vBulletin hacked forums: Clean Up Time
Step 7. Close and secure access to your AdminCP using .htaccess for Apache & LiteSpeed based web servers or the equivalent for Nginx web servers. Use either user authorization with a different username and password or IP address restrictions.
If you already deleted your /install folder, you can even create an empty /install folder and password protect that with .htaccess. The reason is that for future upgrades you may upload the new version’s /install folder and forget to secure it. If you created an empty, .htaccess-protected /install folder beforehand, the new version’s /install folder will automatically be password protected as soon as you upload it :)
For WHM/Cpanel users you can read Cpanel documentation and/or consult with your web host.
For Centmin Mod Nginx web server users, password protection can be done via the Nginx HttpAuthBasicModule module. You can password protect your admincp directory with the Python htpasswd.py tool included with Centmin Mod.
- You need to use htpasswd.py to either create a password file or append to an existing file (i.e. /usr/local/nginx/conf/htpasswd).
- The password file can be named anything you like and created anywhere you like. Just do not place the file anywhere publicly accessible, i.e. not below the /public web root. This example uses /usr/local/nginx/conf/htpasswd.
To create a new /usr/local/nginx/conf/htpasswd with a username and password, run the following command over SSH, changing the username and password fields to ones of your own choosing:
python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/htpasswd username password
To append to an existing /usr/local/nginx/conf/htpasswd file, remove the -c option:
python /usr/local/nginx/conf/htpasswd.py -b /usr/local/nginx/conf/htpasswd username password
Then add the following lines to the /admincp location of your Nginx vhost. If that location doesn’t exist, you need to add a specific /admincp location container for it:
auth_basic "Private";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
For vB4 and Centmin Mod Nginx based servers
location ^~ /admincp {
    include /usr/local/nginx/conf/php.conf;
    auth_basic "Private";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
For vB5 and Centmin Mod Nginx based servers
location ^~ /admincp {
    auth_basic "Private";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    if (!-f $request_filename) {
        rewrite /admincp/(.*)$ /index.php?routestring=admincp/$1 last;
    }
}
Then restart the Nginx server for the change to take effect:
service nginx restart
or use the command shortcut:
ngxrestart
Directory and File permissions
Straight from Google Webmaster’s Help for hacked sites guide. Check folder and file permissions for too-lenient write privileges, such as 777 (which equates to world-writable access). Often hackers tamper with permissions in the hope that, if they remain undetected, they’ll have a way back into the site.
Check folders with permissions greater than 755 (rwxr-xr-x). Make sure any looser permissions are really necessary. Check with your web host for the appropriate default folder/directory and file permissions for your web server setup. For example, the usual default directory and file permissions on WHM/Cpanel control panel hosting are 755 and 644 respectively, with a requirement for some vB directories, such as the vbulletin_css directory and the vB datastore file, to have 777 permissions. Other vB directories which may need 777 permissions include attachments, customavatars, customgroupicons, customprofilepics, and signaturepics. For vB5, additional directories might include /core/cache/template. But this may vary depending on your web host’s server configuration and setup.
On Unix-based systems, try (change
Before you start changing directory and file permissions, it’s a good idea to have a backup first. You may have already done that in the Step 0 – Stage C suggested step. So if your account is at /home/username/public_html, a quick backup that preserves your entire directory and file permissions and ownerships at /home/username/public_html_backup is to run the command below (remembering that you’ll use double the disk space, as you’re making a second copy):
cp -a /home/username/public_html /home/username/public_html_backup
If you have attachments outside of public_html, i.e. /home/username/attachments:
cd /home/username
cp -a attachments attachments_backup
To check for directories with permissions that are not 755 (substitute your own web root for the example path /home/username/public_html):
find /home/username/public_html -type d -not -perm 755 -exec ls -ld {} \;
Saving the output to a text file:
find /home/username/public_html -type d -not -perm 755 -exec ls -ld {} \; > listdirectorypermissions.txt
Check files with permissions greater than or not 644 (rw-r--r--). Again, make sure any looser permissions are really necessary.
find /home/username/public_html -type f -not -perm 644 -exec ls -la {} \;
Saving the output to a text file:
find /home/username/public_html -type f -not -perm 644 -exec ls -la {} \; > listfilepermissions.txt
You can also do the reverse and remove the -not option to find directories with 777 permissions:
find /home/username/public_html -type d -perm 777 -exec ls -ld {} \;
Or find files with 666, 755 or 777 permissions:
find /home/username/public_html -type f -perm 666 -exec ls -la {} \;
find /home/username/public_html -type f -perm 755 -exec ls -la {} \;
find /home/username/public_html -type f -perm 777 -exec ls -la {} \;
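The commands below change all directories to 0755 and all files to 0644, but be sure to have the backup outlined above so you can restore from it or refer back to it if anything goes wrong. They also reset any directories that really do need 777 (see the list above), so reapply those permissions afterwards if your setup requires them.
find /home/username/public_html -type d -print0 | xargs -0 chmod 0755
find /home/username/public_html -type f -print0 | xargs -0 chmod 0644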
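The 777 checks above can be combined with the list of vB directories that may need 777, so that only unexpected world-writable paths are reported. This is an added example, not part of the original article; the function names and the allow-list variable are hypothetical, and the list holds only the directory names the article gives, relative to the web root.

```shell
#!/bin/sh
# Added example (not from the original article): report world-writable
# directories and files under a vBulletin web root, skipping only the
# directories the article lists as possibly needing 777.
# Names are relative to the web root; edit the list to match your host.
VB_WRITABLE_DIRS="vbulletin_css attachments customavatars customgroupicons
customprofilepics signaturepics core/cache/template"

# is_allowed REL_PATH: succeeds if REL_PATH is on the allow-list.
is_allowed() {
    for d in $VB_WRITABLE_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# audit_world_writable WEBROOT
# Prints "<ls mode string> <path relative to WEBROOT>" for each finding.
# Symlinks are ignored; file names containing newlines are not supported.
audit_world_writable() {
    root=${1%/}
    find "$root" \( -type d -o -type f \) -perm -0002 |
    while IFS= read -r p; do
        rel=${p#"$root"/}
        # Only the allow-listed directory itself is exempt; world-writable
        # files inside it are still reported.
        if [ -d "$p" ] && is_allowed "$rel"; then
            continue
        fi
        mode=$(ls -ld "$p" | cut -d' ' -f1)
        printf '%s %s\n' "$mode" "$rel"
    done
}

# Run directly: sh audit.sh /home/username/public_html
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
fi
```

Run it before and after the blanket chmod commands: empty output means every world-writable path is one the allow-list expects.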