A new type hack method?

  • Reignman
    New Member
    • Dec 2011
    • 25
    • 4.1.x

    A new type hack method?

    Hello,

    When I entered my forum homepage a little while ago, I met with this page:



    First I checked my server/FTP accounts and all looked OK. My admin panel was working too, so I searched the templates and saw that he had changed the "FORUMHOME" script; I reverted it and everything went back to normal.

    Then I did a deeper investigation and saw that he had created a plugin in the vBulletin system like this:





    At the same time, I saw this in my mail:



    When I searched for some keywords from the hacking message, I saw that he had hacked many sites today with the same method:



    He even hacked the homepage of the antifraudintl.org forum, and this is the thread in their forum about this matter (their homepage is still hacked; if you read this message, you have to revert the FORUMHOME template).



    What can this be? A new vulnerability?

    Regards...
  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    Remove your install directory. We posted an announcement about this. If you need help getting your site back up and running, please open a support ticket.

    Comment


    • Birdman
      Birdman commented
      Editing a comment
      How? Where do I need to go in the root folders to remove it? After reading this thread, our site "so far" has not been a victim. However, my human verification security questioning requirements are more stringent and many bogus folks have been blocked from registering.
  • Reignman
    New Member
    • Dec 2011
    • 25
    • 4.1.x

    #3
    Well, I saw that announcement and removed the install directory. But I wasn't aware that it was about this vulnerability.

    Just one question: I deactivated the plugin he created; should I remove it completely?

    Comment

    • BirdOPrey5
      Senior Member
      • Jul 2008
      • 9613
      • 5.6.3

      #4
      You should remove it completely (you may want to copy the code to a text file just so you have it for future reference).

      You should also go to Admin CP -> Maintenance -> Diagnostics -> Suspect File Check. If any files say "Does not contain expected contents", you should re-upload a fresh set of files for your version of vBulletin.

      Make sure you are running the latest version of vBulletin as well.

      Also, if there are any files not recognized as part of vBulletin, you will need to manually check them to be sure they are clear of exploits. If you have a lot of 3rd party add-ons this can be time consuming. Consider removing add-ons and reinstalling fresh copies of the latest versions.

      Double-check your list of Administrators in Admin CP -> Usergroups -> Usergroup Manager. If you have an Admin account you didn't create, then this was likely the result of the exploit announced yesterday.

      There is still the possibility that your case was caused by a 3rd party add-on or a server vulnerability; if no new Admin account was created, it may not be the same hack.

      Comment
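      The checklist in the post above (Suspect File Check, unrecognized files, unexpected Administrators) as a small script. This is an added example written for this thread, not vBulletin's own Suspect File Check and not code from any poster. It fingerprints a clean copy of the forum files, reports modified, missing and unrecognized files in the live tree, and lists every account that holds the administrator usergroup (primary or secondary) but is not on your expected list. The usergroup id 6 for Administrators is an assumption about the default install; the file names, file contents and user rows are constructed for the demonstration. On a real site you would build the manifest from a freshly unpacked download of your exact version and feed `unexpected_admins()` the `username`, `usergroupid` and `membergroupids` columns from the `user` table.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: vBulletin's default "Administrators" usergroup id. Check yours in Usergroup Manager.
ADMIN_GROUPID = 6


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256.
    Build this from a clean, freshly unpacked copy of your version, never from the live site."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def audit_files(root, manifest):
    """Compare the live tree with the known-good manifest.

    'modified'     : shipped files whose contents differ ("Does not contain expected contents")
    'missing'      : shipped files that are gone
    'unrecognized' : files the shipped set never contained; each needs a manual look
    """
    present = build_manifest(root)
    return {
        "modified": sorted(r for r, h in manifest.items() if r in present and present[r] != h),
        "missing": sorted(r for r in manifest if r not in present),
        "unrecognized": sorted(r for r in present if r not in manifest),
    }


def unexpected_admins(users, expected_admins, admin_groupid=ADMIN_GROUPID):
    """Usernames holding the admin group as primary or secondary group that are not expected.

    users: rows shaped like the user table's username, usergroupid and membergroupids
    columns; membergroupids is the comma-separated string of secondary group ids.
    """
    found = set()
    for row in users:
        secondary = {int(g) for g in row["membergroupids"].split(",") if g.strip()}
        if row["usergroupid"] == admin_groupid or admin_groupid in secondary:
            found.add(row["username"])
    return sorted(found - set(expected_admins))


def run_demo():
    """Constructed scenario: a clean tree is fingerprinted, then the live copy gets a
    replaced index.php and forum.php, a deleted include, a leftover /install/ directory
    and stray admin accounts. Returns (file_report, admin_report)."""
    shipped = {  # constructed stand-ins for shipped files
        "index.php": b"<?php // original forum index\n",
        "forum.php": b"<?php // original forum.php\n",
        "includes/config.php": b"<?php // db settings\n",
        "includes/functions.php": b"<?php // helpers\n",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for rel, body in shipped.items():
            for base in (clean, live):
                target = Path(base, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        manifest = build_manifest(clean)

        # Constructed tampering on the live copy.
        Path(live, "index.php").write_bytes(b"<?php // replaced page (constructed)\n")
        Path(live, "forum.php").write_bytes(b"<?php // replaced page (constructed)\n")
        Path(live, "includes", "functions.php").unlink()
        Path(live, "install").mkdir()
        Path(live, "install", "index.php").write_bytes(b"<?php // installer left in place\n")
        file_report = audit_files(live, manifest)

    users = [  # constructed rows in the shape of the user table
        {"username": "owner", "usergroupid": 6, "membergroupids": ""},
        {"username": "mod", "usergroupid": 7, "membergroupids": ""},
        {"username": "federal", "usergroupid": 6, "membergroupids": ""},
        {"username": "federal_2", "usergroupid": 2, "membergroupids": "6,7"},
    ]
    admin_report = unexpected_admins(users, expected_admins={"owner"})
    return file_report, admin_report


if __name__ == "__main__":
    files, admins = run_demo()
    for kind, paths in files.items():
        print(f"{kind:>12}: {paths}")
    print("unexpected admins:", admins)
```

      The secondary-group check matters: an account whose primary group is plain Registered but whose `membergroupids` includes the admin group has the same rights and does not stand out in a quick scan of the member list.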

      • Reignman
        New Member
        • Dec 2011
        • 25
        • 4.1.x

        #5
        Well, Joe, I've checked my admin usergroup now and saw that there are 2 admin accounts named "federal".

        So, it's certain that I was a victim of the same hack. I've removed the admin accounts, the install directory and the plugin he created. My forum version is 4.2.1 and there is nothing suspicious in the 3rd party add-ons.

        Thanks for help!

        Comment

        • Emath
          Senior Member
          • Aug 2008
          • 146

          #6
          The same happened to me: homepage replaced (index.php and forum.php), a new plugin, and a new admin user was created named "federal".
          Mathematics matriculation exam | Textbook solutions

          Comment

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73981

            #7
            Originally posted by Emath
            The same happened to me: homepage replaced (index.php and forum.php), a new plugin, and a new admin user was created named "federal".
            Then you should follow the same steps as above.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API

            Comment

            • Hawkmoth
              Member
              • May 2012
              • 34
              • 4.1.x

              #8
              As above. This problem was found on Tuesday morning about 11 am Japan time. Like Reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed and PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active, but even then they only go into an admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin, but I don't know how.

              I have also found a file "federal" in the plugin and that is removed. We only have the vB software and vBadvanced for the front page (with all our language forums). vBa is the only plugin that is set up. All "abdou" did is deface our front page. The forum works fine from the forum.php page. I have removed the install file as Zachary has indicated. But the problem has not been resolved.

              NB: vis-à-vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server, Abdou has violated federal law (maybe USC Title 18, but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.
              http://www.antifraudintl.org

              Comment

              • Guest

                #9
                Originally posted by Hawkmoth
                I have removed the install file as Zachary has indicated. But the problem has not been resolved.
                You need to remove the install DIRECTORY, not the FILE.
                Keeping the /install/ directory open and accessible will just keep your forum getting hacked.

                You should also check for suspect files through ACP.
                Most probably some of the files have been changed.

                Comment

                • Hawkmoth
                  Member
                  • May 2012
                  • 34
                  • 4.1.x

                  #10
                  Sorry for my English. I meant directory. I removed the directory.
                  http://www.antifraudintl.org

                  Comment

                  • ercule
                    Senior Member
                    • Feb 2008
                    • 107
                    • 4.1.x

                    #11
                    I got the same "federal" member who got admin access on one of my sites.
                    Apparently he tried to add an announcement with no success and looked at user.php --> viewjoinrequests.
                    No plugin was added on my site and no file edits.
                    IP used: 41.248.180.132 (Morocco)
                    I deleted the install folder and banned the IP from my server.

                    Comment

                    • Hawkmoth
                      Member
                      • May 2012
                      • 34
                      • 4.1.x

                      #12
                      Problem resolved, for now. Somehow, whatever Abdou did, he installed a new index.php over our old one. All I had to do was go into FTP and copy our original index.php over the "new" one. Sorry I'm not clever. If I were, I might have thought of this sooner.

                      Now the question is, how does Abdou/Federal install his files?
                      http://www.antifraudintl.org

                      Comment

                      • Sicilian
                        Member
                        • Apr 2010
                        • 78
                        • 4.0.0

                        #13
                        Originally posted by Zachery
                        Remove your install directory. We posted an announcement about this. If you need help getting your site back up and running, please open a support ticket.
                        The same happened on my forum.

                        Wouldn't it have been better for vBulletin to email all customers about this serious exploit?

                        Comment

                        • Sicilian
                          Member
                          • Apr 2010
                          • 78
                          • 4.0.0

                          #14
                          The way vBulletin has handled this serious exploit has really got me annoyed. Whenever vBulletin wants us to buy something such as vB5 we get an email, but with a serious exploit such as this, the best vBulletin staff can manage is an announcement post! Not good enough, vBulletin; I'm now seriously looking to move to another forum system.

                          Comment

                          • user-1231235234532
                            Senior Member
                            • Nov 2012
                            • 266

                            #15
                            I agree; what about all those admins not visiting the forums?

                            vB should have contacted all forum owners. It is not too late to do that and provide this basic support!

                            Comment
