Announcement

Collapse
No announcement yet.

A new type hack method?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Reignman
    replied
    Originally posted by Jamsoft View Post

    Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didnt say "check to see if you had admin accounts to see if you have been compromised. I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

    how about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly
    Yes, that was a big mistake. I don't know why CP message didn't incluse this "added admins" warning.

    By the way, are you sure that these messages were deleted by this hacker called "abdou" ?

    Leave a comment:


  • Reignman
    replied
    Originally posted by Hawkmoth View Post
    As above. This problem was found on Tuesday morning about 11 am Japan time. Like reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed an PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active but even then they only go into a admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin but I don't know how.

    I have also found a file "federal" in the plugin and that is removed. We only have vb software and vb advanced for the front page (with all our language forums). vba is the only plugin that is set up. All "abdou" did is deface our frontpage. The forum works fine from forum/php page. I have removed the install file as Zachary has indicated. But the problem has not been resolved.

    NB; vis a vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server Abdou has violated federal law (maybe USC Title 18 but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.
    He gets admin priviliges when registering to the forum (using the exploit) So he can do whatever he wants.

    Another warning to forum owners: if your password in config.php is equal to your ftp/server passwords, you have to change these passwords.

    Leave a comment:


  • Jamsoft
    replied
    Originally posted by DF031 View Post
    I agree, what about all those admins not visiting the forums ?

    VB should have contacted all forum owners. It is not too late to do that and provide this basic support !
    Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didnt say "check to see if you had admin accounts to see if you have been compromised. I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

    how about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly

    Leave a comment:


  • user-1231235234532
    replied
    I agree, what about all those admins not visiting the forums ?

    VB should have contacted all forum owners. It is not too late to do that and provide this basic support !

    Leave a comment:


  • Sicilian
    replied
    The way Vbulletin have handled this serious exploit has really got me annoyed. If ever Vbulletin want use to buy something such as VB5 we get an email, but with such a serious exploit such as this, the best Vbulletin staff can manage is an announcement post! No good enough Vbulletin, I'm now seriously looking to move to another Forum system.

    Leave a comment:


  • Sicilian
    replied
    Originally posted by Zachery View Post
    remove your install directory, We posted an announcement about this. If you need help getting your site back up and running, please open a support ticket
    Same happened on my Forum.

    Wouldn't it have been better for Vbulletin to email all customers about this serious exploit?

    Leave a comment:


  • Hawkmoth
    replied
    Problem resolved, for now. Somehow, whatever Abdou did he installed a new index.php over our old one. All I had to do was fo into ftp and copy our original index.php over the "new" one. Sorry I'm not clever. If I was I might have thought of this sooner.

    Now the question is, how does Abdou/Federal install his files?

    Leave a comment:


  • ercule
    replied
    I got the same "federal" member who got admin access on one of my site.
    Apparently he tried to add an announcement with no success and looked at user.php --> viewjoinrequests
    No plugin added on my site and no file edit.
    IP used: 41.248.180.132 (morocco)
    I deleted the install folder and banned the IP from my server.

    Leave a comment:


  • Hawkmoth
    replied
    Sorry for my english. I meant directory. I removed the directory.

    Leave a comment:


  • McGyver
    replied
    Originally posted by Hawkmoth View Post
    I have removed the install file as Zachary has indicated. But the problem has not been resolved.
    You need to remove the install DIRECTORY, not FILE.
    Keeping the /install/ directory open and accessible, will just keep your forum getting hacked.

    You should also check for suspect files through ACP.
    Most probably some of the files have been changed.

    Leave a comment:


  • Hawkmoth
    replied
    As above. This problem was found on Tuesday morning about 11 am Japan time. Like reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed an PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active but even then they only go into a admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin but I don't know how.

    I have also found a file "federal" in the plugin and that is removed. We only have vb software and vb advanced for the front page (with all our language forums). vba is the only plugin that is set up. All "abdou" did is deface our frontpage. The forum works fine from forum/php page. I have removed the install file as Zachary has indicated. But the problem has not been resolved.

    NB; vis a vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server Abdou has violated federal law (maybe USC Title 18 but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.

    Leave a comment:


  • Wayne Luke
    replied
    Originally posted by Emath View Post
    same happened to me : homepage replaced(index.php and forum.php), new plugin and a new admin user was created named : federal
    Then you should follow the same steps as above.

    Leave a comment:


  • Emath
    replied
    same happened to me : homepage replaced(index.php and forum.php), new plugin and a new admin user was created named : federal

    Leave a comment:


  • Reignman
    replied
    Well, Joe I've checked my admin usergroup now and saw that there are 2 admin accounts named "federal"

    So, it's certain that I was victim of same hack. I've removed admin accounts, install directory and plugin he created. My forum version is 4.2.1 and there is nothing suspicious on 3rd party addons.

    Thanks for help!

    Leave a comment:


  • BirdOPrey5
    replied
    You should remove it completely (You may want to copy the code to a text file just s you have it for future reference)

    You should also go to the Admin CP -> Maintenance - > Diagnostics -> Suspect File Check. If any files say "Does not contain expected contents" you should re-upload a fresh set of files for your version of vBulletin.

    Make sure you are running the latest version of vBulletin as well.

    Also if there are any files not recognized as part of vBulletin you will need to manually check them to be sure they are clear of exploits. If you have a lot of 3rd party add-ons this can be time consuming. Consider removing add-ons and reinstalling fresh copies of the latest versions.

    Double check your list of Administrators in Admin CP -> Usergroups -> Usergroup Manager, if you have an Admin account you didn't create then this was likely the result of the exploit announced yesterday.

    There is sttiil the possibility that your case was caused by a 3rd party add-on or server vulnerability, if no new Admin account was created it may not be the same hack.

    Leave a comment:

widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X