My forum is in danger

[MNNLeafre]

Alright so I came back to my forum today to found out my pass was changed. I just woke up so I thought maybe it's just me, so I did a password reset.

I then realize there's an ad where there shouldn't be. I look at the script and it is definitely not mine.
I decide to change back the ads to my code.
Later, I realize I see another admin that I certainly did NOT make.

I proceed to delete the user. He then logs another user's account and starts talking on the shoutbox.

He continues to say
"ban me again and I'll do worse"
"[other user] your pass took me 2 min to crack"
At this point I knew he was a threat and proceeded to turn off my forum
Then HE turns it back on and says
"The forum's are fine, i'm going to sleep and in the morning if this account is no longer admin, and the forum looks any different I will wipe it from the web."
"If you turn it off again I'll cause real damage"
He then rambles on that he just wanted to see if he could hack the forum, and he will "leave us alone"
He said "I made [him] a superadmin, want me to remove that?"

So from that, I decide to check the CP Logs, and it seems that the first thing he did was go to market_item.php. This gave me the impression that the Point Market is NOT safe.
I proceed to disable it (should I uninstall instead?).

Now with that said, what do I do to prevent anything like this to happen?
I see he made several changes in templates. I'm going to uninstall then reinstall the styles for safety. as well as reverting everything back in the default style.

But the thing is, how would he be able to make people super Admins? You need FTP access for that, don't you? My login info for the forums is not the same as my FTP info.

When I stated that the market had to be part of the problem, he said "all i did was make one post in the forum, and make a few super admins"
And instantly I thought it was the one forum section I allowed HTML on.
But however I checked the admin logs and saw NOTHING of the user posting, nor any of the admins/mods deleting a post.

My forum is 4.1.6

What else should I do?

[ForceHSS]

<a href="https://vborg.vbsupport.ru/showthread.php?t=268208" target="_blank">https://vborg.vbsupport.ru/showthread.php?t=268208</a>
install this and ban his host he wont get back on

remove all custom plugins change ftp password to something hard and long updated version to 4.1.7 get logs from your host see what they say

[MNNLeafre]

Quote:

Originally Posted by ForceHSS

https://vborg.vbsupport.ru/showthread.php?t=268208
install this and ban his host he wont get back on

remove all custom plugins change ftp password to something hard and long updated version to 4.1.7 get logs from your host see what they say

Thing is, he had 3 different IPs, all from different places.
I'll do the update too.

[wat3v3r]

What i would have done is:

- Secure my Admin password. (he said he cracked you in 2mins... use special characters,numbers and upper and lower case alphabets so it cannot be brute forced easily)
- Change my DB and FTP passwords.
- If you on a vps or dedicated get CSF firewall installed.
- Open a ticket with your host if you are on a managed host. Giving them the Ip's and asking them to check server logs.
- Rename Admin and Moderator panels.
- Add a password via htaccess for the Admin Panel.

[Gunshot]

Open config.php and make sure you are the only superadmin before deleting his accounts
you could also password protect that file

[MNNLeafre]

Quote:

Originally Posted by Gunshot

Open config.php and make sure you are the only superadmin before deleting his accounts
you could also password protect that file

How?

@wat3v3r Thank you very much! I'll do that

[ForceHSS]

make a .htpasswd file
there are many things you can do to stop this from happening start reading up on security