vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Keep Being Hacked (https://vborg.vbsupport.ru/showthread.php?t=171647)

Daniel Thomas 02-28-2008 12:45 PM

Keep Being Hacked
 
Hi, I'm having issues with a hacker.

Our site, forum.pwmania.com has been hacked twice by a hacker, Boraish.

Apparently, from the looks of it, they are hacking our Style and simply overwriting it because I'm going into VB's finalupgrade.php script and I reinstall the style and then it all works again. Anybody know what the issue is and how to fix it?

nexialys 02-28-2008 01:18 PM

Change all your access passwords, for once, and deactivate the /install/ directory when you do not need it...

If the guy has access to your style, it is because he has access to your site... think of it.

Daniel Thomas 02-28-2008 02:40 PM

Okay, so when you say "access to the site" do you mean access directly to the server or access to the VB AdminCP? If you're referring to the AdminCP, well, the guy just hacked it a 3rd time 10 minutes ago and I'm the only administrator who has been on the last 2 times it's been hacked and I'm also the only person who has access to the Styles, so that must mean he's hacked my account and was using it while I was still logged in.

From my experience, it's something with VB because if the guy has access to the server, then he could take down all 8 sites we have hosted on the server but instead he's only messing with the forum, the only thing he can hack because he apparently doesn't have access to the server.

The /install/ files are non-functional until I rechmod them so I can run the finalupgrade.php file to reinstall the vbstyles.

I'm not new to these hackers, I've heard of them before and they do this stuff all the time.
http://img518.imageshack.us/img518/9554/hackaq2.jpg

Opserty 02-28-2008 04:21 PM

Disable your modifications, use the default vBulletin style and upgrade to the latest version of vBulletin. That is the only way to reduce his success rate.

You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it. (The on-screen instructions say just delete install/install.php but it is safe just to remove the entire directory, I'm pretty sure none of the files in that directory are used in standard scripts)

What version of vBulletin are you using?
Are there any other scripts running on your domain? (that are not part of default vBulletin, e.g. Wordpress or something)

They could just be editing the style directly from the database, although it is a little difficult, it is not impossible. Check the Administration Logs in the vBulletin AdminCP to see if it was edited by another Admin (he may have gained access to their account).

If you keep restoring old things he will just take it down again.

Boofo 02-28-2008 04:25 PM

Quote:

Originally Posted by Opserty (Post 1453008)
You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it. (The on-screen instructions say just delete install/install.php but it is safe just to remove the entire directory, I'm pretty sure none of the files in that directory are used in standard scripts)

I agree you should delete most of it, but you really should keep the install directory and only these 2 files in it for later use:

Quote:

index.html (1 byte)
mysql-schema.php

Lynne 02-28-2008 05:15 PM

Quote:

Originally Posted by Boofo (Post 1453012)
I agree you should delete most of it, but you really should keep the install directory and only these 2 files in it for later use:

Why keep them on the server? I keep a copy of my site on my home computer. I am the only one who ever does anything to vb, so I'm the only one who needs those files, therefore I just delete the whole install directory since no one else needs it.

Daniel Thomas 02-28-2008 05:36 PM

Apparently the server has crashed or else they are DoSing it because it's been down for several hours now.

Quote:

You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it.
If I remove all the contents from the install folder, then there is nothing for me to reinstall the vbstyles, because once he hacks it, everything is screwed up. You can't login to the admincp or anything, whatsoever. I must use the finalupgrade.php Step 4 to reinstall the vbulletin-style.xml file to get it working again so I can log in.

Quote:

What version of vBulletin are you using?
Are there any other scripts running on your domain? (that are not part of default vBulletin, e.g. Wordpress or something)
3.6.4
There are no other scripts other than VB in the forums subdomain.

Quote:

They could just be editing the style directly from the database, although it is a little difficult, it is not impossible. Check the Administration Logs in the vBulletin AdminCP to see if it was edited by another Admin (he may have gained access to their account).
As I stated earlier, I'm the only one who has the permissions to edit styles and I'm also the only administrator who has logged in and he was hacking the forum while I was still on it. He's probably hacked it 6-7 times now.

Quote:

If you keep restoring old things he will just take it down again.
I have to restore vbulletin-style.xml in order to get the forum working again.

EDIT:
The only other alternative I know of is that he somehow either found a flaw in the coding or else has hacked the server in some way because I found a file called update.php that they kept installing on the server that would overwrite the forum, allowing them to put that message on the board. He probably installed it two or three times and every time I found it, I chmodded it to disable it and then he would install a new one in a different spot. Once I can get back on the server, I'll let y'all see it.

Boofo 02-28-2008 06:27 PM

Quote:

Originally Posted by Lynne (Post 1453039)
Why keep them on the server? I keep a copy of my site on my home computer. I am the only one who ever does anything to vb, so I'm the only one who needs those files, therefore I just delete the whole install directory since no one else needs it.

It won't do any harm leaving it there. It is the other files that don't need to be there.

If I remember right, Kirby used that file for one of his hacks a while back.

Lynne 02-28-2008 07:36 PM

If he keeps putting some update.php file on the server, then it sounds to me like he has ftp access to your site. You should change your passwords to logon to your server. Is this the only site on the server? If other sites are there and have modifications installed, maybe he is somehow using one of them to upload the file? Sorry, hacking isn't my expertise, but I would definitely start by changing all passwords and making sure the admin cp is htaccess protected.

When you say you keep installing the style again and again, are you putting up your own style, or the vbulletin default style?

Also, have you read this? http://www.vbulletin.com/forum/showthread.php?t=194701

dfdems 02-28-2008 09:58 PM

My site actually got hacked today in much the same fashion. I am going back through it right now trying to set it straight. I am guessing a product or plugin is a possible cause.

Marco van Herwaarden 02-29-2008 07:02 AM

If reinstalling the default style using tools.php solves your problem, then this indicates that 1 of the following is happening:
- The hacker is able to change your MASTER_STYLE. This style is only accessible when the board is in debug-mode. Unless you are running in debug-mode, this can only be changed by a direct edit in the database.
- The precompiled cached version of your templates is edited. Again this can only be done by direct editing of the database. The problem gets "solved" when the cache is rebuilt (like is done when using tools.php).

Both of these scenarios require that the hacker has direct access to your database, so I would start by focusing on how he gained access to your database and close this gap. You might want to contact your host about this.
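The two scenarios above (a changed MASTER_STYLE and a tampered compiled-template cache) and Opserty's Administration Logs suggestion can be checked from the database side without rebuilding anything. The script below is an added example, not code from the thread or from vBulletin: it reads the database name and table prefix from includes/config.php in the vB3 format of that era (`$config['Database']['tableprefix'] = 'vb_';`), emits three audit queries against the assumed vB3 tables `template` (styleid, title, template, template_un, dateline, username), `adminlog` (userid, dateline, script, action, ipaddress) and `user`, and pipes them into the mysql client. `since` is the UNIX time of the last known-good reinstall of vbulletin-style.xml.

```shell
#!/bin/sh
# Added example, not from the thread or from vBulletin. Assumed vB3 schema and
# config.php layout are described in the lead-in; adjust if your board differs.

# vb_config_value FILE SECTION KEY -> prints the quoted value from config.php,
# e.g. vb_config_value includes/config.php Database tableprefix
vb_config_value() {
  sed -n "s/^[[:space:]]*[\$]config\['$2']\['$3'][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# vb_template_audit_sql PREFIX SINCE_EPOCH -> prints the audit queries to stdout
vb_template_audit_sql() {
  p="$1"; since="$2"
  cat <<EOF
-- 1. MASTER_STYLE (styleid -1) templates saved after the last known-good
--    reinstall. Outside debug mode a legitimate board never touches these.
SELECT templateid, title, username, FROM_UNIXTIME(dateline) AS saved
  FROM ${p}template
 WHERE styleid = -1 AND dateline > ${since}
 ORDER BY dateline DESC;

-- 2. Templates whose compiled copy (what visitors are served) carries markup
--    that the uncompiled source lacks. A direct edit of the cache column
--    typically leaves template_un alone, so the two drift apart.
SELECT styleid, templateid, title,
       LENGTH(template) AS compiled_len, LENGTH(template_un) AS source_len
  FROM ${p}template
 WHERE (template LIKE '%<script%' AND template_un NOT LIKE '%<script%')
    OR (template LIKE '%<iframe%' AND template_un NOT LIKE '%<iframe%');

-- 3. Recent AdminCP template/style actions with the account and IP that made
--    them, to compare against the admins who were actually logged in.
SELECT FROM_UNIXTIME(a.dateline) AS logged_at, u.username,
       a.script, a.action, a.ipaddress
  FROM ${p}adminlog a LEFT JOIN ${p}user u ON u.userid = a.userid
 WHERE a.script LIKE 'template%' OR a.script LIKE 'style%'
 ORDER BY a.dateline DESC LIMIT 50;
EOF
}

# vb_template_audit WEBROOT SINCE_EPOCH -> runs the queries with the board's own credentials
vb_template_audit() {
  cfg="$1/includes/config.php"
  db=$(vb_config_value "$cfg" Database dbname)
  pre=$(vb_config_value "$cfg" Database tableprefix)
  host=$(vb_config_value "$cfg" MasterServer servername)
  user=$(vb_config_value "$cfg" MasterServer username)
  pass=$(vb_config_value "$cfg" MasterServer password)
  # MYSQL_PWD keeps the password out of the process list
  vb_template_audit_sql "$pre" "$2" | MYSQL_PWD="$pass" mysql -h "$host" -u "$user" "$db"
}

# Usage (GNU date shown): vb_template_audit /var/www/forum "$(date -d 2008-02-28 +%s)"
if [ "$#" -eq 2 ]; then
  vb_template_audit "$1" "$2"
fi
```

Query 1 is the direct test of Marco's first scenario; query 2 is a heuristic for the second (it only catches injected script/iframe markup, so an empty result is not proof of a clean cache); query 3 is what Opserty's "check the Administration Logs" advice looks like in SQL, and an entry from an unfamiliar IP under your own username is the account-takeover case described later in the thread.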

Daniel Thomas 02-29-2008 05:41 PM

Quote:

Originally Posted by Marco van Herwaarden (Post 1453478)
If reinstalling the default style using tools.php solves your problem, then this indicates that 1 of the following is happening:
- The hacker is able to change your MASTER_STYLE. This style is only accessible when the board is in debug-mode. Unless you are running in debug-mode, this can only be changed by a direct edit in the database.
- The precompiled cached version of your templates is edited. Again this can only be done by direct editing of the database. The problem gets "solved" when the cache is rebuilt (like is done when using tools.php).

Both of these scenarios require that the hacker has direct access to your database, so I would start by focusing on how he gained access to your database and close this gap. You might want to contact your host about this.

Yes, I was actually able to find the php file they were using to overwrite the database. Somehow, they even managed to access the config file so they could get our MySQL database information to use in their script to overwrite the forum. I do have a copy of this file, if you would like, I can send it to you.

Is it possible they found an exploit in a plugin or something that allowed them to place this file on the server and then manage to hack the config.php file, all without having to actually hack the server?

Marco van Herwaarden 03-01-2008 06:50 AM

If they can place a PHP file on your server and execute it, then it is no problem to get the contents of your config.php.

I don't know how they placed that file on your server, I doubt it was done through standard vBulletin. More likely: FTP Access/Server Control Panel, vulnerable modification,...

Boofo 03-01-2008 06:51 AM

Or maybe a disgruntled ex-Staff member with access to the server?

Daniel Thomas 03-11-2008 02:01 PM

We're still being hacked. We've changed the password to our server and we've upgraded our forum to the latest version and still these Saudi Arabian hackers keep hacking the forum. Earlier in the week they were even hacking my account and taking over and now they are back at overwriting the forum skin again. I keep going in and deleting the files they place on the server that allow them to overwrite the forum and now I'm completely out of ideas on how to secure the forum.

Dismounted 03-12-2008 08:58 AM

If they can place files on the server, then it (most likely) indicates a problem on the server level (e.g. FTP or SSH). It could also be caused by another script.
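Several replies (nexialys, Opserty, Lynne, Dismounted) come down to the same two file-system checks: nothing should be appearing under the web root that the admin did not put there, and the /install directory should be gone once the upgrade is done. The script below is an added example, not code from the thread or from vBulletin: it records a SHA-256 manifest of every PHP file under the web root and later reports files that appeared, changed or vanished, which is how a dropped update.php would surface between two runs. It assumes a POSIX shell with find and awk, sha256sum (falling back to shasum), and paths without whitespace; the web root and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from vBulletin. Keeps a hash manifest of
# the PHP files under a web root and reports drift against it.

# hash_file PATH -> "sha256  PATH"; shasum is the fallback where coreutils is absent
hash_file() { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; }

# php_manifest WEBROOT OUTFILE -> one "sha256  ./relative/path" line per PHP file, sorted
php_manifest() {
  out="$2"
  ( cd "$1" && find . -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
      hash_file "$f"
    done ) > "$out"
}

# php_diff WEBROOT MANIFEST -> NEW / MODIFIED / MISSING lines against the saved manifest
php_diff() {
  cur=$(mktemp)
  php_manifest "$1" "$cur"
  # first file = saved manifest, second = current state; $1 is the hash, $2 the path
  awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
       {
         if (!($2 in base)) print "NEW " $2
         else { if (base[$2] != $1) print "MODIFIED " $2; delete base[$2] }
       }
       END { for (p in base) print "MISSING " p }' "$2" "$cur" | LC_ALL=C sort
  rm -f "$cur"
}

# install_dir_present WEBROOT -> exit 0 while /install still exists (it should not after an upgrade)
install_dir_present() { [ -d "$1/install" ]; }

# demo_diff: constructed web root (not a real board). Snapshot it, then simulate a dropped
# file, an altered file and the removal of /install, and print the resulting report.
demo_diff() {
  d=$(mktemp -d); m="$d.manifest"
  mkdir -p "$d/includes" "$d/install"
  printf '<?php // index\n' > "$d/index.php"
  printf '<?php // config\n' > "$d/includes/config.php"
  printf '<?php // installer\n' > "$d/install/install.php"
  php_manifest "$d" "$m"                               # known-good snapshot
  printf '<?php // dropped later\n' > "$d/update.php"  # file that should not be there
  printf '<?php // index (altered)\n' > "$d/index.php" # tampered file
  rm -rf "$d/install"                                  # admin removed the installer
  php_diff "$d" "$m"
  rm -rf "$d" "$m"
}

demo_diff
```

In practice the manifest is taken right after a clean install or upgrade and stored off the server (Lynne's point about keeping a copy at home applies to the manifest as much as to the files), since a manifest the attacker can rewrite proves nothing. The demo's report is three lines: `MISSING ./install/install.php`, `MODIFIED ./index.php`, `NEW ./update.php`.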


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
