HowTo "UnHack" Yourself and Hacker Prevention

[Black Tiger]

Nice howto, but I've got some comments:

Quote:

I was just restoring a DB backup, which he hacked several times. I found this is the lazy way out

Not it's in fact totaly no way out at all, not even a lazy one. It just plain and stupid giving the same possibility's back to the hacker. As you experienced.

You can do a lot of chmodding, but these things should be already automatically fine when installing and later upgrading vBulletin.
However, always take care with 777 directory's and files which are always a risk.

Quote:

Then I CHMOD the AdminCP Dir (renamed) to 0755, which gives you access to your acp. So you have access to the site, the hacker doesnt.

That's a common mistake made by many people. If you make something 755 its not writable to the world, but it is still readable to the world. So also the hacker can read. That's why the first thing to do is to put up a .htaccess file in there.

Quote:

This is a b*tch to do, and gives you a headache and takes a long time.

That depends on the knowledge of the person who is doing this. You can chmod recursive, also with an ftp program, and this can save you lots of time.
Als don't just start chmodding everything, have a look first if maybe most things not already -are- oke. A hacker can also gain access via mods which are not safe. Thats where vbulletin.org comes in, which sends security messages if it gets know a mod is not secure. Not a lot of mod sites are doing such nice things, so take care from where you download and install mods/hacks.

Most important thing to do is to get to know how the hacker gain access.

For the rest it's a very nice manual for people who take security very serious.

[businessmeet]

Thanks for this! I've had my board hacked 6 times within a week and recovered it each time. However, you don't have to restore the whole database each time. Once you recover your board again, and get it back to good working order again. Back it up, and run the "Template" table query. Drop / Create. Done. Then do the password protection of those directories/ rename of admincp and modcp. It worked for me, and took less time.

Or, go into phpMyAdmin, drop the tables of ONLY the template that was in use at the time of the hacking. If "Sam" coded my template, and I was using his template at the time of the hacking. I would only drop the tables of that template that had his name beside it. Then, go to "options" table in the database... switch the style id back to the default id. You'll get a blank page, then just run "domain.com/install/upgrade.php" or whatever.

[Angel-Wings]

Well, well

Quote:

Originally Posted by mikey1991

... I did a recursive CHMOD of 0644....

0440 or 0400 can be enough. Depends on how your Webserver is configured but in my opinion the PHP user should never be able to write anywhere inside the Webroot.
You can configure VB to use the uploads directory somewhere outside the Webroot which is much better.

Quote:

Originally Posted by mikey1991

PHPMYADMIN

Well - if that thing is installed one will for sure have other problems than securing VB - best way - remove phpMyAdmin completely specially if you

Quote:

Originally Posted by mikey1991

If you have SSH access to your server, ask your host to remove it

can use SSH to forward Database connections through a tunnel to your local host. And instead of removing SSH - ask the host if they can switch to Public Key authentication and for Gods sake keep it running.
Instead try to use SFTP and remove FTP giving you the ability to tighten up the file permissions even more.

Problem is that if you remove SSH which can be configured secure but keep phpMyAdmin running and have 0644 permissions you secure at the wrong side of the server.
General recommendation - if possible never let the PHP user write anywhere inside the Webroot if possible, mod_sec / suhosin are good if configured right to prevent RFI's / LFI's and Injections and try to remove FTP completely and rely on the much more secure SSH / SFTP with (and only with) Public Key auth.

Then you can easily configure your Webserver that admincp / modcp Logins are SSL based - maybe with a Client Cert authentication.

Please - don't misunderstand me - just phpMyAdmin as example is a thing that should be removed completely. Unsafe software won't get more secure if you make the door entry smaller - as long as it's there, it's a risk.
Same applies to FTP when SFTP is available as option and finally the problem that PHP should never write anywhere in the Webroot.
If you still decide to keep CSS related Style changes on the Webroot you can set the directory where these files are kept with:

Quote:

<directory "/where_ever_it_is/clientscript/">
php_admin_flag Engine off
</directory>

Or removing the handlers when using FastCGI. The same applies to all other folders where no PHP files are running (images, js and so on) and it should specially apply to every folder where PHP is able to do write operations such as the uploads directory.

[legacy123]

Very nice article for people who are new at security

[chick]

How do you remove phpMyAdmin completely?

[kall]

Quote:

HowTo "UnHack" Yourself

I'm seeing a lot of suggestions on prevention, but couldn't find one thing that talked about how you actually Unhacked yourself.

You mention 'fixing bugs'. Which?

[pant]

How come when you're setting up memcache file storing you're advised to CHMOD to 777 but every bit of security advice says not to?