#1  09-17-2008, 11:25 AM
motaaa (Join Date: Jun 2008; Posts: 6)

Security issues

Questions:
1.) If someone has my SQL database, would it be possible for him to tweak it in any way to record passwords on login or anything like that. Anyway at all for them to actually "key log" or anything else malicious through altering SQL code?
2.) Someone has my FTP, he installs an exploit, I remove it. I installed a completely fresh version of vBulletin; is there anything else that he could have done to "key log" or anything else malicious through my website? (Pretty much a reword of #1.)
3.) I have a Netgear router (kind of old) with no password protection. Does this make it easier for him to sniff my network? Can he use this to keylog me for any passwords? I know it's possible for him to log unencrypted message packets sent such as AIM, but that's not what I'm worried about.
4.) Is there any way I can limit the IP that can log into my website to ONLY my IP or a small IP range around my house? Would this fully prevent anyone else from logging in, knowing that I have no VPN installed on my computer?
5.) Are there any suggestions anyone can give me to how this person is doing this? I know exactly who it is, which is the sad part. He's an idiot and he's only 15 or 16 if I remember right, but he does have connections with some very notorious underground hackers from what I hear.
6.) Are there any ways I can manually check for a keylogger that my virus scanner wouldn't pick up? I need any help at ALL anyone can provide me with. Thanks!

Story of my security issues if you want to read
I had my website broken into originally 3 months ago or so, and it happened ALL the time for 60 days until I could switch hosts. I found out the reason was that I run a business and a rival company's employee worked at my hosting company and was abusing his power; it was a horrible company with no encryption on the passes or anything. He completely destroyed everything very frequently and I always had to fix stuff up.

Once I switched I never noticed anything weird. However, the other business owner began laughing at me in a message he sent to me (he's extremely unprofessional, a child even) about how he has my current SQL. I told him he may have my old one from when I had the bad hosting company, but there's no way for him to get it now. Regardless, what is he going to do with a double MD5-hashed password with salt?

But more recently I noticed on my forums that many of these posts (and even PM's) had been marked read when I had never seen them. On top of that I had reports of people telling me that I was giving them certain messages on their AIM screen names when I had absolutely never sent those messages. I did a complete virus scan and got 3 reported viruses (2 of which contained possible keyloggers).

The link that the antivirus linked me to so I could view details on the virus was in the "/advisories" directory of the website, so I'm not sure if that means they were just advisories or not. Regardless, the antivirus auto removed them and would not even give me the option of restoring them because of the seriousness of the threat. After that I changed my passwords for everything and then set the option in AdminCP to record IP addresses on the "Who's online?" updates sent every minute so that I could view who's on my account since they weren't making any posts.

When I had gotten hacked originally on my bad host, it was through a proxy based in Atlanta, GA through the FDC-Servers network. He abused his power as a member of my hosting company's team to install an exploit on my server and then used it to delete everything and edit my front page on the exploit, which he logged on to through that proxy in Atlanta. Well, since I ran the virus scanner and changed passwords, I got a new IP login to my account that's based in Atlanta, GA.

I also have an automatic live proxy IP rerouter to give me their regular IP so it's not through the proxy this time. However, it's still a BellSouth IP with a range of 74.160.0.0 through 74.191.255.255 so it's not exactly narrowed down too much. I really don't want to get involved in an FBI investigation, but if this happens anymore then they will be called. I actually called them before in Atlanta and they told me I had a case but I would need to call the ones in my area, and I just decided against it after thinking it over. So I want to do EVERYTHING in my power to fully prevent this so I won't have to get involved with the FBI.

Note that I have a Netgear router with no password required to login, I don't know if that means he can sniff my router a whole lot easier or not. I really have no idea how he's getting my passes constantly, read my questions at the top of this post.

#2  09-17-2008, 12:01 PM
Dismounted (Join Date: Jun 2005; Location: Melbourne, Australia; Posts: 15,047)

1. If he has your database - that's all he has. Nothing more, nothing less.
2. No, unless he has multiple copies stored on your server.
3. You do know how hard it is to sniff someone's packets, right?
4. If you have a dynamic IP, no. But if your IP is static, yes.
5. Errrr, you already said you knew, didn't you?
6. Get another virus scanner? In any case, you won't get a virus if you're careful what you're doing online.

#3  09-17-2008, 12:51 PM
motaaa (Join Date: Jun 2008; Posts: 6)

Yes, I know who it is, but it's not like he lives down the street so I can beat some sense into him. He lives several state lines away from me. Man, all I know is I ran this virus scanner and it said it removed 3 viruses (2 of which are possible keyloggers), and I changed all my passes, and he got right back in less than a day later.

I'm on GoDaddy so I can't imagine he hacked that; my password is impossible to crack at this point without running a brute force for longer than the universe has existed, unless you get really lucky. I guess more than anything it's just bugging the hell out of me HOW this guy can do this to me?!?!

Also, sniffing packets is not hard - well, it's incredibly easy coming from your own network anyway. I don't know too much about connecting to other people's networks and sniffing from there, as I've never needed to, but if all they have to do is set an IP (and he has mine from working at my old hosting company) then it's a cakewalk. Tons and tons of message packets are sent unencrypted, but I'm not sure of any passwords (though I am most likely wrong) that are sent in plain text.

#4  09-17-2008, 01:06 PM
snakes1100 (Join Date: Dec 2001; Location: Michigan; Posts: 3,733)

If you're the only one that logs into the server via SSH or FTP or through a host panel, then you can simply block all access to those ports and lock them down to your IP: simply hosts.deny them or set up some rules via iptables.

If this is still going on after all this time, it may be time for you to wipe and redo the OS on your computer as well; if there is still an exploit in your system, he may very well be using your own computer to access your server.
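The lock-down suggested above, and the dynamic-versus-static IP point from the previous reply, can be checked before touching a firewall. The script below is an added example, not code from this thread or from vBulletin: it evaluates a source-IP allowlist for the admin ports and emits the matching iptables rules. All addresses are constructed except the 74.160.0.0 to 74.191.255.255 range quoted earlier in the thread; the admin's and the attacker's addresses inside that range are assumptions for illustration.

```python
"""
Added example (not from the thread or vBulletin): evaluate a source-IP
allowlist for admin logins (SSH/FTP/AdminCP) and emit iptables rules for it.

A single static address can be locked down tightly; allowlisting the whole
ISP range (the only option with a dynamic address) still admits everyone on
that ISP, which in this thread includes the attacker.
"""
import ipaddress


def range_to_cidrs(first, last):
    """Collapse an inclusive address range into the minimal list of CIDR blocks."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def source_allowed(source_ip, allowlist):
    """True if source_ip falls inside any CIDR in allowlist.

    Only the TCP peer address belongs here; a client-supplied header such as
    X-Forwarded-For is trivially forged and must not feed an allowlist decision.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def iptables_rules(allowlist, ports=(21, 22)):
    """Emit iptables commands: ACCEPT listed sources on each admin port, then DROP.

    The ACCEPT rules are appended before the DROP so they match first.
    """
    rules = []
    for port in ports:
        for cidr in allowlist:
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    # Assumed: the admin's current dynamic address, inside the ISP range from the thread.
    my_current_ip = "74.161.2.3"
    # Assumed: an attacker address on the same ISP, also inside that range.
    attacker_ip = "74.170.4.8"

    tight = [f"{my_current_ip}/32"]
    isp_wide = range_to_cidrs("74.160.0.0", "74.191.255.255")  # ['74.160.0.0/11']

    print("ISP range as CIDR:", isp_wide)
    print("tight allowlist admits attacker?", source_allowed(attacker_ip, tight))
    print("ISP-wide allowlist admits attacker?", source_allowed(attacker_ip, isp_wide))
    print("\n".join(iptables_rules(tight)))
```

The /32 allowlist keeps the attacker out but stops working the moment the admin's dynamic address changes; the /11 allowlist survives address changes but is no barrier to anyone on the same ISP. A static address (or a fixed jump host) is what makes the port lock-down meaningful.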

#5  09-18-2008, 08:32 PM
motaaa (Join Date: Jun 2008; Posts: 6)

I've gotten the top antivirus, top spyware scanner, top registry cleaner, top internet security, as well as bonuses like the top rootkit scanner (with VERY DEEP scans), something that checks DLLs attached to your running exes, and several more things. I'm installing SP3 from Microsoft right now (I had SP1) and doing tons of other stuff. I changed all of my passwords on a different computer on a different IP (a school computer) and I'm not logging in to any of my accounts until I finish this deep scan.

The problem with reinstalling Windows is that I run a business and all of my private source code (I sell C++ coded programs) is stored on my computer, and I have been so scared of this hacking issue that I haven't felt safe putting ANY of my sources on a remote server anywhere. My CD burner is broken and it's far too big for floppy disks (my floppy drive is also broken, but I can get an external floppy drive). I am just looking to fully fix this problem, but the thing is I have absolutely NO idea how they're doing this.

I was coming up with some ideas on how they could have done this through the information they had as my previous host owners from before that I wanted to run past you.
- Could they possibly put something in the SQL to forward all SQL entries to another remote SQL?
- Could they have passwords sent to a remote SQL in plain text BEFORE md5(hash($hash+salt)) encryption is placed on the text strings?
- Any other possibilities?
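The concern in the last two bullets, whether the site itself has been changed to leak passwords before they are hashed, is a code-integrity question rather than a database one: a copy of the database is only data, while capturing plaintext at login would require an altered script in the web root. The check a practitioner would run is to hash every file against a baseline taken from a known-clean install. The script below is an added example, not code from this thread or from vBulletin; the file names and contents are constructed stand-ins, and the baseline is assumed to be stored off the server.

```python
"""
Added example (not from the thread or vBulletin): file-integrity check for a
web root. Build a manifest of SHA-256 digests from a known-clean tree, then
diff a later manifest against it to surface modified, added and removed files.
All paths and file contents below are constructed.
"""
import hashlib
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def diff_manifest(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def write_files(root, files):
    """Create the given {relative_path: content} files under root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def demo():
    """Baseline a clean tree, then detect one altered file and one unexpected file."""
    clean = {
        "login.php": "<?php // constructed stand-in for the login script\n",
        "includes/functions_login.php": "<?php // constructed stand-in\n",
        "includes/config.php": "<?php // constructed stand-in for config\n",
    }
    with tempfile.TemporaryDirectory() as root:
        write_files(root, clean)
        baseline = build_manifest(root)  # in practice: keep this copy off the server

        # Constructed tampering: the login script gains a line, a stray file appears.
        write_files(root, {
            "login.php": clean["login.php"] + "// appended line (constructed)\n",
            "images/.cache.php": "<?php // constructed: file not in the clean install\n",
        })
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)   # ['login.php']
    print("added:", added)         # ['images/.cache.php']
    print("removed:", removed)     # []
```

The baseline has to come from a clean source (a fresh download of the same version, hashed before upload) and be kept somewhere the intruder cannot reach; a manifest stored in the same web root can be rewritten along with the files it is meant to protect. Files that legitimately change, such as the config file or upload directories, are reviewed by hand rather than ignored, since a PHP file under an images directory is exactly the kind of finding this check exists for.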