vBulletin 3.x and 4.x Redirect Security Exploit
anders | vbulletin team | check out the new vbulletin facebook app
It was not a vBSEO issue either. It was/is a server permissions issue.
-
Ok, even I was hacked again. Now I didn't follow my last rule.
Change administrator passwords...
I did NOT do this. And because of this, some interesting stuff happened.
Here's the hack from this morning:
I left ALL the information and links in there because the greater good comes above some of my privacy at this point:
I grep'd my access_log and pulled out this info. That IP: 209.236.66.108 is from a Tor router, so the hacker is trying to stay anonymous.
Backstory: I had 3 admins... Myself, Cat, and Incynr8
My buddy incynr8 hasn't been around in a long long time, but he still had admin privileges from a while back. I noticed his account had activity a while back. Knew it wasn't him. Notified him to change his passwords. I removed his admin access.
In this log above (test.txt) you'll see the hacker logging into the server (mcbadmin is the admin folder for vbulletin, I renamed it, and will again after all this in a few days or so), the hacker logs in, and checks out the user "incynr8". Looks at his profile, etc. He sees that I'm catching on.
This time, after looking at the admin account "Cat", that person had a "last activity" in their profile showing for this morning... I know for a fact this person did not use or log in either.
So somehow the hacker got ANOTHER password from an admin.
...
Here's where it gets funny. I go and look at the "control panel" log for more evidence. I can't find any.
But my access_log on the server says someone was in the control panel. I check the control panel again... Where it says "Show Only Entries Generated By", there is a choice for "all users" and then a drop-down box for specific users.
Well, both of the admins "Cat" and "Incynr8" are not a choice. I don't know why... I'm in the drop down list, and I'm an admin, but I can no longer see the other two as a choice.
I have since changed my password now, and I am the only admin left on the site.
...
Also looking at the log, you can see the plugin the hacker used to edit the site to redirect. For me, plugin 671 is the "Disable Swear Censor Per Forum"
I'm going to go further back through my previous logs and see if I can't find out how these user passwords were compromised. Neither of the accounts hacked have been used in months.
I will most likely change my database password just in case. I would assume if the person had the database password, they would just do it that way, not logging in as an admin. Somehow the passwords are being cracked...
That's my update for now. Will post more as I go through older logs.
-
Haven't found much going through older logs... But I keep on seeing this:
89.212.30.147 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://www.mcarterbrown.com/forums/mcbadmin/user.php?do=update" "Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4"
That IP comes up as a Spam IP... Same thing done with a bunch of other IP addresses on different days. But someone is trying to do something in my admin section. Maybe running a script?
-
How is it that I can find in my access logs on the server someone doing something in the control panel and editing, but nothing shows up in the vBulletin control panel log? The only thing vBulletin recorded is that the user logged in, but nothing about the control panel activity (that shows up in the server logs) was logged. I'm stumped by that...
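Added example, not code from the thread or from vBulletin: a small Python script that does what the poster did by hand with grep, parsing combined-format access_log lines and grouping every request to the admin CP directory by client IP and do= action, so the list can be checked against what vBulletin's own control panel log recorded. It assumes the renamed admin directory name "mcbadmin" from the thread; the sample log lines and their addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/NCSA combined log format, the same layout as the access_log lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the thread). "mcbadmin" is the renamed admincp directory
# the poster mentions; the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jun/2011:08:12:01 -0500] "GET /forums/index.php HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2011:08:12:40 -0500] "GET /forums/mcbadmin/index.php HTTP/1.1" 200 6248 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://example.invalid/forums/mcbadmin/user.php?do=update" "Mozilla/4.7 (compatible; OffByOne; Windows 2000)"
203.0.113.9 - - [06/Jun/2011:22:28:02 -0500] "POST /forums/mcbadmin/plugin.php?do=update HTTP/1.0" 200 5120 "-" "Mozilla/4.7 (compatible; OffByOne; Windows 2000)"
203.0.113.9 - - [06/Jun/2011:22:29:11 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 302 0 "-" "Mozilla/4.7 (compatible; OffByOne; Windows 2000)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def admin_cp_activity(log_text, admin_dir="mcbadmin", known_admin_ips=()):
    """Group admin-CP requests per client IP, keeping only timestamp, script, do= action and status.

    IPs listed in known_admin_ips (the real administrators' usual addresses) are skipped, so
    what remains is exactly the set of sessions to reconcile against the control panel log.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or f"/{admin_dir}/" not in rec["path"] or rec["ip"] in known_admin_ips:
            continue
        script, _, query = rec["path"].partition("?")
        script = script.rsplit("/", 1)[-1]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        hits[rec["ip"]].append((rec["ts"], script, params.get("do", ""), rec["status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, actions in admin_cp_activity(SAMPLE_LOG, known_admin_ips={"198.51.100.7"}).items():
        print(ip)
        for ts, script, action, status in actions:
            print(f"  {ts}  {script:<12} do={action or '-':<8} {status}")
```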
-
For anyone having their search engine traffic redirected, I've only found plugin code in a vBSEO plugin point in the datastore table. Enabling and disabling a single plugin normally rebuilds the pluginlist in the datastore and fixes the problem.
-
Thank you, Zachery.
However, two points:
1. CBrown above at http://www.vbulletin.com/forum/showt...=1#post2168506 identifies a different non-vBSEO plugin from vBulletin.org as the source on his installation.
2. While this may fix the problem by clearing/rebuilding the datastore, since the precise entry point and method is unclear, what's to stop the problem from reappearing?
-
Ok, I may be way off, but this is what I'm guessing...
Due to some server issues, the hacker was able to upload a malicious .gif file and run it as a php file. I have since corrected that issue, but too little too late...
That person has then since grabbed enough info from the database and uploaded the redirect script.
Since then they must have decoded the admin passwords, and used those to regain entrance back into the admin section.
...
I'm sure about the PHP-laden .gif file. I'm not sure about the getting db info and getting the passwords. But SOMEHOW, a person snagged two of my users' admin passwords. Two people with nothing in common and living in different states. Or there is a major hole somewhere in the code.
-
Nothing, however it is not my job to provide complete forensic analysis of your third party addons to determine where the code is coming from. If this was a completely, 100% stock vBulletin board, we would try to look into the issue. But every board I've checked has had vBSEO, also other plugins, but off the top of my head I haven't seen any similar ones specifically, and is on vB3. That is the most common thing I've run into.