Preventative - How to avoid being Hacked by TeamPS i.e. p0wersurge
by TheLastSuperman, 20 Dec 2011

No doubt some of you have already been defaced at some point in the past, what I aim to do is make a quick post letting you know a few simple tips to avoid or recover from this and also help you re-secure your site if you've recently recovered from such activity.

Lately what I've noticed is on older versions namely pre 4.1.4 a group of hackers have been exploiting the Admin Username and Password through member groups and the search feature, granting them access to the forum in question to do so as they wish. The main goal of the information outlined below is to help you prevent this from happening by adding in some additional security to your admin and moderator control panels with .htaccess. Initially newer versions were not affected by this however after a recent post on vBulletin.org I'm not sure what other methods they are using - http://www.vbulletin.org/forum/showthread.php?t=275715 so let's go ahead and remedy this shall we?

____________________

If you're currently secure:
1) .htaccess-protect your admincp and modcp. Here are some useful links:
.htaccess authentication generator:
http://www.htaccesstools.com/htaccess-authentication/
.htaccess password generator:
http://www.htaccesstools.com/htpasswd-generator/

Now, if they are able to somehow obtain your primary admin account username and password, they can only do so much damage... why? Well, your admin control panel now requires a completely different username and password before you can even log in; without server/FTP access they can never bypass this.

____________________

If you've been defaced:
1) Try restoring a backup from before you were hacked; if that is not possible, recover the best way you can.
2) Change database passwords. *Don't forget to update the config.php files for vBulletin and any other software running on your site.
3) Change FTP account passwords.
4) Change admin account passwords.
5) .htaccess-protect your admincp and modcp. Here are some useful links:
.htaccess authentication generator:
http://www.htaccesstools.com/htaccess-authentication/
.htaccess password generator:
http://www.htaccesstools.com/htpasswd-generator/
6) Check to see if they added any admin accounts. On one site they changed the primary admin account name to what they desired and went so far as to re-create the admin accounts with the same details but no admin permissions, to throw the site owners off for a little bit.
7) Use this guide and ensure your site is 100% clean - http://www.vbulletin.com/forum/blogs...iller/3934768-

___________________

*Use an entirely different username and a complex password when creating the .htaccess and .htpasswd files. Also, on that note, be sure the .htpasswd is stored above public_html, i.e. in /home/accountnamehere/.htpasswds

**Wayne Luke of the vBulletin.com team also posted some very sound advice here; please take the time to read his post - https://www.vbulletin.com/forum/show...=1#post2245651

Last edited by TheLastSuperman : 04 Mar 2013 at 04:30.
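The .htaccess/.htpasswd protection the post describes, as an added example (not code from the original post or from vBulletin): a POSIX shell script that writes the Basic-auth .htaccess for the admincp and modcp directories and refuses to proceed if the password file would sit under public_html. The account path /home/accountnamehere, the public_html document root and the default directory names admincp/modcp are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from vBulletin.
# Writes the Basic-auth .htaccess for vBulletin's control panels and checks
# that the .htpasswd file lives outside the web root, as the post advises.
# Assumed paths: /home/accountnamehere is the hosting account, public_html
# is its document root; admincp and modcp are vBulletin's default names
# (config.php can rename them).

ACCOUNT_HOME="/home/accountnamehere"
DOCROOT="$ACCOUNT_HOME/public_html"
HTPASSWD_FILE="$ACCOUNT_HOME/.htpasswds/vb-cp.htpasswd"

# Print the .htaccess body for one control-panel directory.
# $1 = realm shown in the browser prompt, $2 = absolute path of the .htpasswd file
make_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "$1"
AuthUserFile $2
Require valid-user
EOF
}

# Succeed (0) if the password file is not under the document root, so Apache
# can never serve it to a browser; fail (1) if it is. $1 = file, $2 = docroot
htpasswd_outside_docroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Create the password file with a bcrypt hash (htpasswd -B, Apache 2.4 utils).
# $1 = Basic-auth username: pick one that differs from the vBulletin admin login.
create_htpasswd() {
    mkdir -p "$(dirname "$HTPASSWD_FILE")"
    htpasswd -c -B "$HTPASSWD_FILE" "$1"
}

# Drop an .htaccess into each control-panel directory, refusing to proceed if
# the password file would end up somewhere a browser could fetch it.
install_protection() {
    if ! htpasswd_outside_docroot "$HTPASSWD_FILE" "$DOCROOT"; then
        echo "refusing: $HTPASSWD_FILE is inside $DOCROOT" >&2
        return 1
    fi
    for dir in admincp modcp; do
        make_htaccess "vBulletin $dir" "$HTPASSWD_FILE" > "$DOCROOT/$dir/.htaccess"
    done
}
# Run on the server: create_htpasswd cpuser && install_protection
```

If config.php renames the control-panel directories, change the names in the for loop to match.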
Comments
#2 ReFuZe, 22 Dec 2011, 17:41
lolz, that doesn't secure you at all. It only secures the admincp, and not that well; there's tools for it. I know because I've seen people do it and I had it. All you need is good hosting with a lot of security, Cloudflare, htaccess and no vuln and all that. That's how you get secured.
#3 TheLastSuperman, 22 Dec 2011, 19:58
Originally Posted by ReFuZe:
lolz, that doesn't secure you at all. It only secures the admincp, and not that well; there's tools for it. I know because I've seen people do it and I had it. All you need is good hosting with a lot of security, Cloudflare, htaccess and no vuln and all that. That's how you get secured.
I've never understood posts like the one above ^ - not trying to be rude, but either post a "How-To" or don't post comments like that at all in my threads, please; anywhere else, go ahead. However, imo it does help if the one gaining access to your site knows nothing more than the context of the tutorial or video he/she is viewing, correct? Case in point.

You're exactly right though; there are other ways that are much better. However, in my initial post above I clearly stated:

what I aim to do is make a quick post letting you know a few simple tips
Pay attention and read between the lines so you're not presented with a response like this in the future; everyone should be well prepared.
#4 socialteenz, 24 Dec 2011, 10:25
Great article. You are definitely a superman.


Last edited by socialteenz : 24 Dec 2011 at 13:27.
#5 CharlieDelta, 24 Dec 2011, 18:50
Originally Posted by socialteenz:
Great article. You are definitely a superman.
No he is not.... he is the LAST SUPERMAN!!

Thank you for this article.
#6 ReFuZe, 26 Dec 2011, 14:25
Check out my article that secures your site from shells. Plus, I'm working on a tool that scans and, when it finds shells, removes them; me and relevant are doing it, so once it's done it will be out to the public, but in the meantime use my article. Look at my threads.

--------------- Added 26 Dec 2011 at 14:26 ---------------

I'm a pro hacker and a pro securer. I know a lot of basics, but vb4.1.9 had too many LFI and RFI docks in them, so that's why they are easier, plus that's why I made my thread on how to block shells. I'll make a tut later.


Sorry for my grammar, just woke up.
#7 JimxJNM, 01 Jan 2012, 01:10
Originally Posted by ReFuZe:
Check out my article that secures your site from shells. Plus, I'm working on a tool that scans and, when it finds shells, removes them; me and relevant are doing it, so once it's done it will be out to the public, but in the meantime use my article. Look at my threads.

--------------- Added 26 Dec 2011 at 14:26 ---------------

I'm a pro hacker and a pro securer. I know a lot of basics, but vb4.1.9 had too many LFI and RFI docks in them, so that's why they are easier, plus that's why I made my thread on how to block shells. I'll make a tut later.

Sorry for my grammar, just woke up.

Basically, vBulletin websites don't have RFI / LFI injections... The base files don't support these kinds of LFI or RFI injections... Just letting you know.
#8 ReFuZe, 08 Jan 2012, 19:49
Yeah, I know, I thought they were. I'm currently working on my tool to prevent hacking and shells. It might be possible, but my other coder said it will take time.
#9 Eslob, 29 Jan 2012, 11:42
The best method is to encrypt the config.php & class_core.php.

And keep a backup on your PC.

And disable HTML in posts.

And change the path for config.php & change the admincp folder to another name, keeping the old name as an ambush.
#10 Angel-Wings, 06 May 2012, 15:44
Originally Posted by Eslob:
The best method is to encrypt the config.php & class_core.php.
Sorry, but someone who could access your server to have read rights for config.php (meaning the code) would have no problems with a simple copy & paste and then decoding everything.

One thing to add, maybe - if the site got defaced, then the usual way would be to do a complete reinstall. Just copying in backups would also copy back the security issue someone used for the defacement.
#11 SVTOA, 30 Aug 2012, 18:45

Having gone through this, they also modify your templates and plugins to upload a shell.

Search in templates for $execcod

Also check plugins for malicious code.
#12 Black Snow, 13 Nov 2012, 21:36
So what is the best way to secure a vB installation?
#13 Inspector G, 19 Feb 2013, 04:05
I wish I knew... lol
My site IS CURRENTLY DOWN, big time...

I got hit by ENO7 this AM, but the funny thing is

I was warned by a member a week ago... so I did do a complete site from sub-root up, and IT will be fixed, but I still wonder how they injected MySQL code in by doing table queries or some other method to hit my database, and inserted HTML pages into the FTP-protected public area...

My FTP, which I am crazy about locking, and other security
I had in place, such as FTP locks on the basic four folders, with renames for the admincp and modcp, htaccess lockdown and all...

They rolled through in minutes and poof...
If I had not received a warning, which I also find very odd, and the IP of a user that helped us around a bit was also shown on the user account that warned me, however they claim to know each other and be at war against each other... I also received another warning last night that it would be within a day...
I have 51, or should I say HAD 51, members, with 34 fake ones I created... with no passwords that would have made sense to anyone...

I figured I was OK, but I had worked about 60 hours this weekend typing tutorials up for users on my site since I am building it, and added a few extra forums. Luckily I have emails from the three new members that just joined and I remember their user names; I will have to give them new passwords and then send them an email explaining that there was a DB error that freaked my site up... how do you say... "we got hacked" and the folks go running away...

So who is the best and what is the best solution for a noob like me, with all of that said... Give up? Never. Get hacked every day and have to reinstall every night and weekends... OK, if I must...
Any help is welcomed... right now the server is waiting for my FTP of the backup of the complete account, lucky for the warning I got...

So how can I prevent this from happening again?
Who can I trust when I do not know enough about this to stop it?
Thanks, just need to know these answers...
#14 Black Snow, 19 Feb 2013, 14:23
Hi Inspector G,

Like you I got hacked. I took my forums offline, and went to work by securing everything with htaccess, renaming files, encoding/encrypting files, everything. A few days later and BAM! Hacked again. Then my laptop broke and my site was offline for 2 months. I got it back up and within a week it was hacked again. During the time I was hacked, I found out who the people were that hacked me and started talking to them.

They explained how they managed to get into my forum and hack me. Some of it was through SQL injection, but most of the time it was not. If you use shared hosting, which most of us do, then if they can gain access to the server you are on through someone else's website that is hosted on your server, they can then hack you by using a SHELL or something. I am no good at hacking or preventing it, so I can't say how exactly they do it, but I got around it.

I went to LeetHost and they are dedicated to stopping the hacking scandal. The guy who runs the hosting site is very friendly and very helpful. I contacted him (I now have him on skype, talk to him daily and help him with his own vB forum) as the 3 hosting packages I found were not suitable for me and he made me a custom package at a price I decided that we could both agree on.

He is the best hosting provider I have dealt with to date and I have had no problems with him. As far as I know, it is just one guy who is running the site. If you want your site to be online all the time and to not be hacked then I defo suggest you sign up for this hosting. I can tell you that you will not be disappointed with the service.

Edit by Staff:
Your "affiliate" link to LeetHost was removed; it now simply directs to said site - TheLastSuperman

Last edited by TheLastSuperman : 16 Apr 2013 at 22:37.
#15 Inspector G, 19 Feb 2013, 14:51
So how exactly did you find out who the people were?
Kinda defeats the purpose of slamming a site, huh?
Were they by chance on this site?
Was it profit-driven or otherwise motivated?