AdminAddict

November 7th, 2009, 02:39 PM   #1
[HOW-TO] "UnHack" yourself and hacker prevention

Recently, one of my vBulletin powered sites was under a hacking spout, I'd fix it, and it got hacked the next day, fixed it, hacked again, fixed, hacked again.

Fortunately, he was doing the same thing each time. Up until the last time, I was just restoring a DB backup, which he hacked several times. I found this is the lazy way out.

I was scratching my head over and over, "how is he getting in". I'd followed the standard safety measures and such, renamed admincp/modcp, 128bit passwords, etc.

Here's what I did, and it seems to have worked (in b4 I get hacked for posting this).

Firstly I did a recursive CHMOD of 0644 on every single file and folder; this will make your vBulletin bring up a "Forbidden" message while you work on it. Then I CHMOD the AdminCP dir (renamed) to 0755, which gives you access to your ACP. So you have access to the site, the hacker doesn't.

I then fixed the bugs, using the vBulletin AdminCP and phpMyAdmin. I find it's more effective to remove these things at a database level (this time it was SQL insertion and malicious JavaScript). I then went ahead and changed all my staff's passwords; sure, they'll moan, but if it protects the site, then they have to live with it.

I then went and created 128bit passwords and put .htaccess and .htpasswd's in the following directories:

admincp/ (renamed)
modcp/ (renamed)
includes/
install/

If you have SSH access to your server, ask your host to remove it also (even if just for like, a week or two), as this is another way the hacker can get in.

I then changed my Database NAME, and Database user name and password, and changed those in the config.php. I then renamed the admincp/modcp/ dirs again; they now aren't even under /forum/. You can do that by adding your full path to any instance of "global.php".

Then I went and did a recursive CHMOD on all the DIRECTORIES to 0755, so all files are now sitting at 0644 and directories (folders) are at 0755. So this should be secure. Remember to chmod your config_vbseo.php back to 777, and if you have any mods like vbimghost, chmod 777 the image upload directory.

Finally, I reviewed my raw access logs and control panel logs, and error logs, determined the IP of the hacker, and IPtabled them, they now can't access any part of the server. This is a b*tch to do, and gives you a headache and takes a long time.

A lot of what I've said is in all the official stuff, but eh, hope this helps anyone.
Mikey is offline  

3 out of 3 members found this post helpful.
November 7th, 2009, 02:54 PM   #2
Nick
Posts: 7,328

Re: [HOW-TO] "UnHack" yourself and hacker prevention

Great thread; "Stickied"!
Best Regards,
Nick


Nick is offline  

1 out of 1 members found this post helpful.
November 7th, 2009, 03:15 PM   #3
Zealot
Posts: 1,730
Join Date: May 2009

Experience: Advanced
Forums Admin/Mod: 2
Software: vBulletin

Re: [HOW-TO] "UnHack" yourself and hacker prevention

Great article. We were hacked once due to poor server security within a shared environment and I did the same as you, just put a backup back up, and the hacker hacked us within just minutes. He was able to upload scripts to perform CHMOD, uploads etc. whenever he wanted; I still have the same file somewhere which he was using to perform his hacking.

When checking our logs I noticed he was running the dokill forum script to delete each forum from the admincp. It has always made me wonder if he actually had one of our passwords, but our PCs scanned clean of keyloggers etc. I wonder if someone knows if it is possible to run such a script without needing admincp/passworded access.
Michael is offline  

1 out of 1 members found this post helpful.
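
The log review mentioned in the first post and in the reply above, as an added example that is not part of either post: it ranks client IPs by requests under the admin control panel path in an Apache combined-format access log. `ADMIN_PATH`, the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: rank client IPs by requests under the admin control panel
# path in an Apache "combined" access log.
# ADMIN_PATH is a placeholder; set it to your renamed admincp directory.
ADMIN_PATH="${ADMIN_PATH:-/forum/admincp/}"

# Constructed sample lines (documentation-range IPs), not real traffic.
sample_log() {
cat <<'EOF'
203.0.113.10 - - [07/Nov/2009:13:58:01 -0500] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Nov/2009:13:59:12 -0500] "GET /forum/admincp/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2009:14:02:10 -0500] "GET /forum/admincp/index.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2009:14:02:44 -0500] "POST /forum/admincp/forum.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2009:14:02:51 -0500] "POST /forum/admincp/forum.php HTTP/1.1" 200 790 "-" "Mozilla/5.0"
192.0.2.55 - - [07/Nov/2009:14:03:00 -0500] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
}

# Reads an access log on stdin; prints "ip total posts denied" per client,
# busiest first. POST bodies are not logged, so the POST count is the
# nearest signal for state-changing admin actions.
admin_hits() {
  awk -v p="$ADMIN_PATH" '
    index($7, p) == 1 {
      total[$1]++
      if ($6 == "\"POST") posts[$1]++
      if ($9 == 401 || $9 == 403) denied[$1]++
    }
    END {
      for (ip in total)
        printf "%s %d %d %d\n", ip, total[ip], posts[ip], denied[ip]
    }' | sort -k2,2nr -k1,1
}

# Clients that touched the admin path, leaving out the admins' own
# addresses passed as arguments.
unknown_admin_clients() {
  admin_hits | while read -r ip _rest; do
    known=no
    for mine in "$@"; do
      if [ "$ip" = "$mine" ]; then known=yes; fi
    done
    if [ "$known" = no ]; then echo "$ip"; fi
  done
}

sample_log | admin_hits
```

Against a real log, feed the file on stdin, for example `unknown_admin_clients 203.0.113.10 < access_log`, with your own addresses as the arguments.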
November 7th, 2009, 04:37 PM   #4
Re: [HOW-TO] "UnHack" yourself and hacker prevention

Well, this has been happening to me all week, so I documented what I did and threw it up here, cheers for the sticky Nick! Fingers and toes and everything else crossed, it doesn't happen again!
Mikey is offline  

November 7th, 2009, 05:50 PM   #5
Grand Master

Re: [HOW-TO] "UnHack" yourself and hacker prevention

You only need 2 files from the install folder present, and that's only if something mucks up and you have to run repairs.

I usually completely remove the install folder, and then if it's needed, reupload the files.
David McHenry is offline  

November 9th, 2009, 12:35 PM   #6
Adept
CrazyTech
Posts: 109
Join Date: Nov 2009
Location: South Carolina

Experience: Advanced
Forums Admin/Mod: 4
Software: IP.Board

Re: [HOW-TO] "UnHack" yourself and hacker prevention

You could actually simplify this a good bit.

Just use an .htaccess directive to restrict access to the site for everyone but you while you make the necessary changes. This would make all of the chmodding unnecessary while you investigated. If you run the server (or if your host does), a good firewall should be installed - CSF and APF are excellent where you don't have to use iptables, which can get confusing for those who don't use it often enough.

777 anything - files or directories - should be avoided at all costs, that's the single greatest cause of hacks outside of scripts that haven't been updated.

If anyone would like for me to explain the above or elaborate, let me know.
CrazyTech is offline  

1 out of 1 members found this post helpful.
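
The permission layout from the first post (files at 0644, directories at 0755) together with the warning above against 777, as an added example that is not part of either post. The function names and the group-write alternative for writable paths are illustrative assumptions.

```sh
#!/bin/sh
# Added example: the 0644 files / 0755 directories layout from the first
# post, plus a report of anything still world-writable.

# Directories get 0755, files 0644. Each directory is fixed as soon as find
# reaches it (\; rather than +), so a directory left at 0644 by a blanket
# recursive chmod is traversable again before find descends into it.
normalize_perms() {
  find "$1" -type d -exec chmod 0755 {} \;
  find "$1" -type f -exec chmod 0644 {} +
}

# Paths under $1 that are writable by "other" (0777, 0666, ...).
# Symlinks are skipped: their own mode bits are not what gets checked.
world_writable() {
  find "$1" ! -type l -perm -0002 -print | sort
}

# For a path the web server must write to (an upload directory, say):
# hand it to a group and grant group write instead of 0777.
# $2 is optional and assumes a group the web server process belongs to.
grant_group_write() {
  if [ -n "${2:-}" ]; then chgrp "$2" "$1" || return 1; fi
  if [ -d "$1" ]; then chmod 0775 "$1"; else chmod 0664 "$1"; fi
}

# Typical order: world_writable DIR to see the current state,
# normalize_perms DIR, then grant_group_write on the few writable paths.
```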
November 9th, 2009, 12:50 PM   #7
Grand Master
MjrNuT
Posts: 579
Join Date: Oct 2009
Location: Sacramento, CA

Software: vb3.8, Drupal

Re: [HOW-TO] "UnHack" yourself and hacker prevention

Mikey,

Was this on a shared environment?
MjrNuT

"I disapprove of what you say, but I will defend to the death your right to say it."
MjrNuT is offline  

November 11th, 2009, 10:22 PM   #8
Re: [HOW-TO] "UnHack" yourself and hacker prevention

No, it was on a dedicated server, so some of these options I said wouldn't be available to you, like dropping the IP of the hacker from the server etc.

Thanks CrazyTech
Mikey is offline  

November 12th, 2009, 07:16 AM   #9
Adept
CrazyTech
Posts: 109
Join Date: Nov 2009
Location: South Carolina

Experience: Advanced
Forums Admin/Mod: 4
Software: IP.Board

Re: [HOW-TO] "UnHack" yourself and hacker prevention

Quote:
No, it was on a dedicated server, so some of these options I said wouldn't be available to you, like dropping the IP of the hacker from the server etc.
Actually it is -- in a way. Use .htaccess to block individual IPs. Google for some tutorials, but let me know in the future if you need help. Also, you should be able to place a ticket to your host to have the IPs blocked.
CrazyTech is offline  

1 out of 1 members found this post helpful.
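
The two .htaccess uses suggested by CrazyTech in this thread (restricting the site to yourself during cleanup, and blocking individual IPs), as an added example that is not part of the posts. It prints rules for both Apache 2.4 and the older Order/Allow/Deny syntax; the function names and addresses are constructed.

```sh
#!/bin/sh
# Added example: print .htaccess rules for a maintenance lock and for an
# IP block list. Function names and IPs are illustrative.

# Accept only characters that can appear in an IPv4/IPv6 address or CIDR,
# so an argument can never smuggle an extra directive into the file.
valid_ip() {
  case "$1" in
    ''|*[!0-9a-fA-F.:/]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Maintenance lock: only the given address may reach the directory.
lockdown_rules() {
  valid_ip "$1" || return 1
  cat <<EOF
<IfModule mod_authz_core.c>
    Require ip $1
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $1
</IfModule>
EOF
}

# Block list: everyone is allowed except the given addresses.
block_rules() {
  for ip in "$@"; do valid_ip "$ip" || return 1; done
  echo "<IfModule mod_authz_core.c>"
  echo "    <RequireAll>"
  echo "        Require all granted"
  for ip in "$@"; do echo "        Require not ip $ip"; done
  echo "    </RequireAll>"
  echo "</IfModule>"
  echo "<IfModule !mod_authz_core.c>"
  echo "    Order allow,deny"
  echo "    Allow from all"
  for ip in "$@"; do echo "    Deny from $ip"; done
  echo "</IfModule>"
}

lockdown_rules 203.0.113.10   # constructed admin address
```

Merge the printed rules into the existing .htaccess rather than overwriting it, since the file may already hold rewrite rules. The server's AllowOverride setting must permit these directives (AuthConfig for Require, Limit for Order/Allow/Deny).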
April 21st, 2010, 09:19 PM   #10
Newcomer
Posts: 5
Location: Kissimmee, Florida

Experience: Advanced
Forums Admin/Mod: 3
Software: vBulletin

Re: [HOW-TO] "UnHack" yourself and hacker prevention

$execode allows any smart hacker access to upload a shell, so everything you did would just annoy them. Check your plugins, and also do not forget to check your styles... After that, run a Diagnostic on your files in case any of them have been modified to decrypt passwords and put them into a .txt document for him to download / read...
Metura is offline  
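
One way to carry out the file check suggested in the post above, as an added example that is not part of the post: compare the live forum files against a clean copy of the same release unpacked elsewhere. The function names and directory arguments are placeholders, and this is not vBulletin's own diagnostic.

```sh
#!/bin/sh
# Added example: compare the live forum files against a clean copy of the
# same release. Directory arguments are placeholders.

# Use sha256sum where present, otherwise shasum (same output layout).
if command -v sha256sum >/dev/null 2>&1; then HASH="sha256sum"
else HASH="shasum -a 256"; fi

# manifest DIR -> one "digest  ./relative/path" line per regular file.
manifest() (
  cd "$1" || exit 1
  find . -type f -exec $HASH {} +
)

# compare_trees CLEAN LIVE -> sorted lines:
#   ADDED    file exists only in LIVE (a dropped script or .txt dump, say)
#   MODIFIED digest differs from the clean copy
#   MISSING  file exists only in CLEAN
compare_trees() (
  tmp=$(mktemp -d) || exit 1
  manifest "$1" > "$tmp/clean" || exit 1
  manifest "$2" > "$tmp/live" || exit 1
  awk '
    # The path starts at column 67: 64 hex digits plus a 2-character gap.
    FNR == NR { want[substr($0, 67)] = $1; next }
    {
      p = substr($0, 67); seen[p] = 1
      if (!(p in want)) print "ADDED " p
      else if ((want[p] "") != ($1 "")) print "MODIFIED " p  # string compare
    }
    END { for (p in want) if (!(p in seen)) print "MISSING " p }
  ' "$tmp/clean" "$tmp/live" | sort
  rm -rf "$tmp"
)
```

Files that legitimately differ per site, such as config.php and uploaded attachments, will be reported too and need a manual look. Plugins and styles are stored in the database, so this comparison does not cover them.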