These hackers are back on my site, hacking usertitles and God knows what else, for the second time today. What is going on??? There is obviously a weakness in 3.8.7. What is it? Come on guys, spare us a couple of comments, so that we know what is going on?
Site hacked, can someone please help?
This topic is closed.
-
Any of you running third party addons? If so, let's make a list and see who's running what and what is in common. If it was as big of an exploit to affect 3.8.x I would imagine it goes back far enough.
-
It was a coincidence, we rolled out the new editor, found some glaring issues, and rolled out to a different release.
It had absolutely nothing to do with other sites.
If you're having an issue with your site, please start a support ticket. Include admincp, ftp, and phpmyadmin information.
We can help you clean up a mess but we cannot help you make sure your server is 100% sure.
Make sure you're not running third party addons, there is much more likely a chance that one of those is the cause than vBulletin itself, esp vBulletin 3 due to its age on the market.
-
I have started a ticket, but I think it is a little ridiculous to be handling this as a single support incident, considering the number of people who were hacked. Now if you don't mind, I would prefer to continue this conversation with the guy that represents the company.
Eric
-
I was running 3.8.4 when my site got hacked. I deleted all the files and upgraded to 3.8.7 and shut off all of my products in case that is the conduit the hackers used to get in.
My opinion, this is widespread enough that individual support tickets aren't the best way to handle it.
-
I run the following add-ons on my vBulletin 3.8.7:
- Auto Mark Read 1.0 Automatically mark forums read for inactive users
- Cyb - Advanced Forum Rules 4.0.2 Cyb - Advanced Forum Rules
- Ignore Thread 1.0.0 Ignore Thread
- Selective Forum Filter 1.1.0 Created By VisionScripts (www.visionscripts.com)
- smilie-Alias 0.1 Allows to define some alias for a smilie
- TCattd - The Image Resizer 1.2.8 Automatically resize posted images
- vBadvanced CMPS 3.2.0 vBadvanced Content Management & Portal System
-
If vbf.php is the backdoor, it's not a default vBulletin file. A simple Google search implies it stands for vbFreelancers, which is a group that has made a number of modifications for vBulletin. If all of these sites have a mod in common by this group, or maybe just any mod made by the group, or just this file on their server, that's where the problem lies. However, I could be wrong and it stands for something else. I tried searching for some of the mods on vbulletin.org, but the ones I came across are in the Mod Graveyard and can't be downloaded, so I can't confirm if there's a backdoor in the file.
Last edited by thincom2000; Wed 4 May '11, 12:58am.
- the makers of VaultWiki
-
Reviewed the code for Cyb - Advanced Forum Rules and this can be the culprit as I see an exploit there: you can inject SQL and modify the database if you tamper with the HTML form when agreeing to the rules. The posted data, while cleaned, is not escaped before being used in the database query. Because many modern browsers let you modify a page's HTML, posted data cannot be trusted like this. This uses misc.php so it supports unterschluepfli's belief that the attacker entered through misc.php
CODE REMOVED
The $cybfr_rulesaccepted string contains the post data for a form field, which I think the modder expects to be a list of IDs. While this is likely where the attacker gained entry, the same mistake is made in multiple places throughout the modification.
Last edited by Trevor Hannant; Wed 4 May '11, 5:45am.
- the makers of VaultWiki
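The flaw described in the post above, a form field expected to hold a list of IDs reaching a database query without escaping, is avoided by validating the field as integers and binding the values as parameters. The PHP below is an added example, not the modification's code (which was removed from the thread); the table `user_rules`, its columns, and both function names are hypothetical, and it uses PDO rather than vBulletin's own database layer.

```php
<?php
// Added example; not code from the modification discussed in the thread.
// Table/column names (user_rules, userid, ruleid) are hypothetical.
// Unsafe pattern the post describes: the posted string is concatenated
// straight into the SQL text. Nothing below ever does that.

/**
 * Parse a posted comma-separated ID list. Returns an array of unique
 * positive integers, or null if any element is not a plain decimal number.
 */
function parse_id_list($raw, $maxIds = 100)
{
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $ids = array();
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit() rejects signs, quotes, parentheses, comments, hex.
        if ($part === '' || !ctype_digit($part) || strlen($part) > 9) {
            return null;
        }
        $id = (int) $part;
        if ($id < 1) {
            return null;
        }
        $ids[$id] = $id; // de-duplicate
    }
    return count($ids) <= $maxIds ? array_values($ids) : null;
}

function save_accepted_rules(PDO $db, $userId, $rawPosted)
{
    $ids = parse_id_list($rawPosted);
    if ($ids === null) {
        return false; // reject the request; do not try to "repair" the input
    }
    // Values travel as bound parameters, never as part of the SQL text.
    $stmt = $db->prepare('INSERT INTO user_rules (userid, ruleid) VALUES (?, ?)');
    foreach ($ids as $id) {
        $stmt->execute(array((int) $userId, $id));
    }
    return true;
}

// Constructed demonstration against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_rules (userid INTEGER, ruleid INTEGER)');
var_dump(save_accepted_rules($db, 7, '3,5,8'));        // well-formed list
var_dump(save_accepted_rules($db, 7, '3,5) OR (1=1')); // tampered form field
```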