jforjustice.co.uk/banksters - Hacked

  • cobradude
    Senior Member
    • Mar 2001
    • 147

    #16
    dlloyd, thank you, but I'm a little slow at this point. I added the code to a php file and executed it, but I get no output. I'm certain I am missing something, but hoping you can give me a little more guidance. Thanks for the help.

    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 73976

      #17
      Originally posted by cobradude
      I was hit by this too. What should the "salt" field be? Mine was "lol" and it isn't friggin funny. What a bunch of A-holes there are out there!

      It should be a 30 digit random string of characters that is generated on user registration. There is no way to restore the salt if it is changed directly in the database and no way to change it within the vBulletin software.

      You would have to enter a new 30 digit random string into the field and then run this query to regain access to your account:

      UPDATE user SET password = MD5(CONCAT(MD5('new-password'), salt)) WHERE userid = 1

      Replace new-password with the password you want and 1 with your userid.

      If you use a prefix defined in your config.php file, you will need to add that to user.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API
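
The reset described in #17, as an added example (not part of the thread and not vBulletin code): it generates the 30-character salt and computes the hash offline, so the plaintext password is never typed into a SQL client. The function names and the letters-and-digits salt alphabet are assumptions made for this sketch.

```python
import hashlib
import re
import secrets
import string

SALT_LEN = 30  # length given in the post above
# Assumption: letters and digits only, so the salt never needs SQL escaping.
SALT_ALPHABET = string.ascii_letters + string.digits


def new_salt(length=SALT_LEN):
    """Return a random salt drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def vb_hash(password, salt):
    """Compute MD5(CONCAT(MD5(password), salt)), as in the query above.

    Assumption: the password is hashed as UTF-8 bytes; for ASCII passwords
    this matches what MySQL computes regardless of connection charset.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def reset_statement(userid, password, salt=None, table="user"):
    """Build one UPDATE that sets the salt and the password hash together.

    Only the hash appears in the statement, so the plaintext stays out of
    the database query log and the SQL client's history file.
    Pass table="<prefix>user" if config.php defines a table prefix.
    """
    if not isinstance(userid, int) or userid < 1:
        raise ValueError("userid must be a positive integer")
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):
        raise ValueError("unexpected characters in table name")
    salt = new_salt() if salt is None else salt
    if len(salt) != SALT_LEN or set(salt) - set(SALT_ALPHABET):
        raise ValueError("salt must be %d letters or digits" % SALT_LEN)
    return "UPDATE %s SET salt = '%s', password = '%s' WHERE userid = %d;" % (
        table, salt, vb_hash(password, salt), userid)


if __name__ == "__main__":
    # Constructed sample values; substitute your own userid and password.
    print(reset_statement(1, "new-password"))
```

A salt such as the three-character "lol" reported earlier in the thread is rejected by the length check, which makes the same function usable as a quick sanity test on salts read back from the user table.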

      • cobradude
        Senior Member
        • Mar 2001
        • 147

        #18
        Thanks for the help.

        By the way, I got everything fixed up, but they struck again today. This time inserting a java script to redirect into all the postparsed table. Any ideas for how they would be doing this?

        • dlloyd
          New Member
          • Jul 2008
          • 3

          #19
          Originally posted by cobradude
          Thanks for the help.

          By the way, I got everything fixed up, but they struck again today. This time inserting a java script to redirect into all the postparsed table. Any ideas for how they would be doing this?

          You can empty the postparsed table, it will re-generate.

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73976

            #20
            Or rebuild it under Maintenance -> General Update Tools (4.1.10+) / Update Counters (older versions).

            • Danny M
              Member
              • May 2010
              • 58

              #21
              They also got my forum with this jforjustice re-direct.

              • Kesha
                New Member
                • May 2010
                • 17
                • 4.2.X

                #22
                Whoever made the rounds got a forum that is completely unrelated to me, which is why I even checked into it and found this whole thread. Initially, I thought that it might've been a targeted attack until I did some research into it. There are all sorts of forums out there right now that have members receiving this email and posting in their respective site's feedback/support/assistance forum.

                • rootnik
                  Senior Member
                  • Nov 2001
                  • 110

                  #23
                  I'm going through the exact same thing right now. You might want to check your email logs, because in my case not only did I get a redirect but they somehow used the vbulletin mailer to spam their message. I'll probably lose my Amazon SES account because of it.

                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73976

                    #24
                    Originally posted by rootnik
                    I'm going through the exact same thing right now. You might want to check your email logs, because in my case not only did I get a redirect but they somehow used the vbulletin mailer to spam their message. I'll probably lose my Amazon SES account because of it.

                    If someone gains access to your Admin CP or puts a mailer script on your server that includes the vBulletin engine, then they can use the mailer. Should be log entries of any emails that go out through the Admin CP. Though if you give your main admin account permission to delete logs, well then they can be deleted.

                    • rootnik
                      Senior Member
                      • Nov 2001
                      • 110

                      #25
                      Originally posted by Wayne Luke
                      If someone gains access to your Admin CP or puts a mailer script on your server that includes the vBulletin engine, then they can use the mailer. Should be log entries of any emails that go out through the Admin CP. Though if you give your main admin account permission to delete logs, well then they can be deleted.

                      Wow, thanks! That helped a lot!

                      edit: to clarify, I was able to see the account that was compromised and that the emails were sent through the admincp.

                      There is still the question of how the account was hacked in the first place. The admin whose account was breached says he had a ridiculous password with random caps/numbers, and I take his word for it. Searching google, only vbulletin boards are getting hit with this. There has to be an exploit somewhere, whether it be in a 3rd party plugin or vbulletin itself that is giving these guys access to admin accounts.

                      I have vbseo, vboptimise, Yet Another Awards System, and Warning to users awaiting email confirmation products installed.
                      Last edited by rootnik; Wed 21 Mar '12, 1:42pm.

                      • Danny M
                        Member
                        • May 2010
                        • 58

                        #26
                        Originally posted by rootnik
                        Wow, thanks! That helped a lot!

                        edit: to clarify, I was able to see the account that was compromised and that the emails were sent through the admincp.

                        There is still the question of how the account was hacked in the first place. The admin whose account was breached says he had a ridiculous password with random caps/numbers, and I take his word for it. Searching google, only vbulletin boards are getting hit with this. There has to be an exploit somewhere, whether it be in a 3rd party plugin or vbulletin itself that is giving these guys access to admin accounts.

                        I have vbseo, vboptimise, Yet Another Awards System, and Warning to users awaiting email confirmation products installed.

                        I got hacked and I had an extremely powerful password.

                        I also use the vBSEO and Awards plugins the same as you, maybe it is something to do with the awards plugin? Because I can't see vBSEO being the problem.

                        I was also using the latest version of vBulletin, I am not sure if you were?

                        • Wayne Luke
                          vBulletin Technical Support Lead
                          • Aug 2000
                          • 73976

                          #27
                          Originally posted by Danny M
                          I also use the vBSEO and Awards plugins the same as you, maybe it is something to do with the awards plugin? Because I can't see vBSEO being the problem.

                          vBSEO had a security exploit earlier this year. It involved a file on their server that would insert a malicious plugin into vBulletin every time you accessed their control panel. See:

                          • rootnik
                            Senior Member
                            • Nov 2001
                            • 110

                            #28
                            VBSEO has been exploited 2 times that I know of. A couple of years ago we were hacked because of a VBSEO exploit that injected a URL redirect that downloaded malware to visitors' computers. Feedback from others who are affected, to see if they are running VBSEO, would be helpful.

                            I didn't know about the exploit that Wayne linked to below, so I wasn't updated with the patch. I am now, after the fact.

                            I was running vbulletin 4.1.8 when we got attacked, I'm up to date there now as well.

                            Thanks for the response, and thank you Wayne for helping us troubleshoot.

                            Originally posted by Danny M
                            I got hacked and I had an extremely powerful password.

                            I also use the vBSEO and Awards plugins the same as you, maybe it is something to do with the awards plugin? Because I can't see vBSEO being the problem.

                            I was also using the latest version of vBulletin, I am not sure if you were?
                            Last edited by rootnik; Wed 21 Mar '12, 4:31pm.

                            • cobradude
                              Senior Member
                              • Mar 2001
                              • 147

                              #29
                              So, the first time I was hacked, they gained access to admincp, they inserted a plug in, as well as sent mail to my users. A holes! I locked down the ability to execute to a particular IP, changed all passwords, and they came back, but this time, they just hit the postparsed table and injected their bit of java to redirect every link.

                              Any additional ideas on how to lock this down? I have vbseo and other plugins. This spans latest 4 and 3.8 boards I run.

                              • Tim Mousel
                                Senior Member
                                • May 2000
                                • 281
                                • 5.0.0

                                #30
                                I also had an older version of VBSEO.
                                Five Star Review Script - Add reviews to your website!
                                Mixed Martial Arts - Houston MMA Training
                                Women's Self-Defense - Courses and DVDs available
