A new type hack method?

  • #1

    Hello,

    When I opened my forum homepage a little while ago, I was met with this page:



    First I checked my server/FTP accounts and all looked OK. My admin panel was working too, so I searched the templates and saw that he had changed the "FORUMHOME" script; I reverted it and everything went back to normal.

    Then I did some deeper research and saw that he had created a plugin in the vBulletin system like this:





    At the same time I've seen this in my mail:



    When I searched for some keywords from the hacking message, I saw that he had hacked many sites today with the same method:

    https://www.google.com.tr/#fp=2afba6...+By+Federal%22

    He even hacked the homepage of the antifraudintl.org forum, and this is the thread in their forum about this matter (their homepage is still hacked; if you read this message, you have to revert the FORUMHOME template):

    http://antifraudintl.org/showthread....bercriminalite

    What can this be? A new vulnerability?

    Regards...

  • #2
    Remove your install directory. We posted an announcement about this. If you need help getting your site back up and running, please open a support ticket.



    • Birdman commented:
      How? Where do I need to go in the root folders to remove it? After reading this thread, our site "so far" has not been a victim. However, my human verification security questioning requirements are more stringent and many bogus folks have been blocked from registering.

  • #3
    Well, I saw that announcement and removed the install directory. But I wasn't aware that it was about this vulnerability.

    Just one question: I deactivated the plugin he created; should I remove it completely?



    • #4
      You should remove it completely (you may want to copy the code to a text file just so you have it for future reference).

      You should also go to the Admin CP -> Maintenance -> Diagnostics -> Suspect File Check. If any files say "Does not contain expected contents" you should re-upload a fresh set of files for your version of vBulletin.

      Make sure you are running the latest version of vBulletin as well.

      Also if there are any files not recognized as part of vBulletin you will need to manually check them to be sure they are clear of exploits. If you have a lot of 3rd party add-ons this can be time consuming. Consider removing add-ons and reinstalling fresh copies of the latest versions.

      Double check your list of Administrators in Admin CP -> Usergroups -> Usergroup Manager. If you have an Admin account you didn't create, then this was likely the result of the exploit announced yesterday.

      There is still the possibility that your case was caused by a 3rd party add-on or server vulnerability. If no new Admin account was created, it may not be the same hack.


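The steps in the post above (Suspect File Check, look for files that are not part of vBulletin, re-upload a fresh set) can also be done from the shell, which is useful when the admin CP itself may be compromised. The following is an added example, not vBulletin's own Suspect File Check and not code from the thread: it hashes a freshly downloaded package of the same version and the deployed web root, then reports files whose contents differ, files the package does not know about, files that are missing, and whether /install/ is still present. The skipped directory and file names (attachments, customavatars, includes/config.php and so on) are assumptions about a typical vBulletin 4 layout and should be adjusted locally; the trees built by `demo()` are constructed sample data.

```python
"""Integrity check of a deployed vBulletin tree against a fresh download.

Added example, not vBulletin's Suspect File Check. Assumptions: CLEAN_ROOT is
the unpacked package for the exact same version, DEPLOYED_ROOT is the web root,
and SKIP_DIRS / SKIP_FILES name the usual vBulletin 4 locations that legitimately
differ from the package (adjust for your site).
"""
import hashlib
import os
import sys
import tempfile

# Directories whose contents legitimately differ between package and live site
# (user uploads), plus /install/, which is checked separately below.
SKIP_DIRS = {"attachments", "customavatars", "customprofilepics", "signaturepics", "install"}
# Files that are expected to differ from the package.
SKIP_FILES = {"includes/config.php"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in SKIP_FILES:
                manifest[rel] = sha256_of(full)
    return manifest


def compare_trees(clean_root, deployed_root):
    """Report how deployed_root deviates from clean_root.

    modified: same path, different contents ("Does not contain expected contents")
    unknown:  present on the site but not in the package (inspect by hand)
    missing:  in the package but not on the site
    """
    clean = build_manifest(clean_root)
    deployed = build_manifest(deployed_root)
    return {
        "modified": sorted(p for p in clean if p in deployed and clean[p] != deployed[p]),
        "unknown": sorted(p for p in deployed if p not in clean),
        "missing": sorted(p for p in clean if p not in deployed),
        "install_dir_present": os.path.isdir(os.path.join(deployed_root, "install")),
    }


def print_report(report):
    if report["install_dir_present"]:
        print("WARNING: /install/ is still present on the site; delete the whole directory")
    for kind in ("modified", "unknown", "missing"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")


def write_file(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)


def demo():
    """Compare two constructed trees (sample data, not a real site)."""
    base = tempfile.mkdtemp(prefix="vbcheck_")
    clean, deployed = os.path.join(base, "clean"), os.path.join(base, "deployed")
    package = {
        "index.php": "<?php // original front page\n",
        "forum.php": "<?php // forum index\n",
        "includes/config.php": "<?php // sample config shipped in the package\n",
        "install/upgrade.php": "<?php // upgrader\n",
    }
    # Live site: defaced index.php, edited config, one dropped file, /install/ kept.
    site = dict(package)
    site["index.php"] = "<?php // defaced front page\n"
    site["includes/config.php"] = "<?php // real credentials\n"
    site["federal.php"] = "<?php // unknown file that is not part of the package\n"
    for rel, body in package.items():
        write_file(os.path.join(clean, rel), body)
    for rel, body in site.items():
        write_file(os.path.join(deployed, rel), body)
    return compare_trees(clean, deployed)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print_report(compare_trees(sys.argv[1], sys.argv[2]))
    else:
        print_report(demo())
```

Run it as `python vb_integrity.py /tmp/vbulletin-clean /var/www/forum`; with no arguments it runs the constructed demo, which flags index.php as modified, federal.php as unknown and /install/ as still present. Anything under "unknown" that is not a known add-on deserves a look, since a dropped file survives a re-upload of the official package.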

      • #5
        Well, Joe, I've checked my admin usergroup now and saw that there are 2 admin accounts named "federal".

        So, it's certain that I was a victim of the same hack. I've removed the admin accounts, the install directory and the plugin he created. My forum version is 4.2.1 and there is nothing suspicious in the 3rd party add-ons.

        Thanks for help!



        • #6
          Same happened to me: homepage replaced (index.php and forum.php), a new plugin and a new admin user created, named "federal".
          Math matriculation exam | Textbook solutions



          • #7
            Originally posted by Emath:
            Same happened to me: homepage replaced (index.php and forum.php), a new plugin and a new admin user created, named "federal".
            Then you should follow the same steps as above.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API - Full / Mobile
            Vote for your favorite feature requests and the bugs you want to see fixed.



            • #8
              As above. This problem was found on Tuesday morning about 11 am Japan time. Like reignman, we had 2 people registered as "federal". One is now deleted and the other had all permissions removed and PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active, but even then they only go into an admin queue for final approval. Supposedly, no one can do anything until admin approval, and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin, but I don't know how.

              I have also found a file "federal" in the plugins, and that has been removed. We only have vB software and vB Advanced for the front page (with all our language forums). vBa is the only plugin that is set up. All "Abdou" did was deface our front page. The forum works fine from the forum.php page. I have removed the install file as Zachary indicated. But the problem has not been resolved.

              NB: vis-à-vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server, Abdou has violated federal law (maybe USC Title 18, but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK, among others. If anyone else has been hacked and you have any LE friends, let them know.
              http://www.antifraudintl.org



              • #9
                Originally posted by Hawkmoth:
                I have removed the install file as Zachary has indicated. But the problem has not been resolved.
                You need to remove the install DIRECTORY, not FILE.
                Keeping the /install/ directory open and accessible will just keep your forum getting hacked.

                You should also check for suspect files through ACP.
                Most probably some of the files have been changed.



                • #10
                  Sorry for my english. I meant directory. I removed the directory.
                  http://www.antifraudintl.org



                  • #11
                    I got the same "federal" member who got admin access on one of my sites.
                    Apparently he tried to add an announcement with no success and looked at user.php --> viewjoinrequests
                    No plugin added on my site and no file edit.
                    IP used: 41.248.180.132 (morocco)
                    I deleted the install folder and banned the IP from my server.


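The post above has the detail that matters for finding out when and how this happened: the account's first actions were visible in the admin CP (user.php, viewjoinrequests) and the requests came from one IP address. Because the fix everyone is given is "remove /install/", the web server access log is the place to confirm the entry point. The script below is an added example, not code from the thread or from vBulletin: it parses combined-format access log lines, collects every client that touched /install/, and flags those that went on to request admin CP pages afterwards. It assumes the combined log format and the default admin directory name /admincp/ (rename if yours differs); the SAMPLE_LOG lines are constructed, with the IP from the post above standing in for the attacker and made-up timestamps.

```python
"""Find clients that hit /install/ and then used the admin CP, from an access log.

Added example, not part of the thread. Assumes the common "combined" log format
and the default admin directory /admincp/. SAMPLE_LOG is constructed data: the
IP from post #11 stands in for the attacker and the timestamps are invented.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2013:10:58:02 +0900] "GET /forum.php HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
41.248.180.132 - - [27/Aug/2013:11:00:41 +0900] "GET /install/ HTTP/1.1" 200 1530 "-" "Mozilla/5.0"
41.248.180.132 - - [27/Aug/2013:11:00:55 +0900] "GET /install/upgrade.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
41.248.180.132 - - [27/Aug/2013:11:01:12 +0900] "POST /install/upgrade.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2013:11:01:30 +0900] "GET /showthread.php?t=12 HTTP/1.1" 200 30102 "-" "Mozilla/5.0"
41.248.180.132 - - [27/Aug/2013:11:02:15 +0900] "GET /admincp/user.php?do=viewjoinrequests HTTP/1.1" 200 7650 "-" "Mozilla/5.0"
41.248.180.132 - - [27/Aug/2013:11:03:40 +0900] "POST /admincp/plugin.php?do=update HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def path_only(path):
    """Strip the query string so prefix checks see only the script path."""
    return path.split("?", 1)[0]


def analyse(log_text, admin_dir="/admincp/"):
    """For every IP that requested anything under /install/, list those requests
    and any admin CP requests made after its first /install/ hit."""
    by_ip = defaultdict(lambda: {"install": [], "admincp": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = path_only(rec["path"])
        if p.startswith("/install/"):
            by_ip[rec["ip"]]["install"].append(rec)
        elif p.startswith(admin_dir):
            by_ip[rec["ip"]]["admincp"].append(rec)

    report = {}
    for ip, hits in by_ip.items():
        if not hits["install"]:
            continue  # legitimate admin use without touching /install/ is not this pattern
        first = min(r["time"] for r in hits["install"])
        after = [r for r in hits["admincp"] if r["time"] > first]
        report[ip] = {
            "first_install_hit": first,
            "install_requests": [(r["method"], r["path"], r["status"]) for r in hits["install"]],
            "admincp_after_install": [(r["method"], r["path"], r["status"]) for r in after],
            "pivot": bool(after),
        }
    return report


def print_report(report):
    for ip, info in report.items():
        tag = "PIVOT" if info["pivot"] else "probe"
        print(f"{ip} {tag} first /install/ hit at {info['first_install_hit']}")
        for m, p, s in info["install_requests"] + info["admincp_after_install"]:
            print(f"    {m} {p} -> {s}")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) == 2 else SAMPLE_LOG
    print_report(analyse(text))
```

Run as `python install_hits.py /var/log/apache2/access.log` (or with no argument for the constructed sample). An IP marked PIVOT reached /install/ and then appeared in the admin CP, which is the sequence to look for; a POST to /install/upgrade.php that returned 200 is the request to examine first, and the timestamp tells you which backups predate the intrusion.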

                    • #12
                      Problem resolved, for now. Somehow, whatever Abdou did, he installed a new index.php over our old one. All I had to do was go into FTP and copy our original index.php over the "new" one. Sorry I'm not clever. If I was, I might have thought of this sooner.

                      Now the question is, how does Abdou/Federal install his files?
                      http://www.antifraudintl.org



                      • #13
                        Originally posted by Zachery:
                        Remove your install directory. We posted an announcement about this. If you need help getting your site back up and running, please open a support ticket.
                        Same happened on my Forum.

                        Wouldn't it have been better for Vbulletin to email all customers about this serious exploit?



                        • #14
                          The way vBulletin has handled this serious exploit has really got me annoyed. Whenever vBulletin wants us to buy something such as vB5 we get an email, but with a serious exploit such as this, the best vBulletin staff can manage is an announcement post! Not good enough, vBulletin. I'm now seriously looking to move to another forum system.



                          • #15
                            I agree. What about all those admins not visiting the forums?

                            vB should have contacted all forum owners. It is not too late to do that and provide this basic support!
