[HOW-TO] "UnHack" yourself and hacker prevention

Discussion in 'vBulletin Discussions' started by Mikey, Nov 7, 2009.

  1. Mikey

    Mikey Mikeylicio.us

    Joined:
    Sep 12, 2009
    Messages:
    484
    Likes Received:
    92
    Location:
    United Kingdom
    Recently, one of my vBulletin-powered sites was under a hacking spout: I'd fix it, and it got hacked the next day; fixed it, hacked again; fixed, hacked again.

    Fortunately, he was doing the same thing each time. Up until the last time, I was just restoring a DB backup, which he hacked several times. I found this is the lazy way out.

    I was scratching my head over and over, "how is he getting in?" I'd followed the standard safety measures and such: renamed admincp/modcp, 128bit passwords, etc.

    Here's what I did, and it seems to have worked (in b4 I get hacked for posting this :D).

    Firstly I did a recursive CHMOD of 0644 on every single file and folder; this will make your vBulletin bring up a "Forbidden" message while you work on it. Then I CHMOD the AdminCP dir (renamed) to 0755, which gives you access to your ACP. So you have access to the site, the hacker doesn't.

    I then fixed the bugs using the vBulletin AdminCP and phpMyAdmin; I find it's more effective to remove these things at a database level (this time it was SQL insertion and malicious JavaScript). I then went ahead and changed all my staff's passwords. Sure, they'll moan, but if it protects the site, then they have to live with it.

    I then went and created 128bit passwords and put .htaccess and .htpasswd files in the following directories:

    admincp/ (renamed)
    modcp/ (renamed)
    includes/
    install/

    If you have SSH access to your server, ask your host to remove it also (even if just for, like, a week or two), as this is another way the hacker can get in.

    I then changed my database name, and database username and password, and changed those in the config.php. I then renamed the admincp/modcp dirs again; they now aren't even under /forum/. You can do that by adding your full path to any instance of "global.php".

    Then I went and did a recursive CHMOD on all the DIRECTORIES to 0755, so all files are now sitting at 0644 and directories (folders) are at 0755. So this should be secure. Remember to chmod your config_vbseo.php back to 777, and if you have any mods like vbimghost, chmod 777 the image upload directory.

    Finally, I reviewed my raw access logs, control panel logs and error logs, determined the IP of the hacker, and iptabled them; they now can't access any part of the server. This is a b*tch to do, gives you a headache and takes a long time.

    A lot of what I've said is in all the official stuff, but eh, hope this helps anyone.
     
    5 people like this.
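Mikey's two recursive chmod steps above, as an added example that is not part of his post: a POSIX shell script that sets directories to 0755 and files to 0644 in one pass and then counts what is still world-writable, so you can verify the lockdown instead of assuming it. The tree the demo builds (forum/, includes/, images/upload/) is constructed for illustration; point lock_permissions at your real forum root.

```shell
#!/bin/sh
# Added example, not from the original post: normalise a vBulletin tree to
# files 0644 / directories 0755, then verify nothing is still world-writable.
# The demo paths below are constructed; use your real forum root in practice.
umask 022

lock_permissions() {
    root="$1"
    # Directories first so find can still descend into anything that was
    # locked down harder than 0755; then every regular file to 0644.
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# Count entries writable by "other" (-perm -002 = world-writable bit set).
# Expect 0 after lock_permissions; anything left is a 777 that needs a
# deliberate, documented exception rather than a forgotten one.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Before/after on a throwaway tree with one 777 file and one 777 directory
# (a constructed "bad" state, the kind add-on instructions tend to leave).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/forum/includes" "$tmp/forum/images/upload"
    touch "$tmp/forum/config.php" "$tmp/forum/includes/functions.php"
    chmod 0777 "$tmp/forum/config.php" "$tmp/forum/images/upload"
    before=$(count_world_writable "$tmp/forum")
    lock_permissions "$tmp/forum"
    after=$(count_world_writable "$tmp/forum")
    echo "world-writable entries: before=$before after=$after"
    rm -rf "$tmp"
    [ "$before" -eq 2 ] && [ "$after" -eq 0 ]
}

demo
```

Run count_world_writable again after re-enabling any 777 upload directory a mod insists on, so the list of exceptions is explicit.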
  2. Nick

    Nick Regular Member

    Joined:
    Jul 27, 2008
    Messages:
    7,444
    Likes Received:
    219
    Great thread; "Stickied"! :)
     
    2 people like this.
  3. Michael

    Michael Regular Member

    Joined:
    Jan 18, 2004
    Messages:
    166
    Likes Received:
    35
    Great article :D We were hacked once due to poor server security within a shared environment and I did the same as you: just put a backup back up, and the hacker hacked us within just minutes. He was able to upload scripts to perform CHMOD, uploads etc. whenever he wanted. I still have the same file somewhere which he was using to perform his hacking.

    When checking our logs I noticed he was running the dokill forum script to delete each forum from the admincp. It has always made me wonder if he actually had one of our passwords, but our PCs scanned clean of keyloggers etc. I wonder if someone knows if it is possible to run such a script without needing admincp/passworded access.
     
    2 people like this.
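Mikey's log review and Michael's observation of the dokill requests, as an added example that is not from either post: a shell/awk triage that reads Apache combined-format access logs and ranks client IPs by how often they hit the admin, mod, install and includes paths, skipping the addresses you administer from. The log lines in SAMPLE_LOG are constructed, and ADMIN_IPS and the renamed myacp/ directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts: rank client IPs by hits to
# paths an ordinary visitor never requests. Apache "combined" format is
# assumed (field 1 = client IP, field 7 = request path). SAMPLE_LOG is
# constructed, and 192.0.2.9 is assumed to be the admin's own address.

# Constructed sample: one IP probing install/ and the old admincp/ name
# (including a forum.php?do=dokill request), a normal visitor, and the
# admin using the renamed control panel directory myacp/.
SAMPLE_LOG='203.0.113.7 - - [07/Nov/2009:10:00:01 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Nov/2009:10:00:03 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 230 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Nov/2009:10:00:09 +0000] "GET /forum/admincp/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Nov/2009:10:00:11 +0000] "GET /forum/admincp/forum.php?do=dokill HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Nov/2009:10:01:00 +0000] "GET /forum/index.php HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Nov/2009:10:01:05 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Nov/2009:10:02:00 +0000] "GET /forum/myacp/index.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Nov/2009:10:02:30 +0000] "GET /forum/install/index.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"'

ADMIN_IPS="192.0.2.9"   # assumption: addresses you administer from

# Read a log on stdin; print "hits ip" for every IP that requested anything
# under admincp/, modcp/, install/ or includes/, most hits first. The status
# code is deliberately ignored: a 403 probe is as telling as a 200.
sensitive_hits() {
    awk '$7 ~ "/(admincp|modcp|install|includes)/" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Highest-ranked IP that is not one of your own admin addresses: the
# candidate for the iptables block Mikey describes.
top_suspect() {
    sensitive_hits | awk -v admins="$ADMIN_IPS" '
        BEGIN { split(admins, a, " "); for (i in a) skip[a[i]] = 1 }
        !($2 in skip) { print $2; exit }'
}

printf '%s\n' "$SAMPLE_LOG" | sensitive_hits
printf 'suspect: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | top_suspect)"
```

Against a real log, run it as `sensitive_hits < /path/to/access_log` and compare the ranked list with your own login times before blocking anything.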
  4. Mikey

    Mikey Mikeylicio.us

    Joined:
    Sep 12, 2009
    Messages:
    484
    Likes Received:
    92
    Location:
    United Kingdom
    Well, this has been happening to me all week, so I documented what I did and threw it up here. Cheers for the sticky, Nick! Fingers and toes and everything else crossed it doesn't happen again!
     
  5. David

    David Regular Member

    Joined:
    May 30, 2003
    Messages:
    1,088
    Likes Received:
    133
    Location:
    Australia
    You only need 2 files from the install folder present, and that's only if something mucks up and you have to run repairs.

    I usually completely remove the install folder, and then if it's needed, reupload the files.
     
  6. SimpleMan

    SimpleMan Adept

    Joined:
    Nov 2, 2009
    Messages:
    112
    Likes Received:
    28
    You could actually simplify this a good bit.

    Just use an .htaccess directive to restrict access to the site for everyone but you while you make the necessary changes. This would make all of the chmodding unnecessary while you investigated. If you run the server (or if your host does), a good firewall should be installed - CSF and APF are excellent where you don't have to use iptables, which can get confusing for those who don't use it often enough.

    777 anything - files or directories - should be avoided at all costs; that's the single greatest cause of hacks outside of scripts that haven't been updated.

    If anyone would like for me to explain the above or elaborate, let me know.
     
    2 people like this.
  7. MjrNuT

    MjrNuT Grand Master

    Joined:
    Oct 14, 2009
    Messages:
    579
    Likes Received:
    36
    Mikey,

    Was this on a shared environment?
     
  8. Mikey

    Mikey Mikeylicio.us

    Joined:
    Sep 12, 2009
    Messages:
    484
    Likes Received:
    92
    Location:
    United Kingdom
    No, it was on a dedicated server, so some of the options I mentioned wouldn't be available to you, like dropping the IP of the hacker from the server etc.

    Thanks CrazyTech
     
  9. SimpleMan

    SimpleMan Adept

    Joined:
    Nov 2, 2009
    Messages:
    112
    Likes Received:
    28
    Actually it is -- in a way. Use .htaccess to block individual IPs. Google for some tutorials, but let me know in the future if you need help. Also, you should be able to place a ticket with your host to have the IPs blocked.
     
    2 people like this.
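The two .htaccess controls SimpleMan describes (lock the site to your own address while you investigate, then deny individual attacker IPs once it is back up), plus the Basic-auth fragment for the directories Mikey lists, as an added example that is not code from either post. It emits Apache 2.2-style Order/Deny/Allow directives (an assumption about the host's Apache version) and refuses malformed addresses, because Apache treats a partial IP such as `1.2.3` as a whole subnet.

```shell
#!/bin/sh
# Added example, not from the original posts: generate the .htaccess rules
# SimpleMan describes. Apache 2.2 Order/Allow/Deny syntax is assumed; on
# Apache 2.4 the equivalents are "Require ip ..." / "Require not ip ...".
# The addresses in the demo are documentation ranges, not real hosts.

# Accept only a dotted-quad IPv4 with each octet 0-255. A truncated entry
# must fail loudly: Apache reads "Allow from 1.2.3" as the whole 1.2.3.0/24.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Every argument must be a valid address, and there must be at least one:
# an empty allow-list would lock you out along with everyone else.
check_all() {
    [ $# -gt 0 ] || { echo "need at least one address" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "refusing malformed address: $ip" >&2; return 1; }
    done
}

# Investigation mode: everyone gets 403 except the listed admin addresses.
maintenance_htaccess() {
    check_all "$@" || return 1
    echo "Order Deny,Allow"
    echo "Deny from all"
    for ip in "$@"; do echo "Allow from $ip"; done
}

# Normal service with specific attacker addresses shut out.
block_htaccess() {
    check_all "$@" || return 1
    echo "Order Allow,Deny"
    echo "Allow from all"
    for ip in "$@"; do echo "Deny from $ip"; done
}

# Basic-auth fragment for admincp/modcp/includes/install; $1 is the
# .htpasswd path, kept outside the web root and created with htpasswd -c.
basicauth_htaccess() {
    echo "AuthType Basic"
    echo "AuthName \"Staff only\""
    echo "AuthUserFile $1"
    echo "Require valid-user"
}

maintenance_htaccess 192.0.2.9
block_htaccess 203.0.113.7
```

Redirect the output of the function you need into the relevant directory's .htaccess and test from a second connection before logging out of the one you have.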
  10. Metura

    Metura Newcomer

    Joined:
    Apr 21, 2010
    Messages:
    5
    Likes Received:
    0
    First Name:
    Angel
    $execode allows any smart hacker access to upload a shell, so everything you did would just annoy them. Check your plugins and also do not forget to check your styles... After that, run a diagnostic on your files in case any of them have been modified to decrypt passwords and put them into a .txt document for him to download / read...
     