Register Members List Search Today's Posts Mark Forums Read

Closed Thread
 
Thread Tools
  #31  
Old 10 Sep 2015, 10:31
cellarius's Avatar
cellarius cellarius is offline
 
Join Date: Aug 2005
Real name: Sven
Originally Posted by loua_oz View Post
Let's see why this debate is ridiculous: because coders and VB staff participating here have not told us (may well be news to them) that plain text database admin user name and password in

/includes/config.php

are used when initially creating the database from the sheet supplied for paid install or from own notes. Some may stay with that password, most would change it.
So - now you're accusing vB staff of hacking your board? That's ridiculous. Believe me, all of your discoveries are nothing new to anyone here. Every single customer who has read the installation instructions and installed vB knows config.php and it's contents, because everyone has edited it themselves. Also, everyone who has only the slightest clue of web development knows that and why you need such files.

Just changed my cPanel, mail and database passwords and in

/includes/config.php

the password is the same as it was upon creation, should not be valid. But the site does not care
Then you did not change the password of the database vB uses. Period. If you change the database password, and do not edit it in config.php accordingly, the site will stop working and throw database errors. Just give it a try. Change your password in config.php to something random, and your site will break immediately.

That is another question: why is it then in /includes, why not in /install and removed before the site is powered up?
Because, as any other webscript, vB requires certain basic access data in order to work. If you remove config.php, your site will break. Again: Just try it. Delete (or better: rename) config.php. Your site will break immediately.

You're lashing out at everyone and everything here, making wild accusations, yet obviously having only very limited knowledge of what you're talking about.

It's sad that you have been hacked numerous times, but it will not help you at all if you're pointing at a perfectly normal file with perfectly normal contents.

You really need to understand this: If someone is able to read the contents of your config.php, you already have been hacked. It's too late.

Step back, calm down, breath through. There's people here trying to help you, and you're lashing out at them in a way that is really not called for.
__________________
Please note that there will be no further updates to my addons, especially they will not be upgraded for vB5. I'm leaving vB, since IB choose to go the banana-way yet again.

http://www.roma-antiqua.de

Last edited by cellarius; 10 Sep 2015 at 10:36.
  #32  
Old 10 Sep 2015, 12:29
loua_oz loua_oz is offline
 
Join Date: Dec 2010
True, renaming config.php stopped the site.

Then, my provider is telling me what is either not true or I don't understand

You have changed password for

ftp
mysql
mail


Sorry if I have left that taste of lashing on everyone, my apologies.
  #33  
Old 10 Sep 2015, 13:15
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Its ok loua you're frustrated, we understand and we really just want you to understand so its easier on you despite some of our comments always take them with a grain of salt my friend .

- Think of it this way, yes you're right its stored right there in the file but how can they get to it using my example above? If anyone could simply download that file hackers would be taking down sites by the second, most software vBulletin, IPB, even free phpBB forums, Wordpress, the lot of them all use some form of configuration file where the details are stored.

Regarding your issue: Yes, if you went into cpanel and changed the database users password, then nothing "automatically" changed it everywhere else for you so with that being said hurry and edit config.php with the new password and it should come right back up . Also you cannot simply rename config.php to another name unless you make other file edits, best to leave it as-is unless testing as Cell mentioned above. One other thing to mention is, whomever setup the forum initially had to manually rename config.php.new to config.php, then edit the file and enter in your database name, username, and password to the database so that is why most of us were shocked by your statements - we just couldn't figure out why this was just now surprising you... I see where you were coming from, sure its thinkable but glad we steered you in the right direction!
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
  #34  
Old 10 Sep 2015, 13:18
cellarius's Avatar
cellarius cellarius is offline
 
Join Date: Aug 2005
Real name: Sven
Without knowing what exactly you asked your provider, what you did in cpanel, and what exactly their answer was we really can't comment properly. No offense, but from the course of this thread I tend to believe that there may be some misunderstandings on your part.

It really seems your site (including the database, not only the files!) was never properly scanned for hidden backdoors etc. after the first attack. As others have speculated, I would assume that all those attacks may be follow-ups. Whatever your password, however secure, if there's some sort of backdoor present, it won't help you (since they don't have to get in, they are already in - all the time). But all of this has nothing to do with config.php, really.
__________________
Please note that there will be no further updates to my addons, especially they will not be upgraded for vB5. I'm leaving vB, since IB choose to go the banana-way yet again.

http://www.roma-antiqua.de
  #35  
Old 10 Sep 2015, 14:39
X-or X-or is offline
 
Join Date: Nov 2005
the only one time i got hacked was because i used a malicious ftp client

use only filezilla downloaded from their official site

could also be a password stealer or other types of malware on your computer

do you use cracked apps or games downloaded from p2p sites? obviously you'll answer you don't but for the record they're almost always infected with malware
  #36  
Old 10 Sep 2015, 15:10
HM666's Avatar
HM666 HM666 is offline
 
Join Date: Jan 2014
Real name: Len Kaiser
Originally Posted by X-or View Post
the only one time i got hacked was because i used a malicious ftp client

use only filezilla downloaded from their official site

could also be a password stealer or other types of malware on your computer

do you use cracked apps or games downloaded from p2p sites? obviously you'll answer you don't but for the record they're almost always infected with malware
I'm sorry but this has nothing to do with a FTP client. There are many clients that work just fine. I use FlashFXP and have used it for 15 years and NEVER had the FTP client cause an issue elsewhere on ANY server. Whatever you downloaded and installed may have had a virus in it but I would imagine it would effect your PC although I do not doubt its possible to somehow infect your server I think that it is not really probable that this is a FTP client issue for the OP.

Also cracked programs have nothing to do with what the OP is talking about. I'm not really sure where you are going here.
  #37  
Old 10 Sep 2015, 17:34
X-or X-or is offline
 
Join Date: Nov 2005
Originally Posted by squidsk View Post
That's normal because you should have an .htaccess or equivalent that denies access to files within the includes directory. Where else would you store it? You can't store it in the db because you need the db username and password to access the db.
You missed his point which is the password isn't crypted.

Originally Posted by HM666 View Post
Also cracked programs have nothing to do with what the OP is talking about. I'm not really sure where you are going here.
you don't see how malwares such as password stealers could have caused op problems? well....
  #38  
Old 10 Sep 2015, 20:40
squidsk's Avatar
squidsk squidsk is offline
 
Join Date: Nov 2010
Originally Posted by X-or View Post
You missed his point which is the password isn't crypted.
Not really you missed that point that if the file is not accessible the password within the file does not need to be encrypted because no one can access it to see it. You only need to encrypt things if you don't want others who are looking at it to be able to see what it is. Since no one can look at it, in a properly configured setup, why would it be encrypted as all that does is add unneeded overhead to every single page view.

--------------- Added 10 Sep 2015 at 20:55 ---------------

Originally Posted by loua_oz View Post
That is another question: why is it then in /includes, why not in /install and removed before the site is powered up?
Because for every action on the site, whether its to login, view a page, create a thread, make a post, all require db access, which requires the credentials (username, passoword) so the credentials need to be accessible.
  #39  
Old 10 Sep 2015, 21:12
X-or X-or is offline
 
Join Date: Nov 2005
Originally Posted by squidsk View Post
Not really you missed that point that if the file is not accessible the password within the file does not need to be encrypted because no one can access it to see it. You only need to encrypt things if you don't want others who are looking at it to be able to see what it is. Since no one can look at it, in a properly configured setup, why would it be encrypted as all that does is add unneeded overhead to every single page view.
I guess you don't know much about security

why do you think htaccess encrypts passwords? just for teh phun?

not using encrypted passwords means that if the ftp is compromised then the database is automatically compromised as well, it wouldn't be the case with encrypted password, think before you type something really stupid

the only reason i can see for vbulletin to not use encrypted passwords is for customer convenience, but convenience is often the worst enemy of security
  #40  
Old 10 Sep 2015, 21:38
alcazarx's Avatar
alcazarx alcazarx is offline
 
Join Date: Jul 2014
Do you know about security?

htaccess doesnt encrypt passwords, its just a file with some rules in it.
It can use them using htpasswd.

not using encrypted passwords means that if the ftp is compromised then the database is automatically compromised as well, it wouldn't be the case with encrypted password, think before you type something really stupid
If you read some posts before you should know that if a hacker has access to your webspace / shell / hosting panel etc. plain text files are your least problem.
Even if you would encrypt the content, it has to be decrypted to make use of it. So can the hacker, since he can find the algorithm used in the files.

And as said here, most, if not all scripts (Forum, Chat, CMS, Blog etc.) that use a database store their config data plain text in files, so its not "vB only" problem.
  #41  
Old 10 Sep 2015, 22:53
X-or X-or is offline
 
Join Date: Nov 2005
:facepalm:
  #42  
Old 10 Sep 2015, 23:02
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
Okay so let's just sum up the ways how this could of happened:
- Someone got root access on the shared server and decided to mess up a bunch of sites.
- Someone found a malicious vBulletin plugin (or a backdoored plugin) and abused this to gain access to execute commands.
- OP had his FTP/CPanel information stolen somehow. (Which is not likely unless OP has a virus/malware.)

Also even if they had access to the database information, they can't do anything with it unless: the host has a public listening MySQL server, a public reachable PHPMyAdmin installation or if they had access to creating PHP files.

Were the access logs checked by the way?

Regardless, my advice is to move host asap.
Once you lose trust in your host, you should save yourself the trouble and move.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
  #43  
Old 10 Sep 2015, 23:55
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
^ I've reviewed his reviews on exploits and other via his blog so head his advice, Dave actually knows his stuff. The rest of you geesh, argue your rears off within reason .
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
  #44  
Old 11 Sep 2015, 00:00
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Aug 2009
Real name: Chris
That would be a good call, Dave does know his security stuff.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
  #45  
Old 20 Sep 2015, 14:46
loua_oz loua_oz is offline
 
Join Date: Dec 2010
I don't really care about your advice although I appreciate your time to chip in.

It came before: the product, vBulletin has to be a product serviceable by a user. Not by the boffins.

That is why I bought it. But appears not to be the case.

The trivialities recommended here are laughable, all the advice. Furthermore, so called "Experts" advocating open text paswords, is it not a degeneration of the humanity?

Anyone off the street could tell you open text password is a stupidity, still, here, VB coders and developers are scolding me for sayin just that.

BTW, my humble site is working well, after I have reinstalled it and not listened to anything said in this tread.

Until someone is pleased to hack it.

Last edited by loua_oz; 20 Sep 2015 at 15:15.
Closed Thread



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 15:01.

Layout Options | Width: Wide Color: