  #11  
Old 06-29-2006, 07:00 AM
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

What proof of this do you have specifically? Have you done security audits? Have you uninstalled all of your modifications and run with only the default vBulletin code? If not, you cannot say beyond a doubt that there was not something else aside from vBulletin allowing you access.
Reply With Quote
  #12  
Old 06-29-2006, 08:07 AM
Heidrich Heidrich is offline
 
Join Date: Jun 2006
Posts: 18

Quote:
Originally Posted by christianb
Heidrich, I was on phpNuke when I was brutally hacked and from the way it is being described, my attack was similar to yours. One thing I took note of was SSH traffic. I had previously been hacked once before, a minor defacing, but I made note of the SSH traffic on that as well. This time it was much larger. It was then I requested my SSH and telnet disabled - in fact, all avenues of access other than ftp and http closed. Knock on wood, I've not had anything happen since. It was this last hacking that I had decided to move to vbulletin - away from phpNuke. Fortunately, since I worked for my ISP, and we were going to migrate to a newer box anyways, I built our next hosting box. The crack had corrupted the old mysql database. Even recreating the site wouldn't fix it. I hope your fix is easier than mine was.
All the hacking with PHPnuke made me move to vBulletin as well. I have been hacked 5 times with PHPnuke. Every time it was bugs in the script that needed fixing. The last one was so intensive I had to rebuild my site. So I moved to vBulletin, its reputation and history pulled this one over. But it's harsh to see it happen again...

As vBadvanced main website is still running I'll guess that script is more than okay. The only factor remaining is Download and Links manager. Do any users of this hack have any problems?

About SSH, I believe my host doesn't allow telnet or ssh connections to the database. I'll check. I have gone through the corrupt backup and found in the admin logs that they changed my templates to my board.

If I understand correctly there are no back-up programs (software) for mysql available?

Thanks for the help so far all!!
Reply With Quote
  #13  
Old 06-29-2006, 09:46 AM
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Oh goodness no, there are tons, via ssh is the best way with the mysqldump utility. vBulletin also provides a backup feature via the admincp but it's not 100% reliable due to php/webserver restrictions. Make a dump and check the last few lines, vBulletin will tell you if it had completed.
Reply With Quote
  #14  
Old 06-29-2006, 11:54 AM
Heidrich Heidrich is offline
 
Join Date: Jun 2006
Posts: 18

Quote:
Originally Posted by Zachery
Oh goodness no, there are tons, via ssh is the best way with the mysqldump utility. vBulletin also provides a backup feature via the admincp but it's not 100% reliable due to php/webserver restrictions. Make a dump and check the last few lines, vBulletin will tell you if it had completed.

Can you please point me to a good tut. for ssh as I'm new to it.

-> edit: just saw Marco's post. Will check those out thanks.
Reply With Quote
  #15  
Old 06-29-2006, 04:08 PM
Shazz Shazz is offline
 
Join Date: Jun 2006
Location: Utah
Posts: 4,758

I've had the same problem..
That's why I'm the only admin
Reply With Quote
  #16  
Old 06-29-2006, 04:12 PM
Guest210212002
Guest
 
Posts: n/a

Quote:
Originally Posted by Shazz
I've had the same problem..
That's why I'm the only admin
I've never had the problem, but I do have a howto written up that relates to this thread:

https://vborg.vbsupport.ru/showthread.php?p=877421
Reply With Quote
  #17  
Old 07-01-2006, 10:40 PM
Heidrich Heidrich is offline
 
Join Date: Jun 2006
Posts: 18

My website is on a Windows server and .htaccess won't work. Are there any others like .htaccess, but for Windows server?

Oh, I don't know if it's allowed to post, but I take my chances:

The IP of the guy that "hacked" me:

88.240.173.99

Here is what he did:

Quote:
INSERT INTO `adminlog` VALUES (2419,1,1151358777,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2420,1,1151358800,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2421,1,1151358862,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2422,1,1151358886,'template.php','edit','style id = 0','88.240.173.99');
INSERT INTO `adminlog` VALUES (2423,1,1151358898,'template.php','updatetemplate','style id = 2','88.240.173.99');
INSERT INTO `adminlog` VALUES (2424,1,1151358948,'template.php','edit','style id = 0','88.240.173.99');
INSERT INTO `adminlog` VALUES (2425,1,1151358959,'template.php','updatetemplate','style id = 2','88.240.173.99');
INSERT INTO `adminlog` VALUES (2426,1,1151358991,'options.php','','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2427,1,1151358991,'options.php','','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2428,1,1151359008,'backup.php','choose','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2429,1,1151359035,'attachment.php','intro','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2430,1,1151359080,'usergroup.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2431,1,1151359168,'admincalendar.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2432,1,1151359171,'announcement.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2433,1,1151359177,'language.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2434,1,1151359225,'options.php','searchtype','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2435,1,1151359370,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2436,1,1151359371,'template.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2437,1,1151359374,'template.php','search','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2438,1,1151359378,'replacement.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2439,1,1151359380,'template.php','files','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2440,1,1151359390,'language.php','modify','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2441,1,1151359395,'language.php','files','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2442,1,1151359519,'options.php','','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2443,1,1151359526,'options.php','options','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2444,1,1151359537,'options.php','dooptions','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2445,1,1151359541,'options.php','options','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2446,1,1151359550,'language.php','files','','88.240.173.99');
INSERT INTO `adminlog` VALUES (2447,1,1151359710,'template.php','modify','','88.240.173.99');
He even took a copy of my database...
Reply With Quote
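
Added example, not part of the original thread: one way to turn `adminlog` rows recovered from a backup, like those quoted in the post above, into a UTC timeline grouped by source IP and admin user, with state-changing or export-related actions flagged. The column order, the watchlist and the function names are assumptions made for this example, and the sample rows are constructed (row ids and IP are placeholders).

```python
import re
from datetime import datetime, timezone

# Constructed rows in the shape of the dump above, including the stray spaces the
# forum inserted; 192.0.2.10 is a documentation address, not taken from the thread.
SAMPLE = """\
INSERT INTO `adminlog` VALUES (101,1,1151358777,'template.php','modify','','192.0.2.10');
INSERT INTO `adminlog` VALUES (102,1,1151358898,'template.php','updatetemplate' ,'style id = 2','192.0. 2.10');
INSERT INTO `adminlog` VALUES (103,1,1151359008,'backup.php','choose','',' 192.0.2.10');
INSERT INTO `adminlog` VALUES (104,1,1151359537,'options.php','dooptions','','192.0.2 .10');
"""

# Assumed column order (inferred from the values): id, user id, unix time,
# script, action, extra info, IP address.
ROW = re.compile(r"VALUES\s*\((\d+),(\d+),(\d+),'([^']*)'\s*,\s*'([^']*)'\s*,"
                 r"\s*'([^']*)'\s*,\s*'([^']*)'\)")

# Assumed watchlist: script -> actions worth a closer look (None = any action).
WATCH = {"template.php": {"updatetemplate"}, "options.php": {"dooptions"},
         "backup.php": None}

def parse_adminlog(dump):
    """Return adminlog rows as dicts, oldest first, with times in UTC."""
    events = []
    for m in ROW.finditer(dump):
        log_id, user, ts, script, action, extra, ip = m.groups()
        events.append({"id": int(log_id), "user": int(user),
                       "time": datetime.fromtimestamp(int(ts), tz=timezone.utc),
                       "script": script, "action": action, "extra": extra,
                       "ip": ip.replace(" ", "")})  # undo wrap artifacts
    return sorted(events, key=lambda e: e["time"])

def is_flagged(event):
    """True when the row's script/action pair is on the watchlist."""
    actions = WATCH.get(event["script"], set())
    return actions is None or event["action"] in actions

def summarize(events):
    """Group by (ip, user): session window, row count, flagged rows."""
    sessions = {}
    for e in events:
        s = sessions.setdefault((e["ip"], e["user"]),
                                {"first": e["time"], "last": e["time"], "rows": 0, "flagged": []})
        s["last"], s["rows"] = e["time"], s["rows"] + 1
        if is_flagged(e):
            s["flagged"].append((e["time"].strftime("%Y-%m-%d %H:%M:%S"), e["script"], e["action"]))
    return sessions

if __name__ == "__main__":
    for key, s in summarize(parse_adminlog(SAMPLE)).items():
        print(key, s["first"], s["last"], s["rows"], *s["flagged"], sep="\n  ")
```

The session window and the user id on each row show which admin account was in use and for how long, which is the starting point for deciding which credentials to rotate and which templates and options to review.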
  #18  
Old 07-01-2006, 11:20 PM
davidw davidw is offline
 
Join Date: Jul 2005
Location: Arkansas
Posts: 2,815

I'm going to run that IP by a friend of mine who was hacked 2-3 weeks ago. It looks familiar.
Reply With Quote
  #19  
Old 07-02-2006, 03:48 AM
Revpolar Revpolar is offline
 
Join Date: Feb 2004
Posts: 102

Quote:
As vBadvanced main website is still running I'll guess that script is more than okay. The only factor remaining is Download and Links manager. Do any users of this hack have any problems?
I run my site as a private one and tried the links and downloads hack and had security problems with it so I removed it. The first thing I noticed was that the downloads page was ignoring vBulletin login and security. The second thing was that every item on my downloads page showed up in search engines and bots and spiders flocked to it like a super magnet. I don't know why that hack did that but I got rid of it real quick.
Reply With Quote
  #20  
Old 07-02-2006, 06:34 AM
Heidrich Heidrich is offline
 
Join Date: Jun 2006
Posts: 18

Quote:
Originally Posted by Revpolar
I run my site as a private one and tried the links and downloads hack and had security problems with it so I removed it. The first thing I noticed was that the downloads page was ignoring vBulletin login and security. The second thing was that every item on my downloads page showed up in search engines and bots and spiders flocked to it like a super magnet. I don't know why that hack did that but I got rid of it real quick.
Okay you got me scared... I'm removing it now. I'll wait and see. What is best for downloads? Doesn't need to be all that. Just need to offer a few links for my members.

Maybe an idea for vBulletin.org to separate all downloads in two. Secure and issues? Because time goes by and looking at all the mods in here you don't really know what you can use and what you can't.
Reply With Quote