The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#11
Mine is a dedicated server and no, I had no security setup. I learned the hard way... but now I know and I am locked up tighter than Hillary Clinton's underoos...
#12
Another possibility: you used this password on another forum/service, which was hacked, so they got your password. Don't laugh, this is happening!
bw, Stefan
#13
Other tools like fail2ban that scan logs for possible brute-force attacks and block IPs can do a lot of damage (logfile injection, as an example, so you have a nice self-DoS). Also, in a world of botnets where private computers are abused, blocking IPs usually hits the wrong people; the real attacker simply uses the next computer, another IP, and continues. Generally: check all files on your server and compare them with the original ones from trusted sources, both the PHP files and the OS files. Then changing passwords may be useful. All this just in case some hidden backdoor has been installed.
#14
Yeah, I had the same problem with someone attacking my forum with sniper_sa. Here is the post I made about the same thing. I'm assuming they were using the script to grab either my admin login/password or database login/password. I also have a list of files that I found.
https://vborg.vbsupport.ru/showthread.php?t=192151
#15
Unless they can crack your password (which would take years), they don't know it. If they could upload files directly, though, they could just create a new user as admin, or log themselves in as you if they knew how vBulletin worked well enough.
#16
Do they really get your password? Or did they just get a way to enter? Because I just saw the extra files, a cronjob, a new email account, and a few FTP transfers, and I've got thousands worth of domains and scripts...
#17
I uploaded the sni.php to another server that I own and played around with it. It allows you to upload, download and edit files on the server. So if they can find config.php they can download it and view its contents (i.e. DB login/password) and then use sni.php to enter the login/password to access the DB. It also allows you to use sendmail, FTP (if the login/password is known) and some other stuff. It can be very damaging in the wrong hands.
#18
Now tell me the good news! How can we avoid that? How many files of this kind are there?
#19
How can you avoid it? Don't let anyone be able to upload files directly. (Attachments are OK, they are correctly stored by vBulletin.) How many of these files are there? There are probably thousands of shells available to freely download.
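What "correctly stored" means in practice, as an added example that is not vBulletin's own attachment code: the unsafe pattern (write the upload under the web root using the client's filename, so sni.php becomes a URL PHP will execute) is placed beside a hardened store that verifies the content by magic bytes, assigns an opaque server-chosen name with a non-executable extension, and refuses a store directory inside the web root. The magic-byte table, the directory layout and the demo scenario are assumptions made for the demonstration.

```python
"""Unsafe upload store beside a hardened attachment store.

Added example, not vBulletin's own code. The accepted image types, the
".attach" extension, the directory layout and the demo scenario are
assumptions made for this demonstration.
"""
import os
import secrets
import tempfile
from typing import Dict, Optional

# Magic bytes of the image types this hypothetical board accepts (assumption).
MAGIC: Dict[bytes, str] = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the upload by its leading bytes, never by the client's extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def store_unsafe(client_name: str, data: bytes, webroot: str) -> str:
    """The pattern that gets boards compromised: trust the client's filename and
    write it under the web root. "sni.php" becomes a URL the attacker can request."""
    path = os.path.join(webroot, "uploads", os.path.basename(client_name))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def _is_inside(path: str, root: str) -> bool:
    path, root = os.path.abspath(path), os.path.abspath(root)
    return os.path.commonpath([path, root]) == root


def store_attachment(data: bytes, store_dir: str, webroot: str) -> str:
    """Hardened store: content must sniff as an allowed image, the file gets an
    opaque server-chosen name with a non-executable extension, and the store
    directory must be outside the web root. The last rule is what neutralises
    a GIF/PHP polyglot that passes the sniff: it is never reachable by URL and
    is only ever streamed back by a script that sends it as an image."""
    if _is_inside(store_dir, webroot):
        raise ValueError("attachment store must not be inside the web root")
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("upload does not look like an allowed image")
    name = f"{secrets.token_hex(16)}.attach"   # uploader never chooses the name
    with open(os.path.join(store_dir, name), "wb") as f:
        f.write(data)
    return name


def demo() -> Dict[str, object]:
    """Constructed scenario contrasting both stores with a PHP shell body and a GIF."""
    shell = b"<?php eval($_POST['c']); ?>\n"   # constructed stand-in for sni.php
    gif = b"GIF89a" + b"\x00" * 16             # minimal GIF header
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "public_html")
        store = os.path.join(tmp, "attachments")
        os.makedirs(webroot)
        os.makedirs(store)

        unsafe_path = store_unsafe("sni.php", shell, webroot)
        try:
            store_attachment(shell, store, webroot)
            shell_rejected = False
        except ValueError:
            shell_rejected = True
        try:
            store_attachment(gif, os.path.join(webroot, "uploads"), webroot)
            inside_webroot_rejected = False
        except ValueError:
            inside_webroot_rejected = True
        stored = store_attachment(gif, store, webroot)
        with open(os.path.join(store, stored), "rb") as f:
            stored_kind = sniff_image_type(f.read())

        return {
            "unsafe_is_php_under_webroot": unsafe_path.endswith(".php") and _is_inside(unsafe_path, webroot),
            "shell_rejected": shell_rejected,
            "store_inside_webroot_rejected": inside_webroot_rejected,
            "stored_name_is_executable": stored.lower().endswith((".php", ".phtml", ".php5")),
            "stored_kind": stored_kind,
        }


if __name__ == "__main__":
    print(demo())
```

The gallery and CMS add-ons mentioned later in this thread are the kind of component where the unsafe pattern tends to live; auditing their upload handlers for the three properties above (content check, server-chosen name, storage outside the web root) is the practical version of "don't let anyone upload files directly".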
#20
I did some more searching over the last couple of days and there were some issues, exploits, vulnerabilities or whatever, where files (other than images) can be uploaded using vbpicgallery, photopost classifieds, photopost vbgallery, and vbadvanced cmps. All of them seem to have been resolved except for vbadvanced cmps, or at least not that I could find. It's kind of my fault that I haven't been keeping up with the updates, but I haven't been receiving any notifications that any new updates have been released.

What I've been doing over the last few days is using Woopra to track all of the visitors whose language is Arabic, and banning those IPs. So far, using those IPs and searching the logs, they've been attempting to access the directories where the old sniper_sa scripts were, and this has also helped me locate where other scripts have been placed within my site. After a few days of watching, I've done an IP ban on the internet provider that this guy has been using, which is also a very common IP range used by hackers and spammers: 213.0.0.0/8. This pretty much blocks all IPs from 213.0.0.0 to 213.255.255.255. If you do a reverse IP lookup on the spammer/hacker you can sometimes view the ISP's info and it will tell you the IPs that they cover; in this case, the range was 213.0.0.0 to 213.255.255.255. If you're not familiar with how to block IPs, here is how you do it. If you search for ".htaccess" and "deny IP" you can find some documentation on it.

<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 212.14.224.2
deny from 84.41.118.98
deny from 213.0.0.0/8
deny from 193.0.19.25
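The log search described above, as an added example that is not code from the thread: Apache access-log lines are parsed, requests for the dropped script paths (or for anything script-like under directories that should only serve images) are grouped by client IP, and each IP is checked against the deny rules from the .htaccess in the post. The log lines are constructed, the two "known dropped file" paths and the upload-directory list are placeholders for whatever the admin's own list contains, and the deny rules are the four from the post.

```python
"""Access-log triage for hits on dropped PHP files, checked against an
.htaccess deny list.

Added example, not code from the thread. SAMPLE_LOG is constructed;
KNOWN_DROPPED and UPLOAD_DIRS are placeholders for the admin's own lists;
DENY_RULES are the four rules from the post.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Apache common-log prefix; referer/user-agent, if present, are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths of files found dropped on the site (placeholders for the admin's list).
KNOWN_DROPPED = {"/images/sni.php", "/photopost/uploads/sniper_sa.php"}
# Directories that should only ever serve images, never scripts (assumption).
UPLOAD_DIRS = ("/images/", "/photopost/uploads/", "/attachments/")
SCRIPT_EXTS = (".php", ".php5", ".phtml", ".cgi", ".pl")

# The deny rules from the .htaccess in the post; a bare address means a /32.
DENY_RULES = ["212.14.224.2", "84.41.118.98", "213.0.0.0/8", "193.0.19.25"]

# Constructed sample log lines.
SAMPLE_LOG = """\
213.1.2.3 - - [12/Sep/2008:10:01:02 +0000] "GET /images/sni.php HTTP/1.1" 200 512
213.1.2.3 - - [12/Sep/2008:10:01:05 +0000] "POST /images/sni.php?act=upload HTTP/1.1" 200 1024
84.41.118.98 - - [12/Sep/2008:10:05:00 +0000] "GET /photopost/uploads/sniper_sa.php HTTP/1.1" 404 210
198.51.100.7 - - [12/Sep/2008:10:05:30 +0000] "GET /attachments/x.phtml HTTP/1.1" 403 180
10.0.0.5 - - [12/Sep/2008:10:06:00 +0000] "GET /forum/showthread.php?t=192151 HTTP/1.1" 200 8000
"""


def is_suspicious(target: str) -> bool:
    """A request is interesting if it names a known dropped file or asks for a
    script under a directory that should only hold images. The query string
    is stripped first so "?act=upload" cannot hide the extension."""
    path = urlsplit(target).path
    if path in KNOWN_DROPPED:
        return True
    return path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXTS)


def deny_match(ip: str, rules: List[str]) -> Optional[str]:
    """Return the first deny rule (normalised to CIDR) covering ip, else None."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        net = ipaddress.ip_network(rule, strict=False)
        if addr in net:
            return str(net)
    return None


def addresses_in(rule: str) -> int:
    """How many addresses a deny rule actually blocks."""
    return ipaddress.ip_network(rule, strict=False).num_addresses


def triage(log_text: str, rules: List[str]) -> Dict[str, Dict[str, object]]:
    """Group suspicious requests by client IP and note which deny rule, if any,
    already covers that IP, so new addresses stand out from ones already banned."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": [], "deny_match": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_suspicious(m["target"]):
            continue
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        entry["paths"].append(f'{m["method"]} {m["target"]} -> {m["status"]}')
    for ip, entry in per_ip.items():
        entry["deny_match"] = deny_match(ip, rules)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG, DENY_RULES).items():
        print(ip, entry)
    print("213.0.0.0/8 covers", addresses_in("213.0.0.0/8"), "addresses")
```

Two things worth checking before copying the deny list: a 404 or 403 on a dropped-file path is still a probe worth recording (the attacker is testing whether the shell is still there), and addresses_in("213.0.0.0/8") shows the /8 rule blocks 16,777,216 addresses, which is the "hits the wrong people" concern raised earlier in this thread; the per-IP output lets you ban the specific addresses that actually touched the scripts instead.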