Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > Management Articles
HowTo "UnHack" Yourself and Hacker Prevention
mikey1991's Avatar
mikey1991
Join Date: Oct 2008
Posts: 654

 

United Kingdom
Show Printable Version Email this Page Subscription
mikey1991 mikey1991 is offline 12-14-2009, 10:00 PM

Recently, one of my vBulletin powered sites was under a hacking spout, I'd fix it, and it got hacked the next day, fixed it, hacked again, fixed, hacked again.

Fortunately, he was doing the same thing each time. Up until the last time, I was just restoring a DB backup, which he hacked several times. I found this is the lazy way out

I was scratching my head over and over, "how is he getting in". I'd followed the standard safety measures and such, renamed admincp/modcp, 128bit passwords, etc.

Here's what I did, and it seems to have worked:

Firstly I did a recursive CHMOD of 0644 on every single file and folder, this will make your vBulletin bring up a "Forbidden" Message, while you work on it. Then I CHMOD the AdminCP Dir (renamed) to 0755, which gives you access to your acp. So you have access to the site, the hacker doesnt. You could also achieve this by putting an index.html in your root directory, or specifying a 301 redirect in a .htaccess.

I then fixed the bugs, using the vBulletin AdminCP, and PHPMYADMIN, I find it's more effective to remove these things at a database level (this time it was sql insertion and malicious javascript) I then went ahead and changed all my staffs passwords, sure, they'll moan, but if it protects the site, then they have to live with it.

I then went and created 128bit passwords and put .htaccess and .htpasswd's in the following directories:

admincp/ (renamed)
modcp/ (renamed)
includes/
install/

If you have SSH access to your server, ask your host to remove it also (even if just for like, a week or two), as this is another way the hacker can get in.

I then changed my Database NAME, and Database user name and password, and changed those in the config.php, I then renamed the admincp/modcp/ dirs, again, they now aren't even under /forum/, you can do that by adding your full path to any instance of "global.php". (see attachment)

Then I went and did a recursive CHMOD on all the DIRECTORIES to 0755, so all files are now sitting at 0644 and directories (folders) are at 0755. So this should be secure, vBSEO users should remember to chmod your config_vbseo.php back to 777, and if you have any mods like vbimghost, chmod 777 the image upload directory.. - this isn't needed if you used the .htaccess method.

Finally, I reviewed my raw access logs and control panel logs, and error logs, determined the IP of the hacker, and IPtabled them, they now can't access any part of the server. This is a b*tch to do, and gives you a headache and takes a long time. If you dont have the access to block them from the server, again, you can use a .htaccess to block thier IP or thier IP range.

Alot of what I've said is in all the official stuff, but eh, Hope this helps anyone.
Attached Images
File Type: jpg notepad++.jpg (93.4 KB, 0 views)
Reply With Quote
  #2  
Old 12-20-2009, 02:51 PM
Black Tiger's Avatar
Black Tiger Black Tiger is offline
 
Join Date: Apr 2004
Location: Netherlands
Posts: 957
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Nice howto, but I've got some comments:
Quote:
I was just restoring a DB backup, which he hacked several times. I found this is the lazy way out
Not it's in fact totaly no way out at all, not even a lazy one. It just plain and stupid giving the same possibility's back to the hacker. As you experienced.

You can do a lot of chmodding, but these things should be already automatically fine when installing and later upgrading vBulletin.
However, always take care with 777 directory's and files which are always a risk.

Quote:
Then I CHMOD the AdminCP Dir (renamed) to 0755, which gives you access to your acp. So you have access to the site, the hacker doesnt.
That's a common mistake made by many people. If you make something 755 its not writable to the world, but it is still readable to the world. So also the hacker can read. That's why the first thing to do is to put up a .htaccess file in there.

Quote:
This is a b*tch to do, and gives you a headache and takes a long time.
That depends on the knowledge of the person who is doing this. You can chmod recursive, also with an ftp program, and this can save you lots of time.
Als don't just start chmodding everything, have a look first if maybe most things not already -are- oke. A hacker can also gain access via mods which are not safe. Thats where vbulletin.org comes in, which sends security messages if it gets know a mod is not secure. Not a lot of mod sites are doing such nice things, so take care from where you download and install mods/hacks.

Most important thing to do is to get to know how the hacker gain access.

For the rest it's a very nice manual for people who take security very serious.
Reply With Quote
  #3  
Old 12-25-2009, 01:45 PM
businessmeet businessmeet is offline
 
Join Date: May 2009
Posts: 42
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks for this! I've had my board hacked 6 times within a week and recovered it each time. However, you don't have to restore the whole database each time. Once you recover your board again, and get it back to good working order again. Back it up, and run the "Template" table query. Drop / Create. Done. Then do the password protection of those directories/ rename of admincp and modcp. It worked for me, and took less time.

Or, go into phpMyAdmin, drop the tables of ONLY the template that was in use at the time of the hacking. If "Sam" coded my template, and I was using his template at the time of the hacking. I would only drop the tables of that template that had his name beside it. Then, go to "options" table in the database... switch the style id back to the default id. You'll get a blank page, then just run "domain.com/install/upgrade.php" or whatever.
Reply With Quote
  #4  
Old 12-27-2009, 07:28 PM
Angel-Wings's Avatar
Angel-Wings Angel-Wings is offline
 
Join Date: Sep 2007
Posts: 206
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well, well

Quote:
Originally Posted by mikey1991 View Post
... I did a recursive CHMOD of 0644....
0440 or 0400 can be enough. Depends on how your Webserver is configured but in my opinion the PHP user should never be able to write anywhere inside the Webroot.
You can configure VB to use the uploads directory somewhere outside the Webroot which is much better.

Quote:
Originally Posted by mikey1991 View Post
PHPMYADMIN
Well - if that thing is installed one will for sure have other problems than securing VB - best way - remove phpMyAdmin completely specially if you

Quote:
Originally Posted by mikey1991 View Post
If you have SSH access to your server, ask your host to remove it
can use SSH to forward Database connections through a tunnel to your local host. And instead of removing SSH - ask the host if they can switch to Public Key authentication and for Gods sake keep it running.
Instead try to use SFTP and remove FTP giving you the ability to tighten up the file permissions even more.

Problem is that if you remove SSH which can be configured secure but keep phpMyAdmin running and have 0644 permissions you secure at the wrong side of the server.
General recommendation - if possible never let the PHP user write anywhere inside the Webroot if possible, mod_sec / suhosin are good if configured right to prevent RFI's / LFI's and Injections and try to remove FTP completely and rely on the much more secure SSH / SFTP with (and only with) Public Key auth.

Then you can easily configure your Webserver that admincp / modcp Logins are SSL based - maybe with a Client Cert authentication.

Please - don't misunderstand me - just phpMyAdmin as example is a thing that should be removed completely. Unsafe software won't get more secure if you make the door entry smaller - as long as it's there, it's a risk.
Same applies to FTP when SFTP is available as option and finally the problem that PHP should never write anywhere in the Webroot.
If you still decide to keep CSS related Style changes on the Webroot you can set the directory where these files are kept with:

Quote:
<directory "/where_ever_it_is/clientscript/">
php_admin_flag Engine off
</directory>
Or removing the handlers when using FastCGI. The same applies to all other folders where no PHP files are running (images, js and so on) and it should specially apply to every folder where PHP is able to do write operations such as the uploads directory.

Reply With Quote
  #5  
Old 04-21-2010, 09:22 AM
legacy123 legacy123 is offline
 
Join Date: Feb 2010
Posts: 72
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Very nice article for people who are new at security
Reply With Quote
  #6  
Old 05-19-2010, 05:51 PM
chick's Avatar
chick chick is offline
 
Join Date: Aug 2006
Location: PI Land
Posts: 381
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

How do you remove phpMyAdmin completely?
Reply With Quote
  #7  
Old 05-19-2010, 06:23 PM
kall's Avatar
kall kall is offline
 
Join Date: Apr 2004
Location: New Zealand
Posts: 2,608
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
HowTo "UnHack" Yourself
I'm seeing a lot of suggestions on prevention, but couldn't find one thing that talked about how you actually Unhacked yourself.

You mention 'fixing bugs'. Which?
Reply With Quote
  #8  
Old 06-01-2010, 02:07 PM
pant pant is offline
 
Join Date: Mar 2010
Posts: 203
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

How come when you're setting up memcache file storing you're advised to CHMOD to 777 but every bit of security advice says not to?
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:09 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04678 seconds
  • Memory Usage 2,292KB
  • Queries Executed 24 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (8)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (1)post_thanks_box_bit
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (8)post_thanks_postbit_info
  • (7)postbit
  • (1)postbit_attachment
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete