Database leak at the VB 3.6.8 PL2

**Jake Bunce** · Mon 28 Jan '08, 9:02am

The database user actually needs DROP privileges for some forum operations. That is why you are getting that error.

I usually just enable all MySQL privileges for the database user. Here are some security tips:

How To Make My Forums More Secure - vBulletin Community Forum

http://www.vbulletin.com/forum/showthread.php?t=194701

**AnT0NiuS** · Mon 28 Jan '08, 9:26am

I had all MySQL privileges enebled untill somebody DROPed my vbulletin 3.6.2 database...

Thanks for quick reply and link

**Lynne** · Mon 28 Jan '08, 9:32am

Originally posted by AnT0NiuS

I had all MySQL privileges enebled untill somebody DROPed my vbulletin 3.6.2 database...

Thanks for quick reply and link

Do you know what page/script they used to drop the tables? It seems like you should disable whatever plugin was used to do this or go see if there is an update to the plugin to fix this issue.

**AnT0NiuS** · Mon 28 Jan '08, 10:36am

Originally posted by U2Lynne

Do you know what page/script they used to drop the tables? It seems like you should disable whatever plugin was used to do this or go see if there is an update to the plugin to fix this issue.

How can I figure out from which page/script was the attack?

**Lynne** · Mon 28 Jan '08, 10:46am

I would have looked in my access_logs and possibly my error_logs for that date and, if you know the time, that time.

**Jake Bunce** · Mon 28 Jan '08, 10:51am

You will probably need to consult with your host to analyze the logs that U2Lynne is talking about.

**AnT0NiuS** · Mon 28 Jan '08, 2:42pm

Thank you very much for suggestions.

I started investigation with the host provider. As soon as I find the script or page I will let you know.

I have a suspicion that it could be script related to the customavatar table. But may be i'm wrong. Let's wait when my investigation will be done.

**jasonlitka** · Tue 29 Jan '08, 6:24am

Originally posted by U2Lynne

Do you know what page/script they used to drop the tables? It seems like you should disable whatever plugin was used to do this or go see if there is an update to the plugin to fix this issue.

If PhotoPost is installed it was probably that... All of my sites with it installed got F-ed a couple weeks ago (some multiple times) because PP was deleting forum threads and refusing to admit that they had a huge problem with their software that was letting people run whatever PHP code they wanted.

**DanaSoft** · Sat 2 Feb '08, 2:50pm

Originally posted by jason|xoxide

If PhotoPost is installed it was probably that... All of my sites with it installed got F-ed a couple weeks ago (some multiple times) because PP was deleting forum threads and refusing to admit that they had a huge problem with their software that was letting people run whatever PHP code they wanted.

PhotoPost was not deleting the threads in your forum; someone was exploiting a PHP issue via PhotoPost to delete threads - big difference.

**jasonlitka** · Mon 4 Feb '08, 6:08am

Originally posted by DanaSoft

PhotoPost was not deleting the threads in your forum; someone was exploiting a PHP issue via PhotoPost to delete threads - big difference.

It was a vulnerability in PhotoPost that the developers refused to acknowledge. As far as I'm concerned that makes them and their software just as responsible as the person who wrote the hack script and the tool who decided to use it.

Database leak at the VB 3.6.8 PL2

Database leak at the VB 3.6.8 PL2

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment