My site (supermensa.org (http://supermensa.org/forums/)) is being hacked with the hackers gaining access to admin and presumably the sql database. The first hack was, I assume since they have a walkthrough on their site on how to do it, due to the /install/ folder exploit. I've since upgraded to 4.2.1 and deleted /install/, and they still came back and nuked the place. (changing my admin email and altering the visual appearance of the site to give the generic "you've been hacked lulz" message.

I have it set in config that my admin account cannot be altered, yet things like email get changed when they strike.

any ideas? anything someone can see that's open on my site? should i leave hooks/plugins off for the time being?

Sounds to me like a file was overlooked when you cleaned it the first time around... either a file is still present (shell script more than likely) or a plugin still within your database.

Follow these guides, by that I mean grab what you fancy red bull or coffee, sit back, read then have at it! Be thorough or don't even bother - no honestly you must be thorough no joke I'm saying that with much emphasis these days!

http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site

The Mailman

Just for grins, do you have any of these Plugins?

VSa - Advanced Forum Statistics 7.1 VSa - Advanced Forum Statistics
Edit Check Version Disable Export Uninstall

VSa - ChatBox 3.1.8 VSa - ChatBox
Edit Check Version Disable Export Uninstall

VSa - Visitors in Last X Hours 3.0.4 VSa - Visitors in Last X Hours

Sounds to me like a file was overlooked when you cleaned it the first time around... either a file is still present (shell script more than likely) or a plugin still within your database.

I can't be a file left over (I did an emergency rollback to like 1-2 weeks before they knew we existed on both the /forums/ dir and the sql database) so I guess a plug-in

will disabling all plugins manually do the trick and just updating/re-enabling one by one, or do i have to uninstall everything and start over


The Mailman

Just for grins, do you have any of these Plugins?

nope

nope

That kind of eliminates that idea.

I have seen it can't happen to 4.1.x, not true.

I have seen it can't happen if the Install is removed; others are saying not true. I have just removed mine; so I will find out soon enough.

People keep asking me how they are getting in; well heck if vB can't tell us, how would I know!

fwiw, i've updated every plugin i had running to the latest version and renamed the database

admincp is under .htaccess protection now

any other way they'd be able to access the sql database or admin?

Just made this post in another thread here: On vb.com one user is suggesting our MySQL database is compromised because of a lack of security on our config.php file. This is the most sensible explanation I have heard so far. But I don't know how to monitor MySQL access; I'll be trying to figure that out next.

The Mailman

Just for grins, do you have any of these Plugins?

What is wrong with these plugins? Since you mentioned them are we supposed to be concerned with these?

I have had several people suggest Plug Ins are vulnerable; I thought maybe if several of us have the same Plug In, maybe a pattern could be established to suggest one of them is bad. Was just an idea and in no way implies any of my three are bad.

It seems the experts have no clear answer, so I am beating the bushes so to speak.

After you were first hacked, did you make sure to check your Administrator usergroup and verify you didn't leave their account as an Administrator (so they could still access the admincp)? And, did you go through your Plugin Manager and make sure they didn't add any plugins to your site? Also verify that all your old plugins haven't been touched and had bad code added to them. If you can't do those things, I'd suggest using a database backup. Also, make sure all the files uploaded to the site are default vbulletin files and not files added by the hackers.

Posted in another tread, Plug Ins had a script "OverrideAdminRights" in ForumRunner, could be seen in "Product Management".

After you were first hacked, did you make sure to check your Administrator usergroup and verify you didn't leave their account as an Administrator (so they could still access the admincp)? And, did you go through your Plugin Manager and make sure they didn't add any plugins to your site? Also verify that all your old plugins haven't been touched and had bad code added to them. If you can't do those things, I'd suggest using a database backup. Also, make sure all the files uploaded to the site are default vbulletin files and not files added by the hackers.

I did and noticed like 4 more admins were added, but this was the first attack - I deleted that database and rolled back to a pre-hack one. I tried a fix and the second time they got in they didn't do this, but rather just take over my admin account. They did add a plugin that was noticeable, "cumlauncher2000"

But like I said, I've rolled back to a pre-attack db and updated all plugins and so far so good...but don't know if they've just lost interest for this week or if I'm still vulnerable.

Posted in another tread, Plug Ins had a script "OverrideAdminRights" in ForumRunner, could be seen in "Product Management".

well good thing I deleted forumrunner altogether :D

Did you remember to change your passwords to both the server and the bbs after the rollback?

If they're changing the unmodifiable users list, it sounds like they hacked into the server, not just the BBS, at which point they could manually hack the config file where you set the umodifiable users.

You may wish to ask your hosting provider to check the server for exploit code as well.

If that config file is set to mod 777, ( -rwxrwxrwx), you probably should log into a terminal to the server, and chmod the file to 555 (-r-xr-xr-x).

The Mailman

Just for grins, do you have any of these Plugins?

I have chat box and top posters.

I am trying to confirm with Valter if I have all the right files.

Good article HERE (https://vborg.vbsupport.ru/showthread.php?t=193930) about security.

I would also add THIS (https://vborg.vbsupport.ru/showthread.php?t=296383&highlight=admin+firewall) mod. Has helped us a lot in the past.

Did you remember to change your passwords to both the server and the bbs after the rollback?

If they're changing the unmodifiable users list, it sounds like they hacked into the server, not just the BBS, at which point they could manually hack the config file where you set the umodifiable users.

You may wish to ask your hosting provider to check the server for exploit code as well.

If that config file is set to mod 777, ( -rwxrwxrwx), you probably should log into a terminal to the server, and chmod the file to 555 (-r-xr-xr-x).

it's not 777, it was 644, should it be 555?

they hacked the site again. they know the name of the new sql database i made (it was named after the hacker) and his first move was to change my email address (the name he made up referenced the sql db name i made, trying to send a message or whatever) to a yopmail and i presume begin a password reset. config says i, the admin (#1) am an unmodifiable user...

how could he know the db name? should config be 555d?
how do i disable the password reset function in the interim?

Really sorry to read this, The Mailman :( No one should be able to hack your vBulletin like this, regardless of the config.php permissions. Who is your hosting company? Do you run on shared, VPS, or dedicated?

Have you changed root/whm, cpanel, FTP, and all vBulletin admin passwords?

If you have a good hosting company, please ask them to run a malware scan on your server. If they won't, you can install & run maldet for unix. If you have an amazing hosting company, ask them to find logs showing who is doing what. Have you grabbed IP addresses yet? Perhaps they can narrow it down that way? If they won't, please write back here and I can give you some starting logs to glance at.

Finally, set up Host Access Control in WHM. Do not allow anyone to run FTP, cPanel, or WHM unless it's from your IP address. Again, let me know if you need assistance with this. I just went through the same thing. They're still trying, and failing now. So they can be defeated!

Good luck :( This sucks.