The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!

#31
Yes, you could have a modification installed that is open to SQL injection attack. This is the most likely method.
#32
If that is done, every "hacker" will be able to read that file as well. Better spend your time keeping your VB & Plugins up-to-date and use things like mod_security / suhosin and the typical setups like chroot / jail. That's more time consuming, but no "security by obscurity" when moving some files just to have a work-around so that VB can read them. And make sure your VB files aren't writeable by PHP itself; if you store uploads in the filesystem, move that directory outside the webroot, and additionally some directories like images / signaturepics don't need PHP because only images are stored there. Something simple like:

Finally - mod_security & suhosin should be used. First start them both in logging mode to collect a whitelist (highly depends on how your forum is used), and once that whitelist is completed to sort out false-positives, set both in blocking mode. And - as a last addition - you can set up an IDS system that creates checksums of your VB files and alerts you if there are any changes.

Yes - I can do this. It won't even cost much.
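One way to build the checksum IDS suggested in the post above, as an added example (not code from the thread or from vBulletin): a Python script that baselines the SHA-256 of every PHP, .htaccess and .js file under the forum root and later reports modified, missing and added files. The file names in the demo are constructed; the tracked-extension set is an assumption, and the saved baseline belongs outside the webroot, not writable by the PHP user.

```python
import hashlib
import tempfile
from pathlib import Path

# Files worth baselining (assumed set): PHP sources, rewrite rules, scripts.
TRACKED = {".php", ".htaccess", ".js"}

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative POSIX path -> sha256 for every tracked file under root.
    Keep the result outside the webroot, on a path the PHP user cannot write."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and (p.suffix in TRACKED or p.name in TRACKED)}

def verify(root, baseline):
    """Compare the live tree against a saved baseline; any non-empty list is an alert."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo():
    """Constructed scenario in a temp dir: baseline, tamper with the tree, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php echo 'original'; ?>")
        (root / "includes" / "config.php").write_text("<?php $config = array(); ?>")
        (root / "logo.gif").write_bytes(b"GIF89a")                # untracked, ignored
        baseline = build_baseline(root)
        (root / "index.php").write_text("<?php echo 'changed'; ?>")  # modified
        (root / "includes" / "config.php").unlink()                  # missing
        (root / "new.php").write_text("<?php ?>")                    # added
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Run the baseline step right after a clean install or upgrade, and re-run verify from cron so a changed file raises an alert rather than being found by accident.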
#33
I hate to hijack this thread, but Angel-Wings has got my attention.
I found that the person that attacked with SQL injection came from overseas; I am in the US. Since ALL of my traffic is actually on the west coast, I used htaccess to block all but US traffic. Appears to be working so far according to my logs. On the SQL injection note, I restored my backup database, so the hacked database is gone. I have contacted the programmer of the only two mods I have installed and he indicated they work on the admincp level, so injection isn't possible. Since I'm a newbie in this area, I can't confirm. Is there any way to track database activity so I can find out how they got in? It appears the last two actions (many other http/file.php attempts before that) were the hacker going to sendmessage.php and then, 45 minutes later, going to the index, probably to check that their hack worked. I have since disabled sendmessage.php in the contact vb options. Thanks for any input.
#34
If you had done as I posted in your own thread, you wouldn't have needed to restore a backup.
1. You should have upgraded vb, hacks/addons, server backend and anything else outdated.
2. Symlinking your config.php isn't going to stop the hacker either.
3. Blocking foreign based IPs isn't going to stop him either. Seeing as you still present the injection hole for him to use, he will be back to visit you again.
#35
Maybe better spend your time fixing the holes - if I don't lock the door and just paste a huge poster over it, the door itself isn't more "secure", and this "door" is the problem, not how to hide it from someone.

Right now, try to find out how it happened and fix the hole. Then things like IP range blocking can be done anyways - first get the system clean and up-to-date, then additional enhancements can be done.
#36
I am at 3.8.3 [EDIT: Actually 3.8.2]. I am not sure that 3.8.4 has any security fixes in it. I'll double check. I believe my host has the server up to date. Again, I'll double check. I can't see how just updating as you suggested would have removed the hack they injected without me restoring the backup (note that this was a database restore only, not the entire system). No matter what I did, it showed a disturbing picture and the hacker's text. It seems that would be in the database no matter what updates were performed.

Code:
RewriteEngine on
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]

Thanks again for input.
#37
We had about a dozen cases in the past week from our clients of websites with vBulletin that were hacked. Anyhow, it turned out all of them had been hacked through a Wordpress installed on the server. Some of our clients had old WP installations they had forgotten about, others did not upgrade as they were recommended to, and script kids entered through WP, took the passwd file, and decrypted passwords, gaining FTP access.
There are many ways to prevent this: keep your system always updated; keep your applications always updated; and then do everything you can to secure your system. The best way to prevent attacks that write files to a directory to execute them is to have a system like SELinux in place, or GRSecurity. There are wonderful Linux distributions that, for a few bucks per year, provide a secured kernel with many layers of protection applied - from modsecurity to granular permissions, and everything in between.
#38
The reason I stated you didn't need to restore from a backup is that you could have just removed the code they injected, which was likely base64 code in a template, most likely spacer_open.
As stated, you haven't plugged the hole, and you're not going to stop him from revisiting your forum by doing an IP block or symlinking your config file. Unless you know for sure that everything on your site/server is secure, you're at risk.
@Carlito, excellent point on the WP, that's why I told him everything needs to be upgraded.
#39
I just upgraded to 3.8.4. I'm not familiar with the coding of databases. Is it something I can check now to see if there is a hole and the 'base64 code into a template, most likely spacer_open' can be used again? How does one check for these vulnerabilities? No Wordpress on my side, but I did talk to my host and, this being a shared server, I guess there is always a possibility of someone hacking another database or application on the other virtuals and affecting my system?
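An added example (not code from the thread or from vBulletin) for the template check asked about in #39, covering the injected base64 payload #38 describes: a Python heuristic scan over template bodies that flags base64_decode/eval calls and long base64 blobs. The sample templates are constructed; the `load_templates_from_db` helper assumes vBulletin 3's `template` table with `styleid`, `title` and `template` columns (an assumption; pass your table prefix if you use one).

```python
import re

# Heuristic signatures for payloads dropped into template bodies (constructed
# list for this example, not an exhaustive ruleset). Each entry: (name, regex).
SIGNATURES = [
    ("php_base64_decode", re.compile(r"base64_decode\s*\(", re.I)),
    ("eval_call", re.compile(r"\beval\s*\(", re.I)),
    ("js_unescape_write", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")),
]

def scan_template(body):
    """Return the names of every signature that matches one template body."""
    return [name for name, rx in SIGNATURES if rx.search(body)]

def scan_templates(templates):
    """templates: {title: body}. Returns {title: [signature names]} for hits only.
    Review hits by hand: a long data: URI in a CSS template can trip the blob rule."""
    return {t: hits for t, body in templates.items() if (hits := scan_template(body))}

def load_templates_from_db(cursor, prefix=""):
    """Assumed vBulletin 3 schema: `<prefix>template` with styleid/title/template.
    Works with any DB-API cursor; keys are 'styleid/title' so styles stay distinct."""
    cursor.execute(f"SELECT styleid, title, template FROM {prefix}template")
    return {f"{styleid}/{title}": body for styleid, title, body in cursor.fetchall()}

# Constructed sample bodies: a clean spacer_open and one carrying an inert
# placeholder of the shape the thread describes (base64 text, never executed).
SAMPLE_TEMPLATES = {
    "1/spacer_open": '<table cellpadding="0" cellspacing="0" border="0" width="100%">',
    "2/spacer_open": '<table cellpadding="0" cellspacing="0" border="0" width="100%">'
                     '<script>eval(base64_decode("' + "QUJD" * 40 + '"))</script>',
}

if __name__ == "__main__":
    for title, hits in scan_templates(SAMPLE_TEMPLATES).items():
        print(f"{title}: {', '.join(hits)}")
```

A clean hit list does not prove the injection point is closed; it only tells you the templates no longer carry that payload, so the upgrade and the mod review in the earlier replies still apply.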
#40
Really depends on how their machines are configured, so blaming them might be too early - still, yes, it's possible. Hope you still have the logs saved - maybe they'd like to see them for analysis. Oh - and your htaccess just blocks proxies that shout out to the world that they are proxies. No "real" hacker would use such anyways. Like said - really recommend mod_sec to block things you don't want - beginning with direct IP access and ending with filtering bad useragents or injection attacks.