#16
09 Sep 2015, 02:46
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by loua_oz:
.htaccess
file missing and that does not come with fresh install.
It does, however; it's located in the do_not_upload folder. Despite the folder's name you do actually upload one of the .htaccess files in said sub-folders depending on your setup. So yes, upon initial installation it's not there; now let's say someone wanted to use Mod Rewrite Friendly URLs instead of the basic ones, they would have upon installation uploaded the .htaccess file required to make mod rewrite friendly URLs work in vBulletin.

So this may or may not simply be a case of a missing .htaccess file, also yes removal of or changes to an .htaccess file can make the site display wonky as if the formatting is off. Also bear in mind that over the course of a ten year span with being hacked upwards of four times... the settings and such despite it being vanilla in regards to modifications could still have template edits or other changes made internally that do not show nor are reflected in the actual files. So a call to a site or a file inserted into a template could be your backdoor here as well, I'd go through the database and use the queries in our blog posts to see if anything comes up.

Edit: Here are two links, backup your database if not already before doing anything;
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/artic...vbulletin-site

Edit yet again! Per your second screenshot, it looks as if you had the CMS set up in the root folder and all the forum files uploaded to /forums/, so make sure you do the same setup again if that was the case. If a pertinent file is missing such as index.php (and nothing else such as an index.html file exists) then it has no way to render a missing file and will therefore list the contents of the directory. Basically, to sum it up, servers are typically set up to look in a certain order for important files, or I should phrase it "looks for commonly known files such as index.php, index.html, index.aspx or similar as they render content to browsers"; usually it looks for index.php first then looks for index.html (the order, by the way, can be changed), but in your case it seems as if some files were not uploaded properly after restoring.
*****Just make sure you grasp that: you had set up the CMS in the root and the forums in /forums/, then read the info on how to set up the CMS in root and forums in a folder and ensure it's all done correctly and you *should* be back to normal, unless of course, as I initially suspected, the hacker modified the actual database.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 09 Sep 2015 at 03:30.
#17
09 Sep 2015, 03:26
bremereric
Join Date: Aug 2011
Real name: Eric Bremer
I just stepped up to Sucuri's cloud proxy firewall, after the 5th time I have been hacked.
__________________
F Body Mopar Lover &
VB4.1.3 Newbie

#18
09 Sep 2015, 04:28
HM666
Join Date: Jan 2014
Real name: Len Kaiser
Yeah, my thought was after all files had been deleted the only thing left is something put into the database. I've seen client sites that were hacked not only in the physical files but they also somehow gained access into the admin panel and put some weird non-vB stuff in the templates, mainly calling their hack into the site instead of your regular vBulletin front page or other pages. Then if you make a full backup of your database after that hack happens it's still lodged in there, and you restore and voila, the hacker is back. This is definitely something you should check when trying to completely rid yourself of the hack and get your site back on track. The thing here is if this is in your database then even if you switch hosts the hack will follow you. So there are some things that you really need to check out first before deciding to make a move to a new host.

Not too long ago there was a hacker that went around gaining access to vB web sites via this kind of hack. They would upload files on the site and put stuff in the templates. To know if you had this kind of hack was pretty simple: you all of a sudden, out of nowhere, had a newly registered member that was an admin and had access to your ACP, and there were admins other than the ones you had in place logging into the panel. Simply deleting their account and deleting the physical files did not kill the hack because they had put some hacker code into random templates.

Now if that is not the case and you do not remember deleting any random weird rogue admin accounts then, as others have said, it's possible there is something else going on or the hack is elsewhere. It's best to make 100% sure that if you switch hosts this hack is not lurking about in your database before proceeding.
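HM666's point above, that injected content can live in the database (templates and plugin hooks) and survive a file wipe and restore, can be checked with a scan of those tables. The following is an added example written for this thread; it is not vBulletin code and not something HM666 posted. It assumes the vBulletin 4 column names `template.templateid`/`title`/`template_un` and `plugin.pluginid`/`title`/`hookname`/`phpcode`, and it runs on constructed sample rows rather than a live MySQL connection. Hits are leads for manual review against the templates of a clean install, not verdicts: some stock templates legitimately contain script tags or iframes.

```python
"""Flag vBulletin template and plugin rows that carry content commonly injected
after a compromise: external script includes, hidden iframes, obfuscated eval.

Added example for this thread, not vBulletin code. Column names (template_un,
phpcode, ...) are assumed to match vBulletin 4; the rows below are constructed.
"""
import re
from typing import Dict, Iterable, List

# Indicators worth a manual look. Illustrative, not an exhaustive signature set.
SUSPICIOUS_PATTERNS = [
    (r"<script[^>]*\ssrc\s*=\s*['\"]?https?://", "external script include"),
    (r"<iframe\b", "iframe tag"),
    (r"\beval\s*\(", "eval() call"),
    (r"\bbase64_decode\s*\(", "base64_decode() call"),
    (r"\b(?:gzinflate|str_rot13)\s*\(", "gzinflate()/str_rot13() obfuscation"),
    (r"document\.write\s*\(\s*unescape\s*\(", "document.write(unescape()) injection"),
    (r"\b(?:shell_exec|passthru|system|popen)\s*\(", "shell execution call"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in SUSPICIOUS_PATTERNS]


def scan_text(text: str) -> List[str]:
    """Labels of every indicator found in one template or plugin body."""
    return [label for rx, label in COMPILED if rx.search(text)]


def scan_rows(rows: Iterable[Dict], kind: str, id_field: str, body_field: str) -> List[Dict]:
    """Scan one table's rows; each row is reported once with all its indicator labels."""
    findings = []
    for row in rows:
        hits = scan_text(row.get(body_field) or "")
        if hits:
            findings.append({"kind": kind, "id": row[id_field],
                             "title": row.get("title", ""), "hits": hits})
    return findings


def audit(templates: Iterable[Dict], plugins: Iterable[Dict]) -> List[Dict]:
    """Audit both tables. Against a live site the rows would come from
    SELECT templateid, title, template_un FROM template and
    SELECT pluginid, title, hookname, phpcode FROM plugin (assumed schema)."""
    return (scan_rows(templates, "template", "templateid", "template_un")
            + scan_rows(plugins, "plugin", "pluginid", "phpcode"))


# Constructed sample rows: a clean template, two tampered ones, a clean plugin and an
# obfuscated plugin attached to a hook that runs on every page load.
SAMPLE_TEMPLATES = [
    {"templateid": 1, "styleid": 1, "title": "header",
     "template_un": '<div id="header"><a href="{vb:raw vboptions.forumhome}">{vb:raw vboptions.bbtitle}</a></div>'},
    {"templateid": 2, "styleid": 1, "title": "footer",
     "template_un": '<div id="footer">{vb:raw vboptions.bbtitle}</div>'
                    '<script src="http://malicious.example/x.js"></script>'},
    {"templateid": 3, "styleid": 1, "title": "FORUMHOME",
     "template_un": '<iframe src="http://malicious.example/" width="0" height="0"></iframe>{vb:raw forumbits}'},
]
SAMPLE_PLUGINS = [
    {"pluginid": 10, "hookname": "global_start", "title": "Cache warmup", "active": 1,
     "phpcode": "$warm = true;"},
    {"pluginid": 11, "hookname": "global_bootstrap_init_start", "title": " ", "active": 1,
     "phpcode": 'eval(base64_decode("ZWNobyAnaGknOw=="));'},  # decodes to a harmless echo
]

if __name__ == "__main__":
    for f in audit(SAMPLE_TEMPLATES, SAMPLE_PLUGINS):
        print(f"{f['kind']} {f['id']} ({f['title']!r}): {', '.join(f['hits'])}")
```

Run against the live tables, a plugin with a blank title on a global hook, or a template whose body differs from the clean install's copy, is the kind of row the thread describes; restoring a database backup without reviewing such rows brings the injection back with it.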
#19
09 Sep 2015, 05:56
loua_oz
Join Date: Dec 2010
Thank you,
The hacked directory (root and subdirectories) was saved by the provider as soon as I requested them to take down the site (it was displaying the hackers' message and I could not get into admin to shut it down).

Just went in and chmod to 000 what they saved, thanks for that. Poking around the site there is nothing visibly wrong.

If a file or directory is touched, it shows a timestamp that sticks out when the directories are listed.
Several times I saw things like "maill.php" that were inserted without harming the site contents.

Indeed, as I am on a shared server, there could be 100s of sites hosted on one physical machine.
However disciplined I might be, a slack site owner on the server may invite trouble for all?

Is there some tool to check the database? The cPanel provided by webhostinghub.com has "database repair" and it ran cleanly.

--------------- Added 09 Sep 2015 at 06:16 ---------------

Just remembered. In

./includes/config.php

there is a hardcoded database name and password, in plain sight, unencrypted

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'dbname_admin';
$config['MasterServer']['password'] = 'unencripted_password';


Is that how it should be? Never seen that in my life.
#20
09 Sep 2015, 17:25
alcazarx
Join Date: Jul 2014
Most webscripts store config data in plain text; under normal conditions users can't view/use them.
If a hacker has access to the files of your script it doesn't matter if the data is encrypted or not, he can get it by decrypting them (unless it's one-way encryption).

As for the DB, you have to check it manually if it's ok (or send it to an expert here); the "repair" functions that the DB or hostings offer are to fix damaged tables or DBs, not to remove unwanted elements.
#21
09 Sep 2015, 19:19
squidsk
Join Date: Nov 2010
Originally Posted by loua_oz:
Just remembered. In

./includes/config.php

there is a hardcoded database name and password, in plain sight, unencrypted

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'dbname_admin';
$config['MasterServer']['password'] = 'unencripted_password';


Is that how it should be? Never seen that in my life.
That's normal because you should have an .htaccess or equivalent that denies access to files within the includes directory. Where else would you store it? You can't store it in the db because you need the db username and password to access the db.
#22
09 Sep 2015, 23:33
loua_oz
Join Date: Dec 2010
Originally Posted by alcazarx:
As for the DB, you have to check it manually if it's ok (or send it to an expert here); the "repair" functions that the DB or hostings offer are to fix damaged tables or DBs, not to remove unwanted elements.
What experts? Those telling me that plain password in ascii file is normal?
And what after "experts" have checked the db? A hacker capable of getting into my site would just have to go and copy/paste DB admin user name and password offered on a plate.

For decades Unix has /etc/passwd and /etc/shadow files where encrypted passwords are stored.
#23
10 Sep 2015, 00:01
ozzy47
Join Date: Aug 2009
Real name: Chris
That is why you should protect files via .htaccess
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
#24
10 Sep 2015, 00:13
loua_oz
Join Date: Dec 2010
.htaccess does not come with vanilla install.

People off the street would not know what it is but would know that plain text passwords are a bad idea.

Ridiculous: it is like saying that your house will be broken into one way or another if someone really wants to do that so no need to lock it up.
#25
10 Sep 2015, 01:07
ozzy47
Join Date: Aug 2009
Real name: Chris
The same could be said for people having to be told to put locks on their houses. Bottom line is do your research.

But I seriously doubt that is why you have been hacked so many times. If that was the case, this site, van.com as well as millions of other sites would be hit as often as yours, if not on a daily basis.
#26
10 Sep 2015, 04:18
loua_oz
Join Date: Dec 2010
There are 100s of VB sites hacked daily; the most hacked product in board software history is exactly VB 4. My hosting provider could be targeted and vulnerable, and I came just as a run-of-the-mill site together with other sites. Once there, they have the plain text DB admin user and password.

What research should I do and why? I bought a product that should work like a fridge, without researching anything about it.

Opponents of VB would have a field day reading what "experts" here are advocating.
#27
10 Sep 2015, 04:31
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by loua_oz:
Opponents of VB would have a field day reading what "experts" here are advocating.
Which is nothing. We're simply trying to steer you in the right direction i.e. cleanup so your site is back to normal.

Go ahead, visit your site and type in the path to the config file; let's use vbulletin.org as an example: http://www.vbulletin.org/forum/includes/config.php

Even if there was no .htaccess protection, based on how the site serves content you could not download the file as it sits on the server, only save a copy of the file after it's rendered; therefore you cannot know the file's content (original contents, i.e. code, only what is parsed afterwards).

Another example from http://www.thebiggestboards.com/vbulletin-forums.php would be ConceptArt.org so go ahead, visit this url then download the config.php file or however you would go about it... now tell us all the database username and password - I'll be waiting.

Long story short, I would be waiting a very long time. You seem to know a little based on what you've spent time researching but clearly do not know what you're talking about no offense intended just simple fact - I applaud your effort don't get me wrong, I wish half those I dealt with would take the time to do the research you did and I can explain all this to you above ^ but I can't understand it for you. I need you to take more time and do more research before speaking like you did above, I tell you this because I would want someone to tell me if a booger was hanging out my nose instead of letting me walk into a crowded room and speak highly about a subject while not knowing how I looked to others.

Remember if you need clarification on something just ask but being sore over a hacked site because you feel something is wrong with the software when you do not understand it, is not the way to go about things.

Edit: I assume you've already added a new user to the database with all privileges, then removed the old user and updated the config.php file? If not please do so; the hacker more than likely knows your database details now since he hacked you. If you left these the same after the first time you were hacked then it's no surprise he/she hacked you again.

Last edited by TheLastSuperman; 10 Sep 2015 at 04:45.
#28
10 Sep 2015, 04:32
RichieBoy67
Join Date: Apr 2004
Real name: Richie
It doesn't work that way. A website is not a "Fridge". It requires updates and care and maintenance.

I would be willing to bet that you really only got hacked once from failure to do a patch or something like that and you just never fixed it correctly. Now they can come and go as they wish.

I have had vBulletin sites for years and only got hacked once, many, many years ago when I did not know what I was doing. Keep up to date, be careful with your plug-ins and file permissions and take some precautions and you will be less likely to get hacked.

--------------- Added 09 Sep 2015 at 23:33 ---------------

I would be interested in knowing what version got hacked originally.

--------------- Added 09 Sep 2015 at 23:35 ---------------

Also, what are you talking about "plain text passwords"? Passwords are not stored anywhere as text. OK, I see you are talking about the file system. Every script I have used, WordPress, Joomla and countless others, has a config file with this information. That file should never be seen by anyone unless using FTP, and if a hacker is already that far then you have already been hacked.

--------------- Added 09 Sep 2015 at 23:36 ---------------

Originally Posted by loua_oz:
Thank you,
The hacked directory (root and subdirectories) was saved by the provider as soon as I requested them to take down the site (it was displaying the hackers' message and I could not get into admin to shut it down).

Just went in and chmod to 000 what they saved, thanks for that. Poking around the site there is nothing visibly wrong.

If a file or directory is touched, it shows a timestamp that sticks out when the directories are listed.
Several times I saw things like "maill.php" that were inserted without harming the site contents.

Indeed, as I am on a shared server, there could be 100s of sites hosted on one physical machine.
However disciplined I might be, a slack site owner on the server may invite trouble for all?

Is there some tool to check the database? The cPanel provided by webhostinghub.com has "database repair" and it ran cleanly.

--------------- Added 09 Sep 2015 at 01:16 ---------------

Just remembered. In

./includes/config.php

there is a hardcoded database name and password, in plain sight, unencrypted

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'dbname_admin';
$config['MasterServer']['password'] = 'unencripted_password';


Is that how it should be? Never seen that in my life.
Nobody should ever be able to see that if your file permissions are correct. If you can see that in plain sight you have a problem with your file permissions. Most files should be at 644.
__________________

Let us take care of your forum, seo, seo reports, maintenance, what ever you need.


Last edited by RichieBoy67; 10 Sep 2015 at 04:39.
#29
10 Sep 2015, 08:30
cellarius
Join Date: Aug 2005
Real name: Sven
This debate is ridiculous. Every webscript I have ever used has database credentials in plain text in a config file. There's just no other way to do it, since the script has to be able to access this information. Of course you could encrypt it, but since the script needs to be able to decrypt it again to use it, you'd have to store the key somewhere. As others have pointed out, the config file can't be accessed from the outside. If an attacker has access to your FTP or shell, it's really too late.
__________________
Please note that there will be no further updates to my addons; especially, they will not be upgraded for vB5. I'm leaving vB, since IB chose to go the banana-way yet again.

http://www.roma-antiqua.de
#30
10 Sep 2015, 08:42
loua_oz
Join Date: Dec 2010
My site is back to normal, has been since first 3-4 posts here and without anyone's help.
- File permissions are 644, directories 755.
- Originally it was 4.1 hacked in 2010. That was before warning "remove install directory" was issued, even specialist installation by VB staff left it onsite. Site re-provisioned.
- Months of experimenting with the site, Mods, plugins, messing...wiped the site and got another specialist installation (May 2011, Jake Bunce did it).
- over years, 6 times found (using Maintenance - Diagnostics) .php files that are not part of VB, a glance through and they seemed to be spam mailers.
- 2 times webhostinghub.com located and quarantined spam mailers (since they upgraded their software 3 months ago)
- 1 time found (last week) a file "class.php" in the includes directory
- on Monday the site was hacked and taken down

Keep on changing passwords into 40 characters long, spaces, mixed letters.

Daily run of Diagnostics. Daily backups.

--------------- Added 10 Sep 2015 at 08:50 ---------------

Originally Posted by cellarius:
This debate is ridiculous. Every webscript I have ever used has database credentials in plain text in a config file. There's just no other way to do it, since the script has to be able to access this information. Of course you could encrypt it, but since the script needs to be able to decrypt it again to use it, you'd have to store the key somewhere. As others have pointed out, the config file can't be accessed from the outside. If an attacker has access to your FTP or shell, it's really too late.
Let's see why this debate is ridiculous: because coders and VB staff participating here have not told us (may well be news to them) that plain text database admin user name and password in

/includes/config.php

are used when initially creating the database from the sheet supplied for paid install or from own notes. Some may stay with that password, most would change it.

Just changed my cPanel, mail and database passwords and in

/includes/config.php

the password is the same as it was upon creation, should not be valid. But the site does not care.

That is another question: why is it then in /includes, why not in /install and removed before the site is powered up?
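Several posts in this thread (squidsk's and ozzy47's on shielding includes/ with .htaccess, RichieBoy67's on 644 permissions, and loua_oz's own list: files 644, directories 755, and the rogue maill.php / class.php files found in includes/ via Diagnostics) add up to a short checklist that can be scripted and re-run after every restore. The following is an added example; it is not vBulletin code and was not posted by any participant. It assumes that a deny directive in includes/.htaccess (`Deny from all` for Apache 2.2, `Require all denied` for 2.4) is the control wanted, that files should be 644 and directories 755, and that the known-good file list would come from the matching clean vBulletin download; the sample tree and the one-entry list here are constructed so the script runs offline.

```python
"""Post-restore hygiene checks for a vBulletin file tree: is includes/ shielded
by a .htaccess deny rule, are files 644 and directories 755, and are there .php
files in includes/ that the clean install does not ship?

Added example, not vBulletin code. The known-good manifest and the sample tree
are constructed; on a real site the manifest comes from the clean download and
the root is the document root.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Directives that stop Apache from serving a directory's files directly
# (2.2 and 2.4 syntax). Assumed to be the control the thread is after.
DENY_DIRECTIVES = ("deny from all", "require all denied")

FILE_MODE, DIR_MODE = 0o644, 0o755


def includes_is_shielded(root: Path) -> bool:
    """True if includes/.htaccess exists and carries a deny-all directive."""
    htaccess = root / "includes" / ".htaccess"
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(errors="replace").lower()
    return any(directive in text for directive in DENY_DIRECTIVES)


def bad_permissions(root: Path) -> List[str]:
    """Paths whose mode deviates from 644 (files) / 755 (directories)."""
    bad = []
    for path in sorted(root.rglob("*")):
        mode = stat.S_IMODE(path.lstat().st_mode)
        expected = DIR_MODE if path.is_dir() else FILE_MODE
        if mode != expected:
            bad.append(f"{path.relative_to(root)} ({mode:o}, expected {expected:o})")
    return bad


def unexpected_php(root: Path, known_good: Set[str]) -> List[str]:
    """.php files under includes/ that the clean-install manifest does not list."""
    found = {str(p.relative_to(root)) for p in (root / "includes").rglob("*.php")}
    return sorted(found - known_good)


def build_sample_tree() -> Path:
    """Constructed fixture: a tiny tree with one of each problem the thread mentions."""
    root = Path(tempfile.mkdtemp(prefix="vb_sample_"))
    (root / "includes").mkdir()
    (root / "includes" / ".htaccess").write_text("Order deny,allow\nDeny from all\n")
    (root / "includes" / "config.php").write_text("<?php $config = array();\n")
    (root / "includes" / "maill.php").write_text("<?php // stand-in for a dropped spam mailer\n")
    (root / "index.php").write_text("<?php // front page\n")
    for p in root.rglob("*"):
        os.chmod(p, DIR_MODE if p.is_dir() else FILE_MODE)
    os.chmod(root, DIR_MODE)
    os.chmod(root / "includes" / "maill.php", 0o666)  # world-writable, as dropped files often are
    return root


# Stand-in for the manifest of a clean vBulletin download (constructed).
KNOWN_GOOD_INCLUDES = {"includes/config.php"}


def report(root: Path) -> Dict[str, object]:
    """Run all three checks and return their results keyed by check name."""
    return {
        "includes_shielded": includes_is_shielded(root),
        "bad_permissions": bad_permissions(root),
        "unexpected_php": unexpected_php(root, KNOWN_GOOD_INCLUDES),
    }


if __name__ == "__main__":
    for key, value in report(build_sample_tree()).items():
        print(f"{key}: {value}")
```

The permission check is the cheap part; the manifest comparison is what would have caught maill.php and class.php on the day they appeared, and comparing against a clean download rather than against yesterday's tree means a file that has been sitting there since the first compromise still shows up.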