Hacked Board?

  • chimaira
    Member
    • Feb 2005
    • 60
    • 3.6.x

    Hacked Board?

    Hey guys, visited my board today to be alerted by a thread about my board getting hacked? It's running vB 3.6.0...
    The posts are as follows:

    Code:
     Degeniz Team hacked the message board via redirection to an image on their site, and it showed a penguin with the turkey Flag symbol, and a map with Turkey on it. Apparently they're a hacker site, with a message board and applications to go along with it.
    and various other posts.. I noticed a member called Degeniz team registered, which is now banned... rumour has it they have hacked and disabled a few other boards in their time.. I've no idea what to believe, as I wasn't online at the time.

    Is vBulletin easy to exploit and disable.. any precautions other than a backup to take? I appreciate some advice.. thanks

    Anyone heard of dengesizteam team before?
    Last edited by chimaira; Sat 2 Sep '06, 5:41pm.
  • steven s
    Senior Member
    • Jul 2004
    • 3722
    • 3.8.x

    #2
    They have been busy.
    Recently there has been a problem with FlashChat.
    ...steven
    www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
    bmwcca.org/forum | m135i.net
    "I tried to clean this up but this thread is beyond redemption." - Steve Machol

    • chimaira
      Member
      • Feb 2005
      • 60
      • 3.6.x

      #3
      People have been saying "I'm glad the board is back", so I'm guessing it went down for a while... due to them... I'm trying to get as much information as possible as I wasn't online to witness anything.

      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #4
        Note: There are known security holes with at least two plugins that hackers are exploiting right now - Flashchat and TopXStats. I *strongly* recommend you remove at least these plugins if you have them.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
        Change CKEditor Colors to Match Style (for 4.1.4 and above)

        Steve Machol Photography


        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


        • Paul M
          Former Lead Developer
          vB.Com & vB.Org
          • Sep 2004
          • 9886

          #5
          Alternatively, both problems can also be fixed ;





          Baby, I was born this way

          • chimaira
            Member
            • Feb 2005
            • 60
            • 3.6.x

            #6
            Okay, I did the upgrade for top x stats~
            I keep getting users signing up and one made this thread

            Code:
             [B]">"">>>><meta http-equiv="Refresh" content="0;url=http://crzysldr.kayyo.com"> """" >[/B] 
              açıkları kapa
            Do you think they are tempo disabling my board via server side, either via PHP or an SQL injection or even XSS to allow remote execution for vB 3.6.0?

            My board URL is www.chimairaboard.com, just for reference.

            But cheers for the replies guys, hopefully they won't get nowhere now.
            Last edited by chimaira; Sun 3 Sep '06, 4:45am.

            • MaviJean
              Member
              • Mar 2004
              • 42

              #7
              Hi chimaira,

              Did you try to do a "Suspect File Versions" check from:

              "admincp -> Maintenance -> Suspect File Versions"

              For an additional control.

              It seems they are assuming that you still have a security hole and they are trying to use it more than once.

              • chimaira
                Member
                • Feb 2005
                • 60
                • 3.6.x

                #8
                All that is fine, ta.
                Just annoying me as I'm getting a bombardment of Turkish users trying to make threads with this content

                Code:
                 [B]">"">>>><meta http-equiv="Refresh" content="0;url=http://myturqey.com/a.htm"> """" >[/B]
                Can't ban their host/IP as nothing comes up when I do a match
                Last edited by chimaira; Sun 3 Sep '06, 8:29am.

                • basilrath
                  Senior Member
                  • Apr 2006
                  • 344
                  • 4.1.x

                  #9
                  u ain't alone

                  there is a "team hackers" member wandering around

                  it's done five boards I know of through links, images etc

                  sorry to butt in.
                  www.tabletennistalk.co.uk

                  • JasonWilliams
                    Senior Member
                    • Jul 2004
                    • 117
                    • 3.6.x

                    #10
                    Think I had one of them today, had a user sign up, didn't think too much of it, until I started getting a refreshed page to a Turkish site. One of my mods removed it and stopped it, but I've since banned their IP and email address (I traced the IP back to a Turkish host).

                    • Interdit
                      Senior Member
                      • May 2002
                      • 248
                      • 3.8.x

                      #11
                      Idem, I had:

                      Email Address : [email protected]
                      Birthday :
                      Referrer: N/A
                      IP Address: 88.234.38.70 (from Ankara)

                      Hoping he didn't do anything bad.. IP and email banned.

                      Anyone got this registration as well?


                      Ps: we don't have any plugin, only 3.6
                      BPowers.com: Eu Web Hosting Solutions
                      Shared hosting with Cpanel/Fantastico
                      Live Help: http://www.bpowers.com

                      • JasonWilliams
                        Senior Member
                        • Jul 2004
                        • 117
                        • 3.6.x

                        #12
                        Is there any way of banning certain characters in the thread titles to prevent this happening?


                        Code:
                        ">"">>>><meta http-equiv="Refresh" content="0;url=http://Turksecurity.org"> """" >
                        The IP of the one that stung me was 88.224.0.121 using email [email protected].
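
Added example, not part of the thread or of vBulletin's code: post #12 asks about banning characters in thread titles; the sketch below instead HTML-encodes a title at output time and flags titles carrying markup for moderator review. The function names, the sample titles and the example.invalid URL are constructed for illustration, and it assumes the title reached a page without HTML encoding, which this thread does not confirm.

```python
import html
import re

# Constructed sample titles. The second copies the payload shape quoted in the
# thread, with a placeholder URL; none of these come from a real board.
SAMPLE_TITLES = [
    "Tour dates 2006 <3",
    '">"">>>><meta http-equiv="Refresh" content="0;url=http://example.invalid"> """" >',
    "<META HTTP-EQUIV=refresh CONTENT=0;url=//example.invalid>",
    "<b>big news</b>",
    "How do I use [B] tags?",
]

# A meta tag whose http-equiv value is "refresh", in any case, quoted or not.
META_REFRESH_RE = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?\s*refresh", re.I)
# Anything a browser would parse as the start of a tag, comment or doctype.
TAG_RE = re.compile(r"</?[a-z!]", re.I)


def render_title(title):
    """Encode the title for HTML text or a quoted attribute at output time."""
    return html.escape(title, quote=True)


def classify_title(title):
    """Label a raw title so moderators can review injected markup."""
    if META_REFRESH_RE.search(title):
        return "meta-refresh"
    if TAG_RE.search(title):
        return "markup"
    return "clean"


def triage(titles):
    """Return (label, safely rendered title) for each raw title."""
    return [(classify_title(t), render_title(t)) for t in titles]


if __name__ == "__main__":
    for label, rendered in triage(SAMPLE_TITLES):
        print(f"{label:13} {rendered}")
```

Encoding leaves a harmless title such as "Tour dates 2006 <3" readable, where a character ban would reject it.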

                        • stuarttunstall
                          Senior Member
                          • Feb 2004
                          • 403
                          • 4.2.X

                          #13
                          Hi

                          I must have had at least 10 of these posts in the last 2 days. So far I have deleted all these users, deleted their posts, banned their IPs and banned email addresses. Getting fed up of them now, pity they have nothing else better to do.....

                          As a last resort, I have now stopped all new registrations, I know it's a bit drastic.

                          Stuart

                          • JasonWilliams
                            Senior Member
                            • Jul 2004
                            • 117
                            • 3.6.x

                            #14
                            Check this, it should solve the issue once and for all :

                            • Dead End Society
                              Member
                              • May 2004
                              • 39
                              • 3.6.x

                              #15
                              They got me this morning too, thanks for the info on fixing this.

                              IP: 88.229.81.215
                              email: [email protected]
