My vB forums were hacked by THIS vB user:

  • blakespot
    New Member
    • Jan 2005
    • 13
    • 3.0.5

    Two days ago, I found that my vBulletin v3.5.2 forums had been hacked (help request posted here). Some manner of vulnerability was exploited such that the malicious user inserted HTML redirects into the forum titles of the FORUMS table in the DB. As soon as a user hit my forums, they were redirected to this page:



    As you can see, the malicious user's handle is "EmRe_DaNCeR". My forums were down from early afternoon to the wee hours of the next day, when I finally got the system updated to vB v3.6.5. (I hope this exploit was addressed between 3.5.2 and current!)

    I just did a WHOIS lookup on the "hacked" website people were redirected to. Look what I found:

    Code:
    Registrant:
    EmRe Koseoglu (ENYENIMIX-COM-DOM)
    Erikli Mahallesi...
    Bursa, 16360
    Turkey
    +90.2243415323
    +90.2243640456
    [email protected]
    
    Domain Name: ENYENIMIX.COM
    Status: PROTECTED
    
    Administrative Contact:
    EmReKoseoglu [email protected]
    mollaarap mah. mert sk. no 3 yildirim
    Bursa, 16360
    Turkey
    +90.2243640456
    Fax- +90.2243640456
    
    Technical Contact, Zone Contact:
    EmReKoseoglu [email protected]
    mollaarap mah. mert sk. no 3 yildirim
    Bursa, 16360
    Turkey
    +90.2243640456
    Fax- +90.2243640456
    
    Record last updated on 04-Dec-2006.
    Record expires on 27-Sep-2007.
    Record created on 27-Sep-2006.
    
    Domain servers in listed order:
    
    Name Server: ns1.yildizhost.com
    Name Server: ns2.yildizhost.com
    The registrant's name is Emre! It seems this guy redirected folks, in the hack, to his own website! I looked at the source of the "hacked" page and found the image and MP3 were being loaded from blueforumum.com. So I went there and found a user named "EnYeniMix.CoM". He is an admin, user id=1.



    Here is the WHOIS on blueforumum.com:

    Code:
    Registrant:
       gokhan koseoglu (BLUEFORUMUM-COM-DOM)
       mollaarap mah. mert sk. no 3 yildirim
       Bursa,  16360
       Turkey
       +90.2243299135
       +90.2243640456
       [email protected]
    
       Domain Name: BLUEFORUMUM.COM
       Status: PROTECTED
    
       Administrative Contact:
          gokhan koseoglu [email protected]
          mollaarap mah. mert sk. no 3 yildirim
          Bursa,  16360
          Turkey
          +90.2243299135
          Fax- +90.2243640456
    
       Technical Contact, Zone Contact:
          gokhan koseoglu [email protected]
          mollaarap mah. mert sk. no 3 yildirim
          Bursa,  16360
          Turkey
          +90.2243299135
          Fax- +90.2243640456
    
       Record last updated on 29-Nov-2006.
       Record expires on 21-Apr-2007.
       Record created on 21-Apr-2006.
    
       Domain servers in listed order:
    
       Name Server: ns3.turkticaret.net
       Name Server: ns2.turkticaret.net
    I thought people in the vBulletin community might like to know about this. I might also request that Emre Koseoglu not be granted any further vBulletin licenses - that is, if he even has a valid license.

    Do with this information what you will.



    blakespot
    Last edited by blakespot; Wed 21 Mar '07, 7:43am.
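    The defacement described above lived in the forum table: HTML redirects stored in forum titles, so every visitor's browser was sent elsewhere as soon as the forum index rendered. The following script is an added example by the editor, not code from the thread or from vBulletin. It scans rows of the kind `SELECT forumid, title, description FROM forum` would return (the default vBulletin table name `forum` is an assumption; the poster calls it the FORUMS table) for markup that redirects or runs script, and offers an escape-everything interim fix so the site can come back up while the real cleanup happens. The sample rows are constructed.

```python
import html
import re

# Markup that has no business in a forum title or description: each pattern is
# a way to send the visitor's browser elsewhere or run script in it. Plain
# inline formatting such as <b> or <i>, which vBulletin does allow here, is not
# matched. Every pattern requires a literal '<', so an escaped value never matches.
SUSPICIOUS_PATTERNS = {
    "meta-refresh": re.compile(r"<\s*meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.I),
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "frame-or-object": re.compile(r"<\s*(iframe|frame|object|embed)\b", re.I),
    "inline-event-handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript-href": re.compile(r"<[^>]*\b(href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
}

# Constructed sample rows (assumed shape of the vBulletin `forum` table).
# Row 2 carries the kind of redirect the thread describes; rows 3 and 5 show
# two other ways the same effect is commonly achieved; rows 1 and 4 are benign.
SAMPLE_ROWS = [
    {"forumid": 1, "title": "General Discussion", "description": "Talk about anything."},
    {"forumid": 2,
     "title": '<meta http-equiv="refresh" content="0;url=http://attacker.invalid/">Hardware',
     "description": "Hardware questions."},
    {"forumid": 3, "title": "Support",
     "description": '<script>window.location="http://attacker.invalid/";</script>'},
    {"forumid": 4, "title": "Links &amp; <b>Resources</b>", "description": ""},
    {"forumid": 5, "title": "Off Topic",
     "description": '<img src="x" onerror="location.href=\'http://attacker.invalid/\'">'},
]


def find_injected_rows(rows):
    """Return (forumid, field, pattern_name) for every suspicious match."""
    findings = []
    for row in rows:
        for field in ("title", "description"):
            value = row.get(field) or ""
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(value):
                    findings.append((row["forumid"], field, name))
    return findings


def neutralize(value):
    """Escape a tainted value so a browser displays the markup instead of acting on it."""
    return html.escape(value, quote=True)


def clean_rows(rows):
    """Return a copy of rows with every flagged field escaped.

    This is an interim fix: it stops the redirect immediately (a single bad
    title takes the whole forum offline, as the thread describes) and keeps
    the injected text visible for the investigation instead of deleting it.
    """
    flagged = {(forumid, field) for forumid, field, _ in find_injected_rows(rows)}
    cleaned = []
    for row in rows:
        fixed = dict(row)
        for field in ("title", "description"):
            if (row["forumid"], field) in flagged:
                fixed[field] = neutralize(row[field])
        cleaned.append(fixed)
    return cleaned


if __name__ == "__main__":
    for forumid, field, name in find_injected_rows(SAMPLE_ROWS):
        print(f"forumid={forumid} {field}: {name}")
```

    Run it against a dump of the real table before restoring from backup; the list of matches tells you exactly which rows were touched, which is worth comparing against the Control Panel log entries for forum.php discussed later in the thread.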
  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    It's not really considered an exploit as such, because it requires an authenticated administrator, and we do permit HTML to be entered into forum titles and descriptions. In the future you need to be much more careful about who you are giving login information to.


    • blakespot
      New Member
      • Jan 2005
      • 13
      • 3.0.5

      #3
      Originally posted by Zachery
      It's not really considered an exploit as such, because it requires an authenticated administrator, and we do permit HTML to be entered into forum titles and descriptions. In the future you need to be much more careful about who you are giving login information to.
      I am the only administrator. I have two users with admin access - both are mine. I've given the info to no one.

      I have two moderators, but they've pretty much got default access. It's not possible for a moderator to have such access (if not an Administrator), is it?

      Also - nothing in the Admin logs as viewed through the CP that shows any forum alteration action connected with this - nothing.

      Is this, then, a new exploit? Tnx.




      blakespot
      Last edited by blakespot; Wed 21 Mar '07, 8:31am.


      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73976

        #4
        There have been several exploits disclosed in 3.5.2 and we always urge our customers to upgrade as soon as possible. The latest version in your series is 3.5.8.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API


        • blakespot
          New Member
          • Jan 2005
          • 13
          • 3.0.5

          #5
          Originally posted by Wayne Luke
          There have been several exploits disclosed in 3.5.2 and we always urge our customers to upgrade as soon as possible. The latest version in your series is 3.5.8.
          I have upgraded to 3.6.5.

          I had been hoping this closed the exploit used here, but Zachery feels this is not an exploit at all, though the lack of evidence in the CP log would seem to indicate otherwise... ?



          blakespot


          • Simetrical
            Senior Member
            • Jul 2005
            • 1401
            • 3.8.x

            #6
            If your account has log pruning rights, maybe it was compromised and then the logs were just deleted. Otherwise, it would have to be some kind of compromise of FTP or shell access, or similar. Make sure that all of your passwords are secure and not the same as you use at other sites.
            System Administrator, Total War Center

            Developer, MediaWiki


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73976

              #7
              From experience, very few people who claim to be hacked through vBulletin actually are. Most come down to direct database access, FTP access or root access on the server.

              What he said is we allow HTML to be used in the forum titles and descriptions and that these are not exploits. If there is no entry into the Control Panel Log, it means one of two things happened:
              1) The attacker deleted the logs which means he had access to an administrator account with full access to the control panel (i.e. a Super Administrator)
              2) He had direct access to the database and could circumvent vBulletin's logging features.

              Honestly, I recommend the following:

              Change all your passwords for email, FTP, database and vBulletin's Control Panel. They should all be different and at least 12 characters with a combination of upper and lowercase letters, numbers and punctuation.

              Do not access your site through FTP but use SFTP instead. Some hosts require shell access for this so contact your host. If they don't give it then move to a more secure host.

              Rename your admincp and modcp directories. While this isn't really security, it can deter some people. Especially if you make the directory names obscure enough.

              Place .htaccess on your admin and moderator control panel directories as well as your include and install directories.

              Since you're the only administrator, delete the secondary administrator. There is no point in having it and it only makes your site less secure by opening another vector of attack.

              • blakespot
                New Member
                • Jan 2005
                • 13
                • 3.0.5

                #8
                Originally posted by Wayne Luke
                What he said is we allow HTML to be used in the forum titles and descriptions and that these are not exploits. If there is no entry into the Control Panel Log, it means one of two things happened:
                1) The attacker deleted the logs which means he had access to an administrator account with full access to the control panel (i.e. a Super Administrator)
                Thanks.

                The logs are present, just no entries that show any change to forum info. Can a super admin delete selective entries in the logs? Tnx.



                blakespot


                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73976

                  #9
                  You can prune log entries based on the script, the user that created and how old they are.

                  • blakespot
                    New Member
                    • Jan 2005
                    • 13
                    • 3.0.5

                    #10
                    There are no unusual IPs in the Control Panel logs and there are previous entries (forum initial setup) of forum.php script.

                    Does that not rule out pruning here? I think this is a new exploit.



                    blakespot


                    • Zachery
                      Former vBulletin Support
                      • Jul 2002
                      • 59097

                      #11
                      When you prune admin logins, it prunes them, there's no log of them being pruned. Either this user had direct access to the admincp or the database.


                      • blakespot
                        New Member
                        • Jan 2005
                        • 13
                        • 3.0.5

                        #12
                        The Apache logs show all accesses to 'forum.php' to be my access AFTER the hacking of my forums took place. So they could not have had AdminCP access, based on this, it seems.



                        blakespot
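                        The check blakespot describes here, going to the web server's access log to see which client addresses touched the admin control panel scripts and when, is the right move once the vBulletin log itself is in doubt. The script below is an added example by the editor, not code from the thread or from vBulletin. It parses Apache combined-format lines, keeps the requests to the control panel directories (the directory names are a parameter, so it still works after renaming admincp as recommended earlier in the thread), lists source addresses that are not the administrator's own, and separates hits before the defacement was first noticed from the owner's later cleanup. The log lines, the administrator's address and the "first seen" time are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges). 203.0.113.7 plays the
# forum owner; the last line is the owner's own edit after the cleanup, the
# situation blakespot reports above.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [19/Mar/2007:14:02:11 -0500] "GET /forums/admincp/forum.php?do=edit&f=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Mar/2007:14:02:30 -0500] "POST /forums/admincp/forum.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Mar/2007:15:10:01 -0500] "GET /forums/index.php HTTP/1.1" 200 34211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Mar/2007:15:10:03 -0500] "GET /forums/admincp/index.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [19/Mar/2007:15:12:45 -0500] "GET /forums/admincp/forum.php?do=modify HTTP/1.1" 200 8000 "-" "curl/7.15"',
    '203.0.113.7 - - [19/Mar/2007:20:45:00 -0500] "GET /forums/admincp/forum.php?do=modify HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

# Constructed: the moment the redirect was first noticed by the owner.
FIRST_SEEN = datetime(2007, 3, 19, 15, 30, tzinfo=timezone(timedelta(hours=-5)))


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def control_panel_hits(lines, watched=("/admincp/", "/modcp/")):
    """Requests whose path lies under one of the watched control panel directories."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and any(segment in rec["path"] for segment in watched):
            hits.append(rec)
    return hits


def unknown_sources(hits, known_ips):
    """Source addresses among the hits that are not the administrator's own."""
    return sorted({h["ip"] for h in hits if h["ip"] not in known_ips})


def hits_before(hits, cutoff):
    """Hits at or before the time the defacement was first seen; later ones are
    usually the owner's own repair work, as in the thread."""
    return [h for h in hits if h["time"] <= cutoff]


if __name__ == "__main__":
    hits = control_panel_hits(SAMPLE_LOG_LINES)
    for h in hits_before(hits, FIRST_SEEN):
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
    print("unexpected sources:", unknown_sources(hits, {"203.0.113.7"}))
```

                        Two caveats worth keeping in mind when reading the result. First, as Wayne Luke noted, a change made straight in the database never passes through Apache, so an empty result here does not clear that path; check the MySQL connection sources and the host's own access records as well. Second, the administrator's address appearing in the log does not prove it was the administrator at the keyboard, which is why the password changes recommended earlier in the thread still apply.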

