Announcement

Collapse
No announcement yet.

A new type hack method?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Birdman
    replied
    how do i remove the install directory...where is it in the root folders...cant seem to locate. However, our site has not been a victim "yet". Maybe it's because the human verification registration security protocols i have in place are preventing. Running 4.2.0

    Leave a comment:


  • Birdman
    commented on 's reply
    how? where do i need to go in the root folders to remove it. After reading this thread, our site "so far" has not been a victim. However my human verification security questioning requirements are more stringent and many bogus folks have been blocked from registering.

  • Zachery
    replied
    Originally posted by Robbed View Post
    So is VB going to respond to this issue? It's happened to us as well it would of been nice to receive an email notification.

    The funny thing is a while back I asked if it was a good idea to delete install folder after every upgrade and they said it wasn't necessary.
    We've advised customers to remove the install folder, that is our response. Once you remove it the exploit vector is gone.

    In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Overtime the system changed which allowed an issue to crop back up.

    Leave a comment:


  • kiss of death
    replied
    I don;t believe removing the install directory fixes the issue , i removed the install directory, then restored my database to the day before my site was accessed, checked my admi cp yesterday and had my usual 4 admin, when i check again today, i had another new admin called "__" with an email address of "[email protected]" , i've checked the control panel logs and their has been no cp access or any plugis installed, checked my ftp file dates are later than the 6th of june when i last updated to vbulletin

    Leave a comment:


  • adeel786
    commented on 's reply
    Thank you for writing this in detail.

    i was victim of this hack. Even after deleting the install file, hacker kept replacing my adsense with his.

    I found the plugin using your mysql trick and deleted and I'm really hoping, he won't be able harm me anymore. He hurt me enough already

  • Robbed
    replied
    So is VB going to respond to this issue? It's happened to us as well it would of been nice to receive an email notification.

    The funny thing is a while back I asked if it was a good idea to delete install folder after every upgrade and they said it wasn't necessary.

    Leave a comment:


  • Ambro
    replied
    Just so you're all aware, the takeover is being issued directly from install/upgrade.php, the attacker is posting to this page and RIGHT after, gains access to the admincp page. This requires the person to have registered a forum account prior and has to be logged into a valid session for that registered user.

    Once he/she posts to the upgrade.php page, the user he/she's logged in as becomes an administrator of the forum. For persistence, the attackers are installing php backdoors so that they can retain access to the forums in the event of their account being removed.

    Anyhow, if you've been targeted by this, to locate potential malicious plugins, from within MySQL in your VBulletin forums database, issue these queries:

    SELECT * FROM plugin WHERE phpcode LIKE '%base64%';
    SELECT * FROM plugin WHERE phpcode LIKE '%lol%';
    This exploit is a direct derivative of the "vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne", the new variant was revived by "Ne0-HackeR & G00g!3W!0r" from UGHackers

    This new variant is literally the same PHP code base as the original but with a modification for how it locates the CUSTNUMBER hash.

    To protect yourself from this, completely remove your install directory or at the very least, protect it with .htaccess.

    ALSO, this is an important one, protect your admincp and modcp folders with .htaccess, i'd recommend using IP/Subnet based ACL's not password based since that can be bruted.

    Setup iptables, PF / etc and create rules for accessing ftp over port 21 and SSH. Change your default SSH port to something non standard and restrict authentication to public/private keys ONLY... Only allow connection requests from the outside from whitelisted source addresses / subnets for both FTP and SSH.

    Also, if you'd like to collect metrics on how many people are querying these pages, create a simple php script in the same location, for index.php and create a symbolic link to upgrade.php. Inside, write a small routine for logging IP's to your mysql database.

    I've been keeping track of people hitting my site and as of recent, in the last week have 18 attempts logged.

    -Ambro
    Last edited by Ambro; Fri 6 Sep '13, 12:38pm.

    Leave a comment:


  • fccsonline
    replied
    This affected us bit time.

    I have a small VPS hosting a friends website - vbulletin forum. About a year ago he took over the patching / upgrading and backing up. Unfortunately, he hasn't taken a backup for a year, and last upgrade left the install directory....

    This hacker, username of "VBking" deleted half of his forums. The transaction log is just plain ugly - and as far as I know, without a backup, there's no "undo."

    I think he might be up a creek without a paddle, but I'm trying to help as best I can. I've contacted the webhost to see if there's any option to obtain a backup of the database from a previous date - but there's nothing we had in place ourselves. I was under the impression he was backing up via cpanel.

    Leave a comment:


  • Ion Saliu
    replied
    Originally posted by akoj View Post
    My hacker this am was nice enough to identify himself with the email [email protected] and username TH3H4CK. A mod caught it fairly quick but couldn't delete the account but I was able to. It was created as an admin account. None of the files you all the mentioned were installed but I wonder if we just caught it in the nick of time OR I am in for a nasty surprise soon.
    Axiomatic Colleague of Mine:

    What a coincidence! That bastard (criminal, actually) registered in my forum, too! He did it 10+ times!

    User: Th3H4ck
    Email: [email protected]
    User Title: Administrator

    I discovered his/their IP addresses as well and banned them. See my recent thread here:

    http://www.vbulletin.com/forum/forum...minal-detected

    Best of luck, axiomatic one!

    Ion Saliu,
    Watchdog At-Large
    Forums: Lottery, Lotto, Gambling, Software, Systems

    Leave a comment:


  • DemOnstar
    replied
    I don't know about nasty surprises, I don't anybody knows much on this guy..

    Leave a comment:


  • akoj
    replied
    My hacker this am was nice enough to identify himself with the email [email protected] and username TH3H4CK. A mod caught it fairly quick but couldn't delete the account but I was able to. It was created as an admin account. None of the files you all the mentioned were installed but I wonder if we just caught it in the nick of time OR I am in for a nasty surprise soon.

    Leave a comment:


  • dougdirac
    replied
    Originally posted by Scream And Fly View Post
    I'm so very glad that VBulletin took the time out to send a message to all of their customers about this. Imagine if people had to find out about this the hard way...
    I assume this is sarcasm since people finding out the hard way is exactly what happened, unnecessarily (and inexcusably) so. Last week I tried to ask what the policy is about sending an email about security threats but the thread was closed without providing an answer to this simple question. All I can guess is that whoever is "responsible" left early for Labor Day weekend. Not very reassuring to the customer when important security warnings take holidays off. :/

    Leave a comment:


  • DemOnstar
    replied
    For some people, they did find out a little too late. At least they found out and now I would think that most people know.

    Leave a comment:


  • Scream And Fly
    replied
    I'm so very glad that VBulletin took the time out to send a message to all of their customers about this. Imagine if people had to find out about this the hard way...

    Leave a comment:


  • DemOnstar
    replied
    Originally posted by kiss of death View Post
    i'm just really confused as to why someone with that level of access would try and cover their tracks by removing the plugin and user account but not prune the logs?
    Removing the account and the plug in so that admin won't see it suggests that they don't want to be seen. They come in, do the nasty and move out.. The nasty is obviously set to trigger at some point in time (possibly cron related) Check your scheduled tasks for unrecognizable cron jobs.. Snapshot the cron folder or count the number of files within and keep for future reference.

    Not pruning the logs could mean that they are not aware of this functionality. Otherwise they would have done it.

    Leave a comment:

widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X