Announcement

**Scott MacVicar** · Sun 30th Jul '06, 4:30pm

Was on a private list this morning that requires credentials to access, I suspect it will filter through to public lists soon.

Not sure why'd you need to know what it entails, its a simple remote code execution exploit that can be used to install a shell.

Best thing to do is install the updates that have been posted for vbportal or simply remove it if you dont want to do that, its a very serious error.

**jw00dy** · Sun 30th Jul '06, 5:40pm

Fair enough, thank you.

I didn't get a chance to download the files from their site when it was up, so I've shut my portal off for the time being.

Anyone know if the updated version is posted somewhere else? We're missing the portal already

It can wait though as I know their is license issues involved.

**mikeserv** · Sun 30th Jul '06, 5:51pm

I'd like to know a little more about what this entails, only so that I can protect against it temporarily. I am not in a position to install the updates (are they available through other means since vbportals is down?) because I'm not the actual license holder. Yes, the site owner/webmaster needs to get the updates and do this and he will soon, but that isn't possible at the moment and neither is removing vbportal from the site.

We aren't using phpsuexec, yet the site did manage to get some readme.txt files with "Hacked By vbPortal hackers" in them.

What I would specifically like to know is if setting disable_functions = passthru in php.ini will mitigate this for now?

Also it was mentioned to set "the passthru setting to 1" in php.ini but I could not find a reference to that anywhere (and I did spend considerable time googling). The closest thing I could find was in the [odbc] section for binary data handling. (0 means passthru, 1 means return as is)

I'd be grateful if someone in the know could reply.

**Freesteyelz** · Sun 30th Jul '06, 5:55pm

Originally posted by wajones View Post

Our host 'Liquidweb' to date has been little or no help at all. The first line tech's have responded with a few things an have tried to help, but bottom line the abuse support is non existent as far as security.

Security has not even answered my tickets in 4 days. I ask last night to have my database restored (they supposably backup every night) Not even a answer about that.

What about their phone support?

**JamieB** · Mon 31st Jul '06, 5:43am

there back

well done mr jones

**Torqued** · Mon 31st Jul '06, 6:53am

Aaaannnd... it looks like they've been hacked/defaced *again*.

**Freesteyelz** · Mon 31st Jul '06, 6:55am

It's up and running for me.

**NathanLedet** · Mon 31st Jul '06, 6:56am

now vbPortal.org has taken a beating

got an e-mail:

Hello Again

www.vbportal.org & www.vbportal.org/forums
are defaced

http://www.zone-h.org/index2.php?option=com_mirrorwrp&Itemid=45&id=4421867

vbPortal is Hacked Again By R00t[ATI] & SecAnalyst
We've tried to Advise the admin of the vbportal but we were not
successful

if you can please Advise him about the recently hacks , Defacements,
Holes and other things.

NOW i want to Delete all of their DB after mailing

**Sergio68** · Mon 31st Jul '06, 7:35am

Originally posted by Freesteyelz View Post

It's up and running for me.

Nope.

**firewire** · Mon 31st Jul '06, 7:42am

Seeing the hack has happened again (didn't I read in this thread the problem was fixed?), I'd like to know whether the problem is vbportal-(software)-specific, vbportal-hosting-specific or vBulletin-specific.
I have registered years ago for to the vbportal.org forum out of potential interest, but I am not using it, so I am asking myself right now if my site, too, is in danger.

Thank you for clarifying.

**Scott MacVicar** · Mon 31st Jul '06, 7:44am

They were running vbulletin 3.0.9 + an old vbportal so it could have been either.

**ixian** · Mon 31st Jul '06, 7:44am

I'm glad I didn't use a regular email alias years ago when I first signed up for that site.

I'm also glad I stopped using vbportals years ago even after paying the "contribution" fee or whatever they called it at the time. I feel for them, but I'm also still highly annoyed they didn't alert their userbase first before the hackers did it for them. In any case, now that they've pissed them off I suspect this will continue for a good long time.

**firewire** · Mon 31st Jul '06, 7:55am

Just to make sure: Is vbportal.org and vbportal.com being run at the same provider, by the same people?

**BigCheeze** · Mon 31st Jul '06, 8:06am

Originally posted by ixian View Post

I feel for them, but I'm also still highly annoyed they didn't alert their userbase first before the hackers did it for them.

HUH??? Alert their users that they we're about to be hacked? Does that even make any sense?

And apparently this an an attempt to get money. It's a pretty common ploy in the hacker community, perpetrated many times against places like Online Casinos, and even porn sites. However, they are widening the scope of targets; as unfortunately Scott & WJones have discovered.

Scott & WJones, please contact me if you want any assistance. With out going into details in public, I work in InfoSec. So contact me if you want, and I'll see what help I can offer.

Either way, good luck guys.

**kman2000** · Mon 31st Jul '06, 8:23am

Where are the patches for VBPortal? Seems like they should be made available somewhere other than on a site that is being actively attacked.

Announcement

vbportal?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment