A new type hack method?

  • DemOnstar
    Senior Member
    • Nov 2012
    • 1912

    #46
    Originally posted by kiss of death
    I'm just really confused as to why someone with that level of access would try and cover their tracks by removing the plugin and user account but not prune the logs?
    Removing the account and the plug-in so that admin won't see it suggests that they don't want to be seen. They come in, do the nasty and move out. The nasty is obviously set to trigger at some point in time (possibly cron related). Check your scheduled tasks for unrecognizable cron jobs. Snapshot the cron folder or count the number of files within and keep for future reference.

    Not pruning the logs could mean that they are not aware of this functionality. Otherwise they would have done it.



    • Scream And Fly
      Member
      • Jan 2004
      • 75
      • 3.6.x

      #47
      I'm so very glad that VBulletin took the time out to send a message to all of their customers about this. Imagine if people had to find out about this the hard way...


      • DemOnstar
        Senior Member
        • Nov 2012
        • 1912

        #48
        For some people, they did find out a little too late. At least they found out and now I would think that most people know.



        • dougdirac
          Senior Member
          • Jul 2012
          • 425
          • 4.2.X

          #49
          Originally posted by Scream And Fly
          I'm so very glad that VBulletin took the time out to send a message to all of their customers about this. Imagine if people had to find out about this the hard way...
          I assume this is sarcasm since people finding out the hard way is exactly what happened, unnecessarily (and inexcusably) so. Last week I tried to ask what the policy is about sending an email about security threats but the thread was closed without providing an answer to this simple question. All I can guess is that whoever is "responsible" left early for Labor Day weekend. Not very reassuring to the customer when important security warnings take holidays off. :/


          • akoj
            Member
            • Jun 2004
            • 78
            • 3.6.x

            #50
            My hacker this a.m. was nice enough to identify himself with the email [email protected] and username TH3H4CK. A mod caught it fairly quickly but couldn't delete the account, but I was able to. It was created as an admin account. None of the files you all mentioned were installed, but I wonder if we just caught it in the nick of time OR I am in for a nasty surprise soon.
            Be "Tween" Talk Forums | Kids Craft Club | Spina Bifida Connection


            • DemOnstar
              Senior Member
              • Nov 2012
              • 1912

              #51
              I don't know about nasty surprises; I don't think anybody knows much on this guy..



              • Ion Saliu
                Senior Member
                • Sep 2010
                • 172
                • 4.2.X

                #52
                Originally posted by akoj
                My hacker this a.m. was nice enough to identify himself with the email [email protected] and username TH3H4CK. A mod caught it fairly quickly but couldn't delete the account, but I was able to. It was created as an admin account. None of the files you all mentioned were installed, but I wonder if we just caught it in the nick of time OR I am in for a nasty surprise soon.
                Axiomatic Colleague of Mine:

                What a coincidence! That bastard (criminal, actually) registered in my forum, too! He did it 10+ times!

                User: Th3H4ck
                Email: [email protected]
                User Title: Administrator

                I discovered his/their IP addresses as well and banned them. See my recent thread here:
                Best of luck, axiomatic one!

                Ion Saliu,
                Watchdog At-Large
                Forums: Lottery, Lotto, Gambling, Software, Systems


                • fccsonline
                  New Member
                  • Sep 2005
                  • 24

                  #53
                  This affected us big time.

                  I have a small VPS hosting a friend's website - vbulletin forum. About a year ago he took over the patching / upgrading and backing up. Unfortunately, he hasn't taken a backup for a year, and the last upgrade left the install directory....

                  This hacker, username of "VBking" deleted half of his forums. The transaction log is just plain ugly - and as far as I know, without a backup, there's no "undo."

                  I think he might be up a creek without a paddle, but I'm trying to help as best I can. I've contacted the webhost to see if there's any option to obtain a backup of the database from a previous date - but there's nothing we had in place ourselves. I was under the impression he was backing up via cpanel.


                  • Ambro
                    New Member
                    • May 2013
                    • 8
                    • 5.0.X

                    #54
                    Just so you're all aware, the takeover is being issued directly from install/upgrade.php: the attacker posts to this page and RIGHT after gains access to the admincp page. This requires the person to have registered a forum account prior and to be logged into a valid session for that registered user.

                    Once he/she posts to the upgrade.php page, the user he/she's logged in as becomes an administrator of the forum. For persistence, the attackers are installing php backdoors so that they can retain access to the forums in the event of their account being removed.

                    Anyhow, if you've been targeted by this, to locate potential malicious plugins, from within MySQL in your VBulletin forums database, issue these queries:

                    SELECT * FROM plugin WHERE phpcode LIKE '%base64%';
                    SELECT * FROM plugin WHERE phpcode LIKE '%lol%';
                    This exploit is a direct derivative of the "vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne"; the new variant was revived by "Ne0-HackeR & G00g!3W!0r" from UGHackers.

                    This new variant is literally the same PHP code base as the original but with a modification for how it locates the CUSTNUMBER hash.

                    To protect yourself from this, completely remove your install directory or at the very least, protect it with .htaccess.

                    ALSO, this is an important one: protect your admincp and modcp folders with .htaccess. I'd recommend using IP/subnet based ACLs, not password based, since that can be bruted.

                    Set up iptables, PF / etc. and create rules for accessing FTP over port 21 and SSH. Change your default SSH port to something non-standard and restrict authentication to public/private keys ONLY... Only allow connection requests from the outside from whitelisted source addresses / subnets for both FTP and SSH.

                    Also, if you'd like to collect metrics on how many people are querying these pages, create a simple PHP script in the same location for index.php and create a symbolic link to upgrade.php. Inside, write a small routine for logging IPs to your MySQL database.

                    I've been keeping track of people hitting my site and as of recent, in the last week have 18 attempts logged.

                    -Ambro
                    Last edited by Ambro; Fri 6 Sep '13, 11:38am.



                    • adeel786
                      adeel786 commented
                      Thank you for writing this in detail.

                      I was a victim of this hack. Even after deleting the install file, the hacker kept replacing my AdSense with his.

                      I found the plugin using your MySQL trick and deleted it, and I'm really hoping he won't be able to harm me anymore. He hurt me enough already.

                    • induslady
                      induslady commented
                      Hi Ambro,
                      Our site was hacked. We just removed the 'install' directory. There were Admin accounts created. Removed and blocked IP.
                      We also see via the Control panel log (for the date on which these admin accounts got created) there were a few more usernames (edited and killed) and plugins touched (displays plugin id).

                      But when we ran your above query in plugin table in vB DB, it returned no results.

                      We did not see anything weird so far in the front end or any redirect of 'index.php'. However, in one of the styles we use, we got a message at the top of the header:
                      "Kindly delete your install directory of forums. Otherwise, you will keep getting hacked".

                      Did the hacker put up this message? Weird? However, this message was not displaying in the other styles we use.
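As an added example (not code from Ambro's post or from vBulletin), here is a small Python scanner that generalizes the two LIKE queries in #54 to a broader indicator list, so a plugin that does not literally contain "base64" or "lol" (the no-results case induslady describes) can still be flagged for manual review. The `SAMPLE_PLUGINS` rows are constructed to mimic the columns of the vBulletin `plugin` table; against a real forum you would fetch them from MySQL instead.

```python
import re

# Constructed sample rows shaped like the vBulletin `plugin` table
# (pluginid, hookname, title, phpcode). Not data from any real forum.
SAMPLE_PLUGINS = [
    {"pluginid": 1, "hookname": "global_start", "title": "Custom Footer",
     "phpcode": "$footer_note = 'Thanks for visiting';"},
    {"pluginid": 2, "hookname": "global_bootstrap_init_start", "title": "lol",
     "phpcode": "eval(base64_decode('Y29uc3RydWN0ZWQ='));"},
    {"pluginid": 3, "hookname": "forumhome_start", "title": "Stats",
     "phpcode": "$vbulletin->stats['x'] = 1;"},
    {"pluginid": 4, "hookname": "global_start", "title": "Ads",
     "phpcode": "if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }"},
]

# Indicators worth a manual look. The first two mirror the thread's LIKE
# queries; the rest are obfuscation and command-execution primitives that a
# legitimate template/stats plugin rarely needs. Matching is case-insensitive.
INDICATORS = [
    ("base64", re.compile(r"base64", re.I)),
    ("lol", re.compile(r"\blol\b", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("decoder", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("shell exec", re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(", re.I)),
    ("superglobal input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
]


def scan_plugins(rows):
    """Return (pluginid, title, hookname, [matched indicator names]) for each
    row whose title or phpcode matches at least one indicator, in table order."""
    findings = []
    for row in rows:
        haystack = f"{row['title']}\n{row['phpcode']}"
        hits = [name for name, rx in INDICATORS if rx.search(haystack)]
        if hits:
            findings.append((row["pluginid"], row["title"], row["hookname"], hits))
    return findings


if __name__ == "__main__":
    for pluginid, title, hook, hits in scan_plugins(SAMPLE_PLUGINS):
        print(f"plugin {pluginid} ({title!r} on {hook}): {', '.join(hits)}")
```

A hit is a reason to read the plugin's code, not proof of compromise; compare any flagged plugin against the product's own plugin list and the admin CP log entries for the dates in question.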
                  • Robbed
                    Member
                    • Oct 2005
                    • 98
                    • 4.2.X

                    #55
                    So is VB going to respond to this issue? It's happened to us as well; it would have been nice to receive an email notification.

                    The funny thing is a while back I asked if it was a good idea to delete install folder after every upgrade and they said it wasn't necessary.


                    • kiss of death
                      Member
                      • May 2008
                      • 64
                      • 3.7.x

                      #56
                      I don't believe removing the install directory fixes the issue. I removed the install directory, then restored my database to the day before my site was accessed, checked my admin cp yesterday and had my usual 4 admins; when I checked again today, I had another new admin called "__" with an email address of "[email protected]". I've checked the control panel logs and there has been no cp access or any plugins installed; checked my ftp, file dates are later than the 6th of June when I last updated vbulletin.


                      • Zachery
                        Former vBulletin Support
                        • Jul 2002
                        • 59097

                        #57
                        Originally posted by Robbed
                        So is VB going to respond to this issue? It's happened to us as well; it would have been nice to receive an email notification.

                        The funny thing is a while back I asked if it was a good idea to delete install folder after every upgrade and they said it wasn't necessary.
                        We've advised customers to remove the install folder, that is our response. Once you remove it the exploit vector is gone.

                        In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Over time the system changed, which allowed an issue to crop back up.


                        • Birdman
                          New Member
                          • May 2010
                          • 7
                          • 4.0.0

                          #58
                          How do I remove the install directory... where is it in the root folders... can't seem to locate it. However, our site has not been a victim "yet". Maybe it's because the human verification registration security protocols I have in place are preventing it. Running 4.2.0


                          • induslady
                            Senior Member
                            • May 2005
                            • 230
                            • 3.7.x

                            #59
                            Hi,
                            We suspected they changed something in the styles / templates.

                            Looking at the templates (both in the parent style and other styles) and reviewing the 'Edit history', some of the templates show
                            'Edited by Jelsoft', 'Edited by vBulletin', which are vbulletin edits.
                            Some show 'Edited by' our own admin accounts - probably some template customizations.
                            While some templates show as below:
                            blog_blog_rown - Last edited December 15 2010 at 13:29 by ksours
                            blog_comment_profile - Last edited December 21 2009 at 16:59 by freddie
                            blog_cp_manage_categories - Last edited December 9 2010 at 16:32 by michael.lavaveshkuli

                            Are these something that we should suspect? Could it be possible they changed the edit date and time?
                            IndusLady
                            Indian Ladies Discussion Board | Indian Women Online Community


                            • DemOnstar
                              Senior Member
                              • Nov 2012
                              • 1912

                              #60
                              Originally posted by Birdman
                              How do I remove the install directory... where is it in the root folders... can't seem to locate it. However, our site has not been a victim "yet". Maybe it's because the human verification registration security protocols I have in place are preventing it. Running 4.2.0
                              Unless you have or somebody else has removed it, it should be at your forum root. With me, it comes after the includes folder. Alphabetical order I assume.

