Site hacked, can someone please help?

This topic is closed.

  • EricGT
    replied
    Originally posted by Paul M View Post
    They have been restored.

    For anyone interested, it was the versions for vb 3.7, 3.8 & 4.x - older versions did not have the affected code.
    According to the last post in this thread: http://www.vbulletin.org/forum/showt...177559&page=21 , it isn't fixed. This guy says he just installed the latest version and got hacked.


  • Paul M
    replied
    Originally posted by Cybernetec View Post
    This bug has been fixed and I'm waiting for vB.org Staff to restore my mods.
    They have been restored.

    For anyone interested, it was the versions for vb 3.7, 3.8 & 4.x - older versions did not have the affected code.


  • KProjects
    replied
    Urljet is good people..

    Originally posted by BluebeamSoftware View Post
    Good news! I'm back up and running!
    My forum is hosted through URLjet.com.
    They were able to help get me up and running again, and fixed all of my user titles.
    Luckily they were able to determine the fix and it didn't take more than a few minutes to implement.

    For users here in the forum that need immediate assistance with this, you may want to try contacting them to see if they are willing to assist you on the appropriate methods.


  • ctrlbrk
    replied
    Originally posted by Cybernetec View Post
    This bug has been fixed and I'm waiting for vB.org Staff to restore my mods.

    Once they do this please upgrade your forums.
    I'll let you know when it's done via "Send Update" feature.

    To update:
    Just import new XML with "overwrite" checked.


    I'm sorry for any inconveniences this may have caused.


    Valter
    Valter, can you confirm all of your other mods are fine and don't contain the vulnerability? Or if that isn't the case can you post an explicit list of mod/version # that should be upgraded...


  • BluebeamSoftware
    replied
    Good news! I'm back up and running!
    My forum is hosted through URLjet.com.
    They were able to help get me up and running again, and fixed all of my user titles.
    Luckily they were able to determine the fix and it didn't take more than a few minutes to implement.

    For users here in the forum that need immediate assistance with this, you may want to try contacting them to see if they are willing to assist you on the appropriate methods.


  • Valter
    replied
    Fixed

    This bug has been fixed and I'm waiting for vB.org Staff to restore my mods.

    Once they do this please upgrade your forums.
    I'll let you know when it's done via "Send Update" feature.

    To update:
    Just import new XML with "overwrite" checked.


    I'm sorry for any inconveniences this may have caused.


    Valter


  • dutchbb
    replied
    Ok uninstalled, thanks.


  • TheLastSuperman
    replied
    Paul M. has quarantined the modification in question, 3.x and 4.x versions. If you marked the modification as "Installed" then you should have received the email notification regarding the quarantine.

    http://www.vbulletin.org/forum/showt...177559&page=21


  • HMBeaty
    replied
    Originally posted by BluebeamSoftware View Post
    Our forum was hacked as well. We are running Cyb - Advanced Forum Rules
    Originally posted by Zachery View Post
    For anyone who was hacked please start a support ticket with my attention, make sure to provide admincp, ftp, and phpmyadmin access.
    .


  • BluebeamSoftware
    replied
    Our forum was hacked as well. We are running Cyb - Advanced Forum Rules


  • Zachery
    replied
    For anyone who was hacked please start a support ticket with my attention, make sure to provide admincp, ftp, and phpmyadmin access.


  • Zombie-F
    replied
    I also have that hack installed. I'm betting that is the gate in since it seems to be the common bond between our forums.


  • Alfa1
    replied
    cyb - advanced rules was downloaded over 14000 times, so if this addon has a vulnerability then the impact can be pretty wide.


  • SilentSleeper
    replied
    Originally posted by thincom2000 View Post
    Reviewed the code for Cyb - Advanced Forum Rules and this can be the culprit as I see an exploit there: you can inject SQL and modify the database if you tamper with the HTML form when agreeing to the rules. The posted data, while cleaned, is not escaped before being used in the database query. Because many modern browsers let you modify a page's HTML, posted data cannot be trusted like this. This uses misc.php so it supports unterschluepfli's belief that the attacker entered through misc.php

    CODE REMOVED

    The $cybfr_rulesaccepted string contains the post data for a form field, which I think the modder expects to be a list of IDs. While this is likely where the attacker gained entry, the same mistake is made in multiple places throughout the modification.
    I believe you may be right. I have looked over each mod, and this Cyb - Advanced Forum Rules, which was installed on my forum as well, could be the problem. I came to the same conclusion earlier; however, I was wondering whether they would be able to change the index(s) with their content, as they did in my case, by gaining entry this way. They were able to inject SQL data into the database, but I'm not sure how they changed the index.php.
    Last edited by Trevor Hannant; Wed 4 May '11, 6:45am.


  • thincom2000
    replied
    Reviewed the code for Cyb - Advanced Forum Rules and this can be the culprit as I see an exploit there: you can inject SQL and modify the database if you tamper with the HTML form when agreeing to the rules. The posted data, while cleaned, is not escaped before being used in the database query. Because many modern browsers let you modify a page's HTML, posted data cannot be trusted like this. This uses misc.php so it supports unterschluepfli's belief that the attacker entered through misc.php

    CODE REMOVED

    The $cybfr_rulesaccepted string contains the post data for a form field, which I think the modder expects to be a list of IDs. While this is likely where the attacker gained entry, the same mistake is made in multiple places throughout the modification.
    Last edited by Trevor Hannant; Wed 4 May '11, 6:45am.
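
An added example, not part of the thread and not the modification's code (which was removed from the post above): one way to handle a posted field that is expected to be a list of IDs, validating it as integers and binding the values instead of placing posted text in the query. The table, column and function names are hypothetical, and PDO with an in-memory SQLite database stands in for the forum's database layer.

```php
<?php
// Added illustration; table, column and function names are hypothetical,
// not taken from the Cyb - Advanced Forum Rules source.

// Parse a posted "list of IDs" field; reject anything but comma-separated digits.
function parse_id_list(string $raw, int $maxItems = 100): array
{
    $ids = [];
    foreach (explode(',', trim($raw)) as $part) {
        $part = trim($part);
        // ctype_digit() fails on signs, quotes, parentheses, spaces and empty strings.
        if (!ctype_digit($part) || strlen($part) > 9) {
            throw new InvalidArgumentException('field is not a list of IDs');
        }
        $ids[(int) $part] = true; // array keys de-duplicate the IDs
    }
    if (count($ids) > $maxItems) {
        throw new InvalidArgumentException('too many IDs');
    }
    return array_keys($ids);
}

// Query with bound integer parameters only; no posted text reaches the SQL string.
function fetch_rules(PDO $db, array $ids): array
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT title FROM forum_rules WHERE ruleid IN ($marks) ORDER BY ruleid");
    foreach (array_values($ids) as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_rules (ruleid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO forum_rules VALUES (1,'Be civil'),(2,'No spam'),(3,'Stay on topic')");

// First value: a normal submission. Second: a constructed tampered field value.
foreach (['1, 3', '1) OR (1=1'] as $posted) {
    try {
        $titles = fetch_rules($db, parse_id_list($posted));
        echo json_encode($posted), ' -> ', json_encode($titles), "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($posted), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

Because the same mistake is reported in multiple places in the modification, the validation belongs in one shared function that every query path calls, rather than being repeated per form.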
