A new type hack method?

  • induslady
    Senior Member
    • May 2005
    • 230
    • 3.7.x

    #61
    Hello,

    I came to know of this exploit, and it looks like we too had this attack. We did the below:

    1. Deleted the install folder
    2. Deleted suspicious admin user accounts
    3. Referred to thread http://www.vbulletin.org/forum/showthread.php?t=301892 - as mentioned there, I didn't have any iframe injection, but there was a line added in the "header" template of one of our custom styles that reads "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked", and the suspicious lines were removed.

    Also we noticed that a few templates in the custom style have an edit history that says "Edited by .." the suspicious admin accounts, with a time stamp in the past year, 2010.

    Are there any other precautions that need to be taken? Am I currently still exploited? What are the other security measures that I need to take to protect my forums?
    IndusLady
    Indian Ladies Discussion Board | Indian Women Online Community


    • y2ksw
      Member
      • Jul 2003
      • 90

      #62
      Originally posted by kiss of death

      Yeah, but a few comments I read said that people had had their index.php and forum.php files switched, and they just put the originals back in and everything was fine.

      Also it wasn't vbseo itself I was suspecting, it was the vbseo sitemap generator which people can use without vbseo. Before vb4, vBulletin had no built-in sitemap generator and everyone was using the vbseo one because it was free; when vb4 came out a lot of people continued to use it and I don't believe there is a problem with it, only the fact that some people use the same passwords and it's clearly shown in a normal field in admincp.

      Yours was obviously done via style manager or it wouldn't still say vbseo at the bottom of the page, I was just curious.

      I'm just really confused as to why someone with that level of access would try and cover their tracks by removing the plugin and user account but not prune the logs?

      They just moved to another site and left yours alone. Their main interest is to use a server as a spam door, and this is what they tried to do at my place. Surely nobody ever should mention that they are part of the category of hackers, since I'll literally nail them into the ground.


      • Robbed
        Member
        • Oct 2005
        • 98
        • 4.2.X

        #63
        Originally posted by Zachery
        We've advised customers to remove the install folder, that is our response. Once you remove it the exploit vector is gone. In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Over time the system changed, which allowed an issue to crop back up.

        We still should have had some type of notification. This thread was created on the 27th; it happened to my forum last night. Most of us receive email on our phones, so if we had received notification we could have fixed the issue. With the type of access they had, I think we are lucky they were only editing templates; they could have deleted data, threads, forums, etc. I hope you will also look at securing the admin group and not just fix the install source issue. A new member with 0 posts should never be able to be in this group; if you have some checks around that and maybe extra approvals, this won't happen again.


        • nerbert
          New Member
          • May 2008
          • 15
          • 3.6.x

          #64
          From what has been said so far this hack apparently uses a plugin to do its mischief. Could vBulletin issue a patch that would add userid, username and date fields to the plugin table and modify the queries to record any new plugins created or edits to existing plugins? None of the new fields would need to show on the plugin page but you could at least go through the plugin table with phpMyAdmin and find the problem. Maybe even create a patch later that could seek out and fix the problem.


          • Astyanax
            Senior Member
            • Dec 2009
            • 423
            • 4.2.X

            #65
            I have deleted the install folder but it was after my site was hacked. Now what?
            AMD Forum


            • Pony
              New Member
              • Sep 2012
              • 18

              #66
              I'd been out of town, and other admins hadn't done the recommendation (remove the install directory), so I found we'd been hacked today. Went through all the steps detailed in previous posts (only one additional admin, no other users). This person tried to run a plugin, which appears to only have tried to rewrite the ajax.php file, and then deleted the plugin. Doesn't look like they touched anything else; no other modified files that I've been able to find (looking at modified dates). The ajax.php file was completely boned, I'm attaching it in case it can be of assistance. Replaced with a backup, everything seems OK. (Attachment: ajax.txt)


              • tim.liton
                Member
                • Dec 2012
                • 82

                #67
                If it was hacked once, it can be hacked always if the tunnel is not closed!

                vBulletin support, how can we fix this issue?


                • WildWayz
                  Senior Member
                  • May 2000
                  • 587
                  • 3.6.x

                  #68
                  Originally posted by djsteve007
                  Looks like I got hit with a similar exploit - they did not deface my site like the OP's, not yet anyway. They did find a way to add about 10 new users, all with the same username (Th3H4ck) and all with admin privs.

                  I would not have known about this vulnerability, or the active exploit, if they had not .. maybe I should not post what triggered my knowledge of this.

                  I would have liked to receive an email about this exploit. Now going to 302 redirect to my buddypress install. Hope my host has backup database and files from 5 days ago. Fingers crossed.

                  vBulletin 4.2.1 running, and had new member moderation turned on -

                  What I wonder is how they were able to run SQL insert commands from /forums/core/install/upgrade.php when I do not even have a /core/ or /core/install/ folder on this server.

                  Will we get an email if the exploit fix is found?

                  Both sites I run were hit by this 'account' - neither had anything done apart from registering an Administrator called "Th3H4ck". Looks like they do a mass script to register the account, then access it later to cause problems? Either way, both accounts had the user Th3H4ck and no changes other than that, so I've removed the /install folders. This is 4.2.1.


                  • General Lee
                    Member
                    • Aug 2009
                    • 86
                    • 3.7.x

                    #69
                    My site was hacked last night. I'm running 4.2.1 and I did have the install directory in place.

                    The hacker "mast3r" made an admin account and installed some plugin titled "vbulletin"

                    The plugin takes over the "subscription.php" template with some type of user interface the hacker uses to access and edit all the files and such.
                    Ball Python Forum l Cottonmouth Snake l Reptile Husbandry


                    • Jamsoft
                      Member
                      • Jun 2011
                      • 71

                      #70
                      Originally posted by Reignman

                      Yes, that was a big mistake. I don't know why the CP message didn't include this "added admins" warning.

                      By the way, are you sure that these messages were deleted by this hacker called "abdou"?

                      I don't know who "abdou" is, but this guy apparently has a script crawling the web looking for sites with the exploit and creating accounts. Later on (a few days, sometimes), someone (or another bot) comes back and tries to do more. My admincp is locked down by IP and with a password, so I escaped with only some deleted records (and I have daily backups) that I had to restore.


                      • Zachery
                        Former vBulletin Support
                        • Jul 2002
                        • 59097

                        #71
                        Please read the following two blog posts:

                        This guide is for what to do after you've been hacked, exploited, and/or defaced. Step 1, Change everything: If you believe, or think your site has

                        Getting Started: This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide

                        Also please see these recent security announcements:

                        vBulletin 4.1.x-4.2.x & all versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
                        vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions


                        • rburns
                          Member
                          • Mar 2002
                          • 91
                          • 3.6.x

                          #72
                          I was hacked too, but I found so much that they had added!

                          Most important: as soon as you are in using the normal method, do not re-enter your password anywhere; go straight to your user page and change it.

                          Before all, delete the install folder!!!!

                          Then:

                          1. Check the admin accounts.
                          2. If there are unusual admins, then check your permissions; you need to change them all to yes again, and change the hacker(s) to no.
                          3. Ban the hacker.
                          4. Check Admin Logs. Look at the user list; if you see lots of spaces before the first username (which may be the hacker's), they have changed things, then deleted the user. Click on each one and write down what scripts they have edited. You'll probably find it's nearly all of them. (This is how they don't show up unless you select them.)
                          5. Check your plugins for init_startup & ajax_complete, and delete them.
                          6. Search your templates for the words "Biz" and "derpina", and if you don't use iframes, do a search for "iframe" too; delete all references.
                          7. Check all your headers for scripts at the bottom of their code; I found a long one there.
                          8. Go to Advert Manager and check all adverts & coding; I found one there (it was checked to only show if not an admin, so I wouldn't see it!).
                          9. Check that all your custom BB codes are OK.
                          10. Search users' signatures for code.

                          IP addresses that were used (add them to the banned list!):
                          95.211.10.3
                          71.64.124.240
                          80.46.173.224
                          24.93.174.137
                          4.247.80.228
                          81.31.96.176
                          81.137.3.125
                          199.19.94.179
                          72.73.225.101
                          63.255.222.11
                          98.110.89.122
                          65.94.217.225
                          65.93.219.195
                          130.63.229.181
                          81.178.229.11
                          81.178.242.65
                          37.24.146.52
                          178.73.207.151
                          118.96.174.234
                          41.99.103.211

                          Hope this helps, took me about 3 hours on a small (3000 member) forum!
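
The plugin audit trail proposed in post #64 and the plugin and template checks in the list above, as an added example that is not from this thread and not vBulletin code: a Python/SQLite stand-in for vBulletin's plugin and template tables (column names follow vBulletin's schema; the audit_context and plugin_audit tables, the two triggers and every sample row are constructed for this example). The triggers record who inserted or updated each plugin, scan_plugins flags plugins on the init_startup and ajax_complete hooks, and scan_templates flags templates containing the strings named above, skipping the iframe check when the forum legitimately uses iframes.

```python
import sqlite3

# Hook names this thread says the injected plugins were attached to.
SUSPICIOUS_HOOKS = {"init_startup", "ajax_complete"}
# Strings this thread says turned up in injected templates. An iframe is only
# a signal on a forum that does not use iframes itself.
SUSPICIOUS_TEMPLATE_MARKERS = ("Biz", "derpina", "<iframe", "<script")

# Stand-in for vBulletin's plugin and template tables (column names follow
# vBulletin). audit_context, plugin_audit and the triggers are constructed for
# this example: they give the plugin table the who/when trail post #64 asks for.
SCHEMA = """
CREATE TABLE plugin (
    pluginid INTEGER PRIMARY KEY, title TEXT, hookname TEXT,
    phpcode TEXT, product TEXT, active INTEGER
);
CREATE TABLE template (
    templateid INTEGER PRIMARY KEY, styleid INTEGER, title TEXT,
    template TEXT, username TEXT, dateline INTEGER
);
CREATE TABLE audit_context (actor TEXT);
CREATE TABLE plugin_audit (
    auditid INTEGER PRIMARY KEY, pluginid INTEGER, action TEXT,
    hookname TEXT, changed_by TEXT, dateline INTEGER
);
CREATE TRIGGER plugin_insert_audit AFTER INSERT ON plugin BEGIN
    INSERT INTO plugin_audit (pluginid, action, hookname, changed_by, dateline)
    VALUES (NEW.pluginid, 'insert', NEW.hookname,
            (SELECT actor FROM audit_context), strftime('%s', 'now'));
END;
CREATE TRIGGER plugin_update_audit AFTER UPDATE ON plugin BEGIN
    INSERT INTO plugin_audit (pluginid, action, hookname, changed_by, dateline)
    VALUES (NEW.pluginid, 'update', NEW.hookname,
            (SELECT actor FROM audit_context), strftime('%s', 'now'));
END;
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def set_actor(con, username):
    """Record who is about to make changes; the triggers copy it into the audit row.
    SQLite has no session variables, hence the one-row table; MySQL would use a
    session variable or CURRENT_USER() instead (assumption, not vBulletin code)."""
    con.execute("DELETE FROM audit_context")
    con.execute("INSERT INTO audit_context (actor) VALUES (?)", (username,))


def scan_plugins(con):
    """Return (pluginid, title, hookname) for plugins on the hooks named in the thread."""
    rows = con.execute("SELECT pluginid, title, hookname FROM plugin")
    return [row for row in rows if row[2] in SUSPICIOUS_HOOKS]


def scan_templates(con, forum_uses_iframes=False):
    """Return (templateid, title, last_editor, markers_found) for templates with any marker."""
    markers = [m for m in SUSPICIOUS_TEMPLATE_MARKERS
               if not (m == "<iframe" and forum_uses_iframes)]
    findings = []
    query = "SELECT templateid, title, template, username FROM template"
    for tid, title, body, editor in con.execute(query):
        hits = [m for m in markers if m.lower() in body.lower()]
        if hits:
            findings.append((tid, title, editor, hits))
    return findings


def plugin_history(con):
    """Who changed which plugin, in order: the trail post #64 wants to be able to read."""
    return con.execute("SELECT pluginid, action, hookname, changed_by "
                       "FROM plugin_audit ORDER BY auditid").fetchall()


def demo():
    """Load constructed sample rows (a clean state, then a rogue admin's changes) and scan."""
    con = open_db()
    set_actor(con, "forumowner")
    con.execute("INSERT INTO plugin (title, hookname, phpcode, product, active) VALUES (?, ?, ?, ?, ?)",
                ("Sitemap helper", "global_start", "/* legitimate add-on code */", "sitemap", 1))
    con.execute("INSERT INTO template (styleid, title, template, username, dateline) VALUES (?, ?, ?, ?, ?)",
                (1, "header", '<div id="header">Forum header</div>', "forumowner", 1300000000))
    # Rogue admin (username reported in post #69) adds a plugin and edits a template.
    set_actor(con, "mast3r")
    con.execute("INSERT INTO plugin (title, hookname, phpcode, product, active) VALUES (?, ?, ?, ?, ?)",
                ("vbulletin", "init_startup", "/* constructed placeholder for injected code */", "vbulletin", 1))
    con.execute("INSERT INTO template (styleid, title, template, username, dateline) VALUES (?, ?, ?, ?, ?)",
                (2, "header",
                 '<div id="header"></div><iframe src="http://example.invalid/" width="0"></iframe><!-- derpina -->',
                 "mast3r", 1380000000))
    return {"plugins": scan_plugins(con),
            "templates": scan_templates(con),
            "history": plugin_history(con)}


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key)
        for row in rows:
            print("  ", row)
```

On a live forum the two scans are plain SQL against the real database (for example `SELECT pluginid, title, hookname FROM plugin WHERE hookname IN ('init_startup', 'ajax_complete')`), and the template table's username and dateline columns are the "Edited by" information earlier posts used to spot the rogue accounts. Whatever the scan flags should be compared with the list of add-ons you installed yourself before anything is deleted.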


                          • Ambro
                            New Member
                            • May 2013
                            • 8
                            • 5.0.X

                            #73
                            For those of you who are getting hacked AFTER removing your install directory, this is because the attacker has installed a persistent backdoor, usually a PHP modification done to one of the core vBulletin files or, in some cases, in the form of a plugin.

                            Step one would be to secure your admincp and modcp folders with .htaccess. This should be the first step in your journey. Also read up on making the admin account (the owner of the forums) undeletable / uneditable via the conf file.

                            After you've done this, log in to your AdminCP and go to Maintenance -> Diagnostics -> Suspect File Versions.

                            Run this and look for files which say "File not recognized as part of vBulletin". If you see something that's not part of an addon or modification you've personally applied to your forums, it's safe to assume it's malicious and doesn't belong. My advice at this point would be to re-upload and replace any files which are not recognized by vBulletin. Once you've been able to rid yourself of the backdoor, you should be in the clear.

                            If you've completed the above steps and are STILL being hacked, make a backup of your database, pictures, thumbnails, themes, etc. and reinstall from a fresh source base. While this may be tedious, it assures that you're replacing any backdoored script.

                            PLEASE MAKE SURE to delete your install directory AFTER installation, or read up on my post on page 4 about setting up a honeypot for logging IPs of people who visit install/upgrade.php.
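
The "Suspect File Versions" check described above, done outside the forum so that a backdoored copy of vBulletin cannot lie about itself, as an added example that is not from this thread and not vBulletin's own diagnostic: it hashes a pristine unpack of the same version into a manifest, then compares the live web root against it and reports rewritten shipped files, files vBulletin never shipped (the diagnostic's "File not recognized" case), missing files, and whether install/ is still present. The file names and contents in demo() are constructed stand-ins, not real vBulletin sources.

```python
import hashlib
import tempfile
from pathlib import Path

# install/ is left out of the manifest because a live forum should not have it;
# its presence is reported as its own finding instead.
MANIFEST_SKIP = ("install/",)


def sha256_of(path):
    """Hash one file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip=MANIFEST_SKIP):
    """Map relative path -> SHA-256 for every file under root, except skipped prefixes.
    Run this against a clean unpack of the same vBulletin version for the reference."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(skip):
            continue
        manifest[rel] = sha256_of(p)
    return manifest


def audit_tree(live_root, manifest):
    """Compare a live web root against the reference manifest."""
    live_root = Path(live_root)
    seen = build_manifest(live_root)
    return {
        # same path, different hash: a shipped file that has been rewritten
        "modified": sorted(p for p in seen if p in manifest and seen[p] != manifest[p]),
        # present live but absent from the reference: what the AdminCP diagnostic
        # reports as "File not recognized as part of vBulletin"
        "unrecognized": sorted(p for p in seen if p not in manifest),
        # in the reference but gone from the live tree
        "missing": sorted(p for p in manifest if p not in seen),
        # the thread's first rule: install/ must not exist on a live forum
        "install_dir_present": (live_root / "install").is_dir(),
    }


def demo():
    """Build a constructed clean tree and a tampered live copy, then audit the copy."""
    files = {
        "ajax.php": "<?php // constructed stand-in for the shipped ajax.php\n",
        "index.php": "<?php // constructed stand-in for index.php\n",
        "includes/class_core.php": "<?php // constructed stand-in for class_core.php\n",
        "install/upgrade.php": "<?php // constructed stand-in for the upgrader\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for base in (clean, live):
            for rel, body in files.items():
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        manifest = build_manifest(clean)
        # Reproduce what earlier posts describe: ajax.php rewritten, an extra
        # file dropped into the tree, install/ never removed (all constructed).
        (live / "ajax.php").write_text("<?php // constructed placeholder for tampered content\n")
        (live / "images").mkdir()
        (live / "images" / "x.php").write_text("<?php // constructed placeholder, not shipped by vBulletin\n")
        return audit_tree(live, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Build the manifest from an archive downloaded from the vendor, not from the live server, and keep it off the web root; anything in "unrecognized" that is not an add-on you installed yourself is what the post above says to replace from clean sources. Files you legitimately modified will show up under "modified", so keep your own change list to compare against.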


                            • tpearl5
                              Senior Member
                              • Jul 2001
                              • 547
                              • 4.2.X

                              #74
                              Just found a user on my site that was set as an admin and installed a backdoor: "smith123456"

                              Capture more registrations - Advanced Guest Posting & Registration
                              Cell Phone Forums | Nikonites


                              • Phat Phreddy
                                New Member
                                • Apr 2013
                                • 22
                                • 4.2.X

                                #75
                                Originally posted by Zachery

                                We've advised customers to remove the install folder, that is our response. Once you remove it the exploit vector is gone.

                                In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Over time the system changed, which allowed an issue to crop back up.

                                I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..

