  • [Forum] exploit? forcefully resetting password issue.

    Hi

    I cannot 100% pinpoint the location or the method, but I had an email saying I requested to reset my password, then I had another saying it was successfully changed despite my not clicking it. I checked my mail history and it's not been accessed, since it requires mobile access to log in. Now, I checked the logs for the IP and found the following:

    Code:
    root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep 91.236.116.142
    91.236.116.142 - - [21/Jan/2013:17:13:46 +0000] "GET / HTTP/1.1" 200 11488 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:22 +0000] "GET /register.php HTTP/1.1" 200 10000 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:28 +0000] "GET /clientscript/vbulletin_css/style00115l/register.css?d=1358021545 HTTP/1.1" 200 338 "http://forum.domain.com/register.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:34 +0000] "GET /login.php HTTP/1.1" 303 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:39 +0000] "GET /index.php HTTP/1.1" 200 11494 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:45 +0000] "GET /f71/ HTTP/1.1" 200 13247 "http://forum.domain.com/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/ HTTP/1.1" 200 12843 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/loginButton.gif HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/footerLogo.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:51 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style/logo_blue.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:14:59 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:15:07 +0000] "POST /login.php?do=login HTTP/1.1" 200 6594 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:15:12 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6619 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:30:02 +0000] "GET /usercp.php HTTP/1.1" 200 6782 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:30:04 +0000] "GET /cron.php?rand=1358789402 HTTP/1.1" 200 43 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:30:37 +0000] "POST /login.php?do=login HTTP/1.1" 200 2365 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:30:41 +0000] "GET /usercp.php HTTP/1.1" 200 6868 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:31:01 +0000] "GET / HTTP/1.1" 200 6398 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:32:39 +0000] "GET / HTTP/1.1" 200 11489 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:32:49 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:33:06 +0000] "POST /login.php?do=login HTTP/1.1" 200 6244 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:33:14 +0000] "GET / HTTP/1.1" 200 11488 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:33:08 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6618 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    91.236.116.142 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 623 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    91.236.116.142 - - [21/Jan/2013:17:34:24 +0000] "POST /login.php?do=emailpassword HTTP/1.1" 200 2403 "http://forum.domain.com/login.php?do=lostpw" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /login.php?do=login HTTP/1.1" 303 26 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:34:27 +0000] "GET /index.php HTTP/1.1" 200 11494 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 665 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    91.236.116.142 - - [21/Jan/2013:17:36:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 659 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    91.236.116.142 - - [21/Jan/2013:17:36:18 +0000] "GET /login.php?do=resetpassword&u=1&i=8e3849c72ee420c426fea00f50947f226aabf1f6 HTTP/1.1" 200 6381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 667 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    91.236.116.142 - - [21/Jan/2013:17:36:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 648 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    What I find interesting is the browser identity string. Most are normal but some contain no valid header so it appears to be some sort of script coming from arcade.php? But no injection code is actually being displayed. What do you suggest?

    Regards.
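The two signals this thread turns on, a bare "Mozilla/5.0" user-agent mixed in with a full browser string from the same IP and the lostpw -> emailpassword -> resetpassword chain completed from that one IP, can be checked automatically over combined-format access logs. The following is an added example, not tooling from the poster or from vBulletin; the sample lines are constructed, with documentation-range IPs and a placeholder token instead of the thread's real values.

```python
import re
from collections import defaultdict

# Apache/vBulletin "combined" log format, as in the access-log excerpt in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (placeholder IPs from 203.0.113.0/24 and 198.51.100.0/24,
# placeholder reset token), modelled on the sequence seen in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2013:17:15:12 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6619 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/22.0"
203.0.113.5 - - [21/Jan/2013:17:34:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jan/2013:17:34:24 +0000] "POST /login.php?do=emailpassword HTTP/1.1" 200 2403 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/22.0"
203.0.113.5 - - [21/Jan/2013:17:36:18 +0000] "GET /login.php?do=resetpassword&u=1&i=TOKEN_PLACEHOLDER HTTP/1.1" 200 6381 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/22.0"
198.51.100.9 - - [21/Jan/2013:18:00:00 +0000] "GET /index.php HTTP/1.1" 200 11494 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/22.0"
"""

# Request paths that, seen together from one IP, mean the reset link was known to it.
RESET_CHAIN = ("do=lostpw", "do=emailpassword", "do=resetpassword&")


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def find_suspicious_ips(entries):
    """Return {ip: [reasons]} for IPs showing either sign discussed in the thread."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, reqs in by_ip.items():
        reasons = []
        uas = {r["ua"] for r in reqs}
        # 1) A bare "Mozilla/5.0" next to a full browser UA from the same IP
        #    indicates a script, not the browser, sent some of the requests.
        if len(uas) > 1 and "Mozilla/5.0" in uas:
            reasons.append("mixed user-agents including bare Mozilla/5.0")
        # 2) The whole reset chain from a single IP: the reset link did not
        #    need the mailbox, so the token was obtained some other way.
        paths = [r["path"] for r in reqs]
        if all(any(frag in p for p in paths) for frag in RESET_CHAIN):
            reasons.append("completed password-reset chain from one IP")
        if reasons:
            findings[ip] = reasons
    return findings
```

Run it over the real access log by feeding the file contents to `parse`; an IP that triggers the second reason without a corresponding mail-client login is the one to block and to trace back through the preceding requests.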

  • #2
    What version of vb are you using?

    • #3
      4.1.12 manually patched w/ security fixes.

      • #4
        It looks like something to do with arcade.php.
        The user appears to create an account which allows them to probe arcade.php.
        I suspect
        Code:
        "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"

        is a tool that is using the new account's login credentials to exploit something in that function, probably allowing them to retrieve the reset password auth key.
        I would pull arcade.php for now though until you can check that function.

        • #5
          The first thing I did was pull arcade.php.

          • #6
            Yes... pnFStoreScore is connected with sending scores for pnFlash games, but I seem to recall there was an exploit surrounding it that was patched last year.

            Make sure the arcade is fully up to date.

            For further help with that aspect, www.vbulletin.org can assist.
            MARK.B | vBULLETIN SUPPORT

            TalkNewsUK - My vBulletin 5.5.2 Demo
            AdminAmmo - My Cloud Demo

            • #7
              I was the one who reported the exploit for the addon last year. This is a different one.

              • #8
                Would this be an issue with this mod to v3 Arcade - Professional vBulletin Gaming (vB4), as I get the same message, e.g. unauthorised access?

                • #9
                  Originally posted by topladz:
                  Would this be an issue with this mod to v3 Arcade - Professional vBulletin Gaming (vB4), as I get the same message, e.g. unauthorised access?
                  What? No...

                  • #10
                    There is probably another SQL exploit allowing them to retrieve the reset id.

                    • #11
                      By now I don't see how this should be related to arcade.php, but if there is any information, just let me know and I will fix it (developer of ibProArcade).

                      I just see that there are different browser identifications: Mozilla for arcade.php and Chrome/Safari for usercp.php.
                      Developer of ibProarcade for vBulletin (professional Arcade System for your vBulletin)

                      • #12
                        Originally posted by MrZeropage:
                        By now I don't see how this should be related to arcade.php, but if there is any information, just let me know and I will fix it (developer of ibProArcade).

                        I just see that there are different browser identifications: Mozilla for arcade.php and Chrome/Safari for usercp.php.
                        Upon removing arcade.php, the password resetting stopped. The person continued to try and access that specific URL. The person is clearly running some sort of script. The fact that he is using Linux / Chrome, and then, upon directly accessing the URL, his browser string, would lead me to believe it was some command-line based script (hence why no header strings are being sent). Plus, your last 0day exploit that was going around, giving out the MD5 of any user account, I reported, and it turned out I was correct on that too.

                        • #13
                          Originally posted by MrZeropage:
                          By now I don't see how this should be related to arcade.php, but if there is any information, just let me know and I will fix it (developer of ibProArcade).

                          I just see that there are different browser identifications: Mozilla for arcade.php and Chrome/Safari for usercp.php.
                          The tag for a software probe could easily be anything the person wants. The fact that it's missing details means it's faked, and they have been able to probe via the newly created user account (probably).

                          • #14
                            Still no issues since removing arcade.php.

                            • #15
                              I tried to duplicate this,
                              and the only way to get a message like this
                              is to try and save a score with a second window open and try to save it again...

                              But I have never seen anything about resetting passwords.

                              From your log it looks like they tried to save a score and then it logged them out.

                              I have this arcade running on 95% of my clients;
                              they all run vB with the latest creation from MrZeropage,
                              and the logs are checked every day,
                              and I have never seen this one.

                              If there is an issue, MrZeroPage will fix it up.
                              Back up, back up, back up; that's all the advice I can give.
