hotscripts hacked

  • Floris
    replied
    Can the users that show up unlicensed and claim to run vBulletin please go to the members area and click on priority support and enter their email in the priority support field so they show up licensed on this site? Thank you.

    Once you purchase one you will receive your customer details in an email. With those customer details you can login to the Members' Area and click on the 'Priority Support' link in the left menu. On the page that loads you must enter the email address you registered with on this support forum. When done correctly you will show up as a licensed member and you will receive priority support.

    If you do have a valid vBulletin license, I kindly request you to update your information.

  • The Prohacker
    replied
    Because of the file permissions on certain sites only certain sites were affected. I don't think any forums were, but 3 of our sites were that were smarty based, because smarty requires the cache to be world writeable...

  • AWS
    replied
    Originally posted by The Prohacker
    We had/have it disabled on all of our forums and yet one still got hit by this worm.....
    I see this was the misc.php exploit.
    Did it hit any of the live forums?

  • dictionaryof
    replied
    Well it was done through misc.php within vbulletin and it looks to be exploited through the 'template' variable...

    I had posted the entire log line from our access_log, but it was requested that it be removed... which is the correct call, of course.

  • AWS
    replied
    I don't think this was a vbulletin exploit since all iNets properties that run vbulletin weren't affected. Hotscripts site was hacked, but, the forum wasn't.
    There is a rumor of a vulnerability in the PHP upload function. This is supposed to affect all versions of PHP including 4.3.10. It was being discussed on a private security list I belong to. I don't think this was used either since it was just discovered a couple days ago by a member. So far no one else is able to duplicate his findings so it could be bogus.

  • dictionaryof
    replied
    I've also disabled the 'Add Template Name in HTML Comments' config.

  • dictionaryof
    replied
    log lines removed.

    Can someone confirm that the upgrade to 3.0.7 will prevent this from reoccurring...

    The upgrade has been completed, but don't want to reopen the forum til it is confirmed.

  • Dean C
    replied
    I've reported posts in this thread several times, but publicly posting exactly how to exploit vulnerabilities in public is not very smart. That server log shows every Tom, Dick and Harry how to exploit it.

  • The Prohacker
    replied
    Originally posted by Mike Sullivan
    Yes. Or if you didn't have "Add Template Name in Comments" enabled.
    We had/have it disabled on all of our forums and yet one still got hit by this worm.....

  • patriotcow
    replied
    Some have an irc left there me goes to look

    Spykids ownz you!! irc.brasnet.org //j #spy [email protected]

  • Mike Sullivan
    replied
    Originally posted by dictionaryof
    Note that I am / was still using 3.0.3, so it is possible / probable the upgrade to 3.0.7 fixes this ??
    Yes. Or if you didn't have "Add Template Name in Comments" enabled.

  • dictionaryof
    replied
    Also, here is what the access log call looks like:

    -- Removed - Contact me if needed. ;-)

    Note that I am / was still using 3.0.3, so it is possible / probable the upgrade to 3.0.7 fixes this ??
    Last edited by dictionaryof; Sun 6th Mar '05, 10:15am.

  • dictionaryof
    replied
    Don't click this link, but here is where the worm got the script from:

    compras.el-nacional.com/spykids.txt

    I suggest a safe wget or something other like that.

  • dictionaryof
    replied
    It was indeed that. One of my servers got hit...

  • wbear
    replied
    That's PERL not PHP, and it appears to search and replace all index files in /home with the "spykids" text. Script kiddies, from South America, at a guess.
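
Added example (not part of the thread and not any poster's code): a defender-side sweep for the two conditions reported above, index files carrying the "spykids" text and world-writable directories such as a template cache. The function names, the case-insensitive marker match and the 1 MiB read limit are assumptions.

```python
import os
import stat
import sys

# Defacement text reported in this thread; matching it case-insensitively is an assumption.
MARKER = b"spykids"


def world_writable_dirs(root):
    """Return directories under root that any local user can write to."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def defaced_index_files(root, marker=MARKER, max_bytes=1 << 20):
    """Return index.* files under root whose first max_bytes contain the marker."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if marker in fh.read(max_bytes).lower():
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python sweep.py /home   (defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in defaced_index_files(root):
        print("DEFACED       ", p)
    for p in world_writable_dirs(root):
        print("WORLD-WRITABLE", p)
```

Files it flags should be restored from a known-good backup rather than edited in place, since the replacement script overwrote their contents.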
