MyBB Community Forums

Full Version: Hacked 4 times in 4 days!!!
Yeah, I sent him the links a while ago..
How can I password protect /admin as well?
I guess you could put a .htaccess as well as the current admin login
Could this have been done with some sort of cross-site scripting or cookie exploit?
Could it have been a vulnerability with your hosting panel? Could your users use a script such as webadmin.php to look at your database password and hack you that way?
Well.. I have cPanel so I don't think so.. and I use ipanel too, but those two are supposed to be very safe...

Edit: Again.. the user table is gone.. and this time it was only me having access to cPanel.. when I restored the DB last night I also changed the password... and the admin area is still password protected.. so what can be the problem then???...
orka Wrote: Well.. I have cPanel so I don't think so.. and I use ipanel too, but those two are supposed to be very safe...

Edit: Again.. the user table is gone.. and this time it was only me having access to cPanel.. when I restored the DB last night I also changed the password... and the admin area is still password protected.. so what can be the problem then???...

Do the following:

Place an .htaccess in your root directory that looks like this:

# Only the listed methods (GET and POST) are restricted by <Limit>;
# <LimitExcept> would cover every other method instead.
<Limit GET POST>
Order Deny,Allow
Deny from all
Allow from YOURIP.ADDRESS.HERE
</Limit>

This will restrict access to only your IP address. Remember, this allows access via the WEB only from your IP...not from the backside (FTP, TELNET, SSH). So, this will let you know if the hacker is coming in from the web or if he/she is coming in from the backside.

Now let's put this thing to bed:

Change your cPanel password. Change your FTP passwords...all of them. If you can, change your FTP logins...it could be this person is getting in via FTP, setting permissions on files, then gaining access through an exploit...so it is wise to change any and every password you have that's associated with this account. Once that is accomplished, move on.

Drop your MyBB database tables. Use cPanel to change your MySQL username and password for MySQL and MyBB. Make sure that NO OTHER MYSQL USERS HAVE WRITE ACCESS TO MYBB. Upload your backup database. By rule of thumb I always have a separate username/pass for each and every database. I also change the password every 3 months. Of course, I'm paranoid retarded so...anyways, let's move on.

Update the file inc/config.php to include your MySQL password change. Make sure the file has permission 0644 afterwards. It could be this guy got hold of the file and that's how things got hacked. Make sure your /inc/ directory has permission 0755.

You should be able to connect to your site now with unfettered access, because we limited it with your .htaccess file. Have a friend make sure that they can't access the site (or have us here do it), because some hosting companies don't have .htaccess set up out of the gate without you asking for it. If your friend (or us here) can access it, contact your hosting company and let them know your .htaccess file isn't working and you need it to.

After you've set everything up, changed the passwords, dropped the .htaccess inside your root directory, and locked out external connections...you should be able to work in peace without the fear of being hacked. At this point, let's ensure your directory permissions are correct:

All .php files in your root directory should be 0644 permission. Make sure all your directories have 0755 permission. That includes your subdirectories as well...make sure they're all set to this permission (these are what are set initially by mybb when you upload, unzip, and preserve permissions).

Now, you should have a pretty tight ship. If you haven't updated to the latest version of MyBB, do so. Make sure your host is running the latest version of Apache, MySQL, and PHP. I've found IpowWeb to be notorious for not running current versions of things. If so, change hosts...it's that important...security cannot be something you compromise on. I recommend site5, 1and1, or lunarpages (in that order...site5 is probably one of the best hosts I've ever found).

Post back with questions, comments, or concerns. Good luck!
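The permission and lockout checks in the post above can be scripted so they are not done by eye. The following is an added example, not code from the thread or from MyBB: it audits a document root against the values devnet gives (directories 0755, files 0644), lists anything world-writable, can reset the tree to those modes, and fetches the site from outside the allowed IP to confirm the .htaccess lockout actually returns 403. The document root path and URL are whatever you pass in; nothing about the real install is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit and repair a MyBB document root
# against the permissions recommended above, and verify the .htaccess lockout.

# list_deviations DOCROOT
#   Prints every directory that is not 0755 and every regular file that is
#   not 0644. Prints nothing when the tree matches the recommendation.
list_deviations() {
    find "$1" \( -type d ! -perm 0755 \) -o \( -type f ! -perm 0644 \)
}

# count_deviations DOCROOT -> number of deviating entries (0 means clean)
count_deviations() {
    list_deviations "$1" | wc -l | tr -d ' '
}

# list_world_writable DOCROOT
#   Entries any local account on the box can modify. These are the worst
#   case: an attacker with any shell on the host could rewrite inc/config.php.
list_world_writable() {
    find "$1" -perm -0002
}

# fix_permissions DOCROOT
#   Sets directories to 0755 and files to 0644, i.e. the "make sure they're
#   all set" step done in one pass. Run it only on the forum's own tree.
fix_permissions() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# check_lockout URL
#   Run from a machine that is NOT on the allowed IP. With the .htaccess in
#   place the server must answer 403; anything else means the host is not
#   honouring .htaccess (needs curl). Returns 0 when locked out, 1 otherwise.
check_lockout() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    if [ "$code" = "403" ]; then
        echo "locked out (HTTP $code): .htaccess is working"
        return 0
    fi
    echo "NOT locked out (HTTP $code): contact the host"
    return 1
}

# Usage:  sh mybb_audit.sh /home/you/public_html
if [ -n "${1-}" ]; then
    echo "$(count_deviations "$1") entries deviate from 0755/0644:"
    list_deviations "$1"
    echo "world-writable entries:"
    list_world_writable "$1"
fi
```

Run the audit before and after a restore: a clean tree that later shows deviations, especially a world-writable inc/config.php, tells you someone with FTP or shell access has been changing things, which is the scenario devnet describes.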
devnet Wrote:
orka Wrote: Well.. I have cPanel so I don't think so.. and I use ipanel too, but those two are supposed to be very safe...

Edit: Again.. the user table is gone.. and this time it was only me having access to cPanel.. when I restored the DB last night I also changed the password... and the admin area is still password protected.. so what can be the problem then???...

Do the following:

Place an .htaccess in your root directory that looks like this:

# Only the listed methods (GET and POST) are restricted by <Limit>;
# <LimitExcept> would cover every other method instead.
<Limit GET POST>
Order Deny,Allow
Deny from all
Allow from YOURIP.ADDRESS.HERE
</Limit>

This will restrict access to only your IP address. Remember, this allows access via the WEB only from your IP...not from the backside (FTP, TELNET, SSH). So, this will let you know if the hacker is coming in from the web or if he/she is coming in from the backside.

Now let's put this thing to bed:

Change your cPanel password. Change your FTP passwords...all of them. If you can, change your FTP logins...it could be this person is getting in via FTP, setting permissions on files, then gaining access through an exploit...so it is wise to change any and every password you have that's associated with this account. Once that is accomplished, move on.

Drop your MyBB database tables. Use cPanel to change your MySQL username and password for MySQL and MyBB. Make sure that NO OTHER MYSQL USERS HAVE WRITE ACCESS TO MYBB. Upload your backup database. By rule of thumb I always have a separate username/pass for each and every database. I also change the password every 3 months. Of course, I'm paranoid retarded so...anyways, let's move on.

Update the file inc/config.php to include your MySQL password change. Make sure the file has permission 0644 afterwards. It could be this guy got hold of the file and that's how things got hacked. Make sure your /inc/ directory has permission 0755.

You should be able to connect to your site now with unfettered access, because we limited it with your .htaccess file. Have a friend make sure that they can't access the site (or have us here do it), because some hosting companies don't have .htaccess set up out of the gate without you asking for it. If your friend (or us here) can access it, contact your hosting company and let them know your .htaccess file isn't working and you need it to.

After you've set everything up, changed the passwords, dropped the .htaccess inside your root directory, and locked out external connections...you should be able to work in peace without the fear of being hacked. At this point, let's ensure your directory permissions are correct:

All .php files in your root directory should be 0644 permission. Make sure all your directories have 0755 permission. That includes your subdirectories as well...make sure they're all set to this permission (these are what are set initially by MyBB when you upload, unzip, and preserve permissions).

Now, you should have a pretty tight ship. If you haven't updated to the latest version of MyBB, do so. Make sure your host is running the latest version of Apache, MySQL, and PHP. I've found IpowWeb to be notorious for not running current versions of things. If so, change hosts...it's that important...security cannot be something you compromise on. I recommend site5, 1and1, or lunarpages (in that order...site5 is probably one of the best hosts I've ever found).

Post back with questions, comments, or concerns. Good luck!

Thanks for trying to help.. but after the third time I did all this except the part with the .htaccess.. I even changed the database... and everything has the right permissions, I just checked...
Do the part with .htaccess...it's the most important one. It locks your public_html down to access ONLY from your IP address.
Check your administrator group and make sure it has the number you want it to...it could be that this person got access to the Admin CP as well...go to Admin CP >> Users and Groups >> Manage Groups

Go inside each group that may have access to Admin CP (I have my super moderators with admin cp access..though limited) and make sure that they're setup how you want them to be.