Hacked!!

[dansnutz]

Yes, I am pretty new to hosting a board, yet I thought I had a handle on things until I pulled up my board yesterday and found that I had been hacked. Last night I deleted every single file on my host and reinstalled vbulletin however when going back to my homepage I found that the same hacked message was still showing. Couple of questions:

1) What is the easiest way to recover from this and will I still have my database intact
2) How do I prevent this from happening again. VERY frustrating!!!

Any help anyone can give would be hugely appreciated.

[peterska2]

ok, so when you say you have been hacked, do you actually mean hacked or defaced?

If you go to your forum homepage is is showing different to going to say [forums url]/faq.php ?

Can you access your admincp?

What version of vB are you running?

Do you have any modifications installed?

If you have multiple styles, are they all affected or just one?

Are you on shared or dedicated hosting?

[dansnutz]

Being that this is the first time, I believe it has been hacked as opposed to defaced. You can see for yourself here. http://www.publicseye.com the admincp was still accessible as of last night. Being that the board has only been up about a week or so I deleted all files from my host and attempted to reinstall vB. After reinstalling I still saw the message that you see now when clicking on my page, which really confused me. Is my database corrupt now? who knows. But after my reinstall there were some viewing issues with the admincp which I think might have just been an error in files transferring over.

I'm running 3.5.x no modifications other than a few new styles.

Any help you'd be able to provide me would be great!!

[peterska2]

ok, not a big problem this.

Revert your forumhome template on your big red fixed style.

Change your admincp password to something that is a combination of letters, numbers, and preferably special characters, making sure that you use both upper and lower case.

Check your admin log to see who was the last person to access the style manager. It should be datestamped, so we are looking for the time before you reverted the templates when you enter it now.

If you have any other admins, remove their access, and do not reinstate it until they have also changed their password to something more secure.

Consider placing a htaccess file in your admincp directory to add additional security.

Finally, never give your admin password to anyone, if someone requires access to your site for any reason, set up an admin account for them, giving them just the permissions that they need. Ensure that the account is reverted to member once they have finished what they are doing with it. If anyone requires access to your FTP at any point, always change the password for it when you they have finished the task that they needed it for.

(BTW, you have just been defaced not hacked. and don't forget the images for your styles, at the moment they are full of broken images.)

[dansnutz]

I'm glad the problem doesnt seem to be as bad as I initially thought. You can imagine my feelings the first time I saw that yesterday. Anyway what I'm assuming you mean is to go back into my admincp and change the styles back. As far as the broken images go, I assume I can just upload that styles image folder again?

[peterska2]

yes, just make sure that every single file is reuploaded (except of course install/install.php)

FYI, removing the files generally doesn't do anything as they have touched your database not your files in most cases.

[dansnutz]

I just logged into my admincp and all the styles are already set to big red. Is it the template that I actually need to alter? I apologize as I'm a bit new to this.

[peterska2]

yes, in the style manager, click on <<>> next to big red fixed then double click forumhome templates, here you will have a template called FORUMHOME (in red writing) highlight this by clicking it once, then on the right there is a button labelled revert. Click that button and agree to the confirmation message.

[Nxs]

Ouch nasty business - took a quick look at the front page / admincp. Looks like this was just someone who gained access to the admincp and reset the default style ?

Would just like to ensure my own forums are protected from the same attack (I do have a password protected htaccess on admin and modcp)

[ramprage]

Have your hosting company review the logs for your website to see what type of hack the attacker users. Let me know, I can write some mod_security rules to stop it from happening agian.