Will running the Suspect File Versions be an effective way to identify the rogue files for removal?
Zero Day Exploit and Suspect File Versions
adktramping ~ my happy place.
-
On our site, the offending .php files were in the attachments directory as well as in the directories of each of the admins listed in the core/includes/config.php file as well as the attachments/1 directory which would usually be the first user and therefore the admin. The suspect file versions check did not identify any of them. We restored to the prior day's backup and deleted any files in the site directory created on or after 9/24.
-
Originally posted by twistsol:
On our site, the offending .php files were in the attachments directory as well as in the directories of each of the admins listed in the core/includes/config.php file as well as the attachments/1 directory which would usually be the first user and therefore the admin. The suspect file versions check did not identify any of them. We restored to the prior day's backup and deleted any files in the site directory created on or after 9/24.

I think restoration is not a solution!
I have deleted more than 15 php files and many folders.
I have deleted all files from 18 September, but unfortunately I found out that they are able to inject files with very old dates; I had to check folder by folder, regardless of date, for any strange file.
I have updated the forum to the latest vBulletin and patch.
Is there any important step to do?
-
Restoration does not terminate any malicious processes.
Here is the official solution:
1. Create a new directory.
2. Upload the files from a new patched vBulletin package to this directory.
3. Point the /core/includes/config.php to your database.
4. Make sure there are no PHP or JavaScript files in the attachment or customavatar directories.
5. Copy over your attachment and customavatar directories.
6. Run /core/install/upgrade.php
7. Revert any template customizations that you have not documented as creating.
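Step 4 above (no PHP or JavaScript files under the attachment and customavatar trees) and the earlier remark that planted files can carry very old dates both come down to the same check. The script below is an added example written for this thread; it is not vBulletin's own diagnostics and not the official procedure. It searches by extension and, separately, by content (a PHP open tag), deliberately without any mtime filter, so a file backdated to 2015 is still listed. The directory names and the constructed sample tree in demo are assumptions.

```shell
#!/bin/sh
# Added example, not vBulletin's own tooling: list script files under the
# upload trees (attachments/, customavatar/). No -mtime/-newer filter is used
# on purpose: planted files may carry old timestamps, so a date-based search
# misses them.

# find_script_files DIR
#   Regular files under DIR whose name ends in a PHP or JavaScript extension.
find_script_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
                        -o -iname '*.phar' -o -iname '*.js' \) -print
}

# find_php_tag_files DIR
#   Files under DIR, whatever their extension, that contain a PHP open tag,
#   which catches a script stored under an image or document name.
#   "|| true" keeps the function quiet under set -e when nothing matches.
find_php_tag_files() {
    find "$1" -type f -exec grep -l '<?php' {} + || true
}

# suspicious_files DIR
#   Union of both checks, one path per line, deduplicated and sorted.
suspicious_files() {
    { find_script_files "$1"; find_php_tag_files "$1"; } | sort -u
}

# count_suspicious_files DIR -> number of paths suspicious_files prints
count_suspicious_files() {
    suspicious_files "$1" | wc -l | tr -d ' '
}

# demo: builds a constructed upload tree (not a real vBulletin site), scans it
# and removes it again.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/attachments/1" "$tmp/customavatar"
    printf 'GIF89a' > "$tmp/customavatar/avatar1.gif"                # legitimate upload
    printf '<?php echo "sample"; ?>' > "$tmp/attachments/1/old.php"   # PHP file ...
    touch -t 201501010000 "$tmp/attachments/1/old.php"                # ... with a backdated mtime
    printf '<?php echo "sample"; ?>' > "$tmp/attachments/1/photo.jpg" # PHP hidden behind .jpg
    printf 'window.x = 1;' > "$tmp/customavatar/x.js"                 # JavaScript in avatar dir
    echo "Suspicious files under $tmp:"
    suspicious_files "$tmp"
    echo "Count: $(count_suspicious_files "$tmp")"                    # 3: old.php is hit by both checks
    rm -rf "$tmp"
}

demo
```

On a real install you would call `suspicious_files /path/to/vb5/attachments` and `suspicious_files /path/to/vb5/customavatar` and expect no output at all; anything listed is something to inspect before step 5 copies the directory into the clean install.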
-
Steps continued:
8. Inform all your users that your server and their accounts have been compromised.
9. Perform a complete reinstall of your server.
10. Verify every record of the database to make sure that no malicious entries exist.
11. Reduce the operating system permissions of vBulletin as much as you can.
12. Monitor #vBulletin at Twitter, so that when the next exploit is released, you can immediately shut down your forum to minimize damage. Don't rely on the swift manner of the official announcements.
Last edited by LBS; Fri 27 Sep '19, 8:27am.
-
That depends on the security of the system. For example, if the system is running on outdated software, then this exploit increases the attack surface a lot by providing shell access from which privilege escalation may be performed. So if you want to reduce the likelihood that things are left, then re-install the server.
-
Folks, there has never been a better example of the security principle: "don't run your web server as root".
The damage caused by this exploit is reduced by MAGNITUDES if you aren't "that guy". Make sure you never run your web server software as root. Just don't. If you are, educate yourself on how to change that.
Make sure your vb5 folder owner is a non-root user and make sure your web server is running as a non-root user. If you do that, then the worst part of this issue is the database being compromised (which still sucks, but it's fairly straightforward to recover from with a good backup).
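A quick way to confirm the "not as root" part of the advice above, added here as an example and not taken from the thread or from vBulletin: feed the output of `ps -eo user,pid,ppid,comm` to the function below. One parent/master process owned by root is normal for Apache, nginx and PHP-FPM (it binds ports 80/443 and then spawns unprivileged children), so the check flags only web-server processes that are children of another web-server process and still run as root. The process names matched and the SAMPLE_PS listing are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from vBulletin: flag web-server
# worker processes running as root. Reads `ps -eo user,pid,ppid,comm` on stdin.

# root_web_workers < ps-listing
#   Prints every web-server process whose user is root and whose parent is
#   itself a web-server process (i.e. a worker, not the master).
root_web_workers() {
    awk '
        NR == 1 { next }                                   # skip the ps header line
        $4 ~ /^(apache2|httpd|nginx|php-fpm.*)$/ {         # assumed process names
            user[NR] = $1; ppid[NR] = $3; line[NR] = $0
            isweb[$2] = 1                                  # remember every web-server pid
        }
        END {
            for (n in line)
                if (user[n] == "root" && (ppid[n] in isweb))
                    print line[n]
        }' | sort -k2,2n
}

# count_root_web_workers < ps-listing -> number of flagged processes
count_root_web_workers() {
    root_web_workers | wc -l | tr -d ' '
}

# SAMPLE_PS is a constructed listing, not a capture from a real server.
# Pids 800 and 900 are legitimate root masters; 803 and 901 are workers
# that should have dropped privileges but did not.
SAMPLE_PS='USER PID PPID COMMAND
root 1 0 systemd
root 800 1 apache2
www-data 801 800 apache2
www-data 802 800 apache2
root 803 800 apache2
root 900 1 php-fpm7.4
root 901 900 php-fpm7.4
www-data 902 900 php-fpm7.4
root 950 1 sshd'

echo "Web-server workers running as root:"
printf '%s\n' "$SAMPLE_PS" | root_web_workers
echo "Flagged: $(printf '%s\n' "$SAMPLE_PS" | count_root_web_workers)"   # 2

# Live system:  ps -eo user,pid,ppid,comm | root_web_workers
```

An empty result is what you want. If workers show up, the fix is in the web server's own configuration (the User/Group directives for Apache, the `user` directive for nginx, the pool `user`/`group` for PHP-FPM), not in vBulletin.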