What to do for security when someone has access?
FReeSTER
09-16-2011, 02:36 PM
Hey guys, I'm very worried that someone is posting on my site as any Staff he wants in the Hidden staff section.....
He has somehow made a back door or something to enter the forum and is even creative enough to log in as any admin he wants, including me...
What can I do to prevent this or at least make it difficult for him...
He has access to cPanel and the server, as I can see, since he stated it in a post in the staff section, below:
> Cross scripting a VB site is not as easy as you think. Unless you been doing it for years. I don't care if you make a 70 digit password it can be cracked. There is a new way of hacking vB forums that no one wastes their time brute forcing sites its a joke. I could walk in all 3 of your firewalls and do a head spend before you figured out what happened.
He left me that note in the Staff section, logged in as another Staff, and then he replied back as me and 2 other staff members.
Now I ask, what can I do to prevent this? Is there something I can try to do with config files etc.?
Lynne
09-16-2011, 02:48 PM
Talk to your host! Have them help figure out how you were compromised. Are you on a shared server? If so, it could be someone else's account that was compromised. But, definitely talk to your host and also go through your own access_logs looking for his IP (if he posted, then hopefully he used the same IP to hack you) and see what he's been up to.
FReeSTER
09-17-2011, 01:20 AM
Here is the funny thing, Lynne: he has access to the forum, and I don't think he has access to the cPanel or server, as I believe he is all BS. He just posted as me now. So my question is, how in the world can someone know all the passwords for each user, or log in like me to post?
My best bet is he has a back door through the config.php file, but again I don't think he has access to that part.
It's just so confusing that it is getting on my nerves.
Lynne
09-17-2011, 03:09 AM
What version are you running and have you kept up-to-date with the security patches? You should be looking at your access_logs to see if he ran some script or what he did in order to get the passwords for your site.
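An added example, not part of the original thread or any poster's code: one way to do the access_log review suggested in Lynne's two replies, listing which control-panel scripts a suspect IP requested and which other IPs reached the control panel. It assumes the Apache combined log format and the default `admincp`/`modcp` directory names; the sample lines and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; the format used on the host is an assumption.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Default vBulletin control-panel directories (add renamed folders here).
SENSITIVE = ("/admincp/", "/modcp/")

# Constructed sample lines; IPs come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2011:14:01:10 +0000] "POST /forum/login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2011:14:02:31 +0000] "GET /forum/admincp/user.php?do=find HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2011:14:03:02 +0000] "GET /forum/admincp/user.php?do=edit&u=1 HTTP/1.1" 200 15333 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2011:14:03:40 +0000] "GET /forum/admincp/usertools.php?do=doips&u=1 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Sep/2011:14:05:00 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Sep/2011:14:06:12 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(lines, suspect_ip):
    """Return (suspect's control-panel actions, other IPs seen in the control panel)."""
    actions, other_ips = [], Counter()
    for rec in parse(lines):
        url = urlsplit(rec["url"])
        if not any(d in url.path for d in SENSITIVE):
            continue
        if rec["ip"] == suspect_ip:
            do = parse_qs(url.query).get("do", [""])[0]
            actions.append((rec["ts"], url.path.rsplit("/", 1)[-1], do, rec["status"]))
        else:
            other_ips[rec["ip"]] += 1
    return actions, other_ips

if __name__ == "__main__":
    actions, others = triage(SAMPLE_LOG.splitlines(), "203.0.113.7")
    for ts, script, do, status in actions:
        print(ts, script, do or "-", status)
    print("other IPs in control panel:", dict(others))
```

Any IP in the second result that does not belong to a known staff member is worth the same review as the suspect IP.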
FReeSTER
09-17-2011, 11:29 AM
I have version vb4.1.3 and yes, I have been up to date on security files.
I will check on the admin logs and report back.
And for passwords, the only method that I'm aware of is the queries system, which he can do easily by logging in like me, as I do have that option available. Wow, I think I might have to get in as a hacker now to learn a few of their tricks.
--------------- Added 1316263607 at 1316263607 ---------------
I do get this from the CP Logs for admin:
SCRIPT -----------------Action--------Info
usertools.php ----------- doips--------- user id = 1
user.php ---------------- edit --------- user id = 1
user.php ---------------- --------- find
I always delete the install folder as well as the tools.php file. I never have it on the forum unless I need to use it, which is random.
Mooff
09-17-2011, 11:47 AM
Are you running php 5.3.7 by any chance?
This version has a bug in the encryption function, which could result in the following behaviour if I do understand that bug correctly. Whatever pw you type in it sends the same value (salt) instead of the encrypted pw. I also don't know if the encryption algorithm used by vBulletin would be affected by that.
Information given here (I googled a random English site, read about it on a German one).
http://www.v3.co.uk/v3-uk/news/2103581/users-warned-php-537-bug-discovery
Anyway just a guess. It might help.
FReeSTER
09-17-2011, 12:19 PM
> Are you running php 5.3.7 by any chance?
> This version has a bug in the encryption function, which could result in the following behaviour if I do understand that bug correctly. Whatever pw you type in it sends the same value (salt) instead of the encrypted pw. I also don't know if the encryption algorithm used by vBulletin would be affected by that.
> Information given here (I googled a random English site, read about it on a German one).
> http://www.v3.co.uk/v3-uk/news/2103581/users-warned-php-537-bug-discovery
> Anyway just a guess. It might help.
Thank you mate, I will look into it.
Thanks kindly
Max Taxable
09-17-2011, 12:33 PM
If you have the "Quick User Changer" hack, it's pretty easy for someone to gain access to ALL accounts if he gets access to an admin one. Just a thought.
ReFuZe
09-17-2011, 01:10 PM
What's your site called? I can secure it for you. I don't do it for free, I do it for 10 dollars, but if you don't get it then you can pay me back anytime you want. My Skype is nijyarj, add me and I'll secure you.
FReeSTER
09-17-2011, 03:25 PM
> If you have the "Quick User Changer" hack, it's pretty easy for someone to gain access to ALL accounts if he gets access to an admin one. Just a thought.
Yeah, I was thinking about this too and I do have it.
--------------- Added 1316276796 at 1316276796 ---------------
> What's your site called? I can secure it for you. I don't do it for free, I do it for 10 dollars, but if you don't get it then you can pay me back anytime you want. My Skype is nijyarj, add me and I'll secure you.
I wish I had $ on my PayPal right now mate, but I don't. I was looking at the thread you did about this but I don't get a few parts of it.
Will try it and let you know.
ReFuZe
09-17-2011, 05:02 PM
Okay, what's your website called so I can do it for you?
FReeSTER
09-17-2011, 05:11 PM
Thank you mate, I tried and tried and got it to the level where it made sense and is working. lol
Thanks for your help.
Let's see how it goes.
Max Taxable
09-17-2011, 05:50 PM
> Yeah I was thinking about this too and I do have it..
I changed the code on that plugin on my board, so only super admins can link user accounts no matter the settings. Until you add that code I strongly suggest you disable that hack. Here's what to change:
Edit the first line of the QAS: Admin Controls plugin
Change the first line to:
if ($user['userid'] AND in_array($vbulletin->userinfo['userid'],explode(",",$vbulletin->config['SpecialUsers']['superadministrators'])))
FReeSTER
09-17-2011, 06:26 PM
Thank you, I will try this mate, thanks.
FReeSTER
09-19-2011, 02:24 PM
I think this guy messed up stuff on my forum. The users' profiles are not viewable now. But the good thing is he doesn't seem to have access to the forum any more. I added .HTACCESS and .HTPASSWD to the admin, mod and includes folders and even renamed the admin and mod folders to see if that helps a bit, and it seems that it is working so far.