Two days ago, I found that my vBulletin v3.5.2 forums had been hacked (help request posted here). Some manner of vulnerability was exploited such that the malicious user inserted HTML redirects into the forum titles of the FORUMS table in the DB. As soon as a user hit my forums, they were redirected to this page:
As you can see, the malicious user's handle is "EmRe_DaNCeR". My forums were down from early afternoon to the wee hours of the next day, when I finally got the system updated to vB v3.6.5. (I hope this exploit was addressed between 3.5.2 and current!)
I just did a WHOIS lookup on the "hacked" website people were redirected to. Look what I found:
Code:
Registrant:
EmRe Koseoglu (ENYENIMIX-COM-DOM)
Erikli Mahallesi...
Bursa, 16360
Turkey
+90.2243415323 +90.2243640456
[email protected]

Domain Name: ENYENIMIX.COM
Status: PROTECTED

Administrative Contact:
EmReKoseoglu [email protected]
mollaarap mah. mert sk. no 3 yildirim
Bursa, 16360
Turkey
+90.2243640456 Fax- +90.2243640456

Technical Contact, Zone Contact:
EmReKoseoglu [email protected]
mollaarap mah. mert sk. no 3 yildirim
Bursa, 16360
Turkey
+90.2243640456 Fax- +90.2243640456

Record last updated on 04-Dec-2006.
Record expires on 27-Sep-2007.
Record created on 27-Sep-2006.

Domain servers in listed order:
Name Server: ns1.yildizhost.com
Name Server: ns2.yildizhost.com
The registrant's name is Emre! It seems this guy redirected folks, in the hack, to his own website! I looked at the source of the "hacked" page and found the image and MP3 were being loaded from blueforumum.com. So I went there and found a user named "EnYeniMix.CoM". He is an admin, user id=1.
Here is the WHOIS on blueforumum.com:
Code:
Registrant:
gokhan koseoglu (BLUEFORUMUM-COM-DOM)
mollaarap mah. mert sk. no 3 yildirim
Bursa, 16360
Turkey
+90.2243299135 +90.2243640456
[email protected]

Domain Name: BLUEFORUMUM.COM
Status: PROTECTED

Administrative Contact:
gokhan koseoglu [email protected]
mollaarap mah. mert sk. no 3 yildirim
Bursa, 16360
Turkey
+90.2243299135 Fax- +90.2243640456

Technical Contact, Zone Contact:
gokhan koseoglu [email protected]
mollaarap mah. mert sk. no 3 yildirim
Bursa, 16360
Turkey
+90.2243299135 Fax- +90.2243640456

Record last updated on 29-Nov-2006.
Record expires on 21-Apr-2007.
Record created on 21-Apr-2006.

Domain servers in listed order:
Name Server: ns3.turkticaret.net
Name Server: ns2.turkticaret.net
I thought people in the vBulletin community might like to know about this. I might also request that Emre Koseoglu not be granted any further vBulletin licenses - that is, if he even has a valid license.
Do with this information what you will.
blakespot
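The symptom described in the post, attacker-supplied HTML redirects sitting in the forum title column, is worth sweeping for after an upgrade or a restore from backup, since the upgrade itself does not clean the data. The script below is an added example, not code from the original post or from vBulletin; it assumes the vBulletin 3 `forum` table with a `title` column (table prefix omitted) and runs against constructed sample rows so it needs no database connection.

```python
import re
import html

# Markers that have no business in a forum title: an HTML tag, a meta
# refresh, a javascript: URL, an inline event handler, a JS location
# redirect, or a bare external URL (the last one is a weaker signal and
# needs a human look, but injected redirects almost always carry one).
SUSPICIOUS = [
    (re.compile(r"<\s*(meta|script|iframe|object|embed|a)\b", re.I), "html-tag"),
    (re.compile(r"http-equiv\s*=\s*['\"]?refresh", re.I), "meta-refresh"),
    (re.compile(r"javascript\s*:", re.I), "javascript-url"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event-handler"),
    (re.compile(r"\b(?:window\.)?location(?:\.href)?\s*=", re.I), "js-redirect"),
    (re.compile(r"https?://", re.I), "external-url"),
]


def flag_title(title):
    """Return the reasons a forum title looks injected (empty list if clean)."""
    # Decode entities first so an entity-encoded tag (&lt;meta ...&gt;) that a
    # template would later render as live HTML is not missed.
    decoded = html.unescape(title)
    return [name for pat, name in SUSPICIOUS if pat.search(decoded)]


def scan_forum_rows(rows):
    """rows: iterable of (forumid, title), as SELECT forumid, title FROM forum yields.
    Returns (forumid, title, reasons) for every row that trips a check."""
    hits = []
    for forumid, title in rows:
        reasons = flag_title(title)
        if reasons:
            hits.append((forumid, title, reasons))
    return hits


# Constructed sample rows (assumed, not real data): one clean title, one with a
# meta refresh appended, one with an entity-encoded script redirect appended.
SAMPLE_ROWS = [
    (1, "General Discussion"),
    (2, 'Hardware <meta http-equiv="refresh" content="0;url=http://example.invalid/">'),
    (3, "Off Topic &lt;script&gt;window.location='http://example.invalid/'&lt;/script&gt;"),
]

if __name__ == "__main__":
    for forumid, title, reasons in scan_forum_rows(SAMPLE_ROWS):
        print(f"forumid={forumid} reasons={reasons} title={title!r}")
```

In a real sweep, feed the function the rows of `SELECT forumid, title FROM forum` (and the same for other free-text columns such as forum descriptions) rather than the sample list.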