  #1  
Old 01-10-2009, 11:54 PM
GamblerZ GamblerZ is offline
 
Join Date: Nov 2007
Location: West Texas
Posts: 19
Forum being defaced rapidly

http://westtexasimports.net has been hacked 4 times in recent history, including two times today. The only thing that has not changed (until now) is we have been using the RedBar style. 3 of them were caused by injecting base64 code into spacer_open. The other one was a deface of template_home (I believe).

I have changed the sql db password, upgraded to 3.8, and disabled all hacks/plug-ins. I've looked through the logs and they're not getting in through SSH or through my password.

Thoughts?
  #2  
Old 01-11-2009, 04:04 AM
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

You must remove all the modification files as well as uninstall them from the Admin CP. Also look for malicious files inside your directories and reupload all vBulletin files.
  #3  
Old 01-11-2009, 01:57 PM
Golzarion Golzarion is offline
 
Join Date: Jan 2008
Posts: 214

The really important notice:
Change the password of the database and edit config.php

/
/

I suggest you try this plugin : https://vborg.vbsupport.ru/showthrea...04#post1687304

It may help, maybe not.

Put a password on your "includes" folder and never use the folder with chmod 777.

Are you on a shared server?

--------------- Added 01-11-2009 at 04:08 PM ---------------

One more thing:

See your server log "log access raw"; search for suspected logs and maybe SQL injection!

Everything is recorded in the server log; try to find how the hacker acted.
  #4  
Old 01-11-2009, 04:42 PM
GamblerZ GamblerZ is offline
 
Join Date: Nov 2007
Location: West Texas
Posts: 19

Quote:
Originally Posted by Golzarion
The really important notice:
Change the password of the database and edit config.php

/
/

I suggest you try this plugin : https://vborg.vbsupport.ru/showthrea...04#post1687304

It may help, maybe not.

Put a password on your "includes" folder and never use the folder with chmod 777.

Are you on a shared server?

--------------- Added 01-11-2009 at 04:08 PM ---------------

One more thing:

See your server log "log access raw"; search for suspected logs and maybe SQL injection!

Everything is recorded in the server log; try to find how the hacker acted.

Thank you but I have tried all of the above.

Dismounted -- I will remove all files from this directory and reupload just the vbulletin files.

And this server is shared, but only amongst my websites. I have one website in particular that I do a lot of testing on and I have thought that possibly that is the problem, but after digging through it I am certain that there is nothing there that is allowing people to do this defacing.
  #5  
Old 01-11-2009, 05:13 PM
CarlitoBrigante CarlitoBrigante is offline
 
Join Date: Nov 2002
Location: Iceland
Posts: 182

You got all good suggestions here. We worked on stuff like this a lot of times, and, in order, most of the time the issues were caused by:

1 - Installed scripts forgotten by the owner, like phpmyadmin and/or old outdated mods
2 - 777 directories in shared environment - if this is a possibility, report it to the hosting provider
3 - Bad DB password in shared environment
4 - Fully compromised system. Somebody got your root access in some way and can do whatever he wants on your server until you reinstall everything and overwrite possible backdoors
5 - Very rarely, guy hired by the webmaster in the past having fun thanks to unchanged passwords. But keep all your login passwords fresh, rotate them as frequently as possible
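Added example (not part of the thread and not any poster's code): a file-side audit for two of the causes discussed above, world-writable (777-style) directories and PHP files carrying decoder-wrapped code such as the base64 injection described in the first post. The function name `audit_webroot` and the indicator patterns are assumptions chosen for illustration.

```python
"""Audit a web root for world-writable directories and PHP files that
contain decoder-wrapped code (illustrative patterns; tune for your site)."""
import os
import re
import stat
import sys

# Assumed indicator patterns: a hit means "review this file", not proof of
# compromise, because legitimate code can also call base64_decode().
PATTERNS = {
    "eval-of-decoder": re.compile(
        rb"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.IGNORECASE),
    "long-base64-literal": re.compile(
        rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.IGNORECASE),
}
PHP_EXTS = (".php", ".phtml", ".inc")
MAX_READ = 2_000_000  # bytes inspected per file


def audit_webroot(root):
    """Return (world_writable_dirs, suspicious_files) found under root."""
    writable, suspicious = [], []
    for dirpath, _dirnames, filenames in os.walk(root):  # symlinks not followed
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH:  # "other" write bit, e.g. 777 or 757
            writable.append((dirpath, oct(stat.S_IMODE(mode))))
        for name in filenames:
            if not name.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = [label for label, rx in PATTERNS.items() if rx.search(data)]
            if hits:
                suspicious.append((path, hits))
    return writable, suspicious


if __name__ == "__main__":
    dirs, files = audit_webroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, mode in dirs:
        print(f"WORLD-WRITABLE {mode} {path}")
    for path, hits in files:
        print(f"REVIEW {path}: {', '.join(hits)}")
```

vBulletin keeps templates such as spacer_open in the database, so this scan covers only the file side; the templates themselves still need to be reviewed in the Admin CP.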
  #6  
Old 01-11-2009, 05:49 PM
Golzarion Golzarion is offline
 
Join Date: Jan 2008
Posts: 214

Of course, a list of good suggestions so far.

@GamblerZ: Did you check the server log? If you want, I can check all the logs of "log access raw" within these 24 hours (the time your forum was hacked); just PM me the log file if you like.

I had 2 forums on shared servers and the same thing happened, but another forum on a dedicated server was never hacked, although all of them had the same plugins and ...

See here, it may help you.

One more thing that doesn't relate to this case: did you ever use "Separate Sticky and Normal Threads" by any chance?

--------------- Added 01-11-2009 at 08:08 PM ---------------

Oh, I forgot another thing... Ask your host: is phpMyAdmin password protected?
  #7  
Old 01-12-2009, 02:48 PM
GamblerZ GamblerZ is offline
 
Join Date: Nov 2007
Location: West Texas
Posts: 19

Quote:
@GamblerZ: Did you check the server log? If you want, I can check all the logs of "log access raw" within these 24 hours (the time your forum was hacked); just PM me the log file if you like.

Yes, and I was unable to find anything of any value at all.

Quote:
I had 2 forums on shared servers and the same thing happened, but another forum on a dedicated server was never hacked, although all of them had the same plugins and ...

See here, it may help you.

One more thing that doesn't relate to this case: did you ever use "Separate Sticky and Normal Threads" by any chance?

No, I did not.

Quote:
Oh, I forgot another thing... Ask your host: is phpMyAdmin password protected?

phpMyAdmin is protected. We've removed the RedBar style, and disabled everything and have not been hacked again.

What highly frustrates me is I talked with the server admins and they could only suggest: Update vBulletin. ugh, worthless!
  #8  
Old 01-12-2009, 03:06 PM
Golzarion Golzarion is offline
 
Join Date: Jan 2008
Posts: 214

I believe it is because of weak shared hosting security. One of my friends, who has a hosting reseller service, told me that it happens by phpshell uploading on other shared accounts... (that proves the above sentences)

But the reality is that I don't know the exact reason for hacking the template "spacer_open"... but it just happens on shared hosting.

I am really eager to know the exact reason... and hope it will be clear some day.
  #9  
Old 01-12-2009, 11:19 PM
GamblerZ GamblerZ is offline
 
Join Date: Nov 2007
Location: West Texas
Posts: 19

I appreciate your time Golzarion -- You may be right about the shared account. I'm going to get after the server admins to fix this problem, as if I were in their sight right now I would kick them in the face for being no help!
All times are GMT.