Hi guys. Yesterday, FreeAdz was hacked by someone called 'DA078!!2@'. I have a backup being installed now, but is there any real way for me to protect my forum in the future?
See this page: How To Make My Forums More Secure - vBulletin Community Forum. Do you know what exactly they did and how?
They have somehow managed to change passwords, including my own, and they have messed up all the drop-down menus, etc. My password is not an easy one to break, as it's 9 alphanumeric characters.
Did anyone else have admin access/ability to change passwords? Just wondering if it could have been an inside job. Good luck getting everything back to normal!
By the way, since you use vBulletin, I have a recommendation so that cases like this don't happen anymore. In your config.php file you will see this line:

Code:
    $config['SpecialUsers']['undeletableusers'] = '';

Just add your user ID and your account will not be editable anymore, so nobody will be able to change your password anymore.

Edit: Also, your Admin and mod CPs are at their default locations; you should really rename them for more security. To do that, still in your config.php file, you can find the following lines:

Code:
    $config['Misc']['admincpdir'] = 'admincp';
    $config['Misc']['modcpdir'] = 'modcp';

Just change the values to something else and then just rename the directories to the chosen value. And I would also add an .htaccess in those directories as well to further password protect them.

Edit 2: And if you want even more security, you might also want to move/rename the config.php file, as it contains your MySQL dbname/username/password. To do that, open the file named class_core.php (it is also in the includes directory) and find:

Code:
    include(CWD . '/includes/config.php');

    if (sizeof($config) == 0)
    {
        if (file_exists(CWD. '/includes/config.php'))
        {
            // config.php exists, but does not define $config
            die('<br /><br /><strong>Configuration</strong>: includes/config.php exists, but is not in the 3.6+ format. Please convert your config file via the new config.php.new.');
        }
        else
        {
            die('<br /><br /><strong>Configuration</strong>: includes/config.php does not exist. Please fill out the data in config.php.new and rename it to config.php');
        }
    }

Now replace the 2 instances of "/includes/config.php" with whatever path/name you want, and then, using your FTP client, move/rename the file. If you do this modification (move/rename the config file), you will need to re-edit the class_core.php file after each update.
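The settings named in the post above can be checked with a short audit script. This is an added example, not part of the original thread or vBulletin's own code; the function names, the constructed sample tree and the rule that a missing key counts as the default directory name are assumptions.

```python
import re, tempfile
from pathlib import Path

# Matches simple assignments such as: $config['Misc']['admincpdir'] = 'admincp';
ASSIGN = re.compile(r"""^\s*\$config\['(\w+)'\]\['(\w+)'\]\s*=\s*(['"])(.*?)\3\s*;""", re.M)
DEFAULT_DIRS = {"admincpdir": "admincp", "modcpdir": "modcp"}

def parse_config(text):
    """Return {(section, key): value}; commented-out lines do not match."""
    return {(m[1], m[2]): m[4] for m in ASSIGN.finditer(text)}

def audit(forum_root, config_rel="includes/config.php"):
    """List findings for the three settings discussed in the post."""
    root = Path(forum_root)
    cfg_file = root / config_rel
    if not cfg_file.is_file():
        return [f"config file not found at {config_rel}"]
    cfg = parse_config(cfg_file.read_text(errors="replace"))
    findings = []
    if not cfg.get(("SpecialUsers", "undeletableusers"), "").strip():
        findings.append("undeletableusers is empty")
    for key, default in DEFAULT_DIRS.items():
        # Assumption: a missing key is treated as the default directory name.
        value = cfg.get(("Misc", key), default)
        if value == default:
            findings.append(f"{key} still uses the default '{default}'")
        if not (root / value / ".htaccess").is_file():
            # Presence check only; the file's directives are not validated.
            findings.append(f"no .htaccess in '{value}'")
    return findings

def build_sample(root, undeletable, admin_dir, mod_dir, htaccess):
    """Create a constructed forum tree (sample data, not a real install)."""
    root = Path(root)
    (root / "includes").mkdir(parents=True)
    (root / "includes/config.php").write_text(
        "<?php\n"
        f"$config['SpecialUsers']['undeletableusers'] = '{undeletable}';\n"
        f"$config['Misc']['admincpdir'] = '{admin_dir}';\n"
        f"$config['Misc']['modcpdir'] = '{mod_dir}';\n")
    for d in (admin_dir, mod_dir):
        (root / d).mkdir()
        if htaccess:
            (root / d / ".htaccess").write_text("# constructed placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp) / "default", "", "admincp", "modcp", False)
        print(audit(Path(tmp) / "default"))
```

If config.php has been moved as described in "Edit 2", pass its new relative path as `config_rel`.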
Nick: I'm still unsure how they got in, but I'm convinced it wasn't a brute force attack, as all the admin passwords were long and random. GreenCat: Thanks for those tips. I'll implement them once the backup has been restored.
Good luck. My site was hacked after six months of growing large, just when I started to really enjoy it. But I did all the things mentioned above (changed admincp, etc.) and haven't been hacked since.
I'm a bit of a freak when it comes to anything security-related, and as such, I strongly recommend changing your passwords on a weekly basis (if not daily - I've been known to do this). They may be long and random, but that's not always important - change is key.
How do you remember all those passwords if you change them every week? If you're using an algorithm, are you working the date in there somehow?
I keep all of 'em in a Word document - it's actually quite handy, and an excellent way of storing these passwords in an organized fashion.
Good thinking; I'm sure he will devise a class (or lesson -- I'm not sure how he does it) just for security.
Yup, security has now been improved. Although I have since found out that it was one of my junior admins that did it. He messed up all the style templates, deleted some, etc. So it was an inside job, and not an outright brute force attack.