View Full Version : Site Hacked


danielc2384
15 Jun 2008, 13:41
I logged onto my forum a few minutes ago www.dollhousetvforum.com and it looks like I was hacked. A pop up box appears saying "you niggers got ******".
I'm really not sure what has happened or what to do.

I contacted my host and they basically offered no help.

What should I do?

Thanks

Baldilocks
15 Jun 2008, 13:43
Did you try re-uploading your index.php file?

danielc2384
15 Jun 2008, 14:29
Yep. No luck.

SEOvB
15 Jun 2008, 14:47
Remove any .htaccess file and make sure you don't have any extra plugins that shouldn't be at global start.

MTA-RP
15 Jun 2008, 14:47
Edit the .httaccess or w/e it's called.

danielc2384
15 Jun 2008, 14:52
I removed the .htaccess file from /public_html/
Still no luck.

My forum is stored in /public_html/dollhousetvforum/ and there is no .htaccess file in there.

ssslippy
15 Jun 2008, 15:04
I recommend you reupload all your files and check for mods with security issues. Make sure you are also running the latest vb.

You can put a password require inside php files.
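
An added example, not part of the thread or of vBulletin: one way to carry out the "reupload and check" advice is to hash the live web root against a clean copy unpacked from the original download and list what differs. The directory layout, the `ignore` default and the files built in `demo()` are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Map every file under root (dotfiles included) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root, ignore=("config.php",)):
    """Diff a live web root against a clean copy unpacked from the original download.

    ignore lists file names expected to be site-specific (an assumption here).
    """
    clean, live = sha256_tree(clean_root), sha256_tree(live_root)
    keep = lambda names: sorted(n for n in names if Path(n).name not in ignore)
    return {
        "modified": keep(n for n in clean.keys() & live.keys() if clean[n] != live[n]),
        "extra": keep(live.keys() - clean.keys()),  # e.g. a dropped script or .htaccess
        "missing": keep(clean.keys() - live.keys()),
    }

def demo():
    """Build two small constructed trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // original\n")
            (root / "includes" / "class_core.php").write_text("<?php // core\n")
        (live / "index.php").write_text("<?php // original\n// appended line\n")
        (live / ".htaccess").write_text("# not part of the download\n")
        (live / "includes" / "config.php").write_text("<?php // site settings\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    print(demo())
```

Anything listed under "modified" or "extra" is worth reading before it is overwritten, since it shows what was changed and roughly when.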

danielc2384
15 Jun 2008, 15:09
> I recommend you reupload all your files and check for mods with security issues. Make sure you are also running the latest vb.
>
> You can put a password require inside php files.

In the process of upgrading from 3.7.0 to 3.7.1 now.
*crosses fingers*

How could they set up this password require without ftp access?

If they have the ftp info wouldn't they have changed the passwords and done more damage?

ssslippy
15 Jun 2008, 15:12
They don't always change the passwords. They could have also done a file insert because you have HTML enabled somewhere on your forums. Lots of things can be done.

You should change your passwords.

Also what mods are you running?

danielc2384
15 Jun 2008, 15:16
> They don't always change the passwords. They could have also done a file insert because you have HTML enabled somewhere on your forums. Lots of things can be done.
>
> You should change your passwords.
>
> Also what mods are you running?

Thanks for the info.

Passwords have all been changed.



-------------------


Here is a list of the mods:

Admin Log In As User 3.0 This hack will allow admins to log in as any user.

Automatic Welcome PM 1.0.4 This Hack will automatically send welcome PMs to new members.

Bills PayPal Donate 1.32.366 Bills PayPal Donate

BuRaCH Gölgeli Kullanıcı Başlıgı 3.6.x.1.0.0 Adds a shadow effect to the usernames on your site.

Cyb - Advanced 'New Posts' 2.1 Cyb - Advanced 'New Posts'

Cyb - Auto Birthday Greeter 1.3 Cyb - Auto Birthday Greeter

Cyb - ChatBox 1.9.9 Cyb - ChatBox

Cyb - Sub-Forum Manager 2.5 Cyb - Sub-Forum Manager

EzIRC 1.0.3 IRC Chat Addon for vBulletin

Fake Users 1.0.0 Fake Users

Flashchat Integration 3.55 Integration of Flashchat and vBulletin 3.6

Form Hack 4.0 Create a form.

FractalizeR: Registration Form AJAX Enchancements 1.0 Enchances registration form with AJAX

HelpCenter 1.00 RC 1 A Support Ticket System!

Image Resizer 1.0.2 Automatically resizes images in posts!

Inferno vBShout Lite 2.5.0 Real time shoutbox

JustJoin 1.0.0 Just join us

KC - Announcement 1.0.0 Announcements by Kiril Cvetkov

Limited Guest Viewing 1.0.6 Limit guests to view a set number of threads before being locked out.

Members who have Visited 3.7.003 Display members who have visited the forum.

passiveVid 1.1.2 Automaticlly turns video links like youtube, myspace videos, google vidoes into the video players.

PhotoPlog 2.0.7 PhotoPlog: The Lite Gallery

Post Thank You Hack 7.4 Post Thank You Hack

Quick Reply Add On. 3.6.x Add On Editor Tools for Quickreply.

Site Life Status 1.0.4 This will tell you how long your site has been up and running.

Time Greeting 0.06 Changes "Welcome" to "Good Morning/Afternoon/Evening" in the navbar

UA sidebar 3.0.7

Usergroup Color Bar 1.0.0

v3 Arcade 1.0.7 A multiplayer gaming system for your vBulletin forum.

vB News Ticker 1.2 Latest News in a Ticker

vBExperience 3.7.12 Calculate activity of your users

vBExperience Level 2.0 vBExperience Level

Video Gallery 3.0B A video gallery hack that uses Video Sharing sites for hosting.

Yet Another Award System 3.6 2.1.4 Admin can give members awards, and award

ZH - No Avatar 1.0.0 If a member doesn't have an avatar a no avatar image appears

Zoints Profile System 2.1.4 The Zoints client forum profile linking system.

[Sniper] - Mood Manager 1.2.5 Allows users to manage there mood

I am currently updating to 3.7.1 and while uploading files I returned to the index page and the popup authorization box seems to have gone. The IP displayed on the popup authorization was 67.228.190.70

Instead of the page saying "done" when finished loading on the bottom left hand side of the browser, it says "connecting to 67.228.190.70".

hmmm

ssslippy
15 Jun 2008, 16:07
I recommend this: go through all your mods. See if they are in the graveyard. Update as needed. Also check your admin email for mysql errors.

danielc2384
15 Jun 2008, 16:15
> I recommend this: go through all your mods. See if they are in the graveyard. Update as needed. Also check your admin email for mysql errors.

I hadn't checked my email for a few days and just found that my inbox is full of sql errors.
At least 100 emails saying "vBulletin Database Error!".

The emails read:

"Database error in vBulletin :

mysql_connect() [<a
href='function.mysql-connect'>function.mysql-connect</a>]: Can't
connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
/home/********/public_html/dollhousetvforum/includes/class_core.php on line 311

MySQL Error :
Error Number :
Request Date : Thursday, June 12th 2008 @ 01:40:44 AM
Error Date : Thursday, June 12th 2008 @ 01:40:44 AM
Script : http://www.dollhousetvforum.com/infernoshout.php
Referrer : http://www.dollhousetvforum.com/index.php
IP Address : *********
Username :
Classname : **********
MySQL Version :




Ok, I think we may be on to something.
"infernoshout.php" is a mod. Could that be causing the problem?

The latest message in the shout box was:



Shoutbox

Active Users: 0

Shoutbox Notice:
[Today 05:43 AM] *****:
[Today 05:42 AM] *****:
[Today 05:41 AM] *****:


That member (censored his name as ****) was banned by a moderator today.
He was the last person active in the shoutbox.
I'm guessing he did something through the shoutbox.



edit:

I just uninstalled the shoutbox and I am now receiving this email:

Database error in vBulletin 3.7.1:

Invalid SQL:

select s.*, u.username, u.displaygroupid, u.usergroupid, u.userid, o.*
from vb_infernoshout s
left join vb_user u on (u.userid = s.s_user)
left join vb_infernoshoutusers o on (o.s_user = s.s_user)
where
(
(s.s_private = -1)
OR
(s.s_private = '1')
OR
(s.s_private <> -1 AND s.s_user = '1')
)


order by s.s_time desc
limit 20;

MySQL Error : Table '******_vbulletin.vb_infernoshout' doesn't exist
Error Number : 1146
Request Date : Sunday, June 15th 2008 @ 09:23:54 AM
Error Date : Sunday, June 15th 2008 @ 09:23:54 AM
Script : http://www.dollhousetvforum.com/infernoshout.php
Referrer : ***************
IP Address : *****
Username : *****
Classname : ******
MySQL Version : 5.0.45-community

ssslippy
15 Jun 2008, 16:36
There are no exploits that I know of in infernoshout; however, I would recommend you update to the latest version.

If you are uninstalling it you should also remove all the files associated with it.

danielc2384
15 Jun 2008, 16:50
> There are no exploits that I know of in infernoshout; however, I would recommend you update to the latest version.
>
> If you are uninstalling it you should also remove all the files associated with it.

I don't think I'm going to bring it back since all my emails are linked to it.

I was running the 3.6 version of the mod. I then upgraded vBulletin to 3.7 and forgot to update the shoutbox. Not sure if that caused the problem.

Thanks for the help.

Much appreciated :)

ssslippy
15 Jun 2008, 17:26
I am part of the support team for infernotech and the mod runs fine; however, the 3.6 version, which is no longer supported, was not fully compatible with 3.7 due to the changes made in vb on how you could store options. Only issue I know of.

danielc2384
15 Jun 2008, 17:46
By reading this error code that was sent to my inbox, are you able to see what could have gone wrong with the shoutbox?

mysql_connect() [<a
href='function.mysql-connect'>function.mysql-connect</a>]: Can't
connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
/home/******/public_html/dollhousetvforum/includes/class_core.php on line 311

MySQL Error :
Error Number :
Request Date : Thursday, June 12th 2008 @ 01:40:41 AM
Error Date : Thursday, June 12th 2008 @ 01:40:41 AM
Script : http://www.dollhousetvforum.com/infernoshout.php
Referrer : http://www.dollhousetvforum.com/index.php
IP Address : *******
Username :
Classname : *******
MySQL Version :

Scared56
15 Jun 2008, 21:44
All I can figure out is that it isn't connecting to your mySQL database correctly.

Possible problems could be the information was not entered correctly or the mySQL process was down. (Process as in where it was being hosted)

SEOvB
15 Jun 2008, 21:48
> By reading this error code that was sent to my inbox, are you able to see what could have gone wrong with the shoutbox?
>
> mysql_connect() [<a
> href='function.mysql-connect'>function.mysql-connect</a>]: Can't
> connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
> /home/******/public_html/dollhousetvforum/includes/class_core.php on line 311
>
> MySQL Error :
> Error Number :
> Request Date : Thursday, June 12th 2008 @ 01:40:41 AM
> Error Date : Thursday, June 12th 2008 @ 01:40:41 AM
> Script : http://www.dollhousetvforum.com/infernoshout.php
> Referrer : http://www.dollhousetvforum.com/index.php
> IP Address : *******
> Username :
> Classname : *******
> MySQL Version :

Your mysql server was down, not running, or lost its connection.

Vackrick
16 Jun 2008, 03:15
I think you got a DDoS attack.

danielc2384
16 Jun 2008, 03:20
Thanks everyone for the info.

Question: if it was a DDoS attack, is there a way of preventing them?

Boofo
16 Jun 2008, 04:23
Get a good firewall router or software firewall.

Dismounted
16 Jun 2008, 07:13
It is not necessarily a DDoS attack. The error simply implies that the MySQL daemon was down.

underdog1954
17 Jun 2008, 04:28
If you were running 3.6 before, be sure your config.php is the one that came with the 3.7 version... There is a difference, and that might be part of it, however, I've found that a lot of the older 3.6 mods are not compatible with 3.7... I recommend uninstalling your mods, and using only those that are 3.7 compatible... You'd be surprised at the difference they make. Just a suggestion...

:)

underdog

karnevil
17 Jun 2008, 04:46
Hi

We had that same error message getting progressively more regular - logging everyone out and putting the site down for up to five minutes at a time.

"lost connection to mysql etc class_core line 311."

We uninstalled all our mods etc., tried everything, but it still happened. We have moved to a different mysql server and that's fixed it, with all our mods back on.


I don't think it's DDoS - we had a DDoS and our server host shut our site down for too much traffic. Which was helpful, not.

ssslippy
17 Jun 2008, 22:40
It sounds like your MySQL was down or you could have hit a limit that your host has put in. Since shoutboxes tend to refresh often, especially if you are running with AOP on, it will rip your server up.

geevest.com
19 Jun 2008, 02:22
danielc, you installed so many plugins on your site.

Angel-Wings
22 Jun 2008, 16:37
Well - it's no DDoS attack - how to attack a MySQL socket? If it's really DDoS - which I highly doubt - it's an attack on the webserver, though it seems that was running.
Second - don't waste your time with a firewall - this won't help at all against script based attacks and for sure not against Denial of Service attacks - unless you block everything ;)
About the problem - reupload all files taken from the original sources and only from there. Then try to run some MySQL optimization scripts to see if there's a bottleneck somewhere.
Also - check if HTML is enabled anywhere (Posts, Signatures etc.) - if so - maybe it wasn't a real attack, someone could post:


<html>
<head>
<script type="text/javascript">
alert("You got hacked");
</script>
</head>
<body></body></html>


Which is neither a security problem nor a hack. ;)
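
An added example, not part of the post above or of vBulletin: a way to run the "check if HTML is enabled anywhere" step from the defender's side is to scan exported user content for markup that would execute if rendered unescaped. The row format `(source, id, text)` and every sample row are constructed; how the rows are exported from the forum database is left as an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that run code or pull in outside content when a browser renders them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "meta", "base", "form"}
URL_ATTRS = {"src", "href", "action", "data"}

def _parse_url(value):
    try:
        return urlparse((value or "").strip())
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return urlparse("")

class ActiveMarkupFinder(HTMLParser):
    """Records markup that would execute or load content if shown as raw HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            url = _parse_url(value)
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url.scheme in ("javascript", "vbscript", "data"):
                self.findings.append(f"{url.scheme}: URL in {name}")
            elif name == "src" and url.hostname:
                self.findings.append(f"external host {url.hostname}")

def scan(rows):
    """rows: iterable of (source, id, text); returns findings keyed by (source, id)."""
    flagged = {}
    for source, row_id, text in rows:
        finder = ActiveMarkupFinder()
        finder.feed(text)
        finder.close()
        if finder.findings:
            flagged[(source, row_id)] = finder.findings
    return flagged

# Constructed sample rows; 203.0.113.5 is a documentation address.
SAMPLE_ROWS = [
    ("post", 101, "Loved last night's episode! [b]No spoilers[/b] please."),
    ("signature", 7, '<script type="text/javascript">alert("You got hacked");</script>'),
    ("shout", 55, '<img src="http://203.0.113.5/x.gif" onerror="alert(1)">'),
    ("post", 102, "Is 3 < 5 and 7 > 2? <3 this forum"),
]
```

A hit only matters where the forum outputs that field without escaping, so pair the scan with a review of which forums, usergroups and mods have HTML turned on.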

adamenty
07 Sep 2008, 07:46
Glad to see your forum is back up :)

gdoner
14 Sep 2008, 01:14
you are using too many mods.

Kinneas
16 Sep 2008, 10:51
> you are using too many mods.
Says who?