Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions

Reply
 
Thread Tools Display Modes
  #1  
Old 02-28-2008, 12:45 PM
Daniel Thomas Daniel Thomas is offline
 
Join Date: Jul 2005
Posts: 24
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Keep Being Hacked

Hi, I'm having issues with a hacker.

Our site, forum.pwmania.com has been hacked twice by a hacker, Boraish.

Apparently, from the looks of it, they are hacking our Style and simply overwriting it because I'm going into VB's finalupgrade.php script and I reinstall the style and then it all works again. Anybody know what the issue is and how to fix it?
Reply With Quote
  #2  
Old 02-28-2008, 01:18 PM
nexialys
Guest
 
Posts: n/a
Default

change all your access passwords, for once, and deactivate the /install/directory when you do not need it...

ifthe guy have access to your style, it is because he have access to your site... think of it.
Reply With Quote
  #3  
Old 02-28-2008, 02:40 PM
Daniel Thomas Daniel Thomas is offline
 
Join Date: Jul 2005
Posts: 24
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Okay, so when you say "access to the site" do you mean access directly to the server or access to the VB AdminCP? If you're referring to the AdminCP, well, the guy just hacked it a 3rd time 10 minutes ago and I'm the only administrator who has been on the last 2 times its been hacked and I'm also the only person who has access to the Styles, so that must mean he's hacked my account and was using it while I was still logged in.

From my experience, its something with VB because if the guy has access to the server, then he could take down all 8 sites we have hosted on the server but instead he's only messing with the forum, the only thing he can hack because he apparently doesn't have access to the server.

The /install/ files are non-functional until I rechmod them so I can run the finalupgrade.php file to reinstall the vbstyles.

I'm not new to these hackers, I've heard of them before and they do this stuff all the time.
Reply With Quote
  #4  
Old 02-28-2008, 04:21 PM
Opserty Opserty is offline
 
Join Date: Apr 2007
Posts: 4,103
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Disable your modifications, use the default vBulletin style and upgrade to the latest version of vBulletin. That is the only way to reduce his success rate.

You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it. (The on-screen instructions say just delete install/install.php but it is safe just to remove the entire directory, I'm pretty sure none of the files in that directory are used in standard scripts)

What version of vBulletin are you using?
Are there any other scripts running on your domain? (that are not part of default vBulletin, e.g. Wordpress or something)

They could just be editing the style directly from the database, although it is a little difficult, it is not impossible. Check the Administration Logs in the vBulletin AdminCP to see if it was edited by another Admin (he may have gained access to their account).

If you keep restoring old things he will just take it down again.
Reply With Quote
  #5  
Old 02-28-2008, 04:25 PM
Boofo's Avatar
Boofo Boofo is offline
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Opserty View Post
You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it. (The on-screen instructions say just delete install/install.php but it is safe just to remove the entire directory, I'm pretty sure none of the files in that directory are used in standard scripts)
I agree you should delete most of it, but you really should keep the install directory and only these 2 files in it for later use:

Quote:
index.html (1 byte)
mysql-schema.php
Reply With Quote
  #6  
Old 02-28-2008, 05:15 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Boofo View Post
I agree you should delete most of it, but you really should keep the install directory and only these 2 files in it for later use:
Why keep them on the server? I keep a copy of my site on my home computer. I am the only one who ever does anything to vb, so I'm the only one who needs those files, therefore I just delete the whole install directory since noone else needs it.
Reply With Quote
  #7  
Old 02-28-2008, 05:36 PM
Daniel Thomas Daniel Thomas is offline
 
Join Date: Jul 2005
Posts: 24
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Apparently the server has crashed or else they are dossing it because its been down for several hours now.

Quote:
You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it.
If I remove all the contents from the install folder, then there is nothing for me to reinstall the vbstyles, because once he hacks it, everything is screwed up. You can't login to the admincp or anything, whatsoever. I must use the finalupgrade.php Step 4 to reinstall the vbulletin-style.xml file to get it working again so I can log in.

Quote:
What version of vBulletin are you using?
Are there any other scripts running on your domain? (that are not part of default vBulletin, e.g. Wordpress or something)
3.6.4
There are no other scripts other than VB in the forums subdomain.

Quote:
They could just be editing the style directly from the database, although it is a little difficult, it is not impossible. Check the Administration Logs in the vBulletin AdminCP to see if it was edited by another Admin (he may have gained access to their account).
As I stated earlier, I'm the only one who has the permissions to edit styles and I'm also the only administrator who has logged in and he was hacking the forum while I was still on it. he's probably hacked it 6-7 times now.

Quote:
If you keep restoring old things he will just take it down again.
I have to restore vbulletin-style.xml in order to get the forum working again.

EDIT:
The only other alternative I know of is that he somehow either found a flaw in the coding or else has hacked the server in some way because I found a file called update.php that they kept installing on the server that would overwrite the forum, allowing them to put that message on the board. He probably installed it two or three times and everytime I found it, I chmodded it to disable it and then he would install a new one in a different spot. Once I can get back on the server, I'll let yall see it.
Reply With Quote
  #8  
Old 02-28-2008, 06:27 PM
Boofo's Avatar
Boofo Boofo is offline
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Lynne View Post
Why keep them on the server? I keep a copy of my site on my home computer. I am the only one who ever does anything to vb, so I'm the only one who needs those files, therefore I just delete the whole install directory since noone else needs it.
It won't do any harm leaving it there. It is the other files that don't need to be there.

If I remember right, Kirby used that file for one of his hacks a while back.
Reply With Quote
  #9  
Old 02-28-2008, 07:36 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If he keeps putting some update.php file on the server, then it sounds to me like he has ftp access to your site. You should change your passwords to logon to your server. Is this the only site on the server? If other sites are there and have modifications installed, maybe he is somehow using one of them to upload the file? Sorry, hacking isn't my expertise, but I would definitely start by changing all passwords and making sure the admin cp is htaccess protected.

When you say you keep installing the style again and again, are you putting up your own style, or the vbulletin default style?

Also, have you read this? http://www.vbulletin.com/forum/showthread.php?t=194701
Reply With Quote
  #10  
Old 02-28-2008, 09:58 PM
dfdems dfdems is offline
 
Join Date: Jan 2005
Posts: 30
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

My site actually got hacked today in much the same fashion. I am going back though it right now trying to set it straight. I am guessing a product or plugin is a possible cause.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:06 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04322 seconds
  • Memory Usage 2,248KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (8)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (9)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete