#1
my server was hacked
I run vBulletin 3.0.3 with a few 3rd party addons. I was hacked the other day and the hacker set up a cron job to attack another server. I was just wondering if SQL injection could have triggered this, or how on earth someone can go about doing this. I have no idea how they could have got in, or how they set up the cron job. Do they know my cPanel password? It's a very cryptic password and would take years to brute-force crack.
How are these guys doing it?
#2
I don't know anything specific to vBulletin, but a little googling on vBulletin and vulnerabilities ought to get you up to speed. It is not uncommon to get hacked via SQL injection, but it is quite likely that there are easier ways. SQL injection first requires taking over the database (whatever one you happen to have), which is an extra layer of expertise most hackers lack; I suspect that there are other ways to penetrate your machine. If you are not keeping completely up-to-date on ALL patches for ALL your servers and the OS, you are potentially making yourself quite vulnerable. There is also the very real chance that someone is using a new exploit, but if you haven't been keeping up with your patches then they could be using something very old. BTW, when you access your machine, is it always via a secure connection like SSH (HTTPS if everything is via the web)? If not, anyone who wants to take the time can sniff your username/password as you authenticate.
If you are interested, I have a little secure programming writeup, you can access it via my sig.
__________________
Left DevShed May 28, 2005. Reason: Unresponsive administrators. Free code: http://sol-biotech.com/code/. Secure Programming: http://sol-biotech.com/code/SecProgFAQ.html. Performance Programming: http://sol-biotech.com/code/PerformanceProgramming.html. It is not that old programmers are any smarter or code better, it is just that they have made the same stupid mistake so many times that it is second nature to fix it. --Me, I just made it up. The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man. --George Bernard Shaw
#3
Thank you, I will have a read up about it. It's not a secure connection to the FTP; how hard would it be to sniff?
#4
There have been a number of major vulnerabilities in PHP announced recently. A lot of PHP software is affected, including vBulletin. Exploits using these will be multiplying rapidly. Upgrade to 4.3.10 or 5.something ASAP.
phpBB is a MAJOR hole here (there was a worm released last week which uses this to enter a system), so if you're running that on the same server, this is likely to be the point of entry. The best way to track the intrusion down is to look at your server logs. It should be fairly easy to spot SQL injection attacks. But I think it's probably those PHP/vBulletin holes. Finally, look into using SSH/SCP/SFTP to transfer files instead of FTP etc.
#5
While it takes a bit of talent and understanding of network protocols (which I lack the details on), basically all Internet communications are available to all machines connected to the Internet (it is not really that simple, but not much more complex). Therefore anyone with suitable equipment can listen to any communication stream they are interested in, hence any unencrypted communication stream is like reading an open book. Someone has to want to go to the trouble, though, but if they want to, then the effort is minimal. What is a bit more likely is that there are automated programs probing your machine for known weaknesses and exploiting them automatically, which is why I suggest you get up-to-date on all patches for all software running on your server.
Just as a by-the-by, just because you are convinced your password is too cryptic to guess does not mean that you have really chosen a good password. Let's say that a hacker found a way to get your password hash file off your machine via some exploit through some software you have installed. They can take that hash and use what is called a dictionary attack on it and quite possibly find your password in seconds or minutes by a simple lookup in a pre-hashed dictionary of likely passwords. With disk storage so cheap today, it is not unreasonable to have several hundred gigabytes of pre-calculated password hashes, making the lookup near real-time. The 'dictionary' starts out exactly like one, then they add known variations in how people change capitalization, abbreviations and special characters. They may have 10 billion combinations! In any case, I figure the greatest likelihood is they took advantage of a known vulnerability in existing software and just created their own account; why go through all this effort if a simple hack can get you what you want?
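The pre-hashed dictionary lookup described in the post above, as an added PHP example that is not from the thread: the word list, variation rules and "stolen" hashes are constructed for the demo, and the second half shows why a per-account salt makes the same table useless.

```php
<?php
// Added example, not from the thread: why a pre-hashed dictionary finds an
// unsalted password instantly, and why a per-account salt defeats that table.
// Word list, variation rules and the hashes looked up are all constructed.

// Expand a base word list with the kinds of variations the post describes
// (capitalisation, trailing digits, symbol substitutions), then hash each one.
function build_prehashed_table(array $words): array
{
    $table = array();
    foreach ($words as $w) {
        $variants = array(
            $w, ucfirst($w), strtoupper($w), $w . '1', $w . '123',
            str_replace(array('a', 'e', 'o'), array('@', '3', '0'), $w),
        );
        foreach ($variants as $v) {
            $table[md5($v)] = $v;   // hash -> plaintext, paid for once up front
        }
    }
    return $table;
}

// Recovery is a single array index: this is the "near real-time" step.
function lookup_hash(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

$table = build_prehashed_table(array('password', 'secret', 'dragon', 'letmein'));

// Unsalted MD5 of a "cryptic-looking" password from a constructed hash file:
// it is just a dictionary word with substitutions, so the table has it.
$stolen_unsalted = md5('dr@g0n');
echo lookup_hash($table, $stolen_unsalted) ?? 'not found', "\n";

// Same password stored with a random per-account salt: the table was built
// without that salt, so nothing matches and the work must be redone per salt.
$salt = bin2hex(random_bytes(8));
$stolen_salted = md5($salt . 'dr@g0n');
echo lookup_hash($table, $stolen_salted) ?? 'not found', "\n";

// Current PHP: password_hash() applies a random salt and a slow hash for you,
// which removes both the precomputation and the "seconds or minutes" problem.
```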
#6
FWIW: in a lot of older MySQL versions (4.0 something down, IIRC), just knowing the password hash was good enough to give you access.
#7
It might be related to the init.php SQL injection bug.. Though it only works if magic_quotes_gpc is off..
The specialtemplate variable is vulnerable and the fix is: open the init.php file and search for these lines:

    $datastoretemp = $DB_site->query("
        SELECT title, data
        FROM " . TABLE_PREFIX . "datastore
        WHERE title IN ('" . implode("', '", $specialtemplates) . "')
    ");
    unset($specials, $specialtemplates);

Replace with these:

    if (!is_array($specialtemplates)) exit;
    $specialtemplate = array();
    foreach ($specialtemplates AS $arrykey => $arryval) {
        $specialtemplate[] = addslashes($specialtemplates["$arrykey"]);
    }
    $datastoretemp = $DB_site->query("
        SELECT title, data
        FROM " . TABLE_PREFIX . "datastore
        WHERE title IN ('" . implode("', '", $specialtemplate) . "')
    ");
    unset($specials, $specialtemplates, $specialtemplate);
__________________
Visit ARDictionary - A free online English - English dictionary!
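As an added example that is neither vBulletin's code nor the poster's, the two functions below model how the init.php datastore query is assembled from the request-supplied array before and after the posted addslashes() change; the table prefix, function names and input values are assumed or constructed.

```php
<?php
// Added example, not vBulletin's code: models how the init.php datastore query
// is built from the request-supplied $specialtemplates array, before and after
// the fix quoted in the thread. Prefix and inputs are assumed/constructed.

// Before the fix: array elements land in the IN (...) list unchanged.
function build_datastore_query_unescaped(array $specialtemplates, string $prefix = 'vb_'): string
{
    return "SELECT title, data FROM " . $prefix . "datastore WHERE title IN ('"
        . implode("', '", $specialtemplates) . "')";
}

// After the fix: refuse anything that is not an array and addslashes() each
// element, which is what magic_quotes_gpc did automatically when it was on.
function build_datastore_query_escaped($specialtemplates, string $prefix = 'vb_'): ?string
{
    if (!is_array($specialtemplates)) {
        return null;                       // the posted fix calls exit here
    }
    $specialtemplate = array();
    foreach ($specialtemplates as $val) {
        $specialtemplate[] = addslashes($val);
    }
    return "SELECT title, data FROM " . $prefix . "datastore WHERE title IN ('"
        . implode("', '", $specialtemplate) . "')";
}

// Constructed request input: one normal name and one element containing a
// single quote, which a client can send when magic_quotes_gpc is off.
$input = array('options', "user's template");

// The quote ends the string literal early, so the rest of the element is
// parsed as SQL rather than as data: that is the injection point.
echo build_datastore_query_unescaped($input), "\n";

// addslashes() turns ' into \', keeping the whole element inside one literal.
echo build_datastore_query_escaped($input), "\n";

// A scalar instead of an array is rejected before any SQL is built.
var_dump(build_datastore_query_escaped('options'));

// Note: addslashes() is not charset-aware; in current PHP a prepared statement
// (PDO or mysqli) is the robust way to pass this list to the database.
```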
#8
vBulletin versions below 3.0.5 can be nuked. The vB dudes were prudent in not allowing the exploit code to be generally available like the phpBB one.
You are welcome to check out the issue on vBulletin's support pages.