Announcement

**AusPhotography** · Thu 5 May '11, 12:56am

Seal team 6 needed

**tlwwolfseye** · Thu 5 May '11, 12:57am

Just a clean shot to the head, thats all the hacker needs.

**meijin** · Thu 5 May '11, 2:23am

I would just like to commend a member here "borbole". He was a tremendous help in helping me get everything back under control on my site and, to date, we have not had the hackers revisit our site. Certainly, trying to do all that he did on my own would have taken much, much longer to do and my site would have been at risk during that entire time. I certainly know who I am going to talk to the next time I need work done on my site! Much thanks my friend!

**ikorolis** · Thu 5 May '11, 2:57am

have anynews for security bug/exploit/hack/fault or sql injection when fixed?
have anynews for other mod hack if danger of hack attack?

thank you.

**Paul M** · Thu 5 May '11, 3:20am

Originally posted by tlwwolfseye View Post

Do I now have to be afraid of running any other Mods of him (either for v3.x or v4.x) because of this ? My trust in his Mods just went out of the window.

TBH, thats not particularly fair. All but the simplest software is a possible subject of attack by hackers, they are always looking for (and find) the most obscure faults. Just remember that this code has existed (with this issue) for something like four years before someone eventually found this exploit - its not an obvious problem unless you really go looking for it.

You presumably dont trust vbulletin either, since numerous exploits have been found in it over the years.

**BirdOPrey5** · Thu 5 May '11, 3:25am

Originally posted by tlwwolfseye View Post

No practice that wasn't really necessary. Just getting a negative wibe about others of his (Valter) Mods.

And yes, I changed all these Passwords and other things. And tbh, people that do something like this (the hacker I mean), should be shot on sight. Sorry for the harsh words, but there is nothing to forgive in my oppinion about killing someone else's work.

Actually hacks like this keep us on our toes, like we should be. They force people to learn about things they should know, remind people to do the backups they should be doing. In the end nothing of value was really damaged but the user titles... Yes it's annoying but it could have been worse. They could have planted far more destructive viruses in your pages that would have spread to all your users- they could have remained quiet for weeks or months just collecting data... it could have been a lot worse- although they wanted attention they didn't have intent to harm.

It does bring up some questions about our modding community too... If even some of our most popular mods by our most experienced coders can have these exploits maybe we need to do more than just offer mods as "use at your own risk." - I would like to implement some sort of peer review process for mods, don't know if it's possible but it's worth discussing anyway.

We, as a community, will come out of this stronger than when we went it.

**Suiram** · Thu 5 May '11, 5:15am

Originally posted by NYCe View Post

Apparently. This was the case on my forums. I wonder what happened on forums where a userid of 13371337 already existed?

I doubt such a forum exists. They'd have to have 13+ million registered users. I'd like to see such a forum. Even with deleted spammer accounts or such, which keep their userid seed number, it would be extremely highly unlikely. I mean how many users do some of the biggest forums have? 1-2 million?

**gosborne** · Thu 5 May '11, 5:41am

Just as a checklist - here's what I think they have done

Uploaded a new catchy saxophone index.html page to root, admincp and modcp
Added a new user to the user table as an admin, called team animus
Set the autoincrement to 13371337 on userid
Changed customtitle and user title so they all read 'hacked by team animus'
Switched off the vBulletin forum
Added a file called vba.php to the includes folder.

Is that the lot as far as you've seen?

**NickCat** · Thu 5 May '11, 5:48am

My concern is that everyone here only cleaning up their system and database seems comfortable that nothing else in the database was affected by the hackers. Call me paranoid, but a warm and fuzzy message that says "we didn't do anything malicious" in an html file doesn't really inspire much confidence. Personally I'd rather take the 1.5 day loss of data than find out in 2 weeks from now something else was inserted and used later to gain access to the site. I agree it doesn't appear to be the case, but this is my livelihood, I'd rather be safe than sorry.

**Paul M** · Thu 5 May '11, 6:23am

Originally posted by gosborne View Post

Just as a checklist - here's what I think they have done

Uploaded a new catchy saxophone index.html page to root, admincp and modcp
Added a new user to the user table as an admin, called team animus
Set the autoincrement to 13371337 on userid
Changed customtitle and user title so they all read 'hacked by team animus'
Switched off the vBulletin forum
Added a file called vba.php to the includes folder.

Is that the lot as far as you've seen?

The interesting part about this is that you cannot do the first or last items [i.e. upload files] via SQL injection.

**borbole** · Thu 5 May '11, 6:31am

Originally posted by meijin View Post

I would just like to commend a member here "borbole". He was a tremendous help in helping me get everything back under control on my site and, to date, we have not had the hackers revisit our site. Certainly, trying to do all that he did on my own would have taken much, much longer to do and my site would have been at risk during that entire time. I certainly know who I am going to talk to the next time I need work done on my site! Much thanks my friend!

You are most welcome. Glad to have been of help

**Zachery** · Thu 5 May '11, 6:33am

We've been telling everyone religiously to open a ticket with my attention. I've delt with a bulk amount of tickets now, I know what is generally exploited and what needs to be done. Anyone still having a problem please open a ticket.

**Hemanth** · Thu 5 May '11, 6:55am

Originally posted by Paul M View Post

The interesting part about this is that you cannot do the first or last items [i.e. upload files] via SQL injection.

I was also wondering the same thing. As an admin user, would it be possible to use any vBulletin files to write to the root directory (assuming it's set as 777)?

@Zachery: Any idea how they gained file system access?

**Valter** · Thu 5 May '11, 7:10am

Hacked by Team Animus?

Please read this thread:
http://www.vbulletin.org/forum/showthread.php?t=263202

**jimjam** · Thu 5 May '11, 7:21am

Originally posted by OcR Envy View Post

Resolution:
Login under unalterable admin account; everyone should have one of these!

How do I get me one of those unalterable admin accounts? Thanks

vBulletin 3 End of Life

Announcement

Site hacked, can someone please help?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics