MyBB Community Forums

Full Version: Vulnerability Scan
Hello, my forum got hacked a while ago and I THINK it was by SQL injection, as they deleted a database and uploaded 2 files which were viruses.

But I had backups (luckily) and now it's back up, but this was a while ago.

The person who was the messenger boy between me and the attackers said that they just wanted me to pay them for hosting (they are a web hosting company but not popular).

So I said no, and now they have stopped.. Now, I thought it was SQL injection as I thought this was the only way to hack a forum? Messenger also told me that they cannot do it without having an account with admin powers on it, so now I am the only admin, but I can't be worried about being hacked 24/7.

I now have my own server but I am not experienced at all.

It has a firewall named config server security or something similar and it uses iptables. My host installed this for me as I can't use SSH whatsoever.

Do you have any idea what plugins are a major risk? Also, do you know any good free vulnerability scanners, as I know they exist but are not free? Also, people do this manually? How? Wouldn't you have to go through every single file?

Thanks, my URL is not posted as I did not think it was needed and also because it looks nasty as I am editing the theme.

Thanks, Again.
You can't upload a file via SQL injection. Perhaps your server got hacked?
No, but maybe they got passwords from the db? Well, I was on shared hosting at the time.. I don't think a web hosting company's server is hackable, although it would be difficult if they were.
(2012-02-16, 01:07 PM) AlliedManiac Wrote: no but maybe they got passwords from db?
As long as you haven't stored the FTP password in the database, no.
Well, I don't know.. How in the hell was my forum able to get hacked anyway?!

Good job backups exist
What hosts do you use?
Well, considering I mentioned.. I now have my own server, the host is irrelevant in this case as my server is unmanaged.
Host does matter. Hosts which might not have good security get hacked, which in most cases is so.
Hosts do get hacked. Happens all the time. If they don't properly secure the server or jail the accounts you can have problems when another account gets compromised.
SQL injection is not the only way for a forum to get hacked. There are numerous points of entry, and do not live with the assumption that a hosting company's server is not hackable; they are just as vulnerable, if not more, as any other server on the internet.

However, what worries me more is this:

(2012-02-16, 10:40 AM) AlliedManiac Wrote: I now have my own server but I am not experienced at all.

(2012-02-16, 02:01 PM) AlliedManiac Wrote: Well, considering I mentioned.. I now have my own server, the host is irrelevant in this case as my server is unmanaged.

If you do not have any experience in setting up and maintaining a server then get a managed server, otherwise I see this move as jumping from the frying pan into the fire. If you don't know how to manage a server, how can you be sure that it is set up in a secure way? You might just be making things worse for yourself.

Lastly, vulnerability scanners, at least with web apps, are not very reliable; they only check for the very basic stuff and will give you loads of false positives.