
Vanilla Forum Hacked

Well, my Vanilla forum has been hacked, and I come here for some suggestions. Pretty much all of the threads on my forum have been closed, and the titles have been modified to state perverted content. Needless to say, I swiftly took my site offline.

  1. Contacted my web host. They have provided me with a backup of my database (not sure how recent it is), and they also said they did a check on my site and found no viruses on it.

  2. After getting that info I assumed that someone must have hacked into my admin account using a brute force script, since all of my thread titles were closed. However, upon logging in my password details were the same. If they did hack my admin account then I would assume they would also have locked me out. Also, it appears that a new user was made that is locking all of my threads. The user has the permissions of a member.

  3. I realize I can delete my forum and import the details of my database, but the thing is I don't know wtf caused my forum to get hacked. If I don't know, then what stops them from doing this again or exploiting some other loopholes?

I know that it's extremely hard to assist me in this situation, but any thoughts would be appreciated. I did have plugins custom designed for my forum, so that could be a vulnerability, but right now I have no idea. I can only assume it is some type of SQL injection exploit, as I do allow users to upload files.


Comments

  • Sorry to hear that your forum got hacked. Unfortunately, this risk is always around the corner. As a next step, I agree that you should take a clean backup and start from there, bringing back the forum.

    Answering the question of how the forum was hacked might be more difficult:

    • The custom plugins you got developed could be a possible vulnerability. Plugins execute code that can do (almost) anything; the only way to know if they could have been the culprit would be analysing their code.
    • Brute force attacks are more common than one may think, and they are guaranteed to succeed if passwords are not complex and long enough. Unfortunately, Vanilla doesn't provide a built-in mechanism for throttling failed logins, which is why I had to develop a plugin for it.
    • The fact that you have not been locked out is not so strange. Hacker scripts don't need a lot of time to do their damage, and, by creating a separate account, they are able to do it without you noticing. Some frameworks warn Administrators if someone else is logged in with the same account; creating a secondary one can grant hackers a bit more time to mess things up.
    • The User who closed the threads might well have been a Member with additional permissions. That's not hard to set up: one simply has to grant the "Close Discussions" permission to the Member role and all Members get it automatically.

    Suggestions to secure the forum

    • Just recently, some Users shared their security tips for Vanilla. You can read that discussion and follow the recommendations to strengthen the security.
    • Make sure that you use strong and complex passwords for the Administrator account(s).
    • Don't use the custom plugins until you have inspected them. I'm not saying that Vanilla is an impenetrable stronghold, but it makes sense to first make sure that 3rd party code didn't introduce vulnerabilities.
    • Make sure that Users can't upload malicious files. Even if your host told you that your site doesn't contain any hacking script/shell, you can't be sure someone won't try to upload one in the future.

    The above is not intended as a comprehensive guide, but I think it will be useful to get started.

  • These are solid suggestions, thanks for that. I'll be more than happy to upload the custom plugins to the site to share, but I don't want potential users installing them if there is a potential vulnerability in them. Is there a place where coders can review code here?

  • Yes, there's a developers' area; contact @underdog for info.

  • I've been in a situation like this a few times, and it seems that the bad guy put some shell script on my site disguised as an image file.
    So, I suggest that you scan your sites for suspicious files.
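One way to do that scan, as an added example that is not part of this thread: walk an upload directory and flag files whose image extension is not backed by an image header, that carry a PHP open tag, or that hide an executable extension behind an image one. The directory layout and sample files are constructed here; the "shell" contents are inert markers.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Magic-byte prefixes for the image types a forum typically allows (constructed allow-list).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# A PHP open tag anywhere in the file: a valid image header followed by code is the classic disguise.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Extensions a web server may execute; none belong in an upload directory.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl"}

def classify_upload(path: Path) -> Optional[str]:
    """Return a reason string if the file looks suspicious, else None."""
    ext = path.suffix.lower()
    # Double extensions such as shell.php.jpg
    if any(s.lower() in EXECUTABLE_EXT for s in path.suffixes[:-1]):
        return "executable extension hidden before image extension"
    if ext in EXECUTABLE_EXT:
        return "executable file in upload directory"
    data = path.read_bytes()
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        return "image extension but no image header"
    if PHP_TAG.search(data):
        return "PHP open tag inside file"
    return None

def scan_uploads(root: Path) -> List[Tuple[str, str]]:
    """Scan every file under root; return (relative path, reason) for each suspicious one."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = classify_upload(p)
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return findings

def demo() -> List[Tuple[str, str]]:
    """Constructed sample upload directory: one clean image and four disguised files."""
    root = Path(tempfile.mkdtemp())
    (root / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (root / "photo.jpg").write_bytes(b"<?php /* constructed marker, not a real shell */ ?>")
    (root / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>")
    (root / "pic.php.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (root / "x.php").write_bytes(b"<?php phpinfo();")
    return scan_uploads(root)
```

Run `scan_uploads(Path("/path/to/uploads"))` against the real directory; anything it reports should be compared with the Apache access log for requests to that path.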

  • You should look at your Apache log as well as your FTP daemon log.

  • I would recommend Cloudflare for those brute-force jerks.
