Zero Day Exploit Patch Questions

  • Zero Day Exploit Patch Questions

    So just to be sure, the advice to comment out the code here: https://forum.vbulletin.com/forum/vb...17#post4422617 didn't really address the issue and should be un-commented?

  • #2
    Or maybe it did help, but the patch is a better way, and regardless we should un-comment that block now I am guessing?



  • #3
    The post you're referring to will prevent any exploit from occurring. But it will disable the PHP Module as well. So if you use the PHP Module, it will be broken.

    The patch fixes the issue while preserving the PHP Module so it continues to work. Your choice on which you use.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API



  • #4
    Gotcha, thanks!



  • #5
    Man, the threads I want to share my information in keep getting closed.

    From the root of my hacked vb5 directory I ran a command to see what files have changed in the past 3 days. I got:

    # find ./ -type f -mtime -3 -ls
    276834021 476 -rw-r--r-- 1 daemon daemon 484488 Sep 25 04:59 ./core/adminer-4.7.3.php
    325066633 80 -rw-r--r-- 1 daemon daemon 81176 Sep 25 05:02 ./js/ckeplugins/widget/.dab81595.ico
    369145049 84 -rw-r--r-- 1 daemon daemon 85019 Sep 25 00:27 ./js/wso.php.suspected

    Not buying that the .ico is actually a .ico file, I ran this:

    # file ./js/ckeplugins/widget/.dab81595.ico
    ./js/ckeplugins/widget/.dab81595.ico: PHP script, ASCII text, with very long lines

    Opening it in vi shows that it is indeed an obfuscated PHP script.

    The wso.php.suspected file is NOT obfuscated and clearly some version of this: https://github.com/Josexv1/wso-webshell

    It's closest to wso_v_4.2.5.php, but not identical. Probably from some other repository.

    The .dab81595.ico file is most certainly the base64 version of the WSO webshell.

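The manual find/file check in the post above, turned into a reusable defender-side scan. This is an added example, not code from the thread or from vBulletin: it flags files whose name is not *.php but whose contents carry a PHP open tag (the ".ico" case), plus anything already renamed to *.suspected. The function names are mine, the sample tree is constructed with harmless placeholder contents that only mimic the poster's paths, and it assumes POSIX sh with find, grep and mktemp (no dependence on the `file` command).

```shell
# scan_webroot DIR: print suspicious paths relative to DIR, one per line.
scan_webroot() {
    root="$1"
    {
        # Rule 1: non-.php files (hidden ones included) that contain "<?php".
        find "$root" -type f ! -name '*.php' -print | while IFS= read -r f; do
            if grep -q '<?php' "$f" 2>/dev/null; then
                printf '%s\n' "${f#"$root"/}"
            fi
        done
        # Rule 2: anything a scanner already quarantined as *.suspected.
        find "$root" -type f -name '*.suspected' -print | while IFS= read -r f; do
            printf '%s\n' "${f#"$root"/}"
        done
    } | sort -u
}

# make_sample_tree: constructed directory mimicking the thread's findings with
# harmless placeholder contents; prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/js/ckeplugins/widget" "$d/core"
    # A "favicon" that is really a PHP script (constructed, harmless).
    printf '<?php echo "placeholder"; ?>\n' > "$d/js/ckeplugins/widget/.dab81595.ico"
    # A genuine-looking binary icon header with no PHP inside (must not flag).
    printf '\000\000\001\000\001\000' > "$d/js/real.ico"
    # A file a scanner already renamed (caught by rule 2).
    printf '<?php // placeholder\n' > "$d/js/wso.php.suspected"
    # Legitimate application code in the expected place (must not flag).
    printf '<?php echo 1;\n' > "$d/core/index.php"
    printf '%s\n' "$d"
}

# is_flagged DIR PATH: succeed if PATH appears in scan_webroot's output.
is_flagged() {
    scan_webroot "$1" | grep -Fxq "$2"
}

# Stand-alone run: build the sample tree, scan it, clean up.
sample=$(make_sample_tree)
scan_webroot "$sample"
rm -rf "$sample"
```

Run it against a copy of the webroot, then compare every hit to a clean vBulletin distribution rather than trusting the filename alone.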


  • #6
    I'm begging you guys to not use this thread to ***** about vbulletin's response. Please only use it to share information that could be helpful to the user community.



  • #7
    There is no consistency to how the exploit affected sites. That's the reason there is no "one-size-fits-all" list of files or folders.

    Wayne Luke has offered the only supported solution in multiple locations.



  • #8
    Originally posted by In Omnibus:
        There is no consistency to how the exploit affected sites. That's the reason there is no "one-size-fits-all" list of files or folders.

        Wayne Luke has offered the only supported solution in multiple locations.

    Exactly right, everyone should apply the patch. It is still informative and helpful to share the results of the "aftermath" analysis.



  • #9
    Many different exploits are being used. This is not one person doing this. I've seen exploits where they have installed backdoors to their backdoors.

    This is why I recommend using a clean set of files in a new directory. I'll look at your files because I would like to try to future proof the software but next time, the files will have different signatures. It becomes a cat and mouse game over time. It is something we're always working against.

    I would like to say that Adminer is a valid tool. I use it all the time. However, it shouldn't be on your server all the time or in that directory. You should reset all user passwords.

    Wayne Luke



  • #10
    How do we reset all user passwords?



  • #11
    You can reset all user passwords by running this query:

    UPDATE user SET token="$2y$10$F90N8UoXtKxezXjkTI1osO49i1CTNlasHbzIS0yUVR0uvrBwlAxe6" where usergroupid=2;

    If you have a table prefix set in the /core/includes/config.php file then you would need to prepend that to the user table name.

    They won't be able to use their old password and will be required to use a new one. I don't even know what the password for this key is anymore. I randomly generated it earlier and then discarded it.

    For security, you would want to create your own blowfish string by using this tool and putting the results in the query above. Set the "rounds" in the tool to 10. This wouldn't change custom usergroups, administrators or moderators. You can change the usergroupid for other usergroups. Of course, Administrators and Moderators should be using 2FA and be restricted by IP Address.

    Wayne Luke

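A small guard around the reset query above, added here as an example rather than taken from the thread or from vBulletin: it assembles the UPDATE from a table prefix, a usergroupid and a bcrypt token, and refuses a token that is not a complete 60-character bcrypt string or that uses a cost below the 10 rounds the post recommends, since a truncated paste would lock every affected account behind a token nothing can ever match. It assumes POSIX sh with grep and cut; the function name and the "vb_" prefix are mine, the token is the one from the post.

```shell
# build_reset_query PREFIX USERGROUPID TOKEN: print the query, or fail (exit 1)
# without printing anything when the inputs would produce an unsafe statement.
build_reset_query() {
    prefix="$1"; gid="$2"; token="$3"
    # bcrypt layout: $2a, $2b or $2y, a two-digit cost, then 22 salt chars and
    # 31 hash chars (53 in total) from the bcrypt base64 alphabet: 60 chars.
    printf '%s' "$token" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' || return 1
    # The cost is the third $-delimited field (the leading $ makes field 1 empty).
    cost=$(printf '%s' "$token" | cut -d'$' -f3)
    [ "$cost" -ge 10 ] || return 1
    # usergroupid must be a plain integer so the WHERE clause stays a single group.
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    printf "UPDATE %suser SET token='%s' WHERE usergroupid=%s;\n" "$prefix" "$token" "$gid"
}

# Stand-alone run with the token from the post; the "vb_" prefix is constructed.
build_reset_query 'vb_' 2 '$2y$10$F90N8UoXtKxezXjkTI1osO49i1CTNlasHbzIS0yUVR0uvrBwlAxe6'
```

Generate your own token as the post says and pass it in; an empty prefix argument yields the plain `user` table used when config.php sets no prefix.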
