Security issue

If your traffic is down and not picking up, go to your google webmasters account and ask for re inclusion.
They took 15 days to do my forum. To give some idea of the time frame involved.
Believe me, I had no idea I had been hacked and spent a week playing with the forum prior to asking for re inclusion.
The reply you get is very vague and I still have no idea if I passed their requirements.

i have refrained from looking at the impact on Diesel Bombers - Diesel Forum - High Performance, Cummins, Duramax, Powerstroke, TDI in google analytics untill just now and let me say that this has been detrimental to my site i went from over 5,000 visits from google every day before Feb 20th and from Feb 20th until now im lucky to be 1500 .

This is very bad. i have sent in a reconsideration to Google and my fingers are crossed , i still have links on Google so i guess Im not Black Listed or what ever but the effect on my site starting Feb 20th is unimaginable.

And to think that there are Other people just like me WHO DONT KNOW THIS IS HAPPENING and nobody is giving them a heads up is a DISSERVICE TO OUR FELLOW WEBMASTERS !

I will pray that Google lets my traffic ge back like it was because it has yet to rebound in days after fixing the redirect.

No matter who is responsible we need to let everyone know about this , the more people we have looking and confirming the issue the better chance we have for the software developers of getting the information they need to fix it .

Quit dragging your feet do something about this PLEASE!

Originally Posted by DieselMinded

i have refrained from looking at the impact on Diesel Bombers - Diesel Forum - High Performance, Cummins, Duramax, Powerstroke, TDI in google analytics untill just now and let me say that this has been detrimental to my site i went from over 5,000 visits from google every day before Feb 20th and from Feb 20th until now im lucky to be 1500 .

This is very bad. i have sent in a reconsideration to Google and my fingers are crossed , i still have links on Google so i guess Im not Black Listed or what ever but the effect on my site starting Feb 20th is unimaginable.

And to think that there are Other people just like me WHO DONT KNOW THIS IS HAPPENING and nobody is giving them a heads up is a DISSERVICE TO OUR FELLOW WEBMASTERS !

I will pray that Google lets my traffic ge back like it was because it has yet to rebound in days after fixing the redirect.

No matter who is responsible we need to let everyone know about this , the more people we have looking and confirming the issue the better chance we have for the software developers of getting the information they need to fix it .

Quit dragging your feet do something about this PLEASE!

I am not sure why actually you are posting this message here. As other users confirmed this issue happens on boards that don't have vBSEO installed which clearly shows this is NOT a security hole in vBSEO. Even on that condition you can clearly see our efforts on identifying the issue so our customers will not get effected with this but yet you still post messages like this which makes me think are we actually doing the right thing tho assist you guys even currently it's not our responsibility.

VBSEO is my life line to Search Engine Traffic , So when it drops off to nearly totally this is where i come to get help , and it shows you guys are doing everything you can , and i Thank you for your efforts.

when it comes to search engine success , VBSEO is the place for discussion so when something happens to vbulletin that hijacks all the search engine traffic i figured vbseo would be the spear head on the fix rather vbseo was responsible or not , as the hack seems to be on multiple platforms

Thanks Again and Good Luck we are pulling for you

If the attacks are happening through the admin cp area.
In idiot terms and a simple method.
How can we password protect the admin folder?
The term shutting the gate after the horse has bolted springs to mind in my own case, but if it needs doing.

Thanks for any help on this one guys.

Just to get this out of the way do you use Smart FTP ? i seen they had an update today Just Curious

Originally Posted by Lee G

If the attacks are happening through the admin cp area.

What the Team here found in my Log´s it look like. Thanks for your investigation.
But how they get all the passwords - were is the hole they get the passwords of so many forums.

And they use a invisible Admin. The Admin i normal Use do not have the full rights. (Can not delete Admin Log)
But the "one and only" Admin is the one with ID#1. So I am going to make ID #1 a normal User and us a different User as Super Admin.

I am going to protect the AdminCP with .htaccess.

Christian

I'm doing a bit of research on ways to protect the admin area.

So far a simple htacess file looks the best option. IP protect the area. These area what I have found so far, in simple ways

PHP Code:

<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 00.111.22.123
</Files> 


Or

PHP Code:

<Files index.php>
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 00.111.22.123
</Files> 


Replacing the ip with your own and any other admin.
Which is OK, as long as you accessing the admin area from your home computer all the time and not another location. I have had to do this in the past.

Originally Posted by Lee G

I'm doing a bit of research on ways to protect the admin area.

So far a simple htacess file looks the best option. IP protect the area. These area what I have found so far, in simple ways

PHP Code:

<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 00.111.22.123
</Files> 


Or

PHP Code:

<Files index.php>
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 00.111.22.123
</Files> 


Replacing the ip with your own and any other admin.
Which is OK, as long as you accessing the admin area from your home computer all the time and not another location. I have had to do this in the past.

If I am not mistaken, can't they also directly look at plugin.php (Seems you are only blocking index.php in the admincp)

I have tried the first one Michael

PHP Code:

<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 00.111.22.123
</Files> 


From what I can see, it works, unless there are other ways or better ways
Or other files for that matter, which need extra security added.
It does mean that you can only access the area from the ip´s you enter, but it must take out the possibility of having another password cracked.

I'm open to any suggestions at present

The whole directory should be protected.

directions are here:
http://www.vbseo.com/f3/security-iss...tml#post261549

Originally Posted by Lee G

If your traffic is down and not picking up, go to your google webmasters account and ask for re inclusion.
They took 15 days to do my forum. To give some idea of the time frame involved.
Believe me, I had no idea I had been hacked and spent a week playing with the forum prior to asking for re inclusion.
The reply you get is very vague and I still have no idea if I passed their requirements.

Hi tehre

I would like to add something to this, you shouldnt be asking for a reconsideration from google unless you have been banned from Google or broken the rules, simply if you type the name of your site in google and its still indexed then theres no point asking for a reconsideration as your still listed in google and therefore not banned !

I too have been hit by this, and I too was baffled as to where all my traffic has gone and also my links !!

Unfortunatly there is no easy way back from this, it will just take time to get your site back to where it was, theres no point putting in re-consdierations to google for this, it wont help sorry if this isnt what you want to hear but its true.

I too would like more practical information on how to avoid this again, as its hurt my sites pretty badly, the information that is on here seems to be pretty complicated, so are there any simple things we can do to stop something like this happening again ?

Hope this helps

Woc

Originally Posted by usearchme

so are there any simple things we can do to stop something like this happening again ?

It look like that they use the Admin with the ID#1 on my site.
even that this one is not visible as Admin and i don´t use this Admin.

So i think it help to go way form defaults:

• Rename AdminCP
• Protect AdminCP
• Make User with ID#1 a normal User
• No Admin have the rights to delete AdminLog ($config['SpecialUsers']['canpruneadminlog'] = ''

Not on this Problem but anyway Protect UserFiles Folders (customavatars e.t.c)

Code:

<Files ~ "\.(php\d*|cgi|pl|phtml)$">
   order allow,deny
   deny from all
</Files>

And if its true that they simply us a normal Admin CP Login we need ton find out how they get so many Logins and Passwords at the same time and all form vBulletins Forums.

Best regards Christian

And on Google.
I think is a penalty only, no site was removed from the Index but send about 50 or 100 places back. So if they see that the problem was solved they hopfully remove the penalty and the site come back to the old place. And as fare as I see it is only for the infected URL, my Joomla Pages, same Domain, remains at the expected place.

I have submitted ticket 2976-EJXM-9276 with site logs ..





I have also added .htaccess protection to my admincp directory

Why hasnt my traffic went back up once i fixed the issue? is there a penalty ? is it google caffeine related?