vb 4.1.7 - exploit TRUNCATE TABLE vb3_attachmentviews?

  • #1

    Hello all,

    I have a forum with VB 4.1.7 that keeps sending me emails about database errors.

    I had my hosting provider disable the "DROP" command for the forum's MySQL user, as some time ago someone managed to DROP all the tables and I had to recover from a backup.
    Disabling DROP/TRUNCATE is just a workaround, but I'm unable to find the real source of the problem. Someone is trying to exploit something, but I don't really understand what.
    Maybe it has something to do with the cron jobs (?)
    Furthermore, vBulletin keeps creating tables like vb3_aaggregate_temp_xxxx. Maybe that's normal behaviour, but with DROP disabled those of course couldn't be deleted automatically and are filling my DB with useless stuff.

    sample error:

    Code:
    Database error in vBulletin 4.1.7:

    Invalid SQL:
    TRUNCATE TABLE vb3_attachmentviews;

    MySQL Error   : DROP command denied to user xxxx for table 'vb3_attachmentviews'
    Error Number  : 1142
    Request Date  : Monday, November 12th 2012 @ 04:10:16 PM
    Error Date    : Monday, November 12th 2012 @ 04:10:16 PM
    Script        : http://www.xxxx/cron.php?rand=1352733013
    Referrer      : http://www.xxxx/search.php?searchid=1292630
    IP Address    : 194.244.5.4
    Username      : Non registrato (Not registered)
    Classname     : vB_Database
    MySQL Version :

    The source IP addresses vary a lot, so I suppose it's some kind of known bug/exploit?

    Thanks!
    Last edited by Cornolio; Mon 12th Nov '12, 8:46am. Reason: code works better than quote ...

  • #2
    If you have disabled the DROP command, then you will need to remove the aggregate tables yourself somehow, since vBulletin cannot.


    • #3
      That's fine, but what about the bug being exploited?
      I'm really receiving tons of these emails a day, about one every half hour, from different IP addresses, but the called script is always cron.php.
      It's getting annoying, and disabling the DROP command, as said, is just a workaround. I want to fix it...

      thanks


      • #4
        Nothing is being exploited, and there is no bug.
        That area of vBulletin requires the DROP command to function correctly; by removing it you have broken the functionality, and you will continue to receive database e-mails.

        • #5
          I got my database (totally!) dropped TWO times and had to recover it from backup.
          That's the reason why I had to disable the DROP command, as a workaround while searching for a solution in the meantime.
          You could be right and that email could be normal behaviour (is it really normal to auto-truncate vb3_attachmentviews and vb3_threadviews every 30 minutes?!), but believe me, if I re-enable the DROP command my forum will be empty in a few hours.


          • #6
            Originally posted by Cornolio:
            but believe me, if I re-enable the DROP command my forum will be empty in a few hours.
            Then please also go and change your database passwords etc., as this should not be possible; there is no such exploit in vBulletin.

            • #7
              Originally posted by Cornolio:
              I got my database (totally!) dropped TWO times and had to recover it from backup.
              That's the reason why I had to disable the DROP command, as a workaround while searching for a solution in the meantime.
              You could be right and that email could be normal behaviour (is it really normal to auto-truncate vb3_attachmentviews and vb3_threadviews every 30 minutes?!), but believe me, if I re-enable the DROP command my forum will be empty in a few hours.
              Then you have other issues. The two tables above are temporary holding tables for non-critical data. They are collated and emptied every hour.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API - Full / Mobile
              Vote for your favorite feature requests and the bugs you want to see fixed.


              • #8
                Originally posted by Hartmut:
                Then please also go and change your database passwords etc., as this should not be possible; there is no such exploit in vBulletin.
                I will, but I'm sure that no one has the DB password (changed several times).

                Originally posted by Wayne Luke:
                Then you have other issues. The two tables above are temporary holding tables for non-critical data. They are collated and emptied every hour.
                Indeed, I HAVE other issues. The problem is that I couldn't identify them.
                Thanks for the advice about the table truncation and collation; in fact, this was not a real problem.
                I'm trying to search for the source of the error, but I think I have deleted the message.
                The only thing I'm sure about is that in the past I had the DB dropped with the SQL query "DROP DATABASE xxx" (two times!), even though I couldn't identify the source.

                Thanks.


                • #9
                  You should check your server for issues; contact your host for this. Check the system logs, update to the latest version of the software you use, etc.
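Hartmut's suggestion to check the logs, worked through as an added example (this is not code from the thread or from vBulletin): a POSIX sh script that scans MySQL's general query log for DROP DATABASE, DROP TABLE and TRUNCATE statements and maps each one back to the connection that issued it, i.e. the user@host recorded on that thread's Connect line. TRUNCATE is flagged together with DROP because MySQL requires the DROP privilege for it, which is also why the cron.php error above reads "DROP command denied"; the varying IP addresses in those e-mails are simply the visitors whose page loads triggered vBulletin's cron, not the party that dropped the database. The log lines inside make_sample_log are constructed for illustration, and the log path, the database name vbdb and the user vbuser are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from vBulletin): find who issued
# DROP / TRUNCATE statements by scanning MySQL's general query log.
# Switch the log on only for the hunt, it records every statement:
#   SET GLOBAL log_output = 'FILE'; SET GLOBAL general_log = 'ON';
# then run:  sh triage.sh /var/log/mysql/mysql.log   (path is an assumption)

tab=$(printf '\t')

# Constructed sample in the MySQL 5.x general_log FILE layout
#   "<YYMMDD HH:MM:SS><tab><thread id> <command><tab><argument>"
# A line logged in the same second as the previous one starts with two tabs
# instead of a timestamp.  The TRUNCATE is vBulletin's cron (expected); the
# lower-case DROP DATABASE from a remote host is the kind of line to look for.
make_sample_log() {
    printf '121112 15:40:02\t   17 Connect\tvbuser@localhost on vbdb\n'
    printf '\t\t   17 Query\tSELECT sessionhash FROM vb3_session WHERE userid = 1\n'
    printf '121112 16:10:15\t   42 Connect\tvbuser@localhost on vbdb\n'
    printf '121112 16:10:16\t   42 Query\tTRUNCATE TABLE vb3_attachmentviews\n'
    printf '\t\t   42 Quit\t\n'
    printf '121112 16:12:01\t   43 Connect\tvbuser@203.0.113.7 on vbdb\n'
    printf '121112 16:12:05\t   43 Query\tdrop database vbdb\n'
    printf '\t\t   43 Quit\t\n'
}

# Usage: find_destructive_ddl LOGFILE
# Prints "time<tab>thread<tab>user@host<tab>statement" for every DROP DATABASE,
# DROP SCHEMA, DROP TABLE or TRUNCATE.  TRUNCATE is included because MySQL
# grants it through the DROP privilege, so it belongs to the same hunt.
find_destructive_ddl() {
    ts='?'
    while IFS= read -r line; do
        case $line in
            [0-9]*)        ts=${line%%"$tab"*}; rest=${line#*"$tab"} ;;
            "$tab$tab"*)   rest=${line#"$tab$tab"} ;;
            *)             continue ;;   # server banner and "Time Id Command Argument" header
        esac
        rest=${rest#"${rest%%[! ]*}"}    # drop the padding before the thread id
        tid=${rest%% *}
        rest=${rest#* }
        cmd=${rest%%"$tab"*}
        arg=${rest#*"$tab"}
        case $tid in ''|*[!0-9]*) continue ;; esac
        case $cmd in
            Connect)
                # argument is "user@host on db"; remember user@host per thread id
                eval "who_$tid=\"\${arg%% on *}\"" ;;
            Query)
                upper=$(printf '%s' "$arg" | tr 'a-z' 'A-Z')
                case $upper in
                    "DROP DATABASE"*|"DROP SCHEMA"*|"DROP TABLE"*|"TRUNCATE"*)
                        eval "who=\"\${who_$tid:-?}\""
                        printf '%s\t%s\t%s\t%s\n' "$ts" "$tid" "$who" "$arg" ;;
                esac ;;
        esac
    done < "$1"
}

# Stand-alone: scan the file named on the command line, or the sample above.
if [ "$#" -gt 0 ]; then
    find_destructive_ddl "$1"
else
    sample=$(mktemp)
    make_sample_log > "$sample"
    find_destructive_ddl "$sample"
    rm -f "$sample"
fi
```

On the sample this prints two lines: the cron's TRUNCATE from vbuser@localhost, and the DROP DATABASE from vbuser@203.0.113.7. A host that is not the web server, or a user that is not the forum's, is the connection to chase; if the general log was off when the database was dropped, the binary log (mysqlbinlog) still shows the DROP with its thread_id, but not the user or host.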

                  • #10
                    The source is most likely outside of vBulletin, for example someone with direct access to the database. However, for the sake of argument, let's say someone is doing it in vBulletin:

                    First, I would recommend upgrading, because your version of vBulletin is out of date and probably has about 500-600 bugs in it that do not exist in vBulletin 4.2.0 PL3. It could also have security issues, since it is no longer maintained or patched. Make sure install.php is deleted from your install directory as well; it can drop all tables if someone has your customer number. I'd recommend blocking this directory from all access using .htaccess, though. Just rename the file to backup.htaccess when you want to run an upgrade and then name it back to .htaccess when you're done. Your hosting provider can help with this.

                    From there you should secure your Admin CP with .htaccess. You should also prevent other administrators from accessing the Execute SQL Query function, which is the only place raw queries can be run from. You would do this in your config.php in the /includes directory. I recommend you don't give access to anyone, not even yourself. There are better ways to run queries if you need to do so.

                    I also recommend updating your Admin password to 12-16 characters using numbers, letters and special characters. The less dictionary-like, the better.

                    Removing the DROP/DELETE permissions from your database user can cause issues with data down the road and prevent upgrades in the future as well.
                    Wayne Luke
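The three file-level controls Wayne Luke lists (lock install/, put a password in front of the Admin CP, empty canrunqueries in includes/config.php), as an added example that is not vBulletin's own code or installer: a POSIX sh script that writes the two .htaccess files and rewrites the config.php setting, plus a check that verifies all three are in place. The forum root, the admincp/ directory name and the .htpasswd path /etc/vbulletin/.htpasswd are assumptions; the .htaccess rules are Apache's standard deny-all and basic-auth directives, in both 2.4 and 2.2 syntax. The script leaves the database user's DROP privilege alone, for the reason given in the last paragraph above.

```shell
#!/bin/sh
# Added example (not vBulletin's own code): the three file-level controls from
# the post above, applied to a vBulletin 4 tree.  The forum root, the admincp/
# directory name and the .htpasswd path are assumptions; change them to match.
set -eu

# Usage: harden_vb FORUM_ROOT HTPASSWD_FILE
harden_vb() {
    root=$1          # e.g. /var/www/forum
    htpasswd=$2      # made with "htpasswd -c FILE user", kept OUTSIDE the web root
    cfg=$root/includes/config.php
    [ -f "$cfg" ] || { echo "no config.php under $root" >&2; return 1; }

    # 1. install/ stays locked between upgrades.  When you need install/upgrade.php,
    #    rename this file to backup.htaccess and rename it back afterwards.
    mkdir -p "$root/install"
    cat > "$root/install/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF

    # 2. A second password in front of the Admin CP login page.
    mkdir -p "$root/admincp"
    cat > "$root/admincp/.htaccess" <<EOF
AuthType Basic
AuthName "vBulletin Admin CP"
AuthUserFile $htpasswd
Require valid-user
EOF

    # 3. Nobody may use Execute SQL Query.  The setting is a comma-separated list
    #    of user IDs; an empty string means no one, userid 1 included.
    if grep -q '^\$config\[.SpecialUsers.]\[.canrunqueries.]' "$cfg"; then
        sed -i.bak 's/^\(\$config\[.SpecialUsers.]\[.canrunqueries.]\).*/\1 = "";/' "$cfg"
        # config.php.bak would be served as plain text and holds the DB password
        rm -f "$cfg.bak"
    else
        printf '%s\n' '' "\$config['SpecialUsers']['canrunqueries'] = \"\";" >> "$cfg"
    fi
}

# Returns 0 when all three controls are present, 1 otherwise.
check_hardening() {
    root=$1
    grep -qs 'Require all denied' "$root/install/.htaccess" &&
    grep -qs 'Require valid-user' "$root/admincp/.htaccess" &&
    grep -Eqs "^\\\$config\\['SpecialUsers']\\['canrunqueries'] *= *(''|\"\");" "$root/includes/config.php"
}

# Stand-alone: harden the tree named on the command line, or demonstrate on a
# throw-away copy whose config.php still lets userid 1 run queries.
if [ "$#" -ge 2 ]; then
    harden_vb "$1" "$2"
    target=$1
else
    target=$(mktemp -d)
    mkdir -p "$target/includes"
    printf '%s\n' '<?php' "\$config['SpecialUsers']['canrunqueries'] = '1';" > "$target/includes/config.php"
    harden_vb "$target" /etc/vbulletin/.htpasswd      # assumed htpasswd location
fi
if check_hardening "$target"; then
    echo "hardened: $target"
else
    echo "hardening incomplete: $target" >&2
    exit 1
fi
[ "$#" -ge 2 ] || rm -rf "$target"
```

Create the password file outside the document root first (htpasswd -c /etc/vbulletin/.htpasswd admin; the tool ships with Apache), otherwise the admincp/ rule locks everyone out. The script deletes the .bak that sed leaves behind on purpose: a config.php.bak under the web root is served as plain text and contains the database password, which is exactly the credential this thread is worried about.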
