Quote:
Originally Posted by snakes1100
If you had done as I posted in your own thread, you wouldn't have needed to restore a backup.
1. You should have upgraded vB, hacks/addons, the server backend and anything else outdated.
2. Symlinking your config.php isn't going to stop the hacker either.
3. Blocking foreign-based IPs isn't going to stop him either.
Seeing as you still present the injection hole for him to use, he will be back to visit you again.
I spoke with the programmer of the two mods. He indicated these mods are not accessible from anywhere but the AdminCP. I am not a programmer, so I can't confirm. The guy has a good reputation, but who can you really trust?
I am at 3.8.3 [EDIT: actually 3.8.2]. I am not sure that 3.8.4 has any security fixes in it. I'll double-check. I believe my host has the server up to date. Again, I'll double-check.
I can't see how just updating as you suggested would have removed the hack they injected without me restoring the backup (note that this was a database restore only, not the entire system). No matter what I did, it showed a disturbing picture and the hackers' text. It seems that would be in the database no matter what updates were performed.
Quote:
Originally Posted by Angel-Wings
And the logs just say the attacker isn't coming from the US West Coast? Well, in a world of botnets and open proxies it's maybe just a matter of time until the attacker finds an IP that isn't blocked.
Maybe better to spend your time fixing the holes. If I don't lock the door and just paste a huge poster over it, the door itself isn't more "secure", and this "door" is the problem, not how to hide it from someone.
I figured this wasn't a fix but a band-aid until I got the hole fixed. I also have some code in the .htaccess to deny proxies and other items. Found it online and learning as I go; hope it works.
Code:
RewriteEngine on
# Refuse any request carrying a header that forwarding proxies typically add.
# Header names are written with hyphens: %{HTTP:...} looks up the header name
# literally as sent, so X_FORWARDED_FOR would never match X-Forwarded-For.
RewriteCond %{HTTP:Via} !^$ [OR]
RewriteCond %{HTTP:Forwarded} !^$ [OR]
RewriteCond %{HTTP:Useragent-Via} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For} !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:Xproxy-Connection} !^$ [OR]
RewriteCond %{HTTP:PC-Remote-Addr} !^$ [OR]
RewriteCond %{HTTP:Client-IP} !^$
# [F] answers 403 Forbidden and stops rewriting. This also locks out
# legitimate visitors behind corporate proxies, and it must not be used when
# the site itself sits behind a reverse proxy or CDN, which sets
# X-Forwarded-For on every request.
RewriteRule ^(.*)$ - [F]
Quote:
Originally Posted by Angel-Wings
You can enable the query log in your database, but this might be a performance issue. Also, protecting the Admin & Mod panel with an auth won't hurt; just ensure the login user and password aren't written somewhere on your board.
I have .htaccess for the admin and mod CP that requires authentication.
Quote:
Originally Posted by Angel-Wings
Can also be the usual "background noise", like automatic IP scans for holes in the all-time favourites like Joomla, phpMyAdmin, Horde and some older vB holes. Dunno how the attacking people read their attack logs; maybe they just filtered for 200 replies and so wanted to see if they did any damage.
Right now, try to find out how it happened and fix the hole. Then things like IP range blocking can be done anyway. First get the system clean and up-to-date; then additional enhancements can be done.
I guess I am taking the right steps, just out of order. I'm still at a loss for figuring out how they 'injected' in the first place. Please forgive my ignorance. From what I've read, vBulletin is pretty secure against injection as long as there aren't any mods. Is this a fact? I am using the vB default style, so it shouldn't be an issue there. How would I be able to tell if the two mods I have are not secure?
Thanks again for input.
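A first-pass way to answer the last question in the post above, added here as an example and not code from this thread, from vBulletin or from any real mod: a small Python script that scans an add-on's PHP for request input ($_GET, $_POST, $_REQUEST, $_COOKIE) that reaches a database query call without passing through intval(), escape_string() or an (int)/(float) cast. The two PHP samples are constructed for this example; they use vBulletin 3.x method names (query_read, query_write, query_first, escape_string, clean_array_gpc, TYPE_UINT) so the patterns match what a mod for that version looks like.

```python
import re

# Constructed samples of vBulletin 3.x-style add-on code (written for this example,
# not taken from the page or from any real mod). query_read/query_write/query_first
# and escape_string are methods of vBulletin's database class; clean_array_gpc and
# TYPE_UINT belong to its input-cleaning API.
VULNERABLE_PHP = r'''<?php
$threadid = $_GET['t'];
$result = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "thread WHERE threadid = $threadid");
$name = $_REQUEST['name'];
$db->query_write("UPDATE " . TABLE_PREFIX . "user SET username = '" . $name . "' WHERE userid = 1");
$row = $db->query_first("SELECT userid FROM " . TABLE_PREFIX . "user WHERE username = '" . $_POST['u'] . "'");
'''

SAFE_PHP = r'''<?php
$vbulletin->input->clean_array_gpc('g', array('t' => TYPE_UINT));
$threadid = $vbulletin->GPC['t'];
$forumid = (int) $_GET['f'];
$result = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "thread WHERE threadid = " . intval($threadid) . " AND forumid = $forumid");
$name = $db->escape_string($_REQUEST['name']);
$db->query_write("UPDATE " . TABLE_PREFIX . "user SET username = '" . $name . "' WHERE userid = 1");
'''

# Raw request input: anything read straight out of a PHP superglobal.
TAINT_SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]")
# Simple one-line assignments: $var = <expression>;
ASSIGNMENT = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.+);\s*$")
# Calls that hand a string to MySQL (vBulletin DB-class methods plus raw mysql_query).
QUERY_CALL = re.compile(
    r"\b(?:query_first_slave|query_first|query_read|query_write|query|mysql_query)\s*\("
)
# A value is treated as neutralised when one of these sits immediately before it.
SANITIZER_PREFIXES = ("intval(", "floatval(", "escape_string(", "(int)", "(float)")


def _unsanitized_uses(expr, pattern):
    """Return the matches of `pattern` in `expr` that are not wrapped by a sanitizer."""
    hits = []
    for m in pattern.finditer(expr):
        before = expr[: m.start()].rstrip()
        if not before.endswith(SANITIZER_PREFIXES):
            hits.append(m.group(0))
    return hits


def _var_pattern(var):
    # The trailing \b stops "$name" from matching "$names".
    return re.compile(re.escape(var) + r"\b")


def _tainted_uses(expr, tainted):
    """Names of raw superglobals or tainted variables used unsanitised in `expr`."""
    names = _unsanitized_uses(expr, TAINT_SOURCE)
    for var in sorted(tainted):
        if _unsanitized_uses(expr, _var_pattern(var)):
            names.append(var)
    return names


def audit_php(source):
    """Flag query calls whose argument contains request input that was never cleaned.

    Returns a list of (line_number, offending_name). Taint is tracked through simple
    one-line assignments only; multi-line queries, function calls and includes are
    not followed, so an empty result means "nothing obvious", not proof of safety.
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        qm = QUERY_CALL.search(line)
        if qm:
            # Only inspect the call's argument, not a "$result =" on the same line.
            for name in _tainted_uses(line[qm.end():], tainted):
                findings.append((lineno, name))
        am = ASSIGNMENT.match(line)
        if am:
            var, rhs = am.groups()
            if _tainted_uses(rhs, tainted):
                tainted.add(var)       # raw input (or a copy of it) now lives in $var
            else:
                tainted.discard(var)   # reassigned from something clean
    return findings


if __name__ == "__main__":
    for label, php in (("vulnerable", VULNERABLE_PHP), ("hardened", SAFE_PHP)):
        print(label, audit_php(php))
```

Run it over each file of a mod with `audit_php(open(path).read())`. Every hit is a line where untrusted input is concatenated into SQL and should be fixed with vBulletin's clean_gpc/clean_array_gpc (which also gives you the typed $vbulletin->GPC[...] values) or with intval()/escape_string(). The check is deliberately crude: it does not follow input through functions, templates or hook files, so a clean report is a reason to read the code, not to stop looking.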