View Full Version : Forum Hack Cleanup


Crad
08-22-2011, 08:19 PM
My forum was recently hacked, which really was my wake-up call towards security on my server.

Somehow, possibly through an SQL Injection in another Plugin or by impersonating administrator credentials (although I can't be sure), the hacker was able to gain access to the Admin CP (via an Admin's account), and add a plugin titled "vb_ajax" that contained an encrypted string.

Once decrypted, the string would inject a check for $_REQUEST['mode'], which it would then use to run a large variety of exploits, including running shell commands and executing certain SQL queries. The parameter 'ws_ver' would identify this plugin as "WebShell PHP Server v3.2".

Thankfully, like all "good" hackers (thank god they weren't purely malicious), they made it clear that they had gained access to the ACP and the database by editing our templates to display something similar to "LOL IVE HACKED YOUR SITE, HERE'S A LINK TO YOUR USERS SQL DUMP!"; otherwise I might not have found out.

--

Anyways, I have no Admin experience, at all. I took over the site because all the other Admins left. I do have some experience as a Junior Programmer in the games industry, but that about covers it.

I've since gotten the site back online (pretty easily), and have had my plugins disabled. Some of the things I've done to help secure the board:

New Database User Name
New Database User Password (much higher complexity)
New Administrator Passwords
New Moderator Passwords
New FTP Password
New cPanel Password
Restricted AdminCP Access with .htaccess
AdminCP .htpassword Password
ModeratorCP .htpassword Password (different)
Disabled every plugin except the absolutely essential
Restricted access to core files with chmod
Flushed the FTP to a new install of vBulletin
Alerted users to please change their passwords

What I'm worried about is:

Q: If the password salt is stored in the database, and the database was compromised (very likely), do I need to re-salt it? Won't that destroy everyone's passwords?

Q: Do you have any recommended tips on what to do next?

Q: Do you have any recommended reading to become a better Admin? So far I'm boning up on my PHP, but I'm sure there are highly recommended resources that I'm unaware of.

A lot of text for very few questions... Thanks for taking the time to read them though.
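
An added example for cleanup after this kind of compromise (not part of the original post and not vBulletin code): a defender-side scan of rows exported from the forum's plugin table for the indicators the post describes, plus a few generic signs of an obfuscated backdoor. The `title`/`hookname`/`phpcode` field names, the generic patterns, and the sample rows are assumptions constructed for illustration.

```python
import re

# Patterns applied to a plugin's PHP code. The first two come from the post;
# the rest are generic signs of an obfuscated backdoor (assumptions).
CODE_PATTERNS = {
    "request_mode": re.compile(r"\$_REQUEST\s*\[\s*['\"]mode['\"]\s*\]"),
    "ws_ver": re.compile(r"ws_ver"),
    "eval_decoded": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "shell_call": re.compile(
        r"\b(?:shell_exec|passthru|proc_open|popen|system|exec)\s*\(", re.I),
    "long_encoded_string": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
SUSPECT_TITLES = {"vb_ajax"}  # plugin title named in the post


def scan_plugin(row):
    """Return the sorted list of indicator names that match one plugin row."""
    hits = {name for name, rx in CODE_PATTERNS.items() if rx.search(row["phpcode"])}
    if row["title"].strip().lower() in SUSPECT_TITLES:
        hits.add("suspect_title")
    return sorted(hits)


def scan_plugins(rows):
    """Map plugin title -> indicators, for rows with at least one hit."""
    report = {}
    for row in rows:
        hits = scan_plugin(row)
        if hits:
            report[row["title"]] = hits
    return report


# Constructed sample rows (not taken from the compromised forum).
SAMPLE_ROWS = [
    {"title": "Forum Sidebar", "hookname": "forumhome_start",
     "phpcode": "$show['sidebar'] = true;"},
    {"title": "vb_ajax", "hookname": "init_startup",
     "phpcode": "eval(base64_decode('" + "QUJD" * 60 + "'));"},
    {"title": "Stats Helper", "hookname": "global_start",
     "phpcode": "if (isset($_REQUEST['mode'])) { system('uptime'); }"},
]

if __name__ == "__main__":
    for title, hits in scan_plugins(SAMPLE_ROWS).items():
        print(f"{title}: {', '.join(hits)}")
```

A hit is a prompt for manual review of that plugin's code, not proof of compromise; a plugin with no hits can still be malicious if it is obfuscated differently.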