IMPORTANT DISCLAIMER - PLEASE READ

You are currently in an unofficial IPB help forum where members assist other members with Invision Power Board. While you may receive help with your Invision Power Board questions in this forum it is important to note the following:

Note: Let us state again that support provided in IPB Help is provided by the kindness of others. The staff of Invisionize do not officially provide support for Invision Power Board. If you would like official support from Invision Power Services, please open a new support ticket from your Invision Power Services Customer Area page.

 
I got HACKED! AGAIN!
bart5986
post Jul 16 2006, 11:59 PM
Post #1


Member
**

Group: Members
Posts: 197
Joined: 10-August 04
Member No.: 120,085



A while back I posted that I got hacked

I patched the shoutbox, and I thought all was well.


But now I got hacked again.


He used the SAME method too, I got the password recovery email, and then got hacked.

So what the hell should I do?


I haven't upgraded to 2.1.7 yet, but it's impossible that by not upgrading I have made a new security hole.

The only thing I've found out is that both times my cpanel has said "Last login from: 127.0.0.1"

I asked my host and he said there's only two people that could access the server and leave it like that so it couldn't be my host.


So what's going on???

Luckily this time I had the admin cp restrict IP so he couldn't change anything.

But he still could use my super mod powers and go crazy!


I really need some help!


I've done some googling and it appears the IP is a public proxy, which makes sense because last time I got hacked I banned his IP area.

This post has been edited by bart5986: Jul 17 2006, 12:04 AM


FuZZyLoGic
post Jul 17 2006, 12:31 AM
Post #2


Newbie
*

Group: Members
Posts: 13
Joined: 29-October 04
Member No.: 130,762
IPB Version: 2.0.x



Well, not sure what mods you have installed or what vulnerabilities they have etc. But if you have upgraded your board since the last attack and he is using the same exploit successfully, it seems to me that your system itself may still be compromised from the last attack.

I would check all your directories for any .php or binary files that clearly should not be there. I would start with the folders that are chmodded 777 (such as your uploads directory). Also make sure there are no users in the database with admin privs and change the passwords on all the legit admin accounts. I would also change the db pass to be absolutely safe.

If he somehow managed to gain ssh or root on the server itself then your problems are a bit bigger than your website, but that would be a problem for your host to solve.

I am sure someone else is better qualified to help you here, but there are my suggestions. Good luck.

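The check suggested in post #2 (look inside the folders that are chmodded 777 for .php or binary files that should not be there), as an added example that is not part of the original thread. The function names, the extension list and the path you pass in are assumptions, not anything specific to IPB.

```shell
#!/bin/sh
# Added example: flag PHP or native-binary files under world-writable folders.
# The web-root path is whatever you pass in; the extension list is an assumption.

# Print every world-writable directory below $1 (mode bit o+w, e.g. 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Succeed when a file looks like PHP or a compiled executable.
is_suspicious() {
    case "$1" in
        *.php|*.php[0-9]|*.phtml|*.php.*) return 0 ;;
    esac
    # PHP open tag inside a file with an innocent extension (e.g. pic.gif)
    if grep -qaF '<?php' "$1" 2>/dev/null; then return 0; fi
    # ELF magic bytes 7f 45 4c 46 mark a Linux binary
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then return 0; fi
    return 1
}

# List suspicious files anywhere below a world-writable directory.
scan_webroot() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -type f 2>/dev/null
    done | sort -u | while IFS= read -r f; do
        if is_suspicious "$f"; then printf '%s\n' "$f"; fi
    done
}

if [ "$#" -gt 0 ]; then scan_webroot "$1"; fi
```

Every path it prints is a candidate for manual review against a clean copy of the board's files, not proof of compromise.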
ssj4gogita4
post Jul 17 2006, 12:50 AM
Post #3


Squidward Tortellini
*******

Group: Members
Posts: 10,677
Joined: 19-February 05
From: Planet Vegeta
Member No.: 145,607
IPB Version: 2.3.x



I think I remember the shoutbox being reported as having an exploit in it. Not entirely sure about that but ask Dean if you need to.


bart5986
post Jul 17 2006, 01:12 AM
Post #4


Member
**

Group: Members
Posts: 197
Joined: 10-August 04
Member No.: 120,085



I already fixed the shoutbox exploit.

I have already scanned my ftp directory for viruses using the IPB tool and found nothing.

All the passwords were already changed to 20 character random passwords last time I got hacked.

My server doesn't give SSH access I don't think, I don't have it in my cpanel and it's not offered by my host anyway.


I'm convinced this is something to do with the password recovery thing, but I'm not sure.


Also, the guy put this in my sig.

0WN3D BY F3X

<SNIP>


ffs, he has the potential to delete everything by me having supermod powers.

Do I have to demote myself to protect myself?

This post has been edited by sully: Jul 17 2006, 03:57 AM


bart5986
post Jul 17 2006, 07:07 AM
Post #5


Member
**

Group: Members
Posts: 197
Joined: 10-August 04
Member No.: 120,085



Can anyone help?

I'm not sure what to do...


sully
post Jul 17 2006, 09:02 AM
Post #6


Meh!
*******

Group: Members
Posts: 8,085
Joined: 11-April 03
From: Here, There, Everywhere :D
Member No.: 879



Please do not bump your own topic within 24 hours; this is against the Board Guidelines and will get the topic locked if you continue to bump it within 24 hours.

Have you followed the instructions in the pinned topic, in regards to upgrading and checking for files?

Also, there is only one new patch in IPBV2.1.7 and a new feature - Virus Scanner (similar to the tools released earlier by Matt) but it's still worth upgrading as outlined in the pinned topics.

Other than that, I can't see how they are still hacking you.


athlonkmf
post Jul 17 2006, 09:51 AM
Post #7


Member
**

Group: Members
Posts: 240
Joined: 15-January 04
Member No.: 77,027
IPB Version: Not Applicable



QUOTE(bart5986 @ Jul 17 2006, 07:12 AM)

I already fixed the shoutbox exploit.

I have already scanned my ftp directory for viruses using the IPB tool and found nothing.

All the passwords were already changed to 20 character random passwords last time I got hacked.

My server doesn't give SSH access I don't think, I don't have it in my cpanel and it's not offered by my host anyway.


I'm convinced this is something to do with the password recovery thing, but I'm not sure.


Also, the guy put this in my sig.

0WN3D BY F3X

<SNIP>


ffs, he has the potential to delete everything by me having supermod powers.

Do I have to demote myself to protect myself?



Have you changed your password and used the option, make new salt?

Because it seems that he simply still has the cookie with your loginkey.

But still, without looking into your logs or seeing the situation ourselves, there isn't much we can do to help you.

This post has been edited by athlonkmf: Jul 17 2006, 09:52 AM


Clonxy
post Jul 17 2006, 02:15 PM
Post #8


Advanced Member
***

Group: Members
Posts: 381
Joined: 6-March 06
Member No.: 208,463



Use .htaccess and protect your shoutbox folder from being accessed by everyone.
Yes, folder, not files, but folder.

This post has been edited by Clonxy: Jul 17 2006, 02:15 PM


bart5986
post Jul 18 2006, 04:55 AM
Post #9


Member
**

Group: Members
Posts: 197
Joined: 10-August 04
Member No.: 120,085



Never mind, I found out what it was..

QUOTE
"D21-Shoutbox v1.1 Exploit Admin Password Change"
Original Exploit Found by Windak & langtuhaohoa
POC of the exploit was released earlier today, and it works.


sully
post Jul 18 2006, 05:05 AM
Post #10


Meh!
*******

Group: Members
Posts: 8,085
Joined: 11-April 03
From: Here, There, Everywhere :D
Member No.: 879



I was just coming here to post that. There is no security patch for the Shoutbox Mod, I dunno where you got that from?

Also, that's most likely the cause of the problem.


JcLusso
post Jul 18 2006, 06:28 AM
Post #11


Newbie
*

Group: Banned
Posts: 76
Joined: 22-June 06
Member No.: 229,645
IPB Version: Not Applicable



Hey, if you haven't put IPs in the IP restriction mod it won't do anything. You have to enter your IP and that of any other member that you want to have access to the admin cp. Be careful though, because if you put it in wrong you can lock yourself out and then you have to delete the admin cp and put it back. Maybe this guy is hacking your ftp and removing the IP restriction mod if you have IPs in it. That is the only possible way he could be getting in. Also I think you should install the LSS mod, Login Security System. I have it, and if someone enters the password wrong whatever number of times you pick, you can make it so they are locked out for a certain amount of time or need email verification. I have the email verification and 4 wrong passwords. If you set it to time it won't really prove it is the real member. Also maybe install the BAX Admin Mod. This mod shows you how to change the name of the acp, so even if one of the admin accounts that has acp access gets hacked, when they click the link it says a not found error for the admin.php. The only way he can access your acp is if he can figure out the file name, but if you make it random it will be very difficult.

Just thought this might help.

-JcLusso-

