how to protect against ajax.php?lol hack

    Our site was hacked yesterday by a new user that was able to give himself admin rights, then create a plugin to upload files directly to our server. He uploaded a php script that overwrote index.php to his own (thankfully mostly harmless) code. This is what he did: http://www.youtube.com/watch?v=wwmqV8fMmfY

    We are running 4.2.1 and I have not been able to find much info about how one could maliciously gain admin access. SQL injection to change his usergroup? There are no entries in the control panel log showing that a real admin account was compromised and used to give that user admin privileges (we have all changed our passwords anyway). The user's IP does not appear in the server's raw access log leading me to believe it was accomplished through scripts on the server. I have cpanel, WHM and FTP access restricted to my IP, and SQL is restricted to the server's. I have verified all file permissions are still set correctly. Config.php has not been altered and tools.php is not on the server.

    For obvious reasons no one should post a how-to gain admin access here, but how can we protect against someone maliciously using vbulletin scripts? And how can we prevent ajax.php from connecting to external servers?

    Edit: Sorry, just saw we're not alone. - http://www.vbulletin.com/forum/forum...pe-hack-method

    I started to create this thread yesterday but wanted to research a few more things first. Install directory deleted.
    Last edited by af1racing; Wed 28th Aug '13, 9:50am.

  • #2

    Delete the install directory, delete the plugin, delete the user, delete any non-vBulletin files.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.
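A file-system audit for the cleanup steps listed above, as an added example that is not from the thread or from vBulletin: it flags a leftover install directory, files that are not in a known-good manifest (assumed to be a list of relative paths generated from a clean package of the running version), and PHP files modified within the last N days, such as an overwritten index.php. Removing the plugin and the user happens in the database and admin CP, which this script does not touch; it deletes nothing and only reports.

```shell
#!/bin/sh
# Post-incident audit of a vBulletin webroot (added example, not project code).
# Usage: audit_vb_root /path/to/webroot manifest.txt [days]
# Prints one "FINDING: ..." line per item worth reviewing by hand.
audit_vb_root() {
    root=$1
    manifest=$2          # assumption: one relative path per line, from a clean install
    days=${3:-7}         # assumption: look back one week by default
    export LC_ALL=C      # sort and comm must agree on collation

    # 1. The install directory must be gone on a live site.
    if [ -d "$root/install" ]; then
        echo "FINDING: install directory still present: $root/install"
    fi

    # 2. Files on disk that the manifest does not know about (dropped scripts,
    #    uploaded plugins, backdoors). comm -23 prints lines only in the first file.
    present=$(mktemp)
    expected=$(mktemp)
    (cd "$root" && find . -type f | sed 's|^\./||' | sort) > "$present"
    sort "$manifest" > "$expected"
    comm -23 "$present" "$expected" | while read -r f; do
        echo "FINDING: file not in manifest: $f"
    done
    rm -f "$present" "$expected"

    # 3. Recently changed PHP files; a legitimate deployment explains these,
    #    an overwritten index.php does not.
    find "$root" -type f -name '*.php' -mtime -"$days" | while read -r f; do
        echo "FINDING: PHP file modified within $days days: $f"
    done
    return 0
}
```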

  • #3

    Already done, Luke. Thanks.
