10-09-2008, 07:48 PM   #1
lafsunlmtd (The OLD Site Owner)
Protecting your Admincp from hackers

Wanted to share an experience and help others from our dilemma. One of our other forums is in a highly competitive area. We support satellite receiver manufacturers. We had a hacker try and take down our site and we think he was paid by one of the receiver manufacturers.

Dude was intense, he was able to log in as my name, mess with the site, and then wipe out the admin log. I have the db backed up every hour because the site is so big so it wasn't that big of an ordeal with him erasing info or changing settings.

It was crazy though because he wouldn't do anything like catastrophic like wipe out the forum contents, he would go and change permissions to forums and post as other users.

So we would ban the IP addresses as we would see them come on; of course he was using a proxy, so we had to just stay on it. We further changed the location of the admincp. I would suggest everyone do this. Instead of making it forum/admincp, make it something totally unique. Also, it's useless to change the location of it if you don't also remove the link from the footer. It leads you right to it.

For an added level of protection, put an .htaccess in the admincp folder and password and IP block access to allow only those who should be allowed. Many times sites will only have one or two admins, so it is not a big deal.

Once we limited the admincp to only certain IPs, the attacks died down to him logging in as other users and posting bogus info. We just had to stay on it and block the IPs as we saw him log on.

Here are some other tips that I learned through this 5 day ordeal.
  1. If you don't use a plugin or addon anymore, don't just disable it, remove it.
  2. Go through and remove files from previous versions of vBulletin or other hacks that aren't used. You can check this by going into the maintenance section of the admincp and going through "Suspect File Versions". It lists all of the files and compares them with what should be in the original package. We had stuff in the directory from 2004.
  3. Remove all of the upgrade and install files in your /install folder. These can be used to gain access or mess with your db. Just delete them!
  4. Require your mods and admins to change their passwords every few months. Many times people will use one password for multiple sites; if one of these is hacked, the hacker then has access to everything they can find. It's as easy as searching for the username on Google to see where else the hacker can try the password.
  5. Change the location of your admincp. Make it something unique. Remove the code in the footer that dynamically creates a link to your admincp so it can't be found.
  6. Create an .htaccess file for your admincp and protect the directory by requiring a un/pw and by only allowing certain IP addresses.
  7. Be careful to give mods, super mods, and admins only the powers that they need. The less the better, because if their account gets hacked you are in more danger if they have powers enabled that they don't even use.
  8. Do a search for your mods' and admins' usernames with Google to see if you can find a password with their username for another site. If you can, just change their password and have them reset it.

I'll post more as I think of it, but it was quite an ordeal we went through and I think this sums up the steps we took. Anywho, please protect yourselves so this doesn't happen to you.
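Added example, not part of the original post or thread: a shell check that audits a forum web root against tips 3, 5 and 6 of the list above. The directory name `cp-7f3a`, the addresses, the `AuthUserFile` path and the Apache 2.4 `Require` syntax are assumptions. The `<RequireAll>` check is there because Apache 2.4 treats bare `Require` lines as alternatives, so either a password or an allowed IP alone would be accepted.

```shell
#!/bin/sh
# Added example: audit a forum web root against tips 3, 5 and 6 above.
# Assumptions: Apache 2.4 syntax; the renamed admin directory is passed in.

# Usage: audit_forum WEBROOT ADMIN_DIR ; return status = number of findings.
audit_forum() {
    root=$1; ht="$root/$2/.htaccess"; n=0
    flag() { echo "FINDING: $1"; n=$((n + 1)); }

    # Tip 5: the well-known default path should be gone after the rename.
    if [ -d "$root/admincp" ]; then flag "default admincp/ directory still present"; fi

    # Tip 3: install/upgrade scripts left on the server.
    if [ -d "$root/install" ] &&
       [ -n "$(find "$root/install" -type f -name '*.php' | head -n 1)" ]; then
        flag "PHP files remain under install/"
    fi

    # Tip 6: login AND source-IP restriction on the admin directory.
    if [ ! -f "$ht" ]; then
        flag "no .htaccess in $2/"
    else
        grep -Eqi '^[[:space:]]*Require[[:space:]]+valid-user' "$ht" ||
            flag "no 'Require valid-user' (password prompt)"
        grep -Eqi '^[[:space:]]*Require[[:space:]]+ip[[:space:]]' "$ht" ||
            flag "no 'Require ip' (address allow-list)"
        # Bare Require lines are OR-ed by Apache 2.4; <RequireAll> makes them AND.
        grep -Eqi '^[[:space:]]*<RequireAll>' "$ht" ||
            flag "Require lines not wrapped in <RequireAll>"
    fi
    return "$n"
}

# Constructed sample: a web root whose admin directory was renamed to "cp-7f3a".
demo=$(mktemp -d)
mkdir -p "$demo/cp-7f3a"
cat > "$demo/cp-7f3a/.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10 198.51.100.0/28
</RequireAll>
EOF
audit_forum "$demo" cp-7f3a && echo "no findings"
rm -rf "$demo"
```

The `.htaccess` written in the sample is the hardened form; on Apache 2.2 the same intent needs the older `Order`/`Allow from` directives with `Satisfy all` instead.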
10-09-2008, 08:26 PM   #2
Moelman (The Webmaster)
Thanks for sharing that Eric. A lot of good advice to keep your forum secure. I just went and removed some plugins that were disabled but still installed. I also had some users who had their passwords the same as their usernames which comes up if you have the latest version of vB, so I reset all their passwords and sent emails out. None of them were mods or admins though. I also have it set to force me to change my password every few months.
10-09-2008, 08:30 PM   #3
lafsunlmtd (The OLD Site Owner)
excellent.......
10-09-2008, 09:37 PM   #4
DannyH (Member)
I did it so all my members had to change their passwords every 2 months, however a few reported that the page where it asks you to change your password didn't exist.

Anyway, thanks for the tips.
I'm gonna make a few changes to my forum on Sunday, and they will be one of them.
10-09-2008, 10:49 PM   #5
BamaStangGuy (Forum Enthusiast)
I do this on my largest site.
10-09-2008, 11:52 PM   #6
Jolteon (Forum Junkie)
Nice list of things to check and fix there, thanks.

Quote (originally posted by lafsunlmtd):
excellent.......

you're doing it wrong, see here for reference, kay? http://heylarryhughespleasestoptakin...-excellent.jpg
10-17-2008, 02:41 AM   #7
Cool_Guy (Apprentice)
Good advice.

I would also recommend that you tell your admins the adminCP location in an email or IM, not in a forum post or PM.
12-06-2008, 08:23 PM   #8
spurssheriff (Rookie)

Damn.. I wish I had read this a few months ago. Some a-holes came in and wiped our forum clean. They deleted the whole site, nothing is left. The owner called his hosting company and asked them for a backup. They told him it was extra so they don't have one. We've asked several people to help and they tried but couldn't recover anything. The owner stumbled upon a backup hidden away from 2007. I told him to re-install it and he did but he's having a lot of trouble with bringing the site back up... what a mess.

Those people don't realize SpursReport.com is a business, not just a fan forum. What repercussions can be done if we find out who actually did this?

Any help or advice would be appreciated.

Thanks.