vBFirewall v1.0

This is my first mod for vBulletin and I have tried to make it as better as I could.

Click Install If You Use it!!

What is vBFirewall?
Its a PHP script which blocks all kinds of attacks on your vBulletin Forum! Like: URL Poisoning, Remote File Inclusion, SQL Injection, XSS and other kinds of attacks.

I have tested each and every function of this mod before releasing it and have used it myself for 1 month

It has a attacker logger, which logs the IP and many details of the attacker so that you can reach him

This is still in beta version and I will add more features in it to make your vBulletin more secure Suggestions are always welcome.


How to install?

1) Go to Admin and Import the xml file product-firewall_vb_rs.xml using the plugin manager.
2) Keep an eye on the log file which can be found here: www.yourvbforumurl.com/logfile_worms.txt (This file will only be created when a attack occour)
3) Your website is now secure from hackers



Thanks

[michi123]

Quote:

Originally Posted by Galex55

LoL i get an hack Attack today, The Plugin send me an email with his IP adress etc.. Many Thanks

if u got many attacks, ask your webspace provider for the webserver logs (specially of the attackers ip!), goto http://www.db.ripe.net/whois type in the ip of the attacker and look for the abuse email! write the logs (vbfirewall + webserver logs if u can get them) to the abuse team, with the exact time and date + time zone, and voala - this was the last time, that the same attacker will attack u again ! i also started to do this, and the hacker are reduced to a minimum !

btw - its impossible to open new pm notifications in an extra window - the vbfirewall thinks, that this is some attack! how can i fix this?

[Notorious Jay]

Well I installed this the other night to see if it worked, it did send me some emails saying there were hack attempts, but all of them except for 1 were legitimate board request. How can I be so sure, well my i.p. created them.

Since then None of my members can log into the site and I keep getting error messages non stop literally for the past 14 hours. I had 24000 new error emails when I logged in to my gmail account.

So my question to you is could this be because the information in the config.php file does not correspond with the real password for the root directory. t.b.h. I am not sure if it is still correct or not as we do not own the server that we run the boards on and we do not have permission to access the root directory. We only have permission to access the forums directory and lower. I messaged the server owner, hopefully he will know if the passwords match up and maybe be able to fix them if this is the case. Here is the message maybe you can tell me for sure if it could even be created by your hack or if I should be looking into another problem.

Database error in vBulletin :

Cannot use database XXX_XXXXXX <--- where XXX = directory of forum location & XXXXXX = forum home directory

MySQL Error : Access denied for user 'XXX_XXXXXX'@'localhost' to database 'XXX_XXXXXX' ^
Error Number : 1044
Request Date : Friday, February 20th 2009 @ 11:26:12 PM
Error Date : Friday, February 20th 2009 @ 11:26:12 PM
Script : Varies Obviously with what the user is trying to do
Referrer :
IP Address : varies obviously by user
Username :
Classname : vb_database
MySQL Version :

Oh and to conclude, since the problem I've uninstalled the hack and am still getting the same problem...

[michi123]

first, i think this error msg hasnt todo anything with the firewall! this looks like u changed the /includes/config.php name and/or path! https://vborg.vbsupport.ru/showthread.php?t=198856 i think u didnt change the xxxxx to the new path/name of your config.php!

u shud post the script!

Code:

Script : Varies Obviously with what the user is trying to do

if u dont do that, noone can help u! vbfirewall is blocking some internous board things like pm in new pop up window - in that pop up window u get the vbfirewall hack attempt message, and thread subscriptions etc.. but u can fix this by configuring the firewall - its hard todo that if u duno anything about it, but its easy if u look over it - easy to understand!

[Notorious Jay]

^ Yeah, I am not even sure myself if it was caused by firewall... but we never had that problem until it was installed. Config.php is still /includes/config.php

the script has literally been everything... every time someone tries to do anything at all(post or view a thread or even log in they are getting an error)...
some examples
/index.php
/forums/icash.php?do=donate&to=xxx
/forums/search.php?do=finduser&userid=8427&searchthreadid= 45331
/forums/showthread.php?p=241423
/forums/misc.php?do=whoposted&t=40409
/forums/showthread.php?goto=newpost&t=28640

and on and on and on

the server owner has fixed the password so they match and now I'm not getting the errors but now it's like I have two databases... :-X

the old database loads in ie (by old I mean the one that was current until the problem.)
and the new database loads in mozilla.... (by new I mean the database as it was save last on the server and all new posts that have happened since the server owner changed the information in config)

it's one of the weirdest problems I've encountered and I haven't figrued out what could have caused it. Nothing on the board has changed in the past week except installing vBFirewall :-X...

I'm hoping I don't have to dump the database and start from scratch.

[Notorious Jay]

nvm. I found the plugin that didn't remove itself.

[michi123]

which plugin was the prob???

[gmerin]

i had an issue just now that is solved by disabling vbfirewall: with the mod enabled, when i attempt to go to admincp-> vb options -> cookies & http header options i get a white screen and this message: 1||1235333916||||||||Error Opening Logfile. (see post attachment)

On a v3.7.3 system i get this message:

1||1235334329||nnn.nnn.nnn.nnn||do=options&dogroup =http||http://www.blahblah.com/admincp/opti...0||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6Access Denied, you have been logged.

Disabling the mod fixes the issue. Tested on two separate v3.8.1 systems and one v3.7.3 system

[desirulez]

1||1235352914||||||||
1||1235353109||||||||
1||1235353127||||||||

what is this means

[Jim Pauley]

trying to access the adminlogs I get this error


1||1235350146||72.171.0.145||do=view&script=&u=2||http://mastercatters2.com/admincp/ad...y||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)Access Denied, you have been logged.

other than that it does a great job of logging and emailing me with the hack attempt

turned it off and the error goes away and I can access the logs

config.php was set up properly for me and the other two admins 1,2,3

and I retained my 2 as the superadmin

[Notorious Jay]

Quote:

Originally Posted by michi123

which plugin was the prob???

TBH I don't remember what the plugin was called :-X
sorry...

When I removed the entire mod it left a stray plugin on the board. I went to plugin manager and it was the only one left under the heading vBFirewall. Since I uninstalled it I haven't had any problems.

I still can't say for sure what caused the problem. I would venture to guess there must be a clash with another mod that we have installed or with the type of server we have. ? ? ?

It's strange that people are getting an error to view their admin logs, that is one error I didn't receive. I check them everytime that I log in so I would have noticed.