exploit? forcefully resetting password issue.
This topic is closed.
  • #16
    Originally posted by hipster View Post
    I tried to duplicate this
    and the only way to get a message like this
    is to try and save a score with a second window open and try to save it again ..

    But never seen anything about resetting passwords..

    From your log it looks like they tried to save a score and then it logged them out.

    I have this arcade running on 95 % of my clients;
    they all run vB with the latest creation from MrZeropage,
    and the logs are checked every day,
    and I have never seen this one.

    If there is an issue MrZeroPage will fix it up..
    My forum is quite popular so I'm a bigger target to a lot of people, so I'm sure it wouldn't be used on just anybody.

    - - - Updated - - -

    I have been following the logs the past few days with the specific browser tag, given it's rather unique, and I notice that the browser matches up with a specific person trying to access the arcade a lot but who keeps being redirected. I'm still positive this came from arcade.php, given this is the only URL they were accessing, and somehow they managed to obtain the key required to forcefully reset the password.

    Code:
    root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    200.61.162.246 - - [23/Jan/2013:11:19:28 +0000] "GET /f459/ep8-server-files-db-justin-905705/index23.html HTTP/1.1" 200 25757 "http://forum.domain.com/f459/ep8-server-files-db-justin-905705/index22.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    186.215.116.36 - - [23/Jan/2013:12:01:56 +0000] "GET /f563/windows-7-serial-keys-x0x-746813/ HTTP/1.1" 200 12735 "https://www.google.com.br/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    200.61.162.246 - - [23/Jan/2013:12:19:34 +0000] "POST /ajax.php HTTP/1.1" 200 134 "http://forum.domain.com/f459/ep8-server-files-db-justin-905705/index23.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    200.61.162.246 - - [23/Jan/2013:13:19:34 +0000] "POST /ajax.php HTTP/1.1" 200 135 "http://forum.domain.com/f459/ep8-server-files-db-justin-905705/index23.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET / HTTP/1.1" 200 11454 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:10 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:11 +0000] "GET / HTTP/1.1" 200 11454 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:19 +0000] "GET /f71/ HTTP/1.1" 200 13239 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET / HTTP/1.1" 200 11457 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:35 +0000] "GET /raffles.php HTTP/1.1" 200 6823 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET / HTTP/1.1" 200 11464 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    90.185.88.194 - - [23/Jan/2013:21:44:04 +0000] "GET /f563/windows-7-serial-keys-x0x-746813/ HTTP/1.1" 200 12734 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

    - - - Updated - - -

    Here is the IP log for that person again today:
    Code:
    root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep "91.236.116.142"
    91.236.116.142 - - [23/Jan/2013:14:19:47 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 301 26 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    91.236.116.142 - - [23/Jan/2013:14:19:48 +0000] "GET / HTTP/1.1" 200 11391 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
    91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:08 +0000] "GET / HTTP/1.1" 200 11454 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:10 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:11 +0000] "GET / HTTP/1.1" 200 11454 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:19 +0000] "GET /f71/ HTTP/1.1" 200 13239 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:29 +0000] "GET / HTTP/1.1" 200 11457 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:35 +0000] "GET /raffles.php HTTP/1.1" 200 6823 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:14:20:56 +0000] "HEAD /arcade.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
    91.236.116.142 - - [23/Jan/2013:14:21:03 +0000] "HEAD /afds.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
    91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET /arcade.php HTTP/1.1" 301 26 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    91.236.116.142 - - [23/Jan/2013:15:30:05 +0000] "GET / HTTP/1.1" 200 11464 "http://forum.domain.com/raffles.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
    root@dmca [/home/domain/access-logs]#
    His first access to the forum is directly going to arcade.php again.

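    Post #16 triages the access log by hand, first by a distinctive user agent and then by one IP. The following added example (my own code, not part of the thread or of the arcade project) does the same triage over constructed sample lines in the same Apache combined log format, flagging an IP when its first request went straight to arcade.php rather than the forum index, when it used a command-line tool user agent, or when it requested the pnFStoreScore score-submission URL and only got a 301. The sample addresses, field names and review rules are assumptions for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the access-log excerpts in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Constructed sample (RFC 5737 test addresses), modelled on the excerpt in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2013:14:19:47 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 301 26 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jan/2013:14:20:08 +0000] "GET /arcade.php HTTP/1.1" 301 26 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [23/Jan/2013:14:20:56 +0000] "HEAD /arcade.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
192.0.2.10 - - [23/Jan/2013:14:21:03 +0000] "HEAD /afds.php HTTP/1.1" 301 0 "-" "curl/7.26.0"
198.51.100.7 - - [23/Jan/2013:12:01:56 +0000] "GET /f563/some-thread-746813/ HTTP/1.1" 200 12735 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_line(line):
    # Fields of one combined-format line, or None if the line does not match.
    return m.groupdict() if (m := LOG_RE.match(line)) else None

def profile_ips(log_text):
    """Per-IP summary: first path requested, tool user agents, score-endpoint hits, arcade 301s."""
    prof = defaultdict(lambda: {"first_path": None, "tool_ua": False, "store_score": 0, "arcade_301": 0})
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        p = prof[r["ip"]]
        if p["first_path"] is None:  # access logs are written in time order
            p["first_path"] = r["path"]
        if r["ua"].lower().startswith(("curl/", "wget/", "python-")):
            p["tool_ua"] = True
        if "do=pnFStoreScore" in r["path"]:
            p["store_score"] += 1
        if r["path"].startswith("/arcade.php") and r["status"] == "301":
            p["arcade_301"] += 1
    return dict(prof)

def review_reasons(p):
    # Reasons an IP deserves a closer look; an empty list means nothing stood out.
    reasons = []
    if p["first_path"].startswith("/arcade.php"):
        reasons.append("first request went straight to arcade.php, not the forum index")
    if p["tool_ua"]:
        reasons.append("command-line tool user agent")
    if p["store_score"] and p["arcade_301"]:
        reasons.append("score-submission URL requested but redirected (301)")
    return reasons

def suspicious_ips(log_text):
    # Map each IP with at least one review reason to its list of reasons.
    return {ip: rs for ip, p in profile_ips(log_text).items() if (rs := review_reasons(p))}
```

    Run against a real log, the output is a short list of IPs to check against the member table, which is the question posed in #17, rather than a verdict: a bookmarked arcade link also produces a first hit on arcade.php.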


    • #17
      Originally posted by Mark.B View Post
      Yes... pnFStoreScore is connected with sending scores for pnFlash games, but I seem to recall there was an exploit surrounding it that was patched last year.

      Make sure the arcade is fully up to date.

      For further help with that aspect, www.vbulletin.org can assist.
      As MarkB said,

      if you feel it's the arcade then this thread belongs in vb.org;
      this is not a vB issue per se.
      Also many people save links to the arcade rather than the forum
      because that's all they are looking to do is play games..
      Does the IP match a member?
      How long has he or she been there?

      Just thinking out loud.
      Back up, back up, back up, that's all the advice I can give.



      • #18
        Indeed. You should post this at the Arcade mod at vb.org so its author can look into this a.s.a.p.



        • #19
          This is the most insane coincidence ever. My current VPN provider is having network connectivity issues with my main VPN, so I was offered a free switch to various countries and I chose Sweden. My new IP is ALMOST identical to that one above that tried running the 0day. Is this insane!?



          • #20
            Originally posted by borbole View Post
            Indeed. You should post this at the Arcade mod at vb.org so its author can look into this a.s.a.p.
            I am already following this here, but don't see anything that is wrong with arcade.php / ibProArcade at the moment...
            Developer of ibProarcade for vBulletin (professional Arcade System for your vBulletin)



            • #21
              If anyone feels there is an exploit in the arcade modification, this really should be reported, with as much detail as possible, to vbulletin.org using the "Report Modification" button in the modification itself.

              Discussion of it here isn't going to help, since there's absolutely nothing we can do here.

              If a valid exploit is found as a result of the report vbulletin.org can quarantine it which will alert both the author and anyone who has the modification marked as installed.
              MARK.B | vBULLETIN SUPPORT

              TalkNewsUK - My vBulletin 5.5.2 Demo
              AdminAmmo - My Cloud Demo



              • #22
                I am the Author of the Arcade and already following up here.
                But I don't see any flaw in Arcade.php yet with the details in this thread; if anybody provides detailed information I can and will fix it immediately. Right now I don't see a problem.
                Developer of ibProarcade for vBulletin (professional Arcade System for your vBulletin)



                • #23
                  I did post an exploit code that works in a similar fashion to the one I mentioned, but someone removed it from here, sorry. It may have been the one I reported a few months ago, but I'm unsure yet. I don't have the code at hand, thus I cannot send it to you unless one of these fine moderators sends it your way.



                  • #24
                    I have forwarded what you posted to Mr ZeroPage for him to look at.
                    It's not a good idea posting exploit code for modifications - even if, as I suspect, it transpires that it's an earlier one that has long since been patched - because there may be older unpatched arcades out there.

                    Threads like this can also needlessly panic people, so just to be clear, there is no exploit in vBulletin, this thread relates to the iBProArcade modification, and it is not definite that there is an exploit in there either. The author of the arcade modification is aware.
                    MARK.B | vBULLETIN SUPPORT

                    TalkNewsUK - My vBulletin 5.5.2 Demo
                    AdminAmmo - My Cloud Demo



                    • #25
                      Closing this now, please follow up on vbulletin.org if required.
                      MARK.B | vBULLETIN SUPPORT

                      TalkNewsUK - My vBulletin 5.5.2 Demo
                      AdminAmmo - My Cloud Demo
