Not sure where to post this.. thought WHT would be the best place to ask..

Well.. never thought it would happen to mine..

But someone, which I know, hacked into one of my sites..

We have the guy's home info, from doing a WHOIS on one his domain names..

He hacked into my account on my vBulletin.. which allowed him to view everyones passwords..

Then started posting childish crap on the front page (whole site is integrated w/ vB.. using vBPortal)

What should I do now? Contact his ISP?

What I believe that their ISP will simply said that you'd better take a legal action.

If you have a lot of money, I'd suggest you to talk with your lawyer about this.

If your site was technically hacked, ie someone breached the security, bute forced in, etc.... you can always contact the FBI to file a report. They may not do much but if you have the person's contact info, they may very well send an agent over to talk to them and see if its a simple enough case.... that alone would scare the hell out of most people and who knows, it may end up in an arrest.

Originally posted by sodapopinski
If you have a lot of money, I'd suggest you to talk with your lawyer about this.

Why talk to a lawyer? What you should do is talk to the police (if the culprit is the US, report it to the FBI).

Yes.. culprit lives in TN actually..

So where do I go exactly? FBI page.. etc..?

http://www.nipc.gov/incident/incident.htm

I'd call them! This need to be taken seriously, even though the FBI may not do anything about it! Also, make the guy aware that you have reported it. He'll never come to your site again!

*cough* Actually, the FBI specifically request that you do not contact the person behind attacks, since it makes their investigations much harder.

Hacked vBulletin, gotta deal with FBI.
Wow, spooky...

Originally posted by cperciva
*cough* Actually, the FBI specifically request that you do not contact the person behind attacks, since it makes their investigations much harder.

Yeah, you're right. I just fear the FBI will do nothing about it, and that doesn't help you when you've lost your forum, and all it's members. I mean, what you want is to get rid of this guy, so that he won't return. Probably some kid messing around. Fear and threats works! I know, Im doing it every day!:)

Originally posted by Quill
Hacked vBulletin, gotta deal with FBI.
Wow, spooky...


agreed
i'm sure the fbi have better things to do then to deal with some guys silly website.

I'm not so sure the FBI wouldn't get involved. If the hacker now has email address and password info, that is enough to do personal and financial damage if forum members use the same password for everything they do online. When contacting the FBI, I'd point that out to make it sound more serious.

I think the main reason the FBI would get involved would be that people who crack into servers rarely stop at one. The evidence you have of criminal activity is sufficient for them to seize equipment, and at that point they would likely uncover evidence of numerous other attacks.

Originally posted by Matt 26z
I'm not so sure the FBI wouldn't get involved. If the hacker now has email address and password info, that is enough to do personal and financial damage if forum members use the same password for everything they do online. When contacting the FBI, I'd point that out to make it sound more serious.


gee, i didn't know vbulletin asked you for your personal info
e.g. home address
e.g. city
e.g. state
e.g. anything that could do damage
it asks you about your interests, bio, etc.
not anything that could harm people

My personal experience has been that most hackers are kids. FBI may or may not do anything. However you can easily call the kids parents and inform this. I'm sure that'll scare the kid.... ;-)

The more important thing is to prepare for the future. Do not let anyone else hack your site. Make it secure. Do not leave any back doors open... That is a safe bet. In the end you need your site to be running....

Have a great day :)

regards
amar

Originally posted by bobcares
My personal experience has been that most hackers are kids. FBI may or may not do anything. However you can easily call the kids parents and inform this. I'm sure that'll scare the kid.... ;-)

The more important thing is to prepare for the future. Do not let anyone else hack your site. Make it secure. Do not leave any back doors open... That is a safe bet. In the end you need your site to be running....

Have a great day :)

regards
amar


My god, would you guys give it up with the "hackers"

They aren't hackers, they are just kiddies. Any 3 year old can get into a message board. I'm sure the password was REALLY easy. It's not ilke he broke into the server, or went on a rm -rf'ing spree.

Some people just don't understand

gee, i didn't know vbulletin asked you for your personal info

Clocker1996, you are not thinking. Here is just a couple examples...

Suppose the hacker would head over to PayPal and try all the email addys and passwords he got off the forum DB? Some people are bound to use the same.

No personal info? Suppose some of the members run websites, and make this known. Domain lookup gives personal info. A quick check of larger area banks and their online banking against the known usernames and passwords could be dangerous if they use the same.

Sure, all of this would take time. But, to some teenager with nothing else better to do and a little luck...

Well if people use the same *USERNAME* and the same *password* for their online banking, then thats their own fault.

If you aren't smart enough to know that you shouldn't use the same username and password for things like online banking then you deserve whatever comes to you, or maybe you shouldn't be using online banking.

Besides, show me a website where they have fields like "username, password" for logging into online banks.

I dont think banks are that simple.....Like mine for instance, they make you enter more then that, debit card #, assigned password, etc.

So please don't tell me that bull about those poor people who are careless, they deserve it.

I think saying what u said about those people is uncalled for, is it smart, no, but not everyone thinks like you. As for online banking, with your bank account, that is not so realisitc, but with paypal, I think it is. Honestly to some people chooseing a password you use over and over does not seem bad to them. I bet if you take the users passwords and try them for their email address 50% or more would work.

Originally posted by davidb
I think saying what u said about those people is uncalled for, is it smart, no, but not everyone thinks like you. As for online banking, with your bank account, that is not so realisitc, but with paypal, I think it is. Honestly to some people chooseing a password you use over and over does not seem bad to them. I bet if you take the users passwords and try them for their email address 50% or more would work.

I agree with you about the paypal that is more likely to happen.

Just a side note:

In my experince, if you haven't lost more than $500 dollars in revenue due to the attack, they won't even look at the incident report....


Call the guys ISP and send them logs of what he did....
Then I would call the little prick and have some fun with him, but thats me :D And I'm evil like that...

Originally posted by The Prohacker

Then I would call the little prick and have some fun with him, but thats me :D And I'm evil like that...

http://www.pranknet.org/gaypride.mp3 :D :) :D :)

Originally posted by bobcares
My personal experience has been that most hackers are kids. FBI may or may not do anything. However you can easily call the kids parents and inform this. I'm sure that'll scare the kid.... ;-)

The more important thing is to prepare for the future. Do not let anyone else hack your site. Make it secure. Do not leave any back doors open... That is a safe bet. In the end you need your site to be running....

Have a great day :)

regards
amar

This guy isn't a kid.. he's 36 or somewhere around there..

Originally posted by Lawny


This guy isn't a kid.. he's 36 or somewhere around there..

Uh,

who are you talking about? The guy who started this thread, or the guy who is responsible for the damage?

I hope your talking about the guy who started this thread, otherwise I would really wonder about you.

Originally posted by clocker1996

I dont think banks are that simple.....Like mine for instance, they make you enter more then that, debit card #, assigned password, etc.

It is as simple as it sounds. I use Chase Bank, with their online banking all you have to do is enter your username and password, and you are in. Though, before you actually get a username you have to provide your account #, pin etc.
Peep it: https://chaseonline.chase.com/chaseonline/logon/sso_logon.jsp

So please don't tell me that bull about those poor people who are careless, they deserve it.

People make mistakes, just because a person uses same user and password it does not mean that they deserve to be punished.

Chicken: good luck with trying to log into my account. :D


...jk.

true
but you see, you are just proving my point with the banking system online

as you clearly said
its not as simple as username/pass

you have to know alot more :P

I think you are mistaking captain. Before you actually start online banking they require all your info, but once you open it you can use your username and password to log in. You do not need to know/have anything about the person but their user/pass.


Real true hackers will not bother with small fish, you can all sleep safe. BUT there is a bunch of wannabe's that you need to protect yourself from. Once they attack, squash them like a little boogers.

Originally posted by clocker1996
http://www.pranknet.org/gaypride.mp3 :D :) :D :)

Originally posted by The Prohacker
Then I would call the little prick and have some fun with him, but thats me :D And I'm evil like that...

When I worked for a software company, I was tasked by the CEO to track down some pirates that were posting our software in a binaries usenet group.

I had some great conversations with some scared people, and only wish that I had recorded them. So don't forget to record them for posterity's sake, if not for evidence. :)

www.pranknet.org/happypride.mp3 :)

Other than "scream" and run around the office like a crazed nut :D ...j/k

If you are a hosting company i would certainly get the FBI involved.

If you do not take action to first further secure the entrance and second to contact the authorities, then you're telling them it's ok.

Yup...it's ok to hack us ...walk away .....and yup...you can come back and try again if you wish.... :rolleyes:

isn't that what you're saying? :eek:

Of course ..for a personal website it would depend if any important information was stolen .....for you to contact the authorities.

I think this is mainly a flaw in the message board you are using. Passwords should never be stored as plain text. They should be encrypted. Even better if it's one-way encryption such as unix's crypt function. If I were you I would find a way to store the password in an encrypted format so this doesn't happen again in the future. I'm sure someone has written a mod for vBulletin to do this.

And I agree, I wouldn't call someone getting into a message board "hacking". But the fact that the passwords were there for all to see makes this pretty bad.

Originally posted by Xev
Even better if it's one-way encryption such as unix's crypt function.

s/one-way encryption/hash function/

If I were you I would find a way to store the password in an encrypted format so this doesn't happen again in the future.

Of course, this is likely to have no useful effect, since if you can access back-end files directly, you can probably trojan the executable to sniff passwords as they are used. It might take longer, but it's not likely to be quickly uncovered.

If I can ask another question, along the same lines:

What can you do about a DoS attack? I lease a dedicated server that was apparently hit by a DoS attack recently. Although they didn't actually "break in" to my server or bring it down (the pipeline is pretty robust), they sure racked up a bunch of bandwidth charges for me. Now I'm worried that someone could do it whenever they want to and cost me a fortune - and there's little I can do about it.

Does the FBI investigate this stuff, too?

Originally posted by The Prohacker
Just a side note:

In my experince, if you haven't lost more than $500 dollars in revenue due to the attack, they won't even look at the incident report....


FBI most likely will not get involved with the incident unless the loss is greater than $5000.

-Sqposter / Michael