vb.org Archive


TunerNetwork 07-28-2007 02:13 PM

Hacked!
 
1 Attachment(s)
OK, need your help on this. Woke up this morning, go to log in...can't. I try several times, I know I'm putting in the right pw, and still can't. I look at my news forum and see some Arabic writing. I log in under another admin's login/pw. I search for my user name (original one), does not exist. I look under usergroups, not there. I take it that it got erased?

Here is a screenshot of the post that was made, and one was made in an admin section, so I take it it was not a bot. What do I need to do to prevent this again? I attached what they wrote and the screenshots.

The first post made by the hacker says this: (Arabic writing that was posted underneath)


Quote:

Originally Posted by Sn1p3r_spy
Just Play Bank Aladem been unsuccessful then penetrate forum without index Esbero Khkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkhkh khkhkhkhkhkhkhkhkhkhkho

(this is the English version of this below)
خخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخ بس العب بنك الادم تم اختراق منتداكم الفاشل الحين بغير الاندكس اصبروشو

Hacker's username that was created: Sn1p3r_spy

And this is the post made in my news section:

Quote:

Originally Posted by Sn1p3r_spy
God Ilankam forum Tabani of very Yakelap b Houphoni Wadman Khkhkhkhkhkhkhkhkhb

(this is the English version of this below)


شووفوني ادمن خخخخخخخخخ الله يلعنكم منتداكم تعبني من جد ياكلاب



Wanted to know if I could save my username or is that gone?

King Kovifor 07-28-2007 02:17 PM

You can use a back up of your forum from the past day, before the board was hacked.

TunerNetwork 07-28-2007 02:29 PM

I'm checking to see when my host last did an update, last time I did a full backup was on 7/11/07

Carnage 07-28-2007 02:48 PM

You could restore just your user account from there instead of a whole board restore... I've restored users before when they've been accidentally deleted but it's a time-consuming process.

TunerNetwork 07-28-2007 02:55 PM

Carnage, is there a way to go back and save my old user name? I was running 3.6, I'm upgrading my board up to 3.8 as we speak under another admin name. But I want to save my old name. Is that possible?

I deleted anything that was related to this hacker that I could find, I'm hoping he doesn't have anything hidden on my site or server. Hoping the upgrade eliminates any further damage.

If you want to contact me, TN Zazza is my AIM name

Oops, OK, I just upgraded to 3.6.8

Kirk Y 07-28-2007 03:38 PM

Run a check for Suspect Files through the Maintenance tab in the AdminCP. This will tell you if there are any files in your directory that shouldn't be there, or if any of the core files have been altered.

TunerNetwork 07-28-2007 09:54 PM

OK, what I had to do was restore my old backup that is about 2 weeks old. Sux, but it put me back to a working starting point. I was at 3.6.6, so I upgraded immediately to 3.6.8. I set all of my admins so they can't be erased in the config file, changed pw's etc. Is there anything that you guys can recommend for me to check or get rid of etc, in order to prevent this from happening again?

Thanks

Kirk Y 07-28-2007 10:02 PM

Did you run the check I suggested in my previous post? What modifications do you have installed?

TunerNetwork 07-28-2007 10:16 PM

Ya, under the diagnostics check. I have a bit of mods installed, I never had an issue before, I think it may have been because I didn't upgrade to the newest release yet, but here are my results, lol:

arcade.php File not recognized as part of vBulletin
fixoptions.php File not recognized as part of vBulletin
flashchat.php File not recognized as part of vBulletin
itrader.php File not recognized as part of vBulletin
itrader_detail.php File not recognized as part of vBulletin
itrader_feedback.php File not recognized as part of vBulletin
itrader_global.php File not recognized as part of vBulletin
itrader_report.php File not recognized as part of vBulletin
journal.php File not recognized as part of vBulletin
mm_menu.js File not recognized as part of vBulletin
modelapp.php File not recognized as part of vBulletin
sr_classifieds.php File not recognized as part of vBulletin
sr_classifieds_payment.php File not recognized as part of vBulletin
template.htm File not recognized as part of vBulletin
ushop.php File not recognized as part of vBulletin
vbfavorites.php File not recognized as part of vBulletin
vbgarage.php File not recognized as part of vBulletin
vbpunch.php File not recognized as part of vBulletin
vbulletin35CMS.php File not recognized as part of vBulletin
Scanned 63 files
./admincp
arcade.php File not recognized as part of vBulletin
articlebot_admin.php File not recognized as part of vBulletin
articlebot_simulator.php File not recognized as part of vBulletin
itrader_misc.php File not recognized as part of vBulletin
journaladmin.php File not recognized as part of vBulletin
read_pms.php File not recognized as part of vBulletin
sr_classifieds_admin.php File not recognized as part of vBulletin
ucash_admin.php File not recognized as part of vBulletin
ushop_admin.php File not recognized as part of vBulletin
vba_cmps_admin.php File not recognized as part of vBulletin
vba_links_admin.php File not recognized as part of vBulletin
vbacmps_install.php File not recognized as part of vBulletin
vbalinks_install.php File not recognized as part of vBulletin
Scanned 3 files
./archive
Scanned 34 files
./clientscript
activecell.htc File not recognized as part of vBulletin
ncode_imageresizer.js File not recognized as part of vBulletin
vbpunch.js File not recognized as part of vBulletin
Scanned 3 files
./clientscript/yui
Scanned 2 files
./images/regimage/fonts
Scanned 111 files
./includes
adminfunctions_links.php File not recognized as part of vBulletin
adminfunctions_vba_cmps.php File not recognized as part of vBulletin
bitfield_sr_classifieds.xml File not recognized as part of vBulletin
class_dm_itrader.php File not recognized as part of vBulletin
class_ucs_core.php File not recognized as part of vBulletin
cpnav_sr_classifieds.xml File not recognized as part of vBulletin
datastore_cache.php File not recognized as part of vBulletin
functions_itrader.php File not recognized as part of vBulletin
functions_links.php File not recognized as part of vBulletin
functions_ucs_shared.php File not recognized as part of vBulletin
functions_ushop.php File not recognized as part of vBulletin
global_ushop.php File not recognized as part of vBulletin
vba_cmps_include_bottom.php File not recognized as part of vBulletin
vba_cmps_include_error.php File not recognized as part of vBulletin
vba_cmps_include_template.php File not recognized as part of vBulletin
vba_cmps_include_top.php File not recognized as part of vBulletin
vba_cmps_plugin_newpost.php File not recognized as part of vBulletin
vba_global_error.php File not recognized as part of vBulletin
Scanned 26 files
./includes/cron
articlebot_vbcron.php File not recognized as part of vBulletin
links_search.php File not recognized as part of vBulletin
links_subscriptions.php File not recognized as part of vBulletin
rsvp_notify.php File not recognized as part of vBulletin
sr_classifieds.php File not recognized as part of vBulletin
ucash_paycheck.php File not recognized as part of vBulletin
ushop_expiration.php File not recognized as part of vBulletin
ushop_misc.php File not recognized as part of vBulletin
Scanned 8 files
./includes/paymentapi
Scanned 26 files
./includes/xml
bitfield_comments.xml File not recognized as part of vBulletin
bitfield_itrader.xml File not recognized as part of vBulletin
bitfield_journalhack.xml File not recognized as part of vBulletin
bitfield_profileviews.xml File not recognized as part of vBulletin
bitfield_sr_classifieds.xml File not recognized as part of vBulletin
bitfield_vbpunch.xml File not recognized as part of vBulletin
cpnav_arcade.xml File not recognized as part of vBulletin
cpnav_articlebot.xml File not recognized as part of vBulletin
cpnav_itrader.xml File not recognized as part of vBulletin
cpnav_journalhack.xml File not recognized as part of vBulletin
cpnav_rpm.xml File not recognized as part of vBulletin
cpnav_sr_classifieds.xml File not recognized as part of vBulletin
cpnav_ucs.xml File not recognized as part of vBulletin
cpnav_vbacmps.xml File not recognized as part of vBulletin
cpnav_vbalinks.xml File not recognized as part of vBulletin
hooks_ibproarcade.xml File not recognized as part of vBulletin
hooks_sr_classifieds.xml File not recognized as part of vBulletin
hooks_v3arcade.xml File not recognized as part of vBulletin
product-ibproarcade.xml File not recognized as part of vBulletin
Scanned 70 files
./install
Scanned 11 files
./modcp
vba_links.php

Now, anything look out of whack? lol I appreciate your feedback!

MRGTB 07-28-2007 10:33 PM

Did u say just a FEW hacks :rolleyes:

Go over to vBulletin, there is a thread there somewhere that tells you things to do to make your board more secure, like renaming the admincp folder to another name, and you can also make use of .htaccess files to require two logins for the admin area. You should also use an .htaccess file to protect folders like the CGI-BIN, so CGI scripts cannot be run from there.

EnIgMa1234 07-28-2007 10:36 PM

Also don't forget to change your cPanel password

mnm85 07-29-2007 12:56 AM

The first attachment says: May God ++++ your forums, enough of this you dog, you're tiring me, watch me admin.

Second attachment says: I'll play Bank admin, your disappointing forum has been hacked, I will now change the index file, wait a while.

just wanted to help, don't take this the wrong way, if you do. Sorry...

TvForce 07-29-2007 11:20 AM

This happened to me and you can't stop it no matter how hard you try. Once they have injected the database that is it. I had to restart fresh :(

TunerNetwork 07-29-2007 08:09 PM

OK, here's the latest: I installed a backup from two weeks ago, 7/11/07. I then updated to the newest versions, I changed all the pws, I then changed the names of my admin and modcp folders etc in the config. I set my admins' id #'s in the config file so they can not be edited etc. I don't allow html etc. Now, for the .htpassword or whatever, how do I do that? I'm not too familiar with it. Should I password protect anything else etc?

Delphiprogrammi 07-29-2007 08:15 PM

cPanel contains a utility that helps you with that: click "password protect directories". Also, you have two installers in a web-accessible location; that's asking to mess your board up. Delete those installers!!

Quote:

vbacmps_install.php File not recognized as part of vBulletin
vbalinks_install.php File not recognized as part of vBulletin
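
The Suspect Files check Kirk Y suggests and the leftover installers Delphiprogrammi points out can be approximated outside the AdminCP. The following is an added example, not part of the thread and not vBulletin's own code: it compares a directory tree against a manifest of known-good SHA-256 hashes and separately flags installer scripts. The manifest format, the function names, the `*install.php` heuristic and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

INSTALL_DIRS = {"install", "installer"}  # folder names mentioned in the thread

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def is_installer(rel):
    """Heuristic (assumption): any file in an install folder, or named *install.php."""
    *dirs, name = rel.lower().split("/")
    return bool(INSTALL_DIRS & set(dirs)) or name.endswith("install.php")

def suspect_files(root, manifest):
    """Compare every file under root with manifest {relative path: sha256 hex}."""
    report = {"unrecognized": [], "altered": [], "missing": [], "installers": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            report["unrecognized"].append(rel)
        elif digest(path) != manifest[rel]:
            report["altered"].append(rel)
        if is_installer(rel):  # flagged even when it is a recognized stock file
            report["installers"].append(rel)
    report["missing"] = [rel for rel in manifest if not Path(root, rel).is_file()]
    return {kind: sorted(paths) for kind, paths in report.items()}

def write(root, rel, data):
    target = Path(root, rel)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)

def demo():
    """Constructed sample tree: stock files, then a deface, an add-on, an installer."""
    with tempfile.TemporaryDirectory() as root:
        stock = ["index.php", "includes/functions.php", "install/install.php"]
        for rel in stock:
            write(root, rel, b"<?php // stock " + rel.encode())
        manifest = {rel: digest(Path(root, rel)) for rel in stock}
        write(root, "index.php", b"<?php // defaced")              # altered core file
        write(root, "arcade.php", b"<?php // add-on")              # installed modification
        write(root, "admincp/vbacmps_install.php", b"<?php // x")  # leftover installer
        Path(root, "includes/functions.php").unlink()              # deleted core file
        return suspect_files(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Build the manifest from a clean copy of the release package rather than from the live server, so that an already altered core file is not recorded as known-good.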

EnIgMa1234 07-29-2007 08:16 PM

Look in cPanel for password protect directories

TunerNetwork 07-29-2007 08:23 PM

Quote:

Originally Posted by Delphiprogrammi (Post 1304823)
cPanel contains a utility that helps you with that: click "password protect directories". Also, you have two installers in a web-accessible location; that's asking to mess your board up. Delete those installers!!

Actually I just saw that and am trying and testing that now.

OK, I just pw protected my cgi-bin folder, my admin and modcp folders. Anything else?

I think I might have it pretty tight now, unless you guys can recommend anything else.

MRGTB 07-29-2007 10:22 PM

Quote:

Originally Posted by Delphiprogrammi (Post 1304823)
cPanel contains a utility that helps you with that: click "password protect directories". Also, you have two installers in a web-accessible location; that's asking to mess your board up. Delete those installers!!

WOW, talk about a security risk. Why have these installation files not been deleted? That's asking to be hacked - handed on a plate!

TunerNetwork 07-30-2007 01:18 PM

K, those have been deleted. MRGTB, I'm not a coding pro etc, I posted on here for your help and I appreciate everyone's responses, as I feel my site is 100x more secured now because of your help.

TunerNetwork 08-01-2007 02:33 PM

Well, last night, after I did the security fixes etc, I got the big...you've been hacked page on the index page. Figured that was coming. I uploaded a backup etc, did all the security fixes etc. Anyone here experienced to look at my database and see if any files are there which aren't supposed to be? There must be something there for them to keep getting access to the backend. I have it locked up tight, it's a pain even for me to get there lol

My AIM is TN Zazza

I just removed the install and installer folders from my server, just downloaded them to my PC and removed them from online. Figured this would be a potential place to try and mess up.

What I did is delete a lot of mods that I was not really using anymore etc and am trying to clean up the board some. Here is my diagnostics list now, see anything bad, let me know:

Root:
arcade.php
fixoptions.php
mm_menu.js
modelapp.php
template.htm
vbfavorites.php
vbgarage.php

Clientscript:
activecell.htc
ncode_imageresizer.js

Admin:
arcade.php
vba_cmps_admin.php

Includes:
adminfunctions_links.php
adminfunctions_vba_cmps.php
class_dm_itrader.php
class_ucs_core.php
datastore_cache.php
functions_links.php
functions_ucs_shared.php
vba_cmps_include_bottom.php
vba_cmps_include_error.php
vba_cmps_include_template.php
vba_cmps_include_top.php
vba_cmps_plugin_newpost.php

Includes/Cron:
articlebot_vbcron.php
links_search.php
links_subscriptions.php
rsvp_notify.php
vba_global_error.php

Includes/XML:
bitfield_comments.xml
bitfield_profileviews.xml
cpnav_arcade.xml
cpnav_rpm.xml
cpnav_ucs.xml
cpnav_vbacmps.xml
hooks_ibproarcade.xml
hooks_v3arcade.xml
product-ibproarcade.xml

These are the ones that get the "File not recognized as part of vBulletin" message when I run the diagnostics. As you can see, a bunch of them are from my vbadvanced being installed.

Appreciate the input.

David Lama 08-02-2007 01:58 AM

Quote:

Originally Posted by MRGTB (Post 1304253)
Did u say just a FEW hacks :rolleyes:

Go over to vBulletin, there is a thread there somewhere that tells you things to do to make your board more secure, like renaming the admincp folder to another name, and you can also make use of .htaccess files to require two logins for the admin area. You should also use an .htaccess file to protect folders like the CGI-BIN, so CGI scripts cannot be run from there.

Got a link to that thread? :)

