exploit? forcefully resetting password issue.

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 2
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
  • mentalrz
    Senior Member
    • Sep 2004
    • 538
    • 1.1.x
    #1

    [Forum] exploit? forcefully resetting password issue.

    Hi

    I cannot 100% pinpoint the location or the method but I had an email saying I requested to reset my password then i had another saying it was successfully changed despite not clicking it. I checked my mail history and its not been accessed since it requires mobile access to login. Now, I checked the logs for the IP and found the following;

    Code:
    root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep 91.236.116.142


91.236.116.142 - - [21/Jan/2013:17:13:46 +0000] "GET / HTTP/1.1" 200 11488 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:22 +0000] "GET /register.php HTTP/1.1" 200 10000 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:28 +0000] "GET /clientscript/vbulletin_css/style00115l/register.css?d=1358021545 HTTP/1.1" 200 338 "http://forum.domain.com/register.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:34 +0000] "GET /login.php HTTP/1.1" 303 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:39 +0000] "GET /index.php HTTP/1.1" 200 11494 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:45 +0000] "GET /f71/ HTTP/1.1" 200 13247 "http://forum.domain.com/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/ HTTP/1.1" 200 12843 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/loginButton.gif HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/footerLogo.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:51 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style/logo_blue.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:14:59 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:15:07 +0000] "POST /login.php?do=login HTTP/1.1" 200 6594 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:15:12 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6619 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:30:02 +0000] "GET /usercp.php HTTP/1.1" 200 6782 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:30:04 +0000] "GET /cron.php?rand=1358789402 HTTP/1.1" 200 43 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:30:37 +0000] "POST /login.php?do=login HTTP/1.1" 200 2365 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:30:41 +0000] "GET /usercp.php HTTP/1.1" 200 6868 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:31:01 +0000] "GET / HTTP/1.1" 200 6398 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:32:39 +0000] "GET / HTTP/1.1" 200 11489 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:32:49 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:33:06 +0000] "POST /login.php?do=login HTTP/1.1" 200 6244 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:33:14 +0000] "GET / HTTP/1.1" 200 11488 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:33:08 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6618 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 623 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/2013:17:34:24 +0000] "POST /login.php?do=emailpassword HTTP/1.1" 200 2403 "http://forum.domain.com/login.php?do=lostpw" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /login.php?do=login HTTP/1.1" 303 26 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /index.php HTTP/1.1" 200 11494 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 665 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 659 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/2013:17:36:18 +0000] "GET /login.php?do=resetpassword&u=1&i=8e3849c72ee420c426fea00f50947f226aabf1f6 HTTP/1.1" 200 6381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 667 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 648 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    What I find interesting is the browser identity string. Most are normal but some contain no valid header so it appears to be some sort of script coming from arcade.php? But no injection code is actually being displayed. What do you suggest?

    Regards.
    Tags: None
    • borbole
      Senior Member
      • Feb 2010
      • 3074
      • 4.0.0
      #2
      What version of vb are you using?

        Comment

        • mentalrz
          Senior Member
          • Sep 2004
          • 538
          • 1.1.x
          #3
          4.1.12 manually patched w/ security fixes.

            Comment

            • ZeroHour
              Senior Member
              • Sep 2007
              • 167
              #4
              It looks like something to do with arcade.php.
              The user appears to create an account which allows them to probe arcade.php.
              I suspect
              Code:
              [COLOR=#333333]"GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"[/COLOR]

              is a tool that is using the new accounts login credentials to expliot something in that function probably allowing them to retrieve the reset password auth key.
              I would pull arcade.php for now though until you can check that function.

                Comment

                • mentalrz
                  Senior Member
                  • Sep 2004
                  • 538
                  • 1.1.x
                  #5
                  first thing i did was pull arcade.php.

                    Comment

                    • Mark.B
                      vBulletin Support
                      • Feb 2004
                      • 24288
                      • 6.0.X
                      #6
                      yes...pnFStoreScore is connected with sending scores for pnFlash games, but I seem to recall there was an exploit surrounding it that was patched last year.

                      Make sure the arcade is fully up to date.

                      For further help with that aspect, www.vbulletin.org can assist.
                      MARK.B
                      vBulletin Support
                      ------------
                      My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                      My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

                        Comment

                        • mentalrz
                          Senior Member
                          • Sep 2004
                          • 538
                          • 1.1.x
                          #7
                          i was the one who reported the exploit for the addon last year. This is a different one.

                            Comment

                            • topladz
                              Member
                              • Aug 2010
                              • 32
                              #8
                              would this be an issue with this mod to v3 Arcade - Professional vBulletin Gaming (vB4) as i get the same message e.g unathurised access

                                Comment

                                • mentalrz
                                  Senior Member
                                  • Sep 2004
                                  • 538
                                  • 1.1.x
                                  #9
                                  Originally posted by topladz
                                  would this be an issue with this mod to v3 Arcade - Professional vBulletin Gaming (vB4) as i get the same message e.g unathurised access
                                  What? No...

                                    Comment

                                    • ZeroHour
                                      Senior Member
                                      • Sep 2007
                                      • 167
                                      #10
                                      There is probably another sql exploit allowing them to retrieve the reset id.

                                        Comment

                                        • MrZeropage
                                          New Member
                                          • Jan 2003
                                          • 11
                                          • 3.6.x
                                          #11
                                          by now I don't see how this should be related to arcade.php but if there is any information, just let me know and I will fix it (developer of ibProArcade).

                                          I just see that there are different browser-identifications, Mozilla for arcade.php and Chrome/Safari for usercp.php
                                          Developer of ibProarcade for vBulletin (professional Arcade System for your vBulletin)

                                            Comment

                                            • mentalrz
                                              Senior Member
                                              • Sep 2004
                                              • 538
                                              • 1.1.x
                                              #12
                                              Originally posted by MrZeropage
                                              by now I don't see how this should be related to arcade.php but if there is any information, just let me know and I will fix it (developer of ibProArcade).

                                              I just see that there are different browser-identifications, Mozilla for arcade.php and Chrome/Safari for usercp.php
                                              Upon removing arcade.php the password resetting had stopped. The person continued to try and access that specific url. The person is clearly running some sort of script. The fact he is using linux / chrome and then upon directly accessing the URL his browser string would lead me to believe it was some command line based script (hence why no header strings are being sent). Plus your last 0day exploit that was going around giving out MD5 of any user account I reported and turned out I was correct on that too.

                                                Comment

                                                • ZeroHour
                                                  Senior Member
                                                  • Sep 2007
                                                  • 167
                                                  #13
                                                  Originally posted by MrZeropage
                                                  by now I don't see how this should be related to arcade.php but if there is any information, just let me know and I will fix it (developer of ibProArcade).

                                                  I just see that there are different browser-identifications, Mozilla for arcade.php and Chrome/Safari for usercp.php
                                                  The tag for a software probe could easily be anything the person wants. The fact its missing details means its faked and they have been able to probe via the newly created user account (probably).

                                                    Comment

                                                    • mentalrz
                                                      Senior Member
                                                      • Sep 2004
                                                      • 538
                                                      • 1.1.x
                                                      #14
                                                      Still no issues since removing arcade.php.

                                                        Comment

                                                        • hipster
                                                          Senior Member
                                                          • Oct 2009
                                                          • 116
                                                          • 4.2.X
                                                          #15
                                                          I tried to duplicate this
                                                          and the only way to get a message like this
                                                          is to try and save a score with a second window openand try to save it again ..

                                                          But Never seens anything about reseting passwords..

                                                          from your log it looks like they tried to save score and then logged them out

                                                          I have this arcade running on 95 % of my Clients
                                                          they all run vb with the lastest creation from MrZeropage
                                                          and the logs are checked every day
                                                          and never seen this one

                                                          If there is a issue MrZeroPage will fix it up..
                                                          Back up back up Back up, thats all the advice I can give.

                                                            Comment

                                                            Previous 1 2 template Next
                                                            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                                            Working...