My site is very successful and has had, up to this point, minimal issues. Currently, forum users alerted me to a problem: the NoScript application was picking up a call to a site, xblacknet.cn. This prompted me to block the IP of this hostname in iptables, rename my admincp and modcp, re-install vBulletin, conduct an entire search of the database, and grep every file in the vBulletin directory. I also blocked this hostname and IP in .htaccess and required a .htaccess password for admincp and modcp.

After re-installing vBulletin the problem went away on thread pages, where it was only occurring. However, a script call is still being made to xblacknet.cn from the admincp and modcp areas of the site, despite these emergency measures. I am willing to allow one of the developers of vBulletin full access to my site to look at what is going on here -- I believe some kind of hack has taken place.

The site is hosted on a server in my home office and is completely secured. We are using the latest stable version of everything and have incorporated cPanel/WHM into CentOS to keep everything up-to-date. Please respond, since I believe there may be a script injection problem that has allowed the site to be compromised. There are several million visits a month to this site, so it is a high-profile site.

Most of all, I am trying to see how I can get this call out of the admincp and modcp area and out of the site in general. Remember, I have replaced all of the vBulletin files to ensure they have not been modified, and in fact, searched the entire database and found no reference to this domain. Any help is GREATLY appreciated. I am a long-standing customer and have already pre-ordered v4 Suite. Please see this thread: http://windows7forums.com/security-z...-threat-2.html
Major potential hack from xblacknet.cn
-
Just a quick thought - you say you have searched the tables for the URL of xblacknet.cn; have you searched for their IP as well?
And this is probably a stupid question, but have you checked any hacks you recently installed for them?
-
Searched everywhere. Nothing comes up.
-
I went so far as to disable every plugin and the problem still takes place. It is now limited to admincp and modcp where no custom plugins are being called.
-
Gah, reading up on it, it sounds like a nasty sucker.
Might be worth contacting Mike or whoever it was over at the win7board; they are also using vBulletin, maybe he can fill you in on how he fixed the problem.
-
and upgraded vbseo with their latest security patch
-
Hi there,
Regarding the comment about 'vBSEO's vulnerability', the exploit in question allowed the hacker to exploit a vulnerability inherent in vBulletin - that of having world-writable directories that are designed to hold only images, yet there is no GD/other check to determine if the files are indeed images.
As soon as we were advised of the issue (both times), the flaw was patched within hours, and ALL customers were notified via Email and the Forum Announcement (and twitter, facebook etc).
It's vitally important to ensure you keep up to date with all software you have installed on your forum, even a single plugin that was added years ago could well end up being a serious security hole.
Juan
-
scared rat
WHOA!!! is this still an issue with vb v8.3.4. patch level 1 ???
-
The issue was only if you stored Custom Pics in the file system with vBSEO Installed.
-
Any idea why VB doesn't have the safeguards that Juan mentioned for world-writable image directories? Seems like it should.
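
An added example, not part of the original thread and not vBulletin or vBSEO code: an audit of an image-only upload directory for the condition described above (world-writable directories whose files are never verified to be images). It is a header-and-marker heuristic, not a full GD-style decode; the function names, marker list and sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Leading bytes of the image types an avatar/custom-pic directory should hold.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Byte sequences that should never appear in a stored image (heuristic list).
SCRIPT_MARKERS = (b"<?php", b"<script")

def audit_image_dir(root):
    """Return sorted (relative_path, reason) findings for everything under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((os.path.relpath(dirpath, root), "world-writable directory"))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext not in MAGIC:
                findings.append((rel, "unexpected file type"))
            elif not data.startswith(MAGIC[ext]):
                findings.append((rel, "content does not match extension"))
            # A valid image header does not rule out script appended after it.
            if any(marker in data.lower() for marker in SCRIPT_MARKERS):
                findings.append((rel, "embedded script marker"))
    return sorted(findings)

def demo():
    """Audit a constructed sample directory (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o777)  # constructed: mimic a world-writable image dir
        samples = {
            "ok.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
            "fake.jpg": b"<?php /* constructed */ ?>",
            "polyglot.gif": b"GIF89a<?php /* constructed */ ?>",
            "notes.php": b"plain text",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_image_dir(root)
```

Any finding in a directory meant to hold only images warrants a manual look; a clean result only means these particular heuristics found nothing.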