3.5.8 Hacked

  • hype901
    Senior Member
    • Mar 2004
    • 105

    3.5.8 Hacked

    My forum running vBulletin 3.5.8 just got hacked early this morning. So far I have noticed the password changed on my admin account and the index.php for the /vb directory completely defaced, but only for one of the four themes we use.
  • FreshFroot_
    Senior Member
    • Jul 2005
    • 1420
    • 3.8.x

    #2
    Turn off ALL your plugins 1stly.. replace the index file.. use the Do_not_upload folder and use the file in there to regain admin access.

    My guess is one of your hacks was used to break into your system... also which skin did they deface?

    Comment

    • Steve Machol
      Former Customer Support Manager
      • Jul 2000
      • 154488

      #3
      Please see this thread on how to make your vBulletin more secure:



      If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
      Change CKEditor Colors to Match Style (for 4.1.4 and above)

      Steve Machol Photography


      Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


      Comment

      • hype901
        Senior Member
        • Mar 2004
        • 105

        #4
        The hackers said it is a SQL injection vulnerability in vBulletin 3.5.8 - they have now hacked the site on 4 different occasions in the past 2 weeks. Any ideas? Is there something out for 3.5.8 that I am not aware of?

        I can't go to 3.6.x because the mySQL on my system isn't new enough.

        Comment

        • peterska2
          Senior Member
          • Oct 2003
          • 8869
          • 3.7.x

          #5
          There are no known issues with 3.5.8

          As Steve has said, the most likely cause is that someone is accessing your server. However, if there are any particular concerns with regard to vBulletin, feel free to submit a support ticket with all the details.

          Finally, go to AdminCP > Maintenance > Diagnostics > Suspect file versions and remove any files that you do not recognize. If any vBulletin files are reported back, overwrite them with the files for 3.5.8 from a fresh download from the members area.

          Comment
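The check described in post #5 (find files you do not recognize, then overwrite altered ones from a fresh download) can also be run outside the AdminCP. This is an added example, not part of the thread and not vBulletin's own code; it assumes a fresh copy of the exact installed version has been unpacked next to the live tree, and every file name in the demo is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def audit(deployed, reference, ignore=()):
    """Compare the live tree with a fresh download.
    modified: in both trees, content differs -> overwrite from the download
    unknown:  only in the live tree          -> review, remove if unrecognized
    missing:  only in the download           -> restore
    ignore:   path prefixes expected to differ (site config, upload dirs)"""
    dep, ref = tree_hashes(deployed), tree_hashes(reference)
    report = {"modified": [], "unknown": [], "missing": []}
    for rel in sorted(dep):
        if any(rel.startswith(prefix) for prefix in ignore):
            continue
        if rel not in ref:
            report["unknown"].append(rel)
        elif ref[rel] != dep[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(ref) - set(dep))
    return report

def demo():
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, dep = Path(tmp, "fresh"), Path(tmp, "live")
        for root in (ref, dep):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock index\n")
            (root / "includes" / "functions.php").write_text("<?php // stock\n")
        (dep / "index.php").write_text("<?php // defaced\n")          # altered file
        (dep / "includes" / "x.php").write_text("<?php // extra\n")   # not in release
        (dep / "includes" / "functions.php").unlink()                 # deleted file
        return audit(dep, ref)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the comparison from a machine other than the affected server where possible, so the tooling doing the check is not itself one of the altered files. Upload and attachment directories will show up as unknown and need manual review or an `ignore` prefix.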

          • Floris
            Senior Member
            • Dec 2001
            • 37767

            #6
            Apparently the hacker has no problem telling you how leet he is. Feel free to ask him to actually provide evidence that he has exploited vb 3.5.8 with what code, so we can see if it is due to an addon to vBulletin, or if you allowed HTML in posts, etc. Or if he has access to a 0day unreleased exploit we've yet to have heard of. (or if he is just bs you)

            Comment

            • goha
              Senior Member
              • Mar 2004
              • 308

              #7
              I have the same problem. 3.5.4 patched to 3.5.8
              looks like mysql injection, they changed title of the subforum, added iframe, pointed to trojan loader.
              Also they unban some banned users..
              GoHa.Ru

              Comment

              • goha
                Senior Member
                • Mar 2004
                • 308

                #8
                GoHa.Ru

                Comment

                • RattleSnake
                  Banned
                  • Jun 2005
                  • 419
                  • 3.6.x

                  #9
                  Just a recommendation, not very helpful, but I hope you get your forum back, and when you do, upgrade to 3.6.7 PLC1

                  Comment

                  • goha
                    Senior Member
                    • Mar 2004
                    • 308

                    #10
                    What means "PLC-1"?
                    If I am upgrading from an earlier version - which installation should I use? Just the latest?
                    GoHa.Ru

                    Comment

                    • Floris
                      Senior Member
                      • Dec 2001
                      • 37767

                      #11
                      Patching older forums to 3.5.8 without upgrading could mean not every security issue is patched. Also, the exploit you describe sounds like an older one from a plugin added to vBulletin that got exploited sometimes.

                      The securityfocus listing has a handful of fake reports, invalid reports, retired reports and the few reports out there have all been fixed. The latest stables don't have these issues.

                      Comment

                      • Floris
                        Senior Member
                        • Dec 2001
                        • 37767

                        #12
                        3.6.7pl1 is the latest stable
                        pl1 = patch level 1
                        and has all current patches from all known security issues applied.

                        Comment

                        • RattleSnake
                          Banned
                          • Jun 2005
                          • 419
                          • 3.6.x

                          #13
                          Originally posted by goha
                          What means "PLC-1"?
                          If I am upgrading from an earlier version - which installation should I use? Just the latest?

                          Whenever upgrading, always upgrade to the latest version. Whether it's PLC-1 or PLC-1000000

                          Comment

                          • goha
                            Senior Member
                            • Mar 2004
                            • 308

                            #14
                            Originally posted by Floris
                            Also, the exploit you describe sounds like an older one from a plugin added to vBulletin that got exploited sometimes.
                            Could you please tell me what plugin you mean? If you won't publish it here, could you please send me a PM with the plugin name? If I have it - I'll remove it.
                            GoHa.Ru

                            Comment

                            • Floris
                              Senior Member
                              • Dec 2001
                              • 37767

                              #15
                              I am not up to date on which version of what plugin. But I've seen plugins like arcade, vbadvanced, vbbux/vbplaza, flashchat, etc with known exploits.

                              Comment
