Back to Management Articles

HowTo "UnHack" Yourself and Hacker Prevention
by mikey1991 15 Dec 2009

Recently, one of my vBulletin powered sites was under a hacking spout, I'd fix it, and it got hacked the next day, fixed it, hacked again, fixed, hacked again.

Fortunately, he was doing the same thing each time. Up until the last time, I was just restoring a DB backup, which he hacked several times. I found this is the lazy way out

I was scratching my head over and over, "how is he getting in". I'd followed the standard safety measures and such, renamed admincp/modcp, 128bit passwords, etc.

Here's what I did, and it seems to have worked:

Firstly I did a recursive CHMOD of 0644 on every single file and folder, this will make your vBulletin bring up a "Forbidden" Message, while you work on it. Then I CHMOD the AdminCP Dir (renamed) to 0755, which gives you access to your acp. So you have access to the site, the hacker doesnt. You could also achieve this by putting an index.html in your root directory, or specifying a 301 redirect in a .htaccess.

I then fixed the bugs, using the vBulletin AdminCP, and PHPMYADMIN, I find it's more effective to remove these things at a database level (this time it was sql insertion and malicious javascript) I then went ahead and changed all my staffs passwords, sure, they'll moan, but if it protects the site, then they have to live with it.

I then went and created 128bit passwords and put .htaccess and .htpasswd's in the following directories:

admincp/ (renamed)
modcp/ (renamed)
includes/
install/

If you have SSH access to your server, ask your host to remove it also (even if just for like, a week or two), as this is another way the hacker can get in.

I then changed my Database NAME, and Database user name and password, and changed those in the config.php, I then renamed the admincp/modcp/ dirs, again, they now aren't even under /forum/, you can do that by adding your full path to any instance of "global.php". (see attachment)

Then I went and did a recursive CHMOD on all the DIRECTORIES to 0755, so all files are now sitting at 0644 and directories (folders) are at 0755. So this should be secure, vBSEO users should remember to chmod your config_vbseo.php back to 777, and if you have any mods like vbimghost, chmod 777 the image upload directory.. - this isn't needed if you used the .htaccess method.

Finally, I reviewed my raw access logs and control panel logs, and error logs, determined the IP of the hacker, and IPtabled them, they now can't access any part of the server. This is a b*tch to do, and gives you a headache and takes a long time. If you dont have the access to block them from the server, again, you can use a .htaccess to block thier IP or thier IP range.

Alot of what I've said is in all the official stuff, but eh, Hope this helps anyone.
Attached Thumbnails
Click image for larger version
Name:	notepad++.jpg
Views:	223
Size:	93.4 KB
ID:	107565  

Similar Mods

[HowTo] [3.0.0] Place and optimize the "Mark Forums Read - View Forum Leaders" bar. vBulletin 3.0 Template Modifications

vblts.ru supports vBulletin®, 2022-2024