HELP, I just got HACKED!
ptbyjason
02-23-2002, 12:03 AM
What can I do guys? I just got hacked and everyone who has an account to the admin control panel had their account deleted!!! What can I do to get back in and fix it? Some of the info on the board does not need to be open to the public.
ptbyjason
02-23-2002, 12:40 AM
Ok, I have everything moved to a new directory now. Here is what happened.
Somehow the guy was able to register under the account "admin" (supposed to be restricted). I suspended (suspended category allows PMs but no posting) the account and told him by PM to register under a new name in order to not confuse members. Then I decided to just delete the account because I noticed that he modified the board to expose one of the hidden forums and changed the board to say, check out our New Vet Board (supposed to be hidden). So in other words he gained access to the admin panel.
He then registered another account named admin. I kept banning it until he got up to a total of 4 accounts named admin. After that happened he deleted my account.
I tried to access the other accounts that I gave admin access to while all of this was going on (I was thinking ahead) but he deleted them too. He then deleted all of my mods who had access to the admin panel.
I run 2.03 and I have no idea what to do now. I didn't think anyone was able to register under the account admin, I didn't think you could give yourself access to the admin panel, and I didn't think you could remove the account of the original administrator. Someone please contact me ASAP and let me know what to do next.
ptbyjason
02-23-2002, 12:58 AM
Is there anything I can do where I can alter the PHP to give myself access to the board again? I still have access to that. Anything you can do to help me will be greatly appreciated.
Reeve of shinra
02-23-2002, 01:01 AM
****, that sux
first, make sure you do NOT have the retrieve admin password file loaded. It's the one that is included in the tools folder in the initial zip.
second, check the permissions for all your user groups to ensure that there aren't any extras - or current ones - with admin like power.
should do the trick ... should ...
ptbyjason
02-23-2002, 01:07 AM
how do I get into the admin panel now?
ptbyjason
02-23-2002, 01:20 AM
Originally posted by Reeve of shinra
first, make sure you do NOT have the retrieve admin password file loaded. It's the one that is included in the tools folder in the initial zip.
second, check the permissions for all your user groups to ensure that there aren't any extras - or current ones - with admin like power.
1st. Do you know the exact file name of it? I cannot find it in there. I was not the original installer of our vbulletin, but I can see all of the files in our folders.
2nd. They could have easily given one user access to the admin control panel without me knowing, right?
I wish I had done that instead of changing my other accounts to administrators. It would have been better hidden.
i'm working on a script to let you gain access to your admin panel.. and also in a procedure to make it secured.. stay put.. i'm testing it right now
let me know if you have control over your web account.
i secured my vb panel so nobody can have access. even if you are admin, you cannot delete the original admin or edit any admins the original admin doesn't want you to.. ;)
ptbyjason
02-23-2002, 01:56 AM
I do not have control over the web accounts, they have been deleted, but I have no idea how that was possible.
Thank you for the help
you cannot access your host anymore??????
then you must contact your web provider to assign you a new password.
about vb.. don't worry about it, this can be easily bypassed, even if the hacker blocked your account. what i need to know is if you can upload files to your web folder using an ftp client
ptbyjason
02-23-2002, 01:58 AM
The original admin is gone. I can view the members list and the account doesn't exist. Is it a hidden account? If so I might have used the wrong password, I will try again.
ptbyjason
02-23-2002, 01:59 AM
I have access to the php codes (FTP), just not the admin panel. That's what I meant, sorry for the confusion.
ok.. now be patient.. i will help u.. let me do some other stuff and i will post here a file that you will run in your admin folder
with my script you will run it and you will create a new account.. then you can access the admin panel.. i will explain to you in detail how to secure your panel so nobody can have access to run it.. even if they try to hack by calling the script from another server
ptbyjason
02-23-2002, 02:22 AM
thank you nakkid. Take your time. My board is about as secure as it is going to get right now. No one knows where it is and all of the posts that were sensitive information have either been pruned or manually deleted. I am not exposing it again until I know I have everything secure. I will wait all weekend if I have to (though I would prefer not to. :) ).
Thanks again nakkid.
ok.. i finished the script.. i tested it on my board and you can add an admin user. now i will work on a tutorial on how to lock your access to any users but the ones you want
Originally posted by ptbyjason
thank you nakkid. Take your time. My board is about as secure as it is going to get right now. No one knows where it is and all of the posts that were sensitive information have either been pruned or manually deleted. I am not exposing it again until I know I have everything secure. I will wait all weekend if I have to (though I would prefer not to. :) ).
Thanks again nakkid.
;) don't worry. i'm here to help.
the idiot who played this on you will have the biggest surprise of his life.. and i want you to restore your board the way it was before.. so he will freak even more.. in this way, you don't have to edit all your templates, etc :)
now.. i give you the choice:
1. do a php mod in your admin files so you can still use the session hash but if an admin that is not created by you wants to edit any of the attributes of any admin, will get a nice error message.
2. secure the folder with unique passwords. in this way nobody but your designated users will have access to the folder.. any file will be locked until you enter the right password. that's the one i like the most. the only disadvantage is that you have to enter your password twice. if u care about security, go for the second option.
ptbyjason
02-23-2002, 02:39 AM
Originally posted by nakkid
;) don't worry. i'm here to help.
the idiot who played this on you will have the biggest surprise of his life.. and i want you to restore your board the way it was before.. so he will freak even more.. in this way, you don't have to edit all your templates, etc :)
:D On a night like tonight, you have no idea how much I like to hear that. I am beginning to feel like this will be fun now. ;) :D
ptbyjason
02-23-2002, 02:41 AM
Originally posted by nakkid
2. secure the folder with unique passwords. in this way nobody but your designated users will have access to the folder.. any file will be locked until you enter the right password. that's the one i like the most. the only disadvantage is that you have to enter your password twice. if u care about security, go for the second option.
With my board security is extremely important, let's go with Door #2. :D
you know? i remember when i used to be in trouble and people helped me. i'm so happy that i can do this for you. let me know your option and i will post a tutorial with what to do.. i need you to post here your email so i can email you the file... then wait for the tutorial, don't run it yet
ok.. 2 is to be.. :) post your email
ptbyjason
02-23-2002, 02:44 AM
reading back over everything. Wouldn't he still be able to get into a new account with the second option? Or are you saying that in order to log in to the admin panel you have to know the universal password?
ptbyjason
02-23-2002, 02:45 AM
E-mail address in new PM.
ok check your email.. and wait for me to post the instructions. ;)
one thing.. this should work ok in 2.0.3 i have tested it on 2.2.2 but the database structure for members didn't change.. so you will be ok ;)
it's time for me to make you a happy man :) let me start the install and security procedure....
ptbyjason
02-23-2002, 02:56 AM
got it, ok I will wait for the instructions
INSTALL PROCEDURE
01. first create 2 files called htaccess.txt and htpasswd.txt.
in htaccess.txt place this:
-------------------------------
order allow,deny
allow from all
require valid-user
Authname anabolicreview.com
AuthPAM_Enabled off
Authtype Basic
AuthUserFile /path/to/your/forum/admin/.htpasswd
-------------------------------
save the file. this file will lock your admin folder, if the username and
password is incorrect. ;)
in htpasswd.txt place this:
-------------------------------
username:encryptedpassword
-------------------------------
to make an username and encrypted password, go here:
http://www.xs4all.nl/~remcovz/htpasswd.html
save the file.
NOTE: you can make as many users as you want. place them all in
htpasswd.txt file. here is an example of the way your file
should look:
-------------------------------
PtbyJason:JFE77XeDHmQc2
nakkid:TpWjdGMlaQXuI
-------------------------------
NOTE: the username and password are case sensitive.
02. now that we have the 2 files saved, upload them to your /admin folder
and rename them to .htaccess and .htpasswd, using your favorite
ftp client. they will become invisible.
03. upload to your /admin folder the adduser.php file i emailed you
and run it. if you did a good job with .htaccess and .htpasswd files, you will
get a window asking you to enter your username and password. do that. ;)
the script will load and you can enter all the info necessary to create your
admin account.
NOTE: make sure you select from the dropdown the Administrators group because
with this script you can add any member to any group you want.
04. now that you created a new admin account, it's time to nail the sucker
who did this. access your /admin/index.php file as usual. the secured window
will not ask you again to enter your username and pass because of the lapse of time
set to store your information, so there is no need to panic..
05. enter your new username and password, at VB prompt, as usual.
06. delete all admin accounts. you are done and in control again. ;)
it was easy right? yep it was, so why you panic? :D
let me know if you need something else. that should do it. ;)
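Added example, not part of nakkid's post or the emailed script: the `username:encryptedpassword` lines from step 01 can be generated on your own machine rather than on a third-party web page. It assumes PHP 7+ run locally and an Apache 2.4 server, which accepts bcrypt (`$2y$`) hashes in `.htpasswd`; the function names and sample values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ run locally and an
// Apache 2.4 server, which accepts bcrypt ($2y$) hashes in .htpasswd files.
// Function names and sample values are constructed for illustration.

// Build one "username:hash" line for .htpasswd.
function htpasswd_line(string $user, string $password): string
{
    // ':' separates the two fields and a line break ends the record,
    // so neither may appear in the user name.
    if ($user === '' || preg_match('/[:\r\n]/', $user)) {
        throw new InvalidArgumentException('bad user name');
    }
    // bcrypt ignores everything past 72 bytes; refuse instead of truncating.
    if ($password === '' || strlen($password) > 72) {
        throw new InvalidArgumentException('password must be 1-72 bytes');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Check a user/password pair against the text of a .htpasswd file.
function htpasswd_check(string $contents, string $user, string $password): bool
{
    foreach (preg_split('/\R/', $contents) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue;                 // blank or malformed line
        }
        // Names are compared exactly: they are case sensitive.
        if ($parts[0] === $user) {
            return password_verify($password, $parts[1]);
        }
    }
    return false;                     // unknown user
}

// Constructed sample run: build the file text, then confirm it before uploading.
$file = htpasswd_line('PtbyJason', 'constructed sample passphrase') . "\n"
      . htpasswd_line('nakkid', 'another constructed passphrase') . "\n";
echo $file;
var_dump(htpasswd_check($file, 'PtbyJason', 'constructed sample passphrase'));
var_dump(htpasswd_check($file, 'ptbyjason', 'constructed sample passphrase')); // name in the wrong case
var_dump(htpasswd_check($file, 'nakkid', 'wrong passphrase'));
```

The printed lines go into htpasswd.txt exactly as in step 01; the salt is random, so the hash differs on every run.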
ptbyjason
02-23-2002, 03:48 AM
working on it now
ok.. post here once you are done ;)
ptbyjason
02-23-2002, 04:09 AM
hmmmm, got an error
trying to fix it myself
ptbyjason
02-23-2002, 04:16 AM
wait, I think I remember now, hang on I forgot to edit something.
ptbyjason
02-23-2002, 04:23 AM
Nope, still have problem
Parse error: parse error in /business/***edit***/***edit***/***edit***/vbulletin/admin/adduser.php on line 51
oupsss.. ;) check your email.. did you get the window asking you the username and password?
also. make sure you restore the exact same way your board. the information stored in the database is related to old links not the new ones. once restored to the old folders, run the adduser file in admin folder. let me know how it goes.
ptbyjason
02-23-2002, 04:36 AM
trying it now
ptbyjason
02-23-2002, 04:45 AM
ok, created an account, then I tried to log in with the account and it didn't let me log in. I have tried every password it could be, what next?
ptbyjason
02-23-2002, 04:47 AM
when I create the account, do I use the encrypted password or one that i just make up?
the htfiles are only for your folder access, they do not interact in any way with VB
so when you add a new user, you enter the name and password you want... for example:
username: nakkid
password: bored
you do NOT use the encrypted info you used in the htfiles...
basically, the adduser.php will simulate you are an admin and want to add a regular user as you do it from the admin panel.. so proceed as usual.. ;)
ptbyjason
02-23-2002, 04:55 AM
ok, all of the accounts I have created with the panel, will not let me log in for some reason.
I get the following message
Wrong Password. Please press the back button, enter the correct password and try again. Don't forget that the password is case sensitive. Forgotten your password? Click here!
hmmmmm.. so do this click on the link.. and you will get emailed.. try it and let me know..
in my test board, i created 5 accounts.. and accessed all of them.. so check the steps in restoring your folder to old fashion way you had it before it started the mess..
also email me the file admin/user.php ... i need to adjust adduser.php for your version, if you still have problems
ptbyjason
02-23-2002, 05:08 AM
click on the link and get a file not found 404 error page.
Do you want me to restore them back to the original folder, like when all of this happened?
I will e-mail you the user.php now.
ya. restore it the exact same way you had it in the beginning.
still waiting.......... ;)
ok. i emailed you the new file. it will work perfect now. ;)
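also, in /admin/config.php, add this code at the top:
-------------------------------
// stop unless the path of the requested script contains this site's document root
if(!strstr("$_SERVER[PATH_TRANSLATED]", "$_SERVER[DOCUMENT_ROOT]")) {
die();
}
-------------------------------
that should prevent from running any file from outside the server. do you have any shared accounts? let me know.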
ptbyjason
02-23-2002, 09:13 PM
Check your e-mail. I hope I explained myself. I have modified the config.php now. Get back with me by e-mailing my phone or my regular address. I will be back in a couple of hours. I am preparing to go without sleep for a long time tonight.
So now that this is hopefully, soon to be over. Does anyone know how someone could have created an account that should not have been allowed "admin", create the same exact username 4 times, and give themself administrative access? There has got to be an explanation for this and I want to make sure that it doesn't happen to anyone else now. Anyone have any ideas?
Wolf42
02-23-2002, 09:56 PM
With the original vB comes a script called "getadmin.php". Have you ever tried to use it to get back your admin-rights?
And maybe someone has modded it to get access to your board. I don't know if it's working or if someone can use it to abuse, my knowledge in PHP and MySQL is too small to understand this script, maybe FireFly or another Moderator can tell.
Good luck!!
ptbyjason
02-23-2002, 11:34 PM
Yeah, I am trying to get a hold of the getadmin.php. I realized that they removed it from the folder after installation was complete. But I am trying to get a hold of that to use now. But if that was not in the folder, how could he have done the things he did?
jason, don't use getadmin.php, due to security issue, i made addadmin.php for you, is a more secure way to add an admin. run it and you will add yourself as admin with a password and email already integrated. let me know how it went. ;) also check your email.. or get on msn messenger..
ok jason, i just had a private discussion with firefly, he debated your case with other developers and they came to the conclusion that it's all related to your host, not VB. in a way we came to the same conclusion, me and you, after discussing in detail all the aspects of your setup. now that you upgraded to v222, change your account provider password. until then, to stop others creating other accounts, even if this is just a small hack, the hacker can easily undo it, do this:
open root/admin/global.php and find the code:
-------------------------------
if ($bbuserinfo[userid]==0 and $checkpwd) {
-------------------------------
replace it with:
-------------------------------
// the name tests are joined with "and": a login name always differs from at least one listed name, so joining them with "or" would be true for every login
if (($bbuserinfo[userid]==0 or ($loginusername!="catwoman" and $loginusername!="batman")) and $checkpwd) {
-------------------------------
just replace the names i came up with to the real usernames ;)
you can add as many loginusernames as you want.
hurry up and change the password!!! lol.. we discussed it enough on messenger.. :)
You guys were great to help this guy out like you did, keep up the good work.