08-22-2011, 08:19 PM
Crad
Join Date: Sep 2009
Posts: 6
Thanks given: 0
Thanked 0 times in 0 posts
Forum Hack Cleanup

My forum was recently hacked, which really was my wake-up call towards security on my server.

Somehow, possibly through an SQL Injection in another Plugin or by impersonating administrator credentials (although I can't be sure), the hacker was able to gain access to the Admin CP (via an Admin's account), and add a plugin titled "vb_ajax" that contained an encrypted string.

Once decrypted, the string would inject a check for $_REQUEST['mode'], which it would then use to run a large variety of exploits, including running shell commands and executing certain SQL queries. The parameter 'ws_ver' would identify this plugin as "WebShell PHP Server v3.2".

Thankfully, like all "good" hackers (thank god they weren't purely malicious), they made it clear that they had gained access to the ACP and the database by editing our templates to display something similar to "LOL IVE HACKED YOUR SITE, HERE'S A LINK TO YOUR USERS SQL DUMP!"; otherwise I might not have found out.

--

Anyways, I have no Admin experience, at all. I took over the site because all the other Admins left. I do have some experience as a Junior Programmer in the games industry, but that about covers it.

I've since gotten the site back online (pretty easily), and have had my plugins disabled. Some of the things I've done to help secure the board:
  • New Database User Name
  • New Database User Password (much higher complexity)
  • New Administrator Passwords
  • New Moderator Passwords
  • New FTP Password
  • New cPanel Password
  • Restricted AdminCP Access with .htaccess
  • AdminCP .htpassword Password
  • ModeratorCP .htpassword Password (different)
  • Disabled every plugin except the absolutely essential
  • Restricted access to core files with chmod
  • Flushed the FTP to a new install of vBulletin
  • Alerted users to please change their passwords

What I'm worried about is:

Q: If the password salt is stored in the database, and the database was compromised (very likely), do I need to re-salt it? Won't that destroy everyone's passwords?

Q: Do you have any recommended tips on what to do next?

Q: Do you have any recommended reading to become a better Admin? So far I'm boning up on my PHP, but I'm sure there are highly recommended resources that I'm unaware of.

A lot of text for very few questions... Thanks for taking the time to read them though.
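
A defender's audit for the kind of plugin described in the post, as an added example that is not part of the original post or vBulletin's own code: it flags plugin rows that are off-baseline or carry obfuscation markers and the parameter names the post mentions. The row keys (`pluginid`, `title`, `hookname`, `phpcode`) are assumed to mirror the forum's plugin table, and the sample rows, hook names and baseline are constructed.

```python
import re

# Patterns for PHP plugin bodies. The first three are generic obfuscation and
# execution markers; the last two are the parameter names given in the post.
INDICATORS = {
    "dynamic_exec": re.compile(
        r"\b(eval|create_function|system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
        re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "opaque_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "request_mode": re.compile(r"\$_(REQUEST|GET|POST)\s*\[\s*['\"]mode['\"]\s*\]"),
    "ws_ver": re.compile(r"\bws_ver\b"),
}


def audit_plugins(rows, baseline_titles):
    """Return one finding per plugin row that is off-baseline or matches an indicator."""
    findings = []
    for row in rows:
        reasons = [name for name, rx in INDICATORS.items() if rx.search(row["phpcode"])]
        if row["title"] not in baseline_titles:
            reasons.insert(0, "not_in_baseline")
        if reasons:
            findings.append((row["pluginid"], row["title"], row["hookname"], reasons))
    return findings


# Constructed sample rows (not taken from any real forum). The blob decodes to
# the letters "ABC" repeated; hook names and the baseline are hypothetical.
SAMPLE_ROWS = [
    {"pluginid": 12, "title": "Post Thanks: postbit", "hookname": "postbit_display_complete",
     "phpcode": "$post['thanks'] = fetch_thanks($post['postid']);"},
    {"pluginid": 57, "title": "vb_ajax", "hookname": "global_start",
     "phpcode": "eval(base64_decode('" + "QUJD" * 60 + "'));"},
]
BASELINE = {"Post Thanks: postbit"}

if __name__ == "__main__":
    for pluginid, title, hook, reasons in audit_plugins(SAMPLE_ROWS, BASELINE):
        print(f"plugin {pluginid} '{title}' on {hook}: {', '.join(reasons)}")
```

The baseline should come from a known-clean backup or a fresh install of the same products, since a title alone can be chosen to look legitimate.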