hacked - how to regain complete control?


BigJonnyB
15-06-2004, 13:51
Visitors to jokersforum.com/jokersrewards.com will notice that we were hacked early this morning by some Brazilian nob 'DaemonOptik' - we are the latest in a string of sites using vBulletin to receive his attention. The site is hosted at hostrocket, who have got the servers back online, the entire database is not damaged and is actually still there (i.e. http://www.jokersforum.com/online.php? lists all the people and google bots browsing various pages linked on google) - but we have basically lost control of the front pages with his stupid hacked page in its place. I can't get into the board's admin section - it just redirects me to his page. I can't FTP for some unknown reason, despite changing passwords with the server provider. Any suggestions?
This has really narked me - who the hell just spends their time messing around with other people's sites? Some loner prat no doubt.
JB

Harsin
15-06-2004, 13:52
Moving to C&C Forum.

DarthVader
15-06-2004, 14:11
Maybe it was some geeky wee nerd out for revenge? :searchme:

scanker
15-06-2004, 14:35
The fact that the hacker's Brazilian leads me to think this was done using SQL insertion (I've had similar problems on one of our work sites, since corrected, but the admin logs show various Brazilian script kiddies trying to get in using the same technique every week).

Email me if the above means absolutely nothing to you and I'll explain further.

la_folie
15-06-2004, 14:41
Any chance you can keep it public on here rather than it going private, as I'm sure some of us will be interested. TIA.

ColinP
15-06-2004, 14:53
That's worrying - are there any known flaws in that version of vBulletin? Might be enough for us to put off our upgrade plans.

BigJonnyB
15-06-2004, 15:04
Yep ColinP, was going to drop you a mail and advise of the situation - there are several flaws that have been highlighted in the past few weeks; doing a search on google for 'daemonOptik' indicates that at least 30 sites running the new vBulletin have been hit (although most have got over the initial attack). I will keep everyone updated as to how this pans out, but it is some form of SQL scripting that has caused the damage - scanker is just about to send you an email as I don't know too much about it, and Joseph (Thucydides on here and jokersforum) is unavailable till later this evening.
thanks
JB

scanker
15-06-2004, 15:16
I'm sure google can help but the basic principle is that a hacker uses a ' (single apostrophe) in a login/password box which terminates the SQL and then runs their own.

so, for example, if you were to put "' or 1=1" (no dbl quotes) as a login you would normally get logged in as the first person in your user database, usually the person with admin rights.

To counter such attacks is very simple - just do a replace(all_submitted_info, "'", "''") - replaces single apostrophes with two single apostrophes.

I'm not sure if this is your problem, but it's sure a possibility.

As the db executes SQL commands in sequence, ' or 1=1: drop database makes the db look for an entry where the username is empty or 1=1 (every entry) and then deletes your database.

Google will provide more info.
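An added illustration of the point scanker makes above (not code from this thread or from vBulletin): a login query built by pasting the submitted text into the SQL, the same query with scanker's doubled-apostrophe replace applied, and the placeholder (parameterized) form that database drivers provide for exactly this reason. The in-memory SQLite table and its two accounts are constructed for the example.

```python
import sqlite3

PAYLOAD = "' or 1=1"   # the login text from scanker's post, used here only as test input

def make_db():
    """Constructed stand-in for a forum's user table; row 1 is the admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT,"
               " password TEXT, usergroup TEXT)")
    db.executemany("INSERT INTO user (username, password, usergroup) VALUES (?,?,?)",
                   [("admin", "admin-pw", "Administrators"),
                    ("alice", "alice-pw", "Registered")])
    return db

def build_concat_sql(username, password):
    """The defect: submitted text becomes SQL text, so a quote in it ends the literal early."""
    return ("SELECT username FROM user WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_concat(db, username, password):
    row = db.execute(build_concat_sql(username, password)).fetchone()
    return row[0] if row else None

def sql_escape(value):
    """scanker's mitigation: double every single quote so it stays inside the literal."""
    return value.replace("'", "''")

def login_escaped(db, username, password):
    sql = build_concat_sql(sql_escape(username), sql_escape(password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Placeholders: the driver passes the input as a value, never as part of the statement."""
    row = db.execute("SELECT username FROM user WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

def input_rewrites_statement(db, username, password):
    """True when the concatenated statement no longer parses as the query the code
    intended, i.e. the submitted text has been read as SQL syntax rather than a value."""
    try:
        db.execute(build_concat_sql(username, password))
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(build_concat_sql(PAYLOAD, "x"))                 # note the stray quotes
    print(input_rewrites_statement(db, PAYLOAD, "x"))     # True
    print(login_escaped(db, PAYLOAD, "x"))                # None
    print(login_parameterized(db, PAYLOAD, "x"))          # None
    print(login_parameterized(db, "admin", "admin-pw"))   # admin
```

Printing the concatenated statement shows the shape of the query changing with the input; in the escaped and parameterized forms the same text is just a username that matches nobody.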

scanker
15-06-2004, 15:25
Fairly good article here: http://www.groar.org/expl/beginner/appt.txt

Crazy Squirrel
15-06-2004, 16:19
Don't know if this is your post, but someone that's been hacked and a possible way to get it back:
http://www.vbulletin.com/forum/showthread.php?t=107649

Sure it's a vB SQL hack and not something like a PHP exploit?

No idea if it plugs any hole, but 3.0.1 came out over two months ago btw; noticed you're on 3.0.0 still.

j to tha l-o
15-06-2004, 16:27
3.0.1 didn't contain any security fixes.

Crazy Squirrel
15-06-2004, 18:35
Just noticed the link I posted was to the vB2 board, so it looks to me like it's not a vB security flaw.
Also 'daemonOptik' is doing hundreds of sites a day, and a high percentage of those sites aren't on vB.

My money is on an Apache exploit. What version have u got?

Thucydides
15-06-2004, 18:40
Fixed now - apparently it was a server issue rather than vbulletin. Need to find more details though.