Announcement

Collapse
No announcement yet.

leaked login info

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] leaked login info

    I have outbound email originating from my vB 4.2.0 forum that contains login info with the following format:

    Code:
    user: hello
    pass: 6110144
    IP:xx.xx.xx.xx
    REFERER:http://xxx.xx/showthread.php?xxxxxx
    date: 8 June, 2012, 10:25 pm
    All these are going to the same address (a gmail address). I created an alias in my mail program to capture several of the emails before bitbucketing them.

    I've searched the database, the templates, and all the static files for the email address and can not find anything. I'm at a loss at to how to find this and kill it.

    Any help would be appreciated!!

    - - - Updated - - -

    Most of them have the user, pass, and REFERER emply, like this:

    Code:
    user:
    pass:
    IP: xx.xx.xx.xx
    REFERER:
    date: 8 June, 2012, 11:10 pm
    No clue how these are generated and how to stop them.

    - - - Updated - - -

    The ones with populated user and password information I have verified have legitimate login info for user accounts. This is BAD!!!!

    Any help would be appreciated!!!

  • #2
    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru(), gzencode() or iframes. These are also often signs of a hacked site.

    Query for step 4 and 5 -
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%' OR phpcode like '%gzencode%';

    7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%' OR template like '%gzencode%';

    It checks the templates for compromising code.

    8) Check .htaccess to make sure there are no redirects there.
    Last edited by Riasat; Sat 9 Jun '12, 3:43pm.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment


    • #3
      Originally posted by mavherzog View Post
      I've searched the database, the templates, and all the static files for the email address and can not find anything. I'm at a loss at to how to find this and kill it.
      It might be another application which does that.


      vB5 is unequivocally the best forum software, but not yet...

      Comment


      • #4
        I've got two plugins with base64 code:

        Click image for larger version

Name:	Screen Shot 2012-06-09 at 6.26.48 AM.jpg
Views:	1
Size:	17.1 KB
ID:	3687470

        When I disable the first one, the emails stop. Should I whack both of these?? (are either of them valid?)

        Comment


        • #5
          There are no plugins by default in the vBulletin product.

          Comment


          • #6
            vBulletin doesn't have any plugins by default so get rid of them both because they're not mean't to be there unless you or another administrator added them.
            Aakif Nazir

            Comment


            • #7
              How can this happen? I mean, hashes only should be stored and not plain password…

              Comment


              • #8
                vBulletin has an option to disable the md5 hashing before it gets sent to the server, which they might be setting.

                Comment


                • #9
                  Thank you Zachery. Where can I find this option?

                  Comment


                  • #10
                    Originally posted by lovecraft22 View Post
                    How can this happen? I mean, hashes only should be stored and not plain password…
                    If you modify the code, you can capture the plain password as it is typed in. Not really difficult to do. It doesn't happen when you keep your site secure though.
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API

                    Comment


                    • #11
                      Check the source code of the first plugin, i think there will be some nasty code inside...

                      Also check admin log to see who added that plugin (Statistics & Logs -> Log Manager)
                      --> If you receive message like "Control Panel log viewing restricted.", you will need to add your userID in the config.php file to allow access to the logs.

                      Comment

                      widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                      Working...
                      X