Testing Recovery

Thanks again for bringing us back! I hope there are guys on here that can help out to prevent future attacks! Websites aren't one of my strengths.

I found the group that hacked this forum on facebook. It was a newly formed group with only 10-20 members as of this morning. I reported the group to FB. I'm sure they'll only make another group if this one is terminated.
 
This wasn't kids. It was an extremely sophisticated hacker network operating throughout the net. Once they do their thing, finding what they did is like finding a needle in a haystack. You try this, and that, hoping to get it all.

They may be older but they are "script kiddies" that on their own could never do what they are doing. Someone finds a vulnerability, builds a kit and passes it around to the hackers. You'll probably never find the original group that found the hack. Some of the kiddies know enough to mod the kit and do their own damage like adding trojans etc. Seems like they slipped one in.

Glad you could restore from an older system image and then restore the database from a newer version. I hope you have all the fixes from vBulletin and with some luck the hole is fixed for hobby-machinist.

Long tough road when you get into days of problems like this that never seem to end and no-one has specific answers, just guesses.
 
Close the hole... This has three subparts in this instance.
  1. Delete your install folder
  2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
  3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
Fill the Hole... There are seven subparts in this instance.
  1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
  2. Delete any Suspect Files.
  3. Replace any files marked as "Does not contain expected contents"
  4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
  5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
  6. Update your Addon Products.
  7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
Secure the Hole
Parts of this were done by closing the hole but there are still things to do here.
  1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
  2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
  3. Create a lower permission Administrator for every day use.
  4. Review your permissions in the system.
  5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
  6. Move your attachments outside the forum root directory.
  7. Create a complete backup of your site. Make database backups weekly.
Vigilance
You need to keep active on the security of the site.
  1. Give out the fewest permissions necessary for anyone to do their job
  2. Make sure your hosting provider updates the software.
  3. Update to the latest vBulletin when it is released.
  4. Make sure your addons are always up to date.
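The "review your files for changes" and "scan your plugins for malicious code" steps above can be run as a script rather than by eye. The following is an added example, not code from the post or from vBulletin; it assumes a clean unpacked copy of the same vBulletin version sits next to the live tree, that plugin/product exports are `*.xml` files, and it builds a small constructed sample tree so it can be run offline. The keyword pattern is a tightened form of the post's list (function names only when followed by a parenthesis, base64 only as an encode/decode call, iframe only as a tag) to cut noise from words like "filesystem".

```shell
#!/bin/sh
# Added example, not code from the post or from vBulletin: a post-restore sweep
# that automates two checklist steps, "review your files for changes" and
# "scan your plugins for malicious code". Layout assumptions: a clean unpacked
# copy of the same version sits next to the live tree, and plugin/product
# exports are *.xml files.

# Tightened form of the post's keyword list (see lead-in).
SUSPECT_RE='(exec|system|pass_thru|passthru)[[:space:]]*\(|base64_(en|de)code|<iframe'

# One "hash  ./relative/path" line per PHP or XML file under the clean copy.
make_baseline() {            # $1 = clean forum root, $2 = baseline file to write
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.xml' \) | sort \
        | while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Files in the live tree whose contents no longer match the baseline.
changed_files() {            # $1 = live forum root, $2 = baseline file (absolute path)
    ( cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null ) | sed -n 's/: FAILED$//p'
}

# Files in the live tree that the baseline has never heard of (dropped scripts,
# rogue product exports, renamed copies of admin tools).
new_files() {                # $1 = live forum root, $2 = baseline file
    base=$(mktemp); live=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$2" | sort > "$base"
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.xml' \) | sort ) > "$live"
    comm -13 "$base" "$live"
    rm -f "$base" "$live"
}

# Files containing any suspect construct, for manual review (a hit is a lead,
# not proof: legitimate add-ons use some of these calls too).
scan_suspect() {             # $1 = forum root
    grep -rlE --include='*.php' --include='*.xml' "$SUSPECT_RE" "$1"
}

# Constructed sample tree so the checks run offline: a clean copy and a live
# copy in which one core file was tampered with and one product export added.
setup_demo_tree() {          # prints the directory holding clean/ and live/
    d=$(mktemp -d)
    mkdir -p "$d/clean/includes" "$d/live"
    printf '<?php\nfunction vb_ok() { return 1; }\n' > "$d/clean/index.php"
    printf '<?php\n$x = 1;\n' > "$d/clean/includes/functions.php"
    cp -R "$d/clean/." "$d/live/"
    # constructed tampering: a line appended to an existing core file
    printf '$y = base64_decode($_POST["c"]);\n' >> "$d/live/includes/functions.php"
    # constructed rogue product export that the clean copy never had
    printf '<plugin><phpcode><![CDATA[system($_GET["x"]);]]></phpcode></plugin>\n' \
        > "$d/live/product-rogue.xml"
    echo "$d"
}

run_demo() {
    d=$(setup_demo_tree)
    make_baseline "$d/clean" "$d/baseline.sha256"
    echo "== changed since baseline =="; changed_files "$d/live" "$d/baseline.sha256"
    echo "== not in baseline ==";        new_files "$d/live" "$d/baseline.sha256"
    echo "== suspect constructs ==";     scan_suspect "$d/live"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Run it with `sh sweep.sh demo` to see the three reports on the constructed tree; against a real forum, point `make_baseline` at the clean download and the other three functions at the live root. Anything reported by `changed_files` or `new_files` maps directly onto the "Delete any suspect files" and "Replace any files marked as does not contain expected contents" steps, and `scan_suspect` hits in plugin exports are the ones to read by hand before deleting.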
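The .htaccess lock-downs from "Close the hole" (AdminCP behind a separate login or an IP restriction) and "Secure the hole" (Deny All on includes, packages and vb, user authorization on modcp) are spelled out below as an added example; it is not code from the post or from vBulletin. It assumes Apache serves the forum with AllowOverride enabled for its directory (otherwise per-directory .htaccess files are silently ignored), that the folder names are the stock ones, and that the password file path is whatever you choose outside the web root. Directives are given in Apache 2.4 form with the 2.2 equivalent as a fallback.

```shell
#!/bin/sh
# Added example, not code from the post or from vBulletin: write the .htaccess
# lock-downs from the "Close the hole" and "Secure the hole" steps. Assumptions:
# AllowOverride is enabled for the forum directory and the folder names are the
# stock ones (admincp, modcp, includes, packages, vb).

# Password file for the extra login layer; keep it OUTSIDE the web root and use
# a username and password that differ from every forum account, e.g.
#   htpasswd -c /etc/apache2/forum.htpasswd some-other-name
# (htpasswd is the stock Apache tool; the path is an assumption.)

# Deny all direct web access to a folder the forum only includes server-side.
write_deny_all() {           # $1 = directory
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Require an Apache-level login before the folder's scripts are even reached.
write_basic_auth() {         # $1 = directory, $2 = absolute path of the htpasswd file
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $2
Require valid-user
EOF
}

# Alternative for the AdminCP when the admins come from fixed addresses.
write_ip_allow() {           # $1 = directory, $2 = address or CIDR block, e.g. 203.0.113.0/24
    cat > "$1/.htaccess" <<EOF
<IfModule mod_authz_core.c>
    Require ip $2
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $2
</IfModule>
EOF
}

# The post's layout: AdminCP behind a login, includes/packages/vb denied
# outright, ModCP behind a login too because moderators still need to reach it.
apply_lockdown() {           # $1 = forum root, $2 = htpasswd file
    write_basic_auth "$1/admincp" "$2"
    write_basic_auth "$1/modcp"   "$2"
    for dir in includes packages vb; do
        if [ -d "$1/$dir" ]; then write_deny_all "$1/$dir"; fi
    done
}
```

After applying, confirm the effect from a browser: a request for `/includes/` or `/vb/` must come back 403, and `/admincp/` and `/modcp/` must prompt for the Apache login before the forum's own login page appears. If nothing changes, AllowOverride is off for that directory and the same directives belong in the server's `<Directory>` block instead.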
 