
  • Vulnerability

    So an admin's account got hacked (one that back in vBulletin 4 posted a thread in an admin-only area whenever a duplicate IP member was seen). Shame the IPs are cloudflare IPs but you can see what he was doing

    19897 AdminBot 23:13, 9th Sep 2013 query = 'SELECT "lol" INTO OUTFILE "/var/www/forum/core/customavatars/lol.txt"'
    19897 AdminBot 23:12, 9th Sep 2013 index.php modify
    19896 AdminBot 23:12, 9th Sep 2013 index.php edit user id = 288
    19895 AdminBot 23:12, 9th Sep 2013 index.php find
    19894 AdminBot 23:12, 9th Sep 2013 index.php modify
    19893 AdminBot 23:11, 9th Sep 2013 index.php
    19892 AdminBot 23:11, 9th Sep 2013 index.php doquery query = 'SELECT "lol" INTO OUTFILE "/var/www/forum/lol.txt"'

    Earlier in the log there's a bit of adding then removing products and uploading smilies (well, were they smilies? No, and nothing he uploaded was there by the time I got to the admincp)

    The site got visibly hacked a few days later by a Syrian anti-Zionist hacking group (no idea why they felt our site had something to do with their cause - they didn't even mention their cause on the site, I found it through their Facebook page!)

    So there might be a vulnerability somewhere?
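    The admin log quoted above is the kind of record a defender can scan automatically: a web admin panel should never issue SQL that writes server files. The following is an added example, not vBulletin code, that parses log lines in the format shown (entry id, user, time, script/action, optional query) and flags INTO OUTFILE / DUMPFILE / LOAD_FILE queries, noting whether the target path sits under an assumed web root; the sample lines are constructed from the post.

```python
import re

# Constructed sample modelled on the admin log quoted in the post (not the real log).
ADMIN_LOG = """\
19897 AdminBot 23:13, 9th Sep 2013 query = 'SELECT "lol" INTO OUTFILE "/var/www/forum/core/customavatars/lol.txt"'
19897 AdminBot 23:12, 9th Sep 2013 index.php modify
19896 AdminBot 23:12, 9th Sep 2013 index.php edit user id = 288
19892 AdminBot 23:11, 9th Sep 2013 index.php doquery query = 'SELECT "lol" INTO OUTFILE "/var/www/forum/lol.txt"'
19880 AdminBot 22:50, 9th Sep 2013 index.php doquery query = 'SELECT COUNT(*) FROM user'
"""

# "<id> <user> <HH:MM, 9th Sep 2013> <rest>"; the query, when present, is the quoted tail.
LINE_RE = re.compile(r"^(?P<id>\d+)\s+(?P<user>\S+)\s+(?P<time>\d\d:\d\d, \d+\w+ \w+ \d{4})\s+(?P<rest>.*)$")
QUERY_RE = re.compile(r"query = '(?P<sql>.*)'\s*$")
# MySQL server-side file I/O clauses (blocked entirely when secure_file_priv is set to NULL).
FILE_IO_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(", re.IGNORECASE)
PATH_RE = re.compile(r'(OUTFILE|DUMPFILE)\s+"([^"]+)"', re.IGNORECASE)

WEB_ROOT = "/var/www/forum"  # assumed document root; matches the path seen in the quoted log

def parse_line(line):
    """Split one admin log line into its fields; 'sql' is None for non-query entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    q = QUERY_RE.search(entry["rest"])
    entry["sql"] = q.group("sql") if q else None
    return entry

def find_file_writes(log_text, web_root=WEB_ROOT):
    """Return (id, user, time, path, under_web_root) for every logged query that touches server files."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or not e["sql"] or not FILE_IO_RE.search(e["sql"]):
            continue
        p = PATH_RE.search(e["sql"])
        path = p.group(2) if p else None
        under_root = bool(path and path.startswith(web_root + "/"))
        hits.append((int(e["id"]), e["user"], e["time"], path, under_root))
    return hits

if __name__ == "__main__":
    for h in find_file_writes(ADMIN_LOG):
        print("ALERT entry %d by %s at %s wrote %s (inside web root: %s)" % h)
```

Both OUTFILE entries from the sample are reported, the COUNT(*) query is not; a write landing inside the web root is the case that warrants checking the file on disk immediately.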

  • #2
    First you need to follow our advisory about deleting the install folder off your forums.

    Then please read the following two blog posts:

    Also please see these recent security announcements:

    vBulletin 4.1.x-4.2.x & All versions of vBulletin 5:
    vBulletin 5.0.x patch released, for a different security issue:

    TalkNewsUK - My vBulletin 5.6.4 Demo
    AdminAmmo - My Cloud Demo


    • #3
      Sorry but the install folder isn't/wasn't there, and I have already cleared all traces. Just posting the admin log in case you can see a vulnerability with the SQL Query box and the smilie uploading page


      • #4
        I would check the file /var/www/forum/core/customavatars/lol.txt - first, does it exist, and second, what is in it if it does? I would suspect some kind of PHP shell. Delete the file for sure if it exists - maybe keep a backup so you can see what it did/does.

        It would seem to be some type of server vulnerability that let a txt file get uploaded to the avatar directory.


        • #5
          The file no longer exists unfortunately so I can't see what it does. Isn't it vBulletin's job to check if the file type is valid? How could I limit the file type in Debian?


          • #6
            I would suspect the file wasn't uploaded through vBulletin; whoever uploaded it took advantage of a directory that needs to be writable.


            • #7
              Ah, but it was. The admin log clearly shows a blob named 'lol' being moved from the database to a file named lol.txt

              Maybe it was uploaded as lol.jpg or something like that (to disguise its actual content)

