Forum hacked...

  • Coppers Lot
    replied
    One problem I have is accessing the ad manager on Admin CP. If in Admin CP I select >Manage Ads I don't get that screen. Instead the left side bar of Admin CP disappears and the right hand table "Welcome to Admin Control Panel" screen expands to take up the whole screen.
    Anyone know why this is happening please?

    Update, it seems to be a problem with Firefox browser only.
    Last edited by Coppers Lot; Mon 7th Oct '13, 6:07am. Reason: research findings


  • donald1234
    replied
    Yes, that's a vBulletin plugin for enabling paid-for links in your text; looks like it's disabled anyway.


  • vbsm
    replied
    I see that Skimlinks was asked about above, with no answer. My install folder was deleted last year, and today I looked at the plugins for the first time, and see:

    Product : Skimlinks Plugin

    Add Skimlinks Classes to PostBit postbit_display_complete
    Add Skimlinks JavaScript to footer template showthread_complete
    Add Skimlinks Option to Edit Options Form profile_editoptions_start
    Extend User DataManager userdata_start
    Update Skimlinks Preference profile_updateoptions



    I searched the forum, and Skimlinks seems to be a feature, not a problem. Is this correct?


  • Coppers Lot
    replied
    Thanks for the heads up and tips Ion


  • Ion Saliu
    replied
    Coppers Lot:

    The IP addresses are easy to fake, axiomatic colleague of mine. There is plenty of software that hides the real IP address. Even Google Chrome has several extensions that hide the real IP of the visitor. Still, I believe it is a good action to ban the skumbullows (cyber criminals) by their IP numbers. I did it immediately after this latest Psychosama hack-attack:

    AdminCP > Options > User Banning Options > paste the IP in the corresponding textbox.

    I collected several IP addresses of bad guys in these forums. I mean, I copied the IPs other members posted here. I added them to the ban list of the IPs I discovered.

    You might still have problems even after you deleted the /install folder. The reason: You did not change all related passwords immediately after the attack. It is specified in a dedicated blog written by Zachery:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked

    vBulletin email alert should have also specified the changing of passwords immediately after the deletion of the /install folder.

    Ion Saliu
    “A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”


  • Coppers Lot
    replied
    Hi All, I find that I was hacked today. I run VB 4.1.2. It is a closed forum and does not accept new members. Today I discovered a new Admin "aventus67".
    They had deleted their IP address but I found it in the logs:- 88.230.120.188. Host Name 88.230.120.188.dynamic.ttnet.com.tr
    A search shows this to be someone in Turkey.
    He/She used a Yopnet disposable email address.
    I then checked my plugins and found that they had installed something called Skimlinks. I have never seen this in my P&P folder before so I assume they installed it.
    A check of my logs shows the following activity:
    10939 aventus67 10:56, 28th Sep 2013 plugin.php 88.230.120.188
    10938 aventus67 10:56, 28th Sep 2013 plugin.php doimport 88.230.120.188
    10937 aventus67 10:56, 28th Sep 2013 plugin.php files 88.230.120.188
    10936 aventus67 10:56, 28th Sep 2013 plugin.php files 88.230.120.188

    My Install folder was deleted ages ago and the forum is set up with All Ajax features disabled.
    The one thing I have always had problems with in the past was some members could sign up and start posting without requiring moderation whilst some would.
    Anyway, I am going through Zachery's blogs to check everything, but is there anything else I should know, or does anyone have an opinion of what this person was trying to do and how they managed to get in?
    Thanks for reading


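Added example, not part of the post above and not vBulletin code: one way to triage control panel log rows like the ones quoted there, flagging accounts missing from a known-admin list and any `plugin.php` import or file action. The field layout, the `known_admins` list, and the last two sample rows are assumptions or constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the four lines quoted in the post (id, user,
# time, date, script, optional action, IP). An assumption, not a documented
# vBulletin export format.
ENTRY = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>.+?)\s+\d{1,2}:\d{2},\s+"
    r"\d{1,2}(?:st|nd|rd|th)\s+[A-Za-z]{3}\s+\d{4}\s+"
    r"(?P<script>\S+\.php)(?:\s+(?P<action>[A-Za-z_]+))?\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# plugin.php actions that appear in the post; treated here as code-changing.
PLUGIN_ACTIONS = {"doimport", "files"}

# First four lines are from the post; the last two are constructed.
SAMPLE_LOG = """\
10939 aventus67 10:56, 28th Sep 2013 plugin.php 88.230.120.188
10938 aventus67 10:56, 28th Sep 2013 plugin.php doimport 88.230.120.188
10937 aventus67 10:56, 28th Sep 2013 plugin.php files 88.230.120.188
10936 aventus67 10:56, 28th Sep 2013 plugin.php files 88.230.120.188
10935 Coppers Lot 09:12, 27th Sep 2013 options.php 203.0.113.7
10934 <truncated row>
"""

def triage(lines, known_admins):
    """Group suspicious entries by (user, ip); return (findings, unparsed)."""
    seen = defaultdict(lambda: {"unknown_admin": False, "entries": 0, "plugin_changes": []})
    unparsed = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            unparsed.append(line)  # keep rows that do not parse; they are still evidence
            continue
        rec = seen[(m["user"], m["ip"])]
        rec["entries"] += 1
        rec["unknown_admin"] |= m["user"].lower() not in known_admins
        if m["script"] == "plugin.php" and m["action"] in PLUGIN_ACTIONS:
            rec["plugin_changes"].append((int(m["id"]), m["action"]))
    # Plugin changes are reported even for known admins: the account may be hijacked.
    findings = {k: v for k, v in seen.items() if v["unknown_admin"] or v["plugin_changes"]}
    return findings, unparsed

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines(), known_admins={"coppers lot"}))
```
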
  • Wayne Luke
    replied
    You've missed something then. For one, your AdminCP is not behind .htaccess. I suspect you're not getting hacked repeatedly; they are just reapplying their maliciousness through a backdoor they installed that hasn't been removed. You would need to open a support ticket to have someone look deeper.


  • Jaxo
    replied
    Just a bit of an update: I am getting hacked on a daily basis now. I have taken all the recommended steps, changed site and database passwords amongst many other things, but they still get in. If they don't create a rogue admin account they redirect the site to some Islamic nonsense with a notice saying hacked by 747 crew... getting really pi$$ed off now.. When I figure out how to get my 15Gb of attachments to phpBB I'm gone.. everything else transfers fine except the attachments.


  • islander
    replied
    Found this existing thread so I'm putting my oar in the water. I can log into Admin panel and Cpanel, but when I try to access the site, I get "This website is temporarily suspended." Host thinks there is a malicious line of code inserted but I don't know how to find it, much less remove it. I've read through Zachery's blogs but I am too ignorant of computer coding etc. to understand any of it. I don't even know where to look for the /install folder. Please hold my hand and offer some simple instructions an old lady can follow.


  • Ion Saliu
    replied
    Kyo-dono: “I do not understand how a user can have an INSTALL folder in the forum system. After install/upgrade you MUST delete it to log in as admin!? Why do you have an INSTALL folder in your system?”

    Mark.B: “You now need to delete the entire /install folder (or /core/install on vB5) to avoid security issues.”

    vBulletin has had serious security issues after the new ownership (post v3) — yet, they have treated problems childishly quite often. I was shocked when I did my first vB upgrade — my entire website became vulnerable because of the upgrade. Yet, vBulletin Team blamed… my webhost!

    http://forums.saliu.com/forum-admini...18-2010-a.html

    I said previously that all these security issues originate inside the vBulletin house (e.g. former employees who became disgruntled). I was NOT implying that vBulletin creates security issues deliberately. That is, they intentionally want access to the forums run by their software. You know, some forums have paid subscriptions, paid advertising… things that hackers can redirect to their coffins…

    Still, even involuntary security problems can be legal snakes for any company. It is called negligence. I remember in the good ol’ DOS era, a company promised the doubling of RAM via software. In reality, that piece of software caused serious losses. I was hit by that problem. The RAM company became the subject of a class-action lawsuit that destroyed the company. I remember well I received a check issued by a court in California.

    With so many security issues, vBulletin is lucky they haven’t been the subject of a class-action lawsuit. Just imagine a law firm who runs a paid-for forum (they usually demand high fees for such membership). Now, the forum of the law firm is powered by vBulletin. Imagine this latest grave security problem — the law firm would lose lots of money. Their paid-for-membership redirects all the money to a bunch of hackers (with IPs spread all over the world)…

    Take care, vB axiomatics! You skating on thin ice…

    Ion Saliu,
    Well-Wisher At-Large


  • Mark.B
    replied
    Originally posted by Martyn_s30v:
    “Ahhh - so is the existence of the install folder the exploit here? Is 4.2.0 Patch Level 2 secure with the install dir removed?”
    Yes, that's correct.


  • Martyn_s30v
    replied
    Ahhh - so is the existence of the install folder the exploit here? Is 4.2.0 Patch Level 2 secure with the install dir removed?
    Last edited by Martyn_s30v; Tue 10th Sep '13, 3:37am.


  • Mark.B
    replied
    Originally posted by Martyn_s30v:
    “No, you have to delete the install file after installation, not the folder - unless it's changed since I last did an update.”
    It has. You now need to delete the entire /install folder (or /core/install on vB5) to avoid security issues.


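Added example, not part of the thread and not vBulletin code: a check for the two conditions raised in Mark.B's and Wayne Luke's replies, a leftover `/install` (or `/core/install`) folder and a control panel directory with no `.htaccess` restriction. The `admincp` directory names and the list of Apache directives treated as access rules are assumptions.

```python
import os

# "install" and "core/install" are the folders named in the thread. "admincp"
# (and "core/admincp") as the control-panel directory is an assumption; pass
# your own names if the directory was renamed.
INSTALL_DIRS = ("install", os.path.join("core", "install"))
ADMINCP_DIRS = ("admincp", os.path.join("core", "admincp"))

# Apache directives that restrict access (2.2 and 2.4 syntax).
ACCESS_DIRECTIVES = ("authtype", "require", "deny", "allow")

def has_access_rule(htaccess_path):
    """True if the .htaccess contains at least one access-control directive."""
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            words = line.split("#", 1)[0].split()
            if words and words[0].lower() in ACCESS_DIRECTIVES:
                return True
    return False

def audit_forum_root(root, admincp_dirs=ADMINCP_DIRS):
    """Return a list of (finding, relative_path) tuples for one forum root."""
    findings = []
    for rel in INSTALL_DIRS:
        if os.path.isdir(os.path.join(root, rel)):
            findings.append(("install-dir-present", rel))
    for rel in admincp_dirs:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            continue
        htaccess = os.path.join(path, ".htaccess")
        if not os.path.isfile(htaccess):
            findings.append(("admincp-no-htaccess", rel))
        elif not has_access_rule(htaccess):
            findings.append(("admincp-htaccess-without-access-rule", rel))
    return findings

if __name__ == "__main__":
    import sys
    for finding, rel in audit_forum_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}: {rel}")
```

Access restrictions can also be set in the main server configuration, so a missing `.htaccess` is a prompt to check rather than proof of exposure.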
  • Martyn_s30v
    replied
    Originally posted by Kyo-dono:
    “This is a Tor IP https://www.torproject.org and is not a user from Sweden.
    Most hackers use this anonymizer service.

    I do not understand how a user can have an INSTALL folder in the forum system. After install/upgrade you MUST delete it to log in as admin!? Why do you have an INSTALL folder in your system?”
    No, you have to delete the install file after installation, not the folder - unless it's changed since I last did an update.


  • Kyo-dono
    replied
    This is a Tor IP https://www.torproject.org and is not a user from Sweden.
    Most hackers use this anonymizer service.

    I do not understand how a user can have an INSTALL folder in the forum system. After install/upgrade you MUST delete it to log in as admin!? Why do you have an INSTALL folder in your system?
    Last edited by Kyo-dono; Tue 10th Sep '13, 2:25am.
