The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Hi -
My forum was hacked sometime between last night and 9am this morning. An image is displayed when going to the main page or to the admin panel. The image says it's been hacked and gives the hacker's email address. The source shows two websites, one for the image and another that I'm not sure what it means, but it says embed src="website address here". I'm not exactly sure, but the source doesn't appear to show any clue to what the hack is. I have checked my index.php and even uploaded a new one. I have my admin and mod CP renamed and have my install and include directories password protected with .htaccess. I have gone through all of my files and don't see any with new dates. My config file doesn't have anything new added from what I can tell. Only my name is set as unchangeable admin. This all leads me to believe it's a database issue. I do have a backup of the database from yesterday 5pm and this morning at 5am, although I think the 5am one is compromised. From what I have for security, how could someone get in? Also, what is the best step to repair... and make it even more secure? Thanks, slightly panicking since this is used for our customers.
#2
1. Could be any number of ways in, from an installed insecure hack to just a poorly written one; it could also be a server security hole as well. I would suggest you view your web server logs for any details of injection or otherwise.
2. Due to the hacker changes, it could be anything from a db change to a template change to a file change. You will have to check all 3 to see what was added.
3. There is no need to import any backups.
4. I would suggest you upgrade vB and all hacks/addons you have installed.
5. Upgrade the server backend, as well as Apache, SQL & PHP.
#3
I have changed my CPanel password. I don't see any files with recent date changes. I am definitely not a wizard with this stuff but it seems that it must be in the database. I am requesting additional logs from my host, if they're available.
My HTTP access logs show activity from IPs from overseas. Below are some of the entries, site name changed:

```
188.92.74.172 - - [24/Sep/2009:01:09:59 -0600] "GET /forums/register.php? HTTP/1.0" 200 15855 "http://sitename.com/register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Netscape/8.0.4"
188.48.189.22 - - [24/Sep/2009:01:49:20 -0600] "GET /forums/cron.php?rand=1253778547 HTTP/1.1" 200 364 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)"
188.48.189.22 - - [24/Sep/2009:01:54:49 -0600] "POST /forums/login.php?do=login HTTP/1.1" 200 3575 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)"
```

--------------- Added later (timestamp 1253850415) ---------------

So I restored SQL databases to yesterday afternoon and the hack is gone. It was somewhere in the database. Anyone have any idea how they could have modified the database or inserted the hack? I'm not even sure where it was or what. I did a search of Mr. Azoz on Google and this guy apparently is a hack machine, as there are a bunch out there. Again, any help appreciated...

--------------- Added later (timestamp 1253852775) ---------------

Is it possible to move the config.php file to a non-public area?

--------------- Added later (timestamp 1253894760) ---------------

I am now convinced it was SQL injection. The last thing I can tell they attempted to access was:

```
"GET /forums/ HTTP/1.1" 200 4072 "http://sitename.com/forums/sendmessage.php"
```

From what I've read this morning, the injection is usually done on a user input form.
The only modifications I have are used to create new forums and automatically email users. I don't know much about SQL, and I did talk to the guy that made the mods for me. He indicated the mods are based on the admincp and have no exposure to SQL injection. I can see that the attacker somehow found out what my admin and mod control panel names are (I had renamed them in config in the past). I know this can be found in the source, IF you are logged in. Not sure how they found it without being logged in. I created an .htaccess file in the interim to block all IPs originating from outside the US and block proxy servers. See the file below, does it look ok? Also, would anyone be willing to help me determine how they broke in, whether it's a vBulletin issue or the mods? Thanks!

```apache
# block proxy servers from site access
# saved from - http://perishablepress.com/press/200...-via-htaccess/
RewriteEngine on
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]

# block ranges of IPs outside of the United States
<Limit GET HEAD POST>
order allow,deny
deny from 85.94.160.0/19
deny from 91.187.64.0/19
deny from 194.158.64.0/19
deny from 80.227.0.0/16
# EXTREMELY LONG LIST OF IP ADDRESSES CONTINUES HERE
allow from all
</Limit>
```
#4
Would someone be willing to review my access log listing with me to determine if there are clues in how they got in?
One thing that is strange: I have a log, somehow, that shows they did a search of my host IP to see what other vBulletin forums were hosted there. I'm now wondering if another forum was hacked and they got in through some backdoor to mine. Prior to that, it looks like they hit the index, then the registration. Registration is disabled. They then hit the login and index, and then the other entries look like they were in to the site. Since a few minutes later they hit my admin and mod CPs that had names changed, they somehow must have been in the database or broke in through another server.
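A small log-triage script, added here as an example and not taken from any post in this thread, that parses Apache combined-format lines like the ones quoted in post #3, groups them per client IP, and flags the things a reviewer of this log would look at first: hits on paths an anonymous visitor should never reach, and a login POST followed by a hit on a renamed control-panel path. The sample log, the hostname, the renamed CP directory names and the benign 10.0.0.5 line are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" format, modelled on the entries quoted in post #3.
# The hostname, the renamed-CP directory name and the last two lines are made up for this example.
SAMPLE_LOG = """\
188.92.74.172 - - [24/Sep/2009:01:09:59 -0600] "GET /forums/register.php? HTTP/1.0" 200 15855 "http://sitename.com/register.php?" "Mozilla/4.0 (compatible; MSIE 6.0)"
188.48.189.22 - - [24/Sep/2009:01:49:20 -0600] "GET /forums/cron.php?rand=1253778547 HTTP/1.1" 200 364 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0)"
188.48.189.22 - - [24/Sep/2009:01:54:49 -0600] "POST /forums/login.php?do=login HTTP/1.1" 200 3575 "http://sitename.com/forums/" "Mozilla/4.0 (compatible; MSIE 8.0)"
188.48.189.22 - - [24/Sep/2009:01:58:03 -0600] "GET /forums/renamed_admincp/index.php HTTP/1.1" 200 9102 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.5 - - [24/Sep/2009:08:30:00 -0600] "GET /forums/index.php HTTP/1.1" 200 20100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Paths an anonymous visitor should never reach on this forum. The CP directory names are
# placeholders for the renamed admincp/modcp; register.php counts because registration is disabled.
SENSITIVE = ("/forums/renamed_admincp/", "/forums/renamed_modcp/", "/forums/register.php")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(log_text):
    """Build a per-IP timeline and flag what an incident reviewer should look at first."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        flagged = [r["path"] for r in recs if r["path"].startswith(SENSITIVE)]
        # Login POST followed by a CP hit means a valid session was used: start with that account.
        logins = [r["ts"] for r in recs if r["method"] == "POST" and r["path"].startswith("/forums/login.php")]
        cp_hits = [r["ts"] for r in recs if r["path"].startswith(SENSITIVE[:2])]
        report[ip] = {"requests": len(recs), "flagged": flagged,
                      "first_seen": recs[0]["ts"].isoformat(), "last_seen": recs[-1]["ts"].isoformat(),
                      "login_then_cp": any(c > l for l in logins for c in cp_hits)}
    return report
```

Run `triage(open("access_log").read())` against a real log and review the IPs with a non-empty `flagged` list or `login_then_cp` set, in `first_seen` order.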
#5
Most hacks come from upload centers installed on the server.
I had a reseller account with over 40 sites and all of them got hacked; it turned out to be through the pic upload center one of my clients had installed.
#6
I want to get hacked. Here is my link: http://coderz4life.com. Give that to the guy that hacked you, or you think hacked you...
#7
Why in the world would you want to get hacked?
#8
I have been online forever and I never see it happen...
This is what I think he did: either he gave his password out or installed a bad mod that gives him a database error...
#9
Clearly you must have security I don't, or are you on a dedicated server?
#10
Yes, I use my Dada hosting, and no, I don't have security... but there isn't any.
See man, someone must have access to an FTP account on your hosting. That's the only way someone can add an index page with an image that says you've been hacked, and don't say never, it could be one of the staff members at your hosting company... "I didn't say anything." So if you call that hacking, I call it playing games...