# What happened to the site yesterday....



## Frederik Magle

Dear members,

Those of you that tried to log on yesterday afternoon or evening may have noticed that the site had been hacked - twice in a row - by what appears to be a group of Turkish hackers. They replaced the main index file with a message, which I shall not repeat here. Except a few other files, fortunately nothing seems to have been broken (the database is untouched).

*This is what happened, the cause and how I fixed it...* (warning, might be a little technical ):

Yesterday afternoon I found out about the first incident. First I tried to login with ftp, but the ftp server was malfunctioning. I had to login through a primitive file browser included in the server control panel. This way I was able to replace the malicious index file and return the forum to a functioning state, but through the primitive file browser I had no way of finding out where the breach has happened. For that I would need ftp access, so I immediately opened a support ticket with the (current) hosting company, letting them know that the site had been hacked and that the ftp access didn't work (I had changed passwords etc., and could login but not retrieve the list of files, so there was nothing more I could do at that moment).

It took them 6 hours to respond to my alert and urgent need of support and over 7 hours before I had ftp access again (they had to restart the ftp server). That is not good enough, and I will be moving this site to a dedicated server under my full control soon (but that's another story).

Because of my lack of ftp access the site was then hacked again in the evening and only when I regained ftp access could I fix the problem and prevent further breaches. Luckily with ftp access I could quickly repair the damaged files and find out how the hackers got in, so I could remove all "vunerabilities". I have taken several other steps to tighten the security, but those I will not disclose.

*This is how they got in...*

It seems that some time last year, this site was changed from another software to vBulletin. In order to import users and posts from the old software a special tool was installed. But unfortunately it was not removed again after the import was done and that tool was how the hackers got access. I'm sorry that I overlooked the presence of that vulnerability when I took over the site in february and upgraded the site in March. In any case, the site should be highly secure now! (knock under wood ). I just want to add, in defence of the previous owners who installed that tool (and myself for overlooking it later on ) that it's very easy to forget about it after it has been installed. It just sits there doing nothing, looking quite harmless if you even notice it - at least until someone takes advantage of it in a bad way...

I thought you might want to know what happened and what have been done to prevent it from happening again. Let me also asure you that your user informations are safe! The database itself has not been compromised in any way.

Kind regards
Frederik


----------

