vBulletin 3.x and 4.x Redirect Security Exploit

• #91
Originally posted by Ramsesx:
    Interesting, is this a new security exploit? Could someone from staff confirm this?
Definitely not NEW and this is an old issue that was related to an older VBSEO exploit. What I am seeing is that malicious php files are hard to find and people are not able to clean it out 100% - leaving their sites susceptible to more attacks.
anders | vbulletin team
http://www.twitter.com/inetskunkworks

• #92
Originally posted by Ramsesx:
    Interesting, is this a new security exploit? Could someone from staff confirm this?
See above. This is NOT a vBulletin exploit. It's a file permissions issue. And it's not particularly new, but it may be part of some of the redirection issues people are experiencing.
Psychlinks Mental Health Support Forum
Local Search Forum

• #93
Originally posted by IBxAnders:
    Definitely not NEW and this is an old issue that was related to an older VBSEO exploit. What I am seeing is that malicious php files are hard to find and people are not able to clean it out 100% - leaving their sites susceptible to more attacks.
It was not a vBSEO issue either. It was/is a server permissions issue.

• #94
Thanks for this quick answer.

• #95
Originally posted by Ramsesx:
    Interesting, is this a new security exploit? Could someone from staff confirm this?
It's neither new nor a vbulletin issue - it's a server exploit.
Baby, I was born this way

• #96
Ok, even I was hacked again. Now I didn't follow my last rule.

Change administrator passwords...

I did NOT do this. And because of this, some interesting stuff happened.

Here's the hack from this morning:
I left ALL the information and links in there because the greater good comes above some of my privacy at this point:

http://mcarterbrown.com/test.txt

I grep'd my access_log and pulled out this info. That IP: 209.236.66.108 is from a Tor router, so the hacker is trying to stay anonymous.

Backstory: I had 3 admins... Myself, Cat, and Incynr8

My buddy incynr8 hasn't been around in a long long time, but he still had admin privileges from a while back. I noticed his account had activity a while back. Knew it wasn't him. Notified him to change his passwords. I removed his admin access.

In this log above (test.txt) you'll see the hacker logging into the server (mcbadmin is the admin folder for vbulletin, I renamed it, and will again after all this in a few days or so), the hacker logs in, and checks out the user "incynr8". Looks at his profile, etc. He sees that I'm catching on.

This time, after looking at the admin account "Cat", that person had a "last activity" in their profile showing for this morning... I know for a fact this person did not use or log in either.

So somehow the hacker got ANOTHER password from an admin.

...

Here's where it gets funny. I go and look at the "control panel" log for more evidence. I can't find any.

But my access_log on the server says someone was in the control panel. I check the control panel again... Where it says "Show Only Entries Generated By", there is a choice for "all users" and then a drop down box for specific users.

Well, both of the admins "Cat" and "Incynr8" are not a choice. I don't know why... I'm in the drop down list, and I'm an admin, but I can no longer see the other two as a choice.

I have since changed my password now, and I am the only admin left on the site.

...

Also looking at the log, you can see the plugin the hacker used to edit the site to redirect. For me, plugin 671 is the "Disable Swear Censor Per Forum".

I'm going to go further back through my previous logs and see if I can't find out how these user passwords were compromised. Neither of the accounts hacked have been used in months.

I will most likely change my database password just in case. I would assume if the person had the database password, they would just do it that way, not logging in as an admin. Somehow the passwords are being cracked...

That's my update for now. Will post more as I go through older logs.

• #97
Haven't found much going through older logs... But I keep on seeing this:

89.212.30.147 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://www.mcarterbrown.com/forums/mcbadmin/user.php?do=update" "Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4"

That IP comes up as a Spam IP... Same thing done with a bunch of other IP addresses on different days. But someone is trying to do something in my admin section. Maybe running a script?

• #98
They are attempting to view [or edit] a user account.

As your logs don't log the query string [or cookies], it's hard to tell much more.
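As an added example (not from this thread, vBulletin or vBSEO), here is a small auditor for Apache combined-format access_log lines like the one CBrown quoted: it lists hits on the admin directory from IPs outside an allowlist and narrows them to the do= actions that change state, which is the kind of triage the posts above are doing by hand. The admin directory name, the action list and every sample line except the quoted one are assumptions.

```python
import re
# Apache "combined" log format, matching the access_log excerpt quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ADMIN_DIR = "/forums/mcbadmin/"   # the renamed admin directory from the thread; set to yours
# Assumption: admin-CP scripts use vBulletin's do= convention; these values change state.
WRITE_ACTIONS = {"update", "edit", "insert", "delete", "kill"}

def parse_line(line):
    """Split one combined-format line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    script, _, query = rec["path"].partition("?")
    rec["script"] = script
    rec["query"] = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    return rec

def audit_admin_access(lines, trusted_ips):
    """Admin-CP hits from IPs outside the allowlist, as (ip, timestamp, script, do-action)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["script"].startswith(ADMIN_DIR):
            continue
        if rec["ip"] in trusted_ips:
            continue
        findings.append((rec["ip"], rec["ts"], rec["script"], rec["query"].get("do", "")))
    return findings

def write_actions(findings):
    """Narrow the findings to requests that modify users, plugins or settings."""
    return [f for f in findings if f[3] in WRITE_ACTIONS]

# Constructed sample: the line quoted in the thread plus three made-up lines (RFC 5737 IPs).
SAMPLE_LOG = [
    '89.212.30.147 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://www.mcarterbrown.com/forums/mcbadmin/user.php?do=update" "Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4"',
    '192.0.2.10 - - [06/Jun/2011:23:01:02 -0500] "GET /forums/mcbadmin/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jun/2011:08:15:40 -0500] "POST /forums/mcbadmin/plugin.php?do=update&pluginid=671 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jun/2011:08:16:00 -0500] "GET /forums/showthread.php?t=1 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for hit in write_actions(audit_admin_access(SAMPLE_LOG, {"192.0.2.10"})):
        print("untrusted admin write:", hit)
```

Feed it your real access_log and your own admin IPs; a plugin.php or user.php write from an address you do not recognise is the place to start looking, and a hit that the vBulletin control panel log does not mirror deserves the same scrutiny.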
• #99
Originally posted by Paul M:
    They are attempting to view [or edit] a user account.

    As your logs don't log the query string [or cookies], it's hard to tell much more.
That's what I figured, but can you comment on the post I made above:
http://www.vbulletin.com/forum/showt...=1#post2168506

How is it that I can find in my access logs on the server someone doing something in the control panel and editing, but nothing shows up in the vbulletin control panel log? The only thing vbulletin recorded is that the user logged in, but nothing about the control panel (that shows up in the server logs) was logged. I'm stumped by that...

• Perhaps they are deleting the log records after they have finished.

• For anyone having their search engine traffic redirected, I've only found plugin code in a vbseo plugin point in the datastore table. Enabling and disabling a single plugin normally rebuilds the pluginlist in the datastore and fixes the problem.

• Originally posted by Zachery:
    For anyone having their search engine traffic redirected, I've only found plugin code in a vbseo plugin point in the datastore table. Enabling and disabling a single plugin normally rebuilds the pluginlist in the datastore and fixes the problem.
Thank you, Zachery.

However, two points:

1. CBrown above at http://www.vbulletin.com/forum/showt...=1#post2168506 identifies a different non-vBSEO plugin from vBulletin.org as the source on his installation.

2. While this may fix the problem by clearing/rebuilding the datastore, since the precise entry point and method is unclear, what's to stop the problem from reappearing?

• Originally posted by djbaxter:
    Thank you, Zachery.

    However, two points:

    1. CBrown above at http://www.vbulletin.com/forum/showt...=1#post2168506 identifies a different non-vBSEO plugin from vBulletin.org as the source on his installation.

    2. While this may fix the problem by clearing/rebuilding the datastore, since the precise entry point and method is unclear, what's to stop the problem from reappearing?
Nothing, however it is not my job to provide complete forensic analysis of your third party addons to determine where the code is coming from. If this was a completely, 100% stock vBulletin board, we would try to look into the issue. But every board I've checked has had vBSEO, also other plugins, but off the top of my head I haven't seen any similar ones specifically, and it is on vB3. That is the most common thing I've run into.

• Ok, I may be way off, but this is what I'm guessing...

Due to some server issues, the hacker was able to upload a malicious .gif file and run it as a php file. I have since corrected that issue, but too little too late...

That person has then since grabbed enough info from the database and uploaded the redirect script.

Since then they must have decoded the admin passwords, and used those to regain entrance back into the admin section.

...

I'm sure about the php laden gif file. I'm not sure about the getting db info and getting the passwords. But SOMEHOW, a person snagged two of my users admin passwords. Two people with nothing in common and living in different states. Or there is a major hole somewhere in the code.

• Originally posted by Zachery:
    Nothing, however it is not my job to provide complete forensic analysis of your third party addons to determine where the code is coming from. If this was a completely, 100% stock vBulletin board, we would try to look into the issue. But every board I've checked has had vBSEO, also other plugins, but off the top of my head I haven't seen any similar ones specifically, and it is on vB3. That is the most common thing I've run into.
Thanks. I would agree that it does seem that vB3 forums are more vulnerable to the redirect exploit, although it's unclear why. I guess this does confirm the sense in trying to ensure that ALL your software is up to date, whether it's vBulletin itself or add-ons.