Removing the account and the plug in so that admin won't see it suggests that they don't want to be seen. They come in, do the nasty and move out.. The nasty is obviously set to trigger at some point in time (possibly cron related) Check your scheduled tasks for unrecognizable cron jobs.. Snapshot the cron folder or count the number of files within and keep for future reference.

Not pruning the logs could mean that they are not aware of this functionality. Otherwise they would have done it.

I'm so very glad that VBulletin took the time out to send a message to all of their customers about this. Imagine if people had to find out about this the hard way...

For some people, they did find out a little too late. At least they found out and now I would think that most people know.

I assume this is sarcasm since people finding out the hard way is exactly what happened, unnecessarily (and inexcusably) so. Last week I tried to ask what the policy is about sending an email about security threats but the thread was closed without providing an answer to this simple question. All I can guess is that whoever is "responsible" left early for Labor Day weekend. Not very reassuring to the customer when important security warnings take holidays off. :/

My hacker this am was nice enough to identify himself with the email [email protected] and username TH3H4CK. A mod caught it fairly quick but couldn't delete the account but I was able to. It was created as an admin account. None of the files you all the mentioned were installed but I wonder if we just caught it in the nick of time OR I am in for a nasty surprise soon.

I don't know about nasty surprises, I don't anybody knows much on this guy..

Axiomatic Colleague of Mine:

What a coincidence! That bastard (criminal, actually) registered in my forum, too! He did it 10+ times!

User: Th3H4ck
Email: [email protected]
User Title: Administrator

I discovered his/their IP addresses as well and banned them. See my recent thread here:

http://www.vbulletin.com/forum/forum...minal-detected

Best of luck, axiomatic one!

Ion Saliu,
Watchdog At-Large
Forums: Lottery, Lotto, Gambling, Software, Systems

This affected us bit time.

I have a small VPS hosting a friends website - vbulletin forum. About a year ago he took over the patching / upgrading and backing up. Unfortunately, he hasn't taken a backup for a year, and last upgrade left the install directory....

This hacker, username of "VBking" deleted half of his forums. The transaction log is just plain ugly - and as far as I know, without a backup, there's no "undo."

I think he might be up a creek without a paddle, but I'm trying to help as best I can. I've contacted the webhost to see if there's any option to obtain a backup of the database from a previous date - but there's nothing we had in place ourselves. I was under the impression he was backing up via cpanel.

Just so you're all aware, the takeover is being issued directly from install/upgrade.php, the attacker is posting to this page and RIGHT after, gains access to the admincp page. This requires the person to have registered a forum account prior and has to be logged into a valid session for that registered user.

Once he/she posts to the upgrade.php page, the user he/she's logged in as becomes an administrator of the forum. For persistence, the attackers are installing php backdoors so that they can retain access to the forums in the event of their account being removed.

Anyhow, if you've been targeted by this, to locate potential malicious plugins, from within MySQL in your VBulletin forums database, issue these queries:

This exploit is a direct derivative of the "vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne", the new variant was revived by "Ne0-HackeR & G00g!3W!0r" from UGHackers

This new variant is literally the same PHP code base as the original but with a modification for how it locates the CUSTNUMBER hash.

To protect yourself from this, completely remove your install directory or at the very least, protect it with .htaccess.

ALSO, this is an important one, protect your admincp and modcp folders with .htaccess, i'd recommend using IP/Subnet based ACL's not password based since that can be bruted.

Setup iptables, PF / etc and create rules for accessing ftp over port 21 and SSH. Change your default SSH port to something non standard and restrict authentication to public/private keys ONLY... Only allow connection requests from the outside from whitelisted source addresses / subnets for both FTP and SSH.

Also, if you'd like to collect metrics on how many people are querying these pages, create a simple php script in the same location, for index.php and create a symbolic link to upgrade.php. Inside, write a small routine for logging IP's to your mysql database.

I've been keeping track of people hitting my site and as of recent, in the last week have 18 attempts logged.

-Ambro

So is VB going to respond to this issue? It's happened to us as well it would of been nice to receive an email notification.

The funny thing is a while back I asked if it was a good idea to delete install folder after every upgrade and they said it wasn't necessary.

I don;t believe removing the install directory fixes the issue , i removed the install directory, then restored my database to the day before my site was accessed, checked my admi cp yesterday and had my usual 4 admin, when i check again today, i had another new admin called "__" with an email address of "[email protected]" , i've checked the control panel logs and their has been no cp access or any plugis installed, checked my ftp file dates are later than the 6th of june when i last updated to vbulletin

We've advised customers to remove the install folder, that is our response. Once you remove it the exploit vector is gone.

In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Overtime the system changed which allowed an issue to crop back up.

how do i remove the install directory...where is it in the root folders...cant seem to locate. However, our site has not been a victim "yet". Maybe it's because the human verification registration security protocols i have in place are preventing. Running 4.2.0

Hi,
We suspected if they changed something in the styles / templates.

Looking at the templates (both in parent style and other styles), reviewing the 'Edit history', some of the templates show
'Edited by Jelsoft', 'Edited by vBulletin' which are vbulletin edits
Some show 'Edited by' our own admin accounts - probably some template customizations
While some templates show as below:
blog_blog_rown - Last edited December 15 2010 at 13:29 by ksours
blog_comment_profile - Last edited December 21 2009 at 16:59 by freddie
blog_cp_manage_categories - Last edited December 9 2010 at 16:32 bymichael.lavaveshkuli

Are these something that we should suspect? Could it be possible they changed the edit date and time?

Unless you have or somebody else has removed it, it should be at your forum root. With me, it comes after the includes folder. Alphabetical order I assume.