Help me please
  • Orix
    New Member
    • Apr 2006
    • 9

    Help me please

    Hello,


    I'm a French vBulletin user. We migrated our vBulletin from version 3.0.9 to 3.5.4 this week, and we've got a problem.

    A fu#!$ guy tries to hack us all the time. When he registers on our forum we ban him immediately, but yesterday this is what he did:

    - he was on the forum home page (so not logged in), and he entered this line in his browser address bar:

    http://www.xxxx.com/forums/login.php...u=YY&i=9861262 HTTP/1.1" 200 3965 http://mail1.voila.fr/webmail/fr_FR/...romSubmit=true

    Where YY is the userid, he managed to generate a new password and receive it in his mailbox; he could do this for any YY (userid).
    Then he could log in to the forum and change that user's email.

    This guy managed to change the email of any user (admins too) and he managed to get into the admin CP panel!!

    In the last 30 minutes he managed to ban the admin without entering the admin panel.
    Perhaps there is a chmod problem on my site, and he managed to execute some SQL requests.

    The team at http://forum.vbulletin-fr.org is helping me too.

    Please help me
  • Colin F
    Senior Member
    • May 2004
    • 17689

    #2
    So you're running 3.5.4 and this problem is occurring?
    Do you have any plugins installed?
    Best Regards
    Colin Frei

    Please don't contact me per PM.


    • Orix
      New Member
      • Apr 2006
      • 9

      #3
      Hello Colin,

      Yes, we use 3.5.4, and the only plug-in that I have installed is this one: http://www.vbulletin.org/forum/showthread.php?t=83003

      In fact, with this plugin we can see who is using the AdminCP panel at any time.

      With 3.0.9 we had the problem too.

      Thanks a lot

      Originally posted by Colin F
      So you're running 3.5.4 and this problem is occurring?
      Do you have any plugins installed?


      • Floris
        Senior Member
        • Dec 2001
        • 37767

        #4
        If the exploits started before the upgrade, that makes sense. You were running 3.0.x until March 30th, when you downloaded 3.5.4, so you only recently upgraded to 3.5.4.

        This could mean the user created another admin, or got access to the config.php file somehow and knows how to connect to the database and does his actions like that.

        Could you please email your Apache web log file in a .zip to floris [at] vbulletin.com so our developers can take a look and see if there's an issue with 3.5.4?

        By the way, it might also be possible he got access to the site through SPIP: http://www.securityfocus.com/bid/17130


        • Orix
          New Member
          • Apr 2006
          • 9

          #5
          OK Floris, we will change the password in our config.php.

          I will send you our log now.

          Thanks


          • Floris
            Senior Member
            • Dec 2001
            • 37767

            #6
            Go to the admincp > usergroups > usergroup manager > and see if any strange users have been added to the admin & mods usergroups. Or perhaps a custom usergroup has been created with admin privs.


            • Scott MacVicar
              Former vBulletin Developer
              • Dec 2000
              • 13286

              #7
              This usually suggests the user already has access to your database somehow, either via another script, phpMyAdmin, or some vulnerability within a plugin.

              The code for sending lost passwords works as follows:

              User enters email address associated with their account
              Fetch userid, username, email, languageid from user where the email = <user entered email>
              We then send an email with the details to the user specified from the data we retrieved from the database, not the user-entered email.
              The id value we use is inserted into the database and we wait for the user to visit the link.

              Next step is for activation:
              Get userinfo for userid in querystring
              Get activation information, id and dateline
              Check dateline was in the last 24 hours
              Check activationid passed in is equal to that in the database
              Delete activation id
              Update password

              The fact he banned you without entering the admin panel sounds like he has database access; if it is a shared host then you should bring this up with your hosting provider.

              Also check your access logs for apache and see if you can trace his steps.
              Scott MacVicar

              My Blog | Twitter


              • Orix
                New Member
                • Apr 2006
                • 9

                #8
                OK, I have verified it, and no group has been added. I think that if he has the password from config.php, he can do whatever he wants in our database (create an admin user, for example).

                Originally posted by Floris
                Go to the admincp > usergroups > usergroup manager > and see if any strange users have been added to the admin & mods usergroups. Or perhaps a custom usergroup has been created with admin privs.


                • Orix
                  New Member
                  • Apr 2006
                  • 9

                  #9
                  Thanks Scott for this information.

                  Originally posted by Scott MacVicar
                  This usually suggests the user already has access to your database somehow, either via another script, phpMyAdmin, or some vulnerability within a plugin.

                  The code for sending lost passwords works as follows:

                  User enters email address associated with their account
                  Fetch userid, username, email, languageid from user where the email = <user entered email>
                  We then send an email with the details to the user specified from the data we retrieved from the database, not the user-entered email.
                  The id value we use is inserted into the database and we wait for the user to visit the link.

                  Next step is for activation:
                  Get userinfo for userid in querystring
                  Get activation information, id and dateline
                  Check dateline was in the last 24 hours
                  Check activationid passed in is equal to that in the database
                  Delete activation id
                  Update password

                  The fact he banned you without entering the admin panel sounds like he has database access; if it is a shared host then you should bring this up with your hosting provider.

                  Also check your access logs for apache and see if you can trace his steps.


                  • Floris
                    Senior Member
                    • Dec 2001
                    • 37767

                    #10
                    Let me know when you mailed me, because my pop3 doesn't show a new mail yet.


                    • Orix
                      New Member
                      • Apr 2006
                      • 9

                      #11
                      3 mails for you Floris

                      Hello Floris,

                      I have sent you the first email (of 3 emails).

                      Thanks a lot


                      • Scott MacVicar
                        Former vBulletin Developer
                        • Dec 2000
                        • 13286

                        #12
                        After reading the logs there is no sign of this person doing anything mischievous; he simply requested a lost password, a few minutes later he activated it, and then changed the password.

                        The only explanation is that the user is able to change the email address within your database somehow. It's only available within one part of vBulletin and that's on the editpassword screen.

                        Did userid 25 that was hacked use voila.fr for his email? Since that's the next usual entry point, he did actually have access to this email.
                        Scott MacVicar

                        My Blog | Twitter


                        • Orix
                          New Member
                          • Apr 2006
                          • 9

                          #13
                          Hello Scott,



                          In fact, I think you are right; he certainly has access to our FTP and our database, so he easily changed the email address in the database and retrieved it normally via the forum panel.

                          The userid 25 didn't use voila, but the lamer has a voila.fr mailbox.

                          In fact this lamer has access to our database, changes any email for any userid (replaces the registered email with his email), and then retrieves the email normally!!

                          I am really fed up with this fu#!$ guy!! But it's our fault. I wonder how he found our FTP and database access passwords.

                          We asked our host to give us the database log.

                          Thanks a lot

                          Originally posted by Scott MacVicar
                          After reading the logs there is no sign of this person doing anything mischievous; he simply requested a lost password, a few minutes later he activated it, and then changed the password.

                          The only explanation is that the user is able to change the email address within your database somehow. It's only available within one part of vBulletin and that's on the editpassword screen.

                          Did userid 25 that was hacked use voila.fr for his email? Since that's the next usual entry point, he did actually have access to this email.


                          • Scott MacVicar
                            Former vBulletin Developer
                            • Dec 2000
                            • 13286

                            #14
                            If the FTP password was an easy one then it is very possible he has brute-forced it; if not, then someone with the password may have a trojan / keylogger type virus installed. If they all come clean, then he's most likely gained access to your server some other way.

                            If it is a shared host then it's possible he is another customer on the box, or he has exploited another script anywhere on the server to allow himself to upload files.

                            If you have the SQL password it's just a case of "UPDATE user SET email = '[email protected]'" to change the password.
                            Scott MacVicar

                            My Blog | Twitter

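                            The lost-password flow Scott lays out in #7, and the direct database write he mentions in #14, as one runnable simulation. This is an added example, not vBulletin's code: it uses an in-memory SQLite database with hypothetical table and column names (user, useractivation, activationid, dateline), a constructed victim account for userid 25, and a placeholder attacker address attacker@example.net. Run honestly, the flow only mails the link to the address already stored in the user row and rejects wrong or stale activation ids, so an attacker who merely knows the victim's userid gets nothing; with the config.php credentials he can first rewrite the email column and then the unmodified flow hands him the account.

```python
import secrets
import sqlite3


def make_db():
    """Constructed in-memory schema approximating the two tables the flow
    touches (hypothetical layout, not vBulletin's real schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (
            userid INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
        CREATE TABLE useractivation (
            userid INTEGER PRIMARY KEY, activationid TEXT, dateline INTEGER);
        INSERT INTO user VALUES (25, 'victim', 'victim@example.org', 'oldhash');
    """)
    return db


def request_lost_password(db, entered_email, now):
    """Step 1: look the account up by the typed e-mail, then address the mail
    to the e-mail STORED in the user row (never the typed value) and record
    the activation id we wait for. Returns the 'mail' as a dict, or None when
    no account has that address."""
    row = db.execute("SELECT userid, email FROM user WHERE email = ?",
                     (entered_email,)).fetchone()
    if row is None:
        return None
    userid, stored_email = row
    activationid = secrets.token_hex(16)          # fresh, unguessable id
    db.execute("INSERT OR REPLACE INTO useractivation VALUES (?, ?, ?)",
               (userid, activationid, now))
    return {"to": stored_email, "userid": userid, "activationid": activationid}


def activate_lost_password(db, userid, activationid, new_password, now):
    """Step 2: the link is visited. Check the id is under 24 hours old and
    matches the database, then delete it and set the new password."""
    row = db.execute("SELECT activationid, dateline FROM useractivation "
                     "WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        return False
    stored_id, dateline = row
    if now - dateline > 24 * 3600:                # link expired
        return False
    if not secrets.compare_digest(stored_id, activationid):
        return False
    db.execute("DELETE FROM useractivation WHERE userid = ?", (userid,))
    db.execute("UPDATE user SET password = ? WHERE userid = ?",
               (new_password, userid))
    return True


def takeover_with_db_access(db, userid, attacker_email, now):
    """What an attacker holding the database credentials can do: rewrite the
    victim's e-mail column directly (the UPDATE from #14), then run the normal
    flow, which now mails the link to him. Returns (mail recipient, success)."""
    db.execute("UPDATE user SET email = ? WHERE userid = ?",
               (attacker_email, userid))
    mail = request_lost_password(db, attacker_email, now)
    ok = activate_lost_password(db, mail["userid"], mail["activationid"],
                                "attacker-chosen", now + 120)
    return mail["to"], ok


if __name__ == "__main__":
    db = make_db()
    # Without DB access: no account has the attacker's address, nothing is sent.
    print(request_lost_password(db, "attacker@example.net", 1_000_000))
    # With DB access: the link goes to the attacker and the reset succeeds.
    print(takeover_with_db_access(db, 25, "attacker@example.net", 1_000_000))
```

                            The flow itself is sound, which matches Scott's reading of the Apache log: the only moves visible there are a lost-password request and its activation. The weak point is the trust the flow places in the email column, so the investigation belongs at whatever let the attacker write to the database, not at login.php.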

                            • Orix
                              New Member
                              • Apr 2006
                              • 9

                              #15
                              I think that he uses brute-force software.
                              It is a shared host, but how could I check his script on the host?
                              For the SQL password, I don't understand what you mean with lamer at lamer . com


                              Thanks

                              Originally posted by Scott MacVicar
                              If the FTP password was an easy one then it is very possible he has brute-forced it; if not, then someone with the password may have a trojan / keylogger type virus installed. If they all come clean, then he's most likely gained access to your server some other way.

                              If it is a shared host then it's possible he is another customer on the box, or he has exploited another script anywhere on the server to allow himself to upload files.

                              If you have the SQL password it's just a case of "UPDATE user SET email = '[email protected]'" to change the password.
