHMOD my forum to 1111

things seem working fine


i know to some this might not be a big issue but believe me and i hope this day will never come

talking to each other could lead us to figuring out how they work, meaning these hackers, and maybe stop them for the time being


thanx again guys

--------------- Added 1224327409 at 1224327409 ---------------

by the way i have his e-mail

it's a very unique e-mail

a three letters e-mail

LOL

he told me he hacked it from someone

some of you may say that i was risking my pc when i was talking to him but i was using a public pc from an internet cafe and a new MSN account


by the way therogueforums

does your site hacker e-mail start with an E

and his name is mr nj?!

--------------- Added 1224327659 at 1224327659 ---------------

Lizard King

where do you move it exactly

more info is needed please

if that will help in my case

Dismounted
10-18-2008, 10:17 AM
As already mentioned, if the security of your host is below normal, then there is not much you can do.
!!!

therogueforums
10-18-2008, 11:19 AM
Yes. Mr NJ seems to be quite fond of our forums.

Alfa1
10-18-2008, 05:08 PM
Well that proves that Marco and others are correct: you need to switch hosts ASAP.

therogueforums
10-18-2008, 05:21 PM
Yeah, OK. Let me just pull out that fat wad of cash I have put back, just to move hosts :)

I, literally, cannot afford to move hosts right now. In the meantime, I'm just S.O.L.? No way to secure our site?

SALIMUS
10-18-2008, 05:27 PM
someone hosted on the same server allowed him to put a snXXr shell
AND LIKE THAT HE BROWSED all other hosted domains on the same machine.
i think that's the way he hacked you.
btw ur hacker is an amateur.
it's a classic method.
wbr

therogueforums
10-18-2008, 07:07 PM
Thank you. Someone has a theory it might be a shell of some sort. Any way to solve this, other than moving hosts?

n95gps
10-18-2008, 07:14 PM
Thank you. Someone has a theory it might be a shell of some sort. Any way to solve this, other than moving hosts?

like i said before

he told me its a shell that his friend gave him

and using that shell he was able to get into the hostmonster server

and do his evil act



did you talk to the live support??

and what was their response

therogueforums
10-18-2008, 07:20 PM
Yes, I called. They said that the server had not been compromised, and that the security hole was a flaw in vB itself. Heh. vB says it's the server.

Lynne
10-18-2008, 07:46 PM
Did you tell them that the guy had shell access given to him for one site but was then able to get into files on other sites also? That is a security flaw in the server.

nexialys
10-18-2008, 08:36 PM
actually, this whole topic has no place on this site... the ONLY thing you can do is TALK TO YOUR HOST SUPPORT STAFF... isn't it that easy to understand ???

Lizard King
10-19-2008, 06:46 AM
That would still not prevent anyone with server access (!!!) from reading the config file. The only solution in this case is to have your host increase security or switch hosts.

No, it will prevent them from reading it if you correctly chmod and chown the file so nobody except root access can read the file. Example: let's say we move config.php to /etc/vb, the following will prevent anyone except root access from reading the file.
# chown -R apache:root /etc/vb
# chmod 0640 /etc/vb/config.php


I believe Floren had an article about this within article section , yep here it is :
https://vborg.vbsupport.ru/showthread.php?t=148209

Marco van Herwaarden
10-20-2008, 07:14 AM
The webserver process will always need read access to the config file. This will most likely mean you cannot set permissions in such a way that others will not have read access.

Angel-Wings
10-23-2008, 09:57 AM
No, it will prevent them from reading it if you correctly chmod and chown the file so nobody except root access can read the file. Example: let's say we move config.php to /etc/vb, the following will prevent anyone except root access from reading the file.
# chown -R apache:root /etc/vb
# chmod 0640 /etc/vb/config.php


I believe Floren had an article about this within article section , yep here it is :
https://vborg.vbsupport.ru/showthread.php?t=148209

Did you read this manual - especially the part about "chown"?

chown lighttpd config.php

Means nothing else than that the user PHP or the Webserver is running under can read this file. Since this is the case, it's useless to move that file anywhere and then softlink it back in the webroot.
Doing a:

chown root:root config.php

With the 0600 permission would leave the file unreadable to everyone except "root" but this also means you have to run your PHP / Webserver with "root" rights in order that this file can be read by vBulletin or you'll see the "Database Error" page.

Also - when not creating symlinks that point in your webroot you can configure your Webserver in a way to ignore any symlinked files which might give a performance plus.

The way with moving the file, then symlinking it back has no advantage, a simple "cat config.php" will still work.

Back to the problem - move away from this hoster. If it's possible that another customer can upload a PHP shell - by accident or not - and then someone can browse all sites including the ones of other customers as well there's a huge security problem.

If that is possible - trying to secure your VB installation will never be successful
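
Added example, not part of any post in this thread: a small model of the classic Unix read check (owner class, then group, then other; root bypasses), run against the config.php ownership layouts argued over above. The account names site1 and tenant2 are constructed, and layout 3 (PHP running under each hosting account's own user) is an assumption about what a host could do, not something stated in the thread.

```shell
#!/bin/sh
# Added example: who can read config.php under each layout from the thread?
# Only mode bits are modelled (no ACLs, no directory permissions).

# can_read MODE OWNER GROUP USER "USER_GROUPS" -> prints yes or no
can_read() {
    cr_mode=$((0$1)); cr_owner=$2; cr_group=$3; cr_user=$4; cr_groups=$5
    if [ "$cr_user" = root ]; then echo yes; return 0; fi  # root bypasses bits
    if [ "$cr_user" = "$cr_owner" ]; then
        cr_bits=$(( ($cr_mode >> 6) & 7 ))   # owner class only, even if it denies
    else
        case " $cr_groups " in
            *" $cr_group "*) cr_bits=$(( ($cr_mode >> 3) & 7 )) ;;  # group class
            *)               cr_bits=$(( $cr_mode & 7 )) ;;         # other class
        esac
    fi
    if [ $(( $cr_bits & 4 )) -ne 0 ]; then echo yes; else echo no; fi
}

# report LABEL MODE OWNER GROUP USER "USER_GROUPS"
report() {
    printf '%-38s %s %s:%s as %-8s -> %s\n' "$1" "$2" "$3" "$4" "$5" \
        "$(can_read "$2" "$3" "$4" "$5" "$6")"
}

# Layout 1: chown apache:root, chmod 0640 (the /etc/vb suggestion).
# Every site on a shared web server runs PHP as the same "apache" user.
report "vBulletin, shared web user"         0640 apache root apache  "apache"
report "co-tenant PHP shell, same web user" 0640 apache root apache  "apache"
report "co-tenant login account"            0640 apache root tenant2 "tenant2"

# Layout 2: chown root:root, chmod 0600 (forum gets the Database Error page)
report "vBulletin, shared web user"         0600 root root apache "apache"

# Layout 3 (assumption): PHP runs as each hosting account's own user
report "vBulletin as its own account"       0600 site1 site1 site1   "site1"
report "co-tenant PHP shell, other account" 0600 site1 site1 tenant2 "tenant2"
```

Layouts 1 and 2 show both sides of the argument: any mode that lets the shared web user read the file also lets every other script running as that user read it, and any mode that blocks those scripts blocks the forum too.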