  #3  
Old 09-25-2009, 01:05 AM
knucklenitz knucklenitz is offline
I have changed my cPanel password. I don't see any files with recent date changes. I am definitely not a wizard with this stuff, but it seems that it must be in the database. I am requesting additional logs from my host, if they're available.

My http access logs show activity from IPs from overseas. Below are some of the entries, site name changed:

188.92.74.172 - - [24/Sep/2009:01:09:59 -0600] "GET /forums/register.php? HTTP/1.0" 200 15855 "http://sitename.com/register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Netscape/8.0.4"

188.48.189.22 - - [24/Sep/2009:01:49:20 -0600] "GET /forums/cron.php?rand=1253778547 HTTP/1.1" 200 364 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)"

188.48.189.22 - - [24/Sep/2009:01:54:49 -0600] "POST /forums/login.php?do=login HTTP/1.1" 200 3575 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)"

--------------- Added 25 Sep 2009 at 03:46 UTC ---------------

So I restored SQL databases to yesterday afternoon and the hack is gone. It was somewhere in the database.

Anyone have any idea how they could have modified the database or inserted the hack? I'm not even sure where it was or what.

I did a search of Mr. Azoz on Google and this guy apparently is a hack machine, as there are a bunch out there.

Again, any help appreciated...

--------------- Added 25 Sep 2009 at 04:26 UTC ---------------

Is it possible to move the config.php file to a non-public area?

--------------- Added 25 Sep 2009 at 16:06 UTC ---------------

I am now convinced it was SQL injection. The last thing I can tell they attempted to access was "GET /forums/ HTTP/1.1" 200 4072 "http://sitename.com/forums/sendmessage.php"

From what I've read this morning, the injection is usually done on a user input form. The only modifications I have are used to create new forums and automatically email users. I don't know much about SQL, and I did talk to the guy that made the mods for me. He indicated the mods are based on the admincp and have no exposure to SQL injection.

I can see that the attacker somehow found out what my admin and mod control panel names are (I had renamed them in config in the past). I know this can be found in the source, IF you are logged in. Not sure how they found it without being logged in.

I created an .htaccess file in the interim to block all IPs originating from outside the US and block proxy servers. See the file below; does it look ok? Also, would anyone be willing to help me determine how they broke in, whether it's a vBulletin issue or the mods? Thanks!

# block proxy servers from site access
# saved from - http://perishablepress.com/press/200...-via-htaccess/

RewriteEngine on
# Each condition tests whether a header that proxies commonly add is non-empty;
# the [OR] flags chain them, so any one present header triggers the rule.
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
# [F] answers the request with 403 Forbidden
RewriteRule ^(.*)$ - [F]

# block ranges of IPs outside of the United States

<Limit GET HEAD POST>
# Order allow,deny: allow lines are evaluated first, then deny lines;
# a client matching any deny range below is refused even though "allow from all" follows.
order allow,deny
deny from 85.94.160.0/19
deny from 91.187.64.0/19
deny from 194.158.64.0/19
deny from 80.227.0.0/16
EXTREMELY LONG LIST OF IP ADDRESSES CONTINUES HERE
allow from all
</Limit>
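A small triage script for access-log excerpts like the ones in this post, added here as an example (it is not code from the poster or from vBulletin). It parses Apache combined-format lines, groups them by client IP, and reports hits on vBulletin scripts worth reviewing after an incident plus the "Embedded Web Browser" user-agent fragment seen above, which marks a scripted client rather than a person's browser; the watch-lists and the sample lines are constructed assumptions taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three access-log lines quoted in the post (site name already changed).
SAMPLE_LOG = """\
188.92.74.172 - - [24/Sep/2009:01:09:59 -0600] "GET /forums/register.php? HTTP/1.0" 200 15855 "http://sitename.com/register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Netscape/8.0.4"
188.48.189.22 - - [24/Sep/2009:01:49:20 -0600] "GET /forums/cron.php?rand=1253778547 HTTP/1.1" 200 364 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)"
188.48.189.22 - - [24/Sep/2009:01:54:49 -0600] "POST /forums/login.php?do=login HTTP/1.1" 200 3575 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed watch-lists: vBulletin scripts to review after a compromise, and a user-agent
# fragment (from the quoted log) that identifies an embedded/scripted browser component.
SENSITIVE_SCRIPTS = ("login.php", "register.php", "sendmessage.php", "admincp", "modcp")
AUTOMATION_UA = ("Embedded Web Browser",)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(log_text):
    """Group requests by client IP and list the reasons each IP deserves a closer look."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        reasons = set()
        for r in recs:
            if any(s in r["path"] for s in SENSITIVE_SCRIPTS):
                reasons.add(f"{r['method']} {r['path']} at {r['when']:%H:%M:%S}")
            if any(marker in r["ua"] for marker in AUTOMATION_UA):
                reasons.add("scripted client user-agent")
        report[ip] = sorted(reasons)   # cron.php hits are normal vBulletin traffic and are not listed
    return report


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons) or "nothing notable")
```

Run it against the full access log rather than the excerpt to see which IPs touched login, registration or the renamed control-panel paths, and in what order.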