Hack attempt on the forum http://www.indianwebmaster.org

Discussion in 'Security' started by invincible.vib, Nov 3, 2006.

  1. #1
    invincible.vib, Nov 3, 2006 IP
  2. Finale

    #2
    Reinstall your forum software?
     
    Finale, Nov 3, 2006 IP
  3. invincible.vib

    #3
    Well, I fixed that problem... reinstalling is the extreme case!!!
    I just removed instances of "mustim" from the DB and now the forum comes up fine :)
    Seems he signed up and exploited any of the vBulletin code. I checked the vbforum site and they seem to say it's a server problem on most issues rather than accept that there can be security holes in PHP-based code.
    I think any mods or plugins need an update!

    I've also found this info in the DB regarding the user mustim (may be username "hacked")
    IP ADDRESS : 88.229.10.160

    So finally I got my forum up and running :)
    (But I still don't know how it was hacked, so I need to put some time into resolving that security loophole!)
     
    invincible.vib, Nov 3, 2006 IP
  4. roy77

    #4
    Glad to see that you solved the problem. Check your forum security, so it won't happen next time :)
     
    roy77, Jan 6, 2007 IP
  5. thuonghieu

    #5
    I can still access your site. Maybe your PC is infected with malware. Check it.
     
    thuonghieu, Jan 6, 2007 IP
  6. hans

    #6
    If you know the user account through which changes were made, then search your entire access_log files from MANY months back and extract any access to that account using

    zgrep "mustim" access_log.gz >mustim_access.txt

    Replace "mustim" with a precise word that always occurs in the URL string for all logins, and replace the access_log file name with your own.

    Then find the first visits of the user "mustim":
    where did he first visit your site
    referral (exact Google search string! if he used G before hitting your site)
    then walk through his path of site visits
    where - in what precise folder - did he place his files

    His files may have file names equal to common files existing on your site. After a hacker intrusion a year ago I found files on my site such as index.php, but that file contained a hacker script and NOTHING like common index files!! I also found other common file names such as php-info.php and other similar common files that usually always reside on a server, hence files that never arouse any suspicion unless you open them and see that the script content is totally different from what it normally would be.

    Finding the exact entry point and the weak security hole may be a matter of dozens of hours of researching all kinds of access_log, messages-log, warn-log and error_log files.

    Good luck
     
    hans, Jan 22, 2007 IP
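
The log walk described in post #6, as an added example that is not part of the original thread: the account name is used only to find the client IP, and every request from that IP is then listed in order, so the first visit and its referrer show up even where the name is not in the URL. It assumes Apache "combined" log format; the function names, file names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache "combined" log format.

# client_ips PATTERN FILE...: unique client IPs on request lines containing PATTERN.
client_ips() {
    pattern=$1; shift
    gzip -dcf "$@" | grep -F -e "$pattern" | awk '{ print $1 }' | sort -u
}

# timeline PATTERN FILE... (oldest file first): every request from those IPs,
# in log order, TAB-separated: timestamp, method, path, status, referrer.
timeline() {
    ips=$(client_ips "$@" | tr '\n' ' ')
    [ -n "$ips" ] || return 1      # pattern never seen in these logs
    shift
    gzip -dcf "$@" | awk -F'"' -v ips="$ips" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1; OFS = "\t" }
        {
            split($1, pre, " ")    # ip ident user [time zone]
            if (!(pre[1] in want)) next
            split($2, req, " ")    # method path protocol
            split($3, res, " ")    # status bytes
            ts = pre[4]; sub(/^\[/, "", ts)
            print ts, req[1], req[2], res[1], $4
        }'
}

# Constructed sample: a rotated, gzip-compressed log and the current plain one.
make_sample() {
    gzip -c > "$1/access_log.1.gz" <<'EOF'
203.0.113.7 - - [01/Nov/2006:09:12:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "http://search.example/?q=forum" "Mozilla/4.0"
198.51.100.9 - - [01/Nov/2006:09:13:40 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2006:09:14:22 +0000] "POST /forum/register.php HTTP/1.1" 200 812 "http://forum.example/forum/index.php" "Mozilla/4.0"
EOF
    cat > "$1/access_log" <<'EOF'
203.0.113.7 - - [02/Nov/2006:22:40:10 +0000] "GET /forum/member.php?username=mustim HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.9 - - [02/Nov/2006:22:41:00 +0000] "GET /forum/faq.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Nov/2006:22:45:33 +0000] "POST /forum/profile.php HTTP/1.1" 302 0 "http://forum.example/forum/member.php?username=mustim" "Mozilla/4.0"
EOF
}

d=$(mktemp -d) && make_sample "$d" && timeline mustim "$d/access_log.1.gz" "$d/access_log"
rm -rf "$d"
```

On the sample, a plain grep for the name returns only the two 02/Nov lines, while the timeline also surfaces the 01/Nov first visit and registration from the same address.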