Major potential hack from xblacknet.cn

  • MikeF
    Senior Member
    • Jan 2006
    • 172

    Major potential hack from xblacknet.cn

    My site is very successful and has had, up to this point, minimal issues. Recently, forum users alerted me to a problem: the NoScript application was picking up a call to a site, xblacknet.cn. This prompted me to block the IP of this hostname in iptables, rename my admincp and modcp, re-install vBulletin, conduct an entire search of the database, and grep every file in the vBulletin directory. I also blocked this hostname and IP in .htaccess, and required a .htaccess password for admincp and modcp. After re-installing vBulletin the problem went away on thread pages, where it was only occurring. However, a script call is still being made to xblacknet.cn from the admincp and modcp areas of the site, despite these emergency measures. I am willing to allow one of the developers of vBulletin full access to my site to look at what is going on here -- I believe some kind of hack has taken place. The site is hosted on a server in my home office and is completely secured. We are using the latest stable version of everything and have incorporated cPanel/WHM into CentOS to keep everything up-to-date. Please respond, since I believe there may be a script injection problem that has allowed the site to be compromised. There are several million visits a month to this site, so it is a high-profile site. Most of all, I am trying to see how I can get this call out of the admincp and modcp areas and out of the site in general. Remember, I have replaced all of the vBulletin files to ensure they have not been modified, and in fact searched the entire database and found no reference to this domain. Any help is GREATLY appreciated. I am a long-standing customer and have already pre-ordered the v4 Suite. Please see this thread: http://windows7forums.com/security-z...-threat-2.html
    Last edited by MikeF; Tue 1 Dec '09, 3:40am.
  • icarusforde
    Senior Member
    • Feb 2009
    • 1594
    • 3.8.x

    #2
    Just a quick thought - you say you have searched the tables for the URL of xblacknet.cn; have you searched for their IP as well?

    And this is probably a stupid question, but have you checked any hacks you recently installed for them?

    Comment

    • MikeF
      Senior Member
      • Jan 2006
      • 172

      #3
      Originally posted by icarusforde
      Just a quick thought - you say you have searched the tables for the URL of xblacknet.cn; have you searched for their IP as well?

      And this is probably a stupid question, but have you checked any hacks you recently installed for them?
      Searched everywhere. Nothing comes up.

      Comment

      • MikeF
        Senior Member
        • Jan 2006
        • 172

        #4
        Originally posted by icarusforde
        Just a quick thought - you say you have searched the tables for the URL of xblacknet.cn; have you searched for their IP as well?

        And this is probably a stupid question, but have you checked any hacks you recently installed for them?
        I went so far as to disable every plugin and the problem still takes place. It is now limited to admincp and modcp where no custom plugins are being called.

        Comment

        • icarusforde
          Senior Member
          • Feb 2009
          • 1594
          • 3.8.x

          #5
          Gah, reading up on it, it sounds like a nasty sucker.

          Might be worth contacting Mike or whoever it was over at the win7board, they are also using vbulletin, maybe he can fill you in on how he fixed the problem.

          Comment

          • Ludachris
            Senior Member
            • Feb 2002
            • 312

            #6
            Please do keep us updated on this issue. I'm finding our site has the same issue.

            Comment

            • Ludachris
              Senior Member
              • Feb 2002
              • 312

              #7
              Just a quick update - I re-uploaded all of our vb files and upgraded vbseo with their latest security patch and it seems to have fixed the issue. However, I'm still not sure where the exploit came from.

              Comment

              • Ingenious
                Senior Member
                • Mar 2008
                • 269
                • 3.8.x

                #8
                and upgraded vbseo with their latest security patch
                Vbseo had a major security flaw recently (something to do with uploads); I have sadly seen another very large forum get hit last week; they have since removed vbseo. If you have vbseo installed you MUST apply their security patch. I know we all hear lots of security updates about this and that, but vbseo's vulnerabilities are, and have been, exploited for real.
                Fireworks

                Comment

                • vbseo
                  New Member
                  • Nov 2004
                  • 18

                  #9
                  Hi there,

                  Regarding the comment about 'vBSEO's vulnerability', the exploit in question allowed the hacker to exploit a vulnerability inherent in vBulletin - that of having world-writable directories that are designed to hold only images, yet there is no GD/other check to determine if the files are indeed images.

                  As soon as we were advised of the issue (both times), the flaw was patched within hours, and ALL customers were notified via Email and the Forum Announcement (and twitter, facebook etc).

                  It's vitally important to ensure you keep up to date with all software you have installed on your forum; even a single plugin that was added years ago could well end up being a serious security hole.

                  Juan

                  Comment
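                  The check Juan describes as missing, as an added example that is not vBulletin's or vBSEO's code: before a file is stored in an image-only directory, its extension, leading bytes and contents must all agree that it is a plain image. The function names and signature table are assumptions for illustration; re-encoding the upload through GD is the stronger fix, and this block only shows the consistency check.

```python
"""Added example (not vBulletin/vBSEO code): refuse to store anything in an
image-only directory unless extension, magic bytes and contents agree."""

# Leading bytes of the formats an avatar/profile-pic directory should hold.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
ALLOWED_EXT = {"png", "gif", "jpg", "jpeg"}
# Server-side code markers that have no business inside an image file.
CODE_MARKERS = (b"<?php", b"<?=", b"<script")


def detect_image_type(data: bytes):
    """Return 'png', 'gif' or 'jpg' from the leading bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason). Hypothetical helper: a real upload handler would
    additionally re-encode the image with GD so that no foreign bytes survive."""
    parts = filename.lower().split(".")
    if len(parts) != 2:            # no extension at all, or a double extension
        return False, "bad extension count"
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    kind = detect_image_type(data)
    if kind is None:               # e.g. a script renamed to .jpg
        return False, "no image signature"
    expected = {"jpg", "jpeg"} if kind == "jpg" else {kind}
    if ext not in expected:        # valid image bytes, but lying extension
        return False, "extension does not match content"
    # A real image header followed by server-side code is still not an image.
    if any(marker in data.lower() for marker in CODE_MARKERS):
        return False, "embedded script marker"
    return True, "ok"
```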

                  • icarusforde
                    Senior Member
                    • Feb 2009
                    • 1594
                    • 3.8.x

                    #10
                    Cheers for the update Juan.

                    Comment

                    • Suiram
                      Senior Member
                      • Dec 2008
                      • 216
                      • 3.8.x

                      #11
                      scared rat

                      Originally posted by vbseo
                      Hi there,

                      Regarding the comment about 'vBSEO's vulnerability', the exploit in question allowed the hacker to exploit a vulnerability inherent in vBulletin - that of having world-writable directories that are designed to hold only images, yet there is no GD/other check to determine if the files are indeed images.

                      As soon as we were advised of the issue (both times), the flaw was patched within hours, and ALL customers were notified via Email and the Forum Announcement (and twitter, facebook etc).

                      It's vitally important to ensure you keep up to date with all software you have installed on your forum; even a single plugin that was added years ago could well end up being a serious security hole.

                      Juan


                      WHOA!!! Is this still an issue with vb v8.3.4. patch level 1???

                      Comment

                      • Ludachris
                        Senior Member
                        • Feb 2002
                        • 312

                        #12
                        Originally posted by Suiram

                        WHOA!!! Is this still an issue with vb v8.3.4. patch level 1???
                        Yes, that's the version I'm running and my forum got hit.

                        Comment

                        • ChopSuey
                          Senior Member
                          • Apr 2009
                          • 1164
                          • 4.0.0

                          #13
                          The issue was only if you stored Custom Pics in the file system with vBSEO Installed.

                          Comment

                          • Ludachris
                            Senior Member
                            • Feb 2002
                            • 312

                            #14
                            Originally posted by Suiram

                            WHOA!!! Is this still an issue with vb v8.3.4. patch level 1???
                            Originally posted by Ak Worm
                            The issue was only if you stored Custom Pics in the file system with vBSEO Installed.
                            So if you store Avatars or Profile Pics in the file system as opposed to the database and have VBSEO installed, like we do, you are vulnerable. The first thing you need to do is update your VBSEO installation with the latest patch. I wasn't seeing the problems most people were having, so you might need to download the NoScript add-on for Firefox to see if your site is running any unknown javascript. That's how I did most of my testing, and that's how you'll know if any of your files had code written to them. I overwrote all of the vb files and it seemed to have fixed it, along with a couple of VBA CMPS files.

                            Any idea why VB doesn't have the safeguards that Juan mentioned for world-writable image directories? Seems like it should.

                            Comment

                            • Ludachris
                              Senior Member
                              • Feb 2002
                              • 312

                              #15
                              Alas, there must be other ways to get in outside of vbseo... I got hit again. This time they added iframe code to the vbulletin_menu.js file and the header template. Joy.

                              Comment
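                              A file-side version of the NoScript test described in #14, aimed at the injected iframe code reported in #15 and the script call in the first post, as an added example that is not vBulletin code: scan exported templates and clientscript files for script/iframe src attributes pointing at hosts outside the forum's own allow-list. The sample template and JS lines are constructed, and the allow-list host forum.example.com is an assumption.

```python
"""Added example (not vBulletin code): flag <script>/<iframe> src references
to hosts that are not the forum's own, in templates and clientscript files."""
import re
from urllib.parse import urlparse

# Matches the tag name and the src value of a script or iframe tag; also fires
# on such a tag embedded in a JS string (e.g. inside document.write(...)).
TAG_RE = re.compile(
    r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE,
)


def host_of(url: str) -> str:
    """Host of an absolute or protocol-relative URL; '' for a relative path."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def find_foreign_references(text: str, allowed_hosts):
    """Return [(line_no, tag, host, url)] for each script/iframe src whose host
    is neither empty (same-origin relative path) nor on the allow-list.
    Inline <script> bodies and string-concatenated tags are not covered and
    still need manual review."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for tag, url in TAG_RE.findall(line):
            host = host_of(url)
            if host and host not in allowed:
                hits.append((line_no, tag.lower(), host, url))
    return hits


# Constructed samples: a header template and two lines of a clientscript file.
SAMPLE_TEMPLATE = """<script type="text/javascript" src="clientscript/vbulletin_menu.js"></script>
<script src="http://forum.example.com/clientscript/vbulletin_global.js"></script>
<iframe src="http://xblacknet.cn/constructed-sample.html" width="1" height="1" style="display:none"></iframe>
"""
SAMPLE_JS = """var vbmenu_open = 0;
document.write('<iframe src="http://xblacknet.cn/constructed-sample.html" width=0 height=0></iframe>');
"""

if __name__ == "__main__":
    for name, text in (("header template", SAMPLE_TEMPLATE), ("vbulletin_menu.js", SAMPLE_JS)):
        for hit in find_foreign_references(text, ["forum.example.com"]):
            print(name, hit)
```

Run it over the files under clientscript/ and over a template export; any host that is not your own or a vendor you knowingly load from deserves a look.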
