vBulletin 3.x and 4.x Redirect Security Exploit

IBxAnders
Senior Member
• Aug 2001
• 1172
• 4.0.x

#91
Originally posted by Ramsesx
Interesting, is this a new security exploit? Could someone from staff confirm this?

Definitely not NEW and this is an old issue that was related to an older VBSEO exploit. What I am seeing is that malicious php files are hard to find and people are not able to clean it out 100% - leaving their sites susceptible to more attacks.

anders | vbulletin team | check out the new vbulletin facebook app
Proudly vBulletin'ing since 2001
Please be my friend!
http://www.twitter.com/inetskunkworks
vBulletin Performance Articles:
Click here to read

djbaxter
Senior Member
• Aug 2006
• 1418
• 4.2.5

#92
Originally posted by Ramsesx
Interesting, is this a new security exploit? Could someone from staff confirm this?

See above. This is NOT a vBulletin exploit. It's a file permissions issue. And it's not particularly new, but it may be part of some of the redirection issues people are experiencing.

Psychlinks Web Services Affordable Web Design & Site Management
Specializing in Small Businesses and vBulletin/Xenforo Forums

djbaxter
Senior Member
• Aug 2006
• 1418
• 4.2.5

#93
Originally posted by IBxAnders
Definitely not NEW and this is an old issue that was related to an older VBSEO exploit. What I am seeing is that malicious php files are hard to find and people are not able to clean it out 100% - leaving their sites susceptible to more attacks.

It was not a vBSEO issue either. It was/is a server permissions issue.

Psychlinks Web Services Affordable Web Design & Site Management
Specializing in Small Businesses and vBulletin/Xenforo Forums

Ramsesx
Senior Member
• Aug 2005
• 3254
• 3.8.x

#94
Thanks for this quick answer.
.......

Paul M
Former Lead Developer
vB.Com & vB.Org
• Sep 2004
• 9886

#95
Originally posted by Ramsesx
Interesting, is this a new security exploit? Could someone from staff confirm this?

It's neither new nor a vBulletin issue - it's a server exploit.

Baby, I was born this way

Cbrown
New Member
• Mar 2006
• 23
• 3.5.x

#96
Ok, even I was hacked again. Now I didn't follow my last rule.

Change administrator passwords...

I did NOT do this. And because of this, some interesting stuff happened.

Here's the hack from this morning:
I left ALL the information and links in there because the greater good comes above some of my privacy at this point:

Forum and Site dedicated to old and rare paintball guns, the players, and those that just love the game

I grep'd my access_log and pulled out this info. That IP: 209.236.66.108 is from a Tor router, so the hacker is trying to stay anonymous.

Backstory: I had 3 admins... Myself, Cat, and Incynr8

My buddy incynr8 hasn't been around in a long long time, but he still had admin privileges from a while back. I noticed his account had activity a while back. Knew it wasn't him. Notified him to change his passwords. I removed his admin access.

In this log above (test.txt) you'll see the hacker logging into the server (mcbadmin is the admin folder for vbulletin, I renamed it, and will again after all this in a few days or so), the hacker logs in, and checks out the user "incynr8". Looks at his profile, etc. He sees that I'm catching on.

This time, after looking at the admin account "Cat", that person had a "last activity" in their profile showing for this morning... I know for a fact this person did not use or log in either.

So somehow the hacker got ANOTHER password from an admin.

...

Here's where it gets funny. I go and look at the "control panel" log for more evidence. I can't find any.

But my access_log on the server says someone was in the control panel. I check the control panel again... Where it says "Show Only Entries Generated By", there is a choice for "all users" and then a drop down box for specific users.

Well, both of the admins "Cat" and "Incynr8" are not a choice. I don't know why... I'm in the drop down list, and I'm an admin, but I can no longer see the other two as a choice.

I have since changed my password now, and I am the only admin left on the site.

...

Also looking at the log, you can see the plugin the hacker used to edit the site to redirect. For me, plugin 671 is the "Disable Swear Censor Per Forum".

I'm going to go further back through my previous logs and see if I can't find out how these user passwords were compromised. Neither of the accounts hacked have been used in months.

I will most likely change my database password just in case. I would assume if the person had the database password, they would just do it that way, not logging in as an admin. Somehow the passwords are being cracked...

That's my update for now. Will post more as I go through older logs.

Cbrown
New Member
• Mar 2006
• 23
• 3.5.x

#97
Haven't found much going through older logs... But I keep on seeing this:

89.212.30.147 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://www.mcarterbrown.com/forums/mcbadmin/user.php?do=update" "Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4"

That IP comes up as a Spam IP... Same thing done with a bunch of other IP addresses on different days. But someone is trying to do something in my admin section. Maybe running a script?
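The triage Cbrown describes (grepping access_log for hits on the renamed admin folder and looking at who made them) can be done systematically. The script below is an added example, not code from this thread or from vBulletin: it parses combined-format access log lines, keeps only requests under the admin control panel path, groups them by client IP with first/last-seen times, admin actions and user agents, and reports every IP that is not on an owner-maintained allowlist. The sample log is constructed for the example (only the 89.212.30.147 line is the one Cbrown posted; the other addresses are documentation ranges, and the allowlisted owner address 192.0.2.10, the `/forums/mcbadmin/` prefix and plugin id 671 are assumptions taken from or modelled on the thread). The request line does carry the GET query string (`do=update`), but as Paul M notes there is no POST body or cookie in these logs, so the script can show who touched `user.php` and `plugin.php`, not what they changed.

```python
"""Triage combined-format access logs for admin control panel activity (added example)."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: line 2 is the entry Cbrown posted; the rest are made up for illustration.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jun/2011:09:15:02 -0500] "GET /forums/mcbadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"',
    '89.212.30.147 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://www.mcarterbrown.com/forums/mcbadmin/user.php?do=update" "Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4"',
    '203.0.113.7 - - [07/Jun/2011:03:41:09 -0500] "GET /forums/mcbadmin/plugin.php?do=edit&pluginid=671 HTTP/1.1" 200 9900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"',
    '203.0.113.7 - - [07/Jun/2011:03:41:30 -0500] "POST /forums/mcbadmin/plugin.php?do=update HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"',
    '198.51.100.20 - - [07/Jun/2011:03:45:00 -0500] "GET /forums/showthread.php?t=123 HTTP/1.1" 200 30000 "-" "Mozilla/5.0"',
]

# Assumed: the only address the site owner administers from (maintained by the owner, not derived).
KNOWN_ADMIN_IPS = {"192.0.2.10"}
ADMIN_PREFIX = "/forums/mcbadmin/"   # assumed renamed admincp path, as described in the thread


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Query string survives in the request line; POST bodies and cookies do not.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def admin_hits(lines, admin_prefix=ADMIN_PREFIX):
    """Keep only parsed requests whose path lies under the admin control panel."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(admin_prefix):
            hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Group admin hits per client IP: count, first/last seen, actions and user agents."""
    summary = {}
    for rec in hits:
        s = summary.setdefault(rec["ip"], {
            "count": 0, "first": rec["time"], "last": rec["time"],
            "actions": set(), "agents": set(),
        })
        s["count"] += 1
        s["first"] = min(s["first"], rec["time"])
        s["last"] = max(s["last"], rec["time"])
        action = rec["method"] + " " + rec["path"]
        if "do" in rec["query"]:
            action += "?do=" + rec["query"]["do"]   # the admincp action, e.g. user.php?do=update
        s["actions"].add(action)
        s["agents"].add(rec["ua"])
    return summary


def suspicious_ips(summary, known_admin_ips=KNOWN_ADMIN_IPS):
    """Every IP that reached the control panel and is not on the owner's allowlist."""
    return {ip: s for ip, s in summary.items() if ip not in known_admin_ips}


def main():
    summary = summarize_by_ip(admin_hits(SAMPLE_LOG))
    for ip, s in suspicious_ips(summary).items():
        print(f"{ip}: {s['count']} admincp request(s) {s['first']} .. {s['last']}")
        for action in sorted(s["actions"]):
            print("   ", action)
        for ua in sorted(s["agents"]):
            print("    UA:", ua)


if __name__ == "__main__":
    main()
```

Run it against a real log with `admin_hits(open("access_log"))`; the allowlist is the part that needs care, since a spoofed or shared address (a proxy, a Tor exit) on the list would hide exactly the traffic being looked for. Anything this reports for `plugin.php?do=update` or `user.php?do=update` from an unexpected address is the kind of entry the vBulletin control panel log should also show, and a gap between the two is itself a finding.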

Paul M
Former Lead Developer
vB.Com & vB.Org
• Sep 2004
• 9886

#98
They are attempting to view [or edit] a user account.

As your logs don't log the query string [or cookies], it's hard to tell much more.

Baby, I was born this way

Cbrown
New Member
• Mar 2006
• 23
• 3.5.x

#99
Originally posted by Paul M
They are attempting to view [or edit] a user account.

As your logs don't log the query string [or cookies], it's hard to tell much more.

That's what I figured, but can you comment on the post I made above:

How is it that I can find in my access logs on the server someone doing something in the control panel and editing, but nothing shows up in the vbulletin control panel log? The only thing vbulletin recorded is that the user logged in, but nothing about the control panel (that shows up in the server logs) was logged. I'm stumped by that...

Paul M
Former Lead Developer
vB.Com & vB.Org
• Sep 2004
• 9886

Perhaps they are deleting the log records after they have finished.

Baby, I was born this way

Zachery
Former vBulletin Support
• Jul 2002
• 59097

For anyone having their search engine traffic redirected, I've only found plugin code in a vbseo plugin point in the datastore table. Enabling and disabling a single plugin normally rebuilds the pluginlist in the datastore and fixes the problem.

djbaxter
Senior Member
• Aug 2006
• 1418
• 4.2.5

Originally posted by Zachery
For anyone having their search engine traffic redirected, I've only found plugin code in a vbseo plugin point in the datastore table. Enabling and disabling a single plugin normally rebuilds the pluginlist in the datastore and fixes the problem.

Thank you, Zachery.

However, two points:

1. CBrown above at http://www.vbulletin.com/forum/showt...=1#post2168506 identifies a different non-vBSEO plugin from vBulletin.org as the source on his installation.

2. While this may fix the problem by clearing/rebuilding the datastore, since the precise entry point and method is unclear, what's to stop the problem from reappearing?

Psychlinks Web Services Affordable Web Design & Site Management
Specializing in Small Businesses and vBulletin/Xenforo Forums

Zachery
Former vBulletin Support
• Jul 2002
• 59097

Originally posted by djbaxter
Thank you, Zachery.

However, two points:

1. CBrown above at http://www.vbulletin.com/forum/showt...=1#post2168506 identifies a different non-vBSEO plugin from vBulletin.org as the source on his installation.

2. While this may fix the problem by clearing/rebuilding the datastore, since the precise entry point and method is unclear, what's to stop the problem from reappearing?

Nothing, however it is not my job to provide complete forensic analysis of your third party addons to determine where the code is coming from. If this was a completely, 100% stock vBulletin board, we would try to look into the issue. But every board I've checked has had vBSEO, also other plugins, but off the top of my head I haven't seen any similar ones specifically and is on vB3. That is the most common thing I've run into.

Cbrown
New Member
• Mar 2006
• 23
• 3.5.x

Ok, I may be way off, but this is what I'm guessing...

Due to some server issues, the hacker was able to upload a malicious .gif file and run it as a php file. I have since corrected that issue, but too little too late...

That person has then since grabbed enough info from the database and uploaded the redirect script.

Since then they must have decoded the admin passwords, and used those to regain entrance back into the admin section.

...

I'm sure about the php laden gif file. I'm not sure about the getting db info and getting the passwords. But SOMEHOW, a person snagged two of my users' admin passwords. Two people with nothing in common and living in different states. Or there is a major hole somewhere in the code.

djbaxter
Senior Member
• Aug 2006
• 1418
• 4.2.5

Originally posted by Zachery
Nothing, however it is not my job to provide complete forensic analysis of your third party addons to determine where the code is coming from. If this was a completely, 100% stock vBulletin board, we would try to look into the issue. But every board I've checked has had vBSEO, also other plugins, but off the top of my head I haven't seen any similar ones specifically and is on vB3. That is the most common thing I've run into.

Thanks. I would agree that it does seem that vB3 forums are more vulnerable to the redirect exploit, although it's unclear why. I guess this does confirm the sense in trying to ensure that ALL your software is up to date, whether it's vBulletin itself or add-ons.

Psychlinks Web Services Affordable Web Design & Site Management
Specializing in Small Businesses and vBulletin/Xenforo Forums
