Zero Day Hack - Database


  • Wayne Luke
    replied
    Additionally, I'm currently in Forum Site "Off Mode", but I've seen forum members log in (although it doesn't appear they can do anything) and I currently see Guests in the site. Is this normal?
    They would be seeing a maintenance message. Turning off your forum doesn't remove logging in and some other actions. If someone visits the page, they will be logged in with remember me, issued a session and so forth. If that is a guest, they get a session and can sit there and view the page.



  • Wayne Luke
    replied
    The only way to tell if your data was exposed would be to inspect your server logs for the webserver and MySQL. vBulletin has no methods to download the database. To run queries, the person would need a super administrator with permission to do so. If you use strong passwords and two-factor authentication as recommended, this would be difficult to do.



  • clearvue
    replied
    After an install as described above, is there any chance of corruption of the forum data in the database? In other words, I've fixed the folders and the install, but am I sure that my data isn't still exposed?

    Additionally, I'm currently in Forum Site "Off Mode", but I've seen forum members log in (although it doesn't appear they can do anything) and I currently see Guests in the site. Is this normal?

    Thank you



  • Wayne Luke
    replied
    Originally posted by clearvue
    When I perform these steps listed above, I receive an error on the upgrade.php step. Any thoughts as to what may cause a blank page and "PHP Parse error: syntax error, unexpected '?' in /xxx/core/vb/request.php on line 68" in the error_log?
    This usually means you need to upgrade to PHP 7.1 or higher. I recommend PHP 7.3 if your hosting provider allows it.



  • In Omnibus
    replied
    Originally posted by clearvue
    When I perform these steps listed above, I receive an error on the upgrade.php step. Any thoughts as to what may cause a blank page and "PHP Parse error: syntax error, unexpected '?' in /xxx/core/vb/request.php on line 68" in the error_log?
    Are you running a proxy server like CloudFlare?



  • clearvue
    replied
    When I perform these steps listed above, I receive an error on the upgrade.php step. Any thoughts as to what may cause a blank page and "PHP Parse error: syntax error, unexpected '?' in /xxx/core/vb/request.php on line 68" in the error_log?



  • Wayne Luke
    commented on 's reply
    These are valid if you are worried about exploit files on your server. They wouldn't be followed on a standard upgrade.

    1. You haven't updated the database information in the /core/includes/config.php file.
    2. You should run upgrade.php, not install.php.
    3. You can see if your site is using the file system to store attachments (Attachments -> Attachment Storage Type) and avatars (Settings -> User Picture Storage Type) in the AdminCP.

  • NeoDB
    replied
    Originally posted by Wayne Luke
    Follow these steps:
    1. Download vBulletin 5.5.4 Patch Level 1.
    2. Create a new directory on your server (i.e. forums_new)
    3. Upload 5.5.4 Patch Level 1 to this new forum.
    4. In the new directory rename /config.php.bkp to /config.php.
    5. Rename /core/includes/config.php.new to /core/includes/config.php
    6. Rename /htaccess.txt to .htaccess
    7. Turn off your forums
    8. Create a Database Backup.
    9. Rename the old vBulletin directory (i.e. forums_old)
    10. Rename the new directory to replace your old vBulletin directory (i.e. forums)
    11. Run /core/install/upgrade.php in your new forum directory.
    12. Delete /core/install
    13. Turn on your forums.
    14. If you store attachments and avatars in the file system inspect your attachment and customavatar directories for any PHP or HTML files. Delete these Files. Move the attachments and customavatar directories to your new vBulletin forum directory.
    15. Delete the old vBulletin directory off the server.
    Outside of vBulletin, you should review any files that you have for other services as well.
    Are these valid instructions for upgrading? Where would I find the "attachments and avatars in the file system"?

    Also, I followed the instructions to the letter but it says this after I execute install.php

    Startup Errors
    Due to the following errors, the install/upgrade can not continue:
    • Error description: 2: mysqli_real_connect(): (28000/1045): Access denied for user 'root'@'localhost' (using password: NO)
    • The database has failed to connect because you do not have permission to connect to the server. Please confirm the values entered in the core/includes/config.php file
    Last edited by NeoDB; Mon 30 Sep '19, 1:54pm.



  • Wayne Luke
    replied
    Originally posted by pdisme

    Depending on the age of your forum, and password changing policies, you may have had very weak (by current standards) password hashes stolen from the database. Those are typically easy to brute force, so you should change the password of anyone with elevated privileges regardless (admins, moderators), but also lock out users with old passwords, or email them and let them know their password may have been compromised, as many users use the same password in many places. You can look at the 'users' table in your vB database and the token field, if the password hash starts with $2y$ it's more recent and less vulnerable, but if it's something like 1b8083c18193c5c812d17b6a83216e1d then it's vulnerable.
    When using default files, all vBulletin 5 forums will automatically store passwords in the bcrypt format after the first login.



  • pdisme
    replied
    Originally posted by clearvue
    Our forum was compromised by the zero day hack. In our case, the forum code folder was completely deleted. We have downloaded the latest update and plan to install fresh in the folder and run the upgrade script as directed. Can someone please explain what we should look for/address in the database itself? Additionally, did this exploit potentially expose usernames/passwords and other private information about the users?

    Thank you.
    Depending on the age of your forum, and password changing policies, you may have had very weak (by current standards) password hashes stolen from the database. Those are typically easy to brute force, so you should change the password of anyone with elevated privileges regardless (admins, moderators), but also lock out users with old passwords, or email them and let them know their password may have been compromised, as many users use the same password in many places. You can look at the 'users' table in your vB database and the token field, if the password hash starts with $2y$ it's more recent and less vulnerable, but if it's something like 1b8083c18193c5c812d17b6a83216e1d then it's vulnerable.


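Added example, not part of the thread: one way to triage an exported list of stored password hashes along the lines pdisme describes, telling `$2y$`-style bcrypt values from 32-hex-character legacy values and sorting accounts into actions. The CSV layout, column names, group labels, and the handling of a trailing salt after a space are assumptions made for the illustration; the sample rows are constructed.

```python
import csv
import io
import re

BCRYPT = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")  # shape of the old MD5-style hashes

# Constructed sample export; column names and group labels are hypothetical.
FAKE_BCRYPT = "$2y$10$" + "a" * 53  # right shape, not a real hash
SAMPLE_EXPORT = (
    "username,group,token\n"
    "admin,administrators," + FAKE_BCRYPT + "\n"
    "mod1,moderators,1b8083c18193c5c812d17b6a83216e1d\n"
    "alice,registered," + FAKE_BCRYPT + "\n"
    "bob,registered,1b8083c18193c5c812d17b6a83216e1d\n"
    "carol,registered,\n"
)
PRIVILEGED = {"administrators", "moderators"}


def classify_token(token):
    """Return 'bcrypt', 'legacy' or 'unknown' for one stored password hash."""
    first = (token.split() or [""])[0]  # ignore a trailing salt, if exported
    if BCRYPT.match(first):
        return "bcrypt"
    if HEX32.match(first):
        return "legacy"
    return "unknown"


def reset_plan(export_text, privileged=PRIVILEGED):
    """Sort accounts into the actions the post recommends."""
    plan = {"reset_now": [], "lock_or_notify": [], "review": [], "ok": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        kind = classify_token(row["token"] or "")
        if row["group"] in privileged:
            plan["reset_now"].append(row["username"])       # regardless of hash
        elif kind == "legacy":
            plan["lock_or_notify"].append(row["username"])
        elif kind == "unknown":
            plan["review"].append(row["username"])          # empty or odd value
        else:
            plan["ok"].append(row["username"])
    return plan


if __name__ == "__main__":
    for action, names in reset_plan(SAMPLE_EXPORT).items():
        print(action, names)
```
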

  • Wayne Luke
    replied
    Originally posted by clearvue
    Can someone please explain what we should look for/address in the database itself?
    Unlike vBulletin 3 and 4, we don't store a lot of PHP code in the database in vBulletin 5. We do store parsed versions of the templates in the database. However, when you run the Upgrade script, all of the templates in the master style will be replaced with valid copies. You would only have to look at templates that are modified. They show with Red Titles in the Template Editor. If you're not using one of the provided Language Packs, you'll want to reimport your language as well.



  • Wayne Luke
    replied
    Follow these steps:
    1. Download vBulletin 5.5.4 Patch Level 1.
    2. Create a new directory on your server (i.e. forums_new)
    3. Upload 5.5.4 Patch Level 1 to this new forum.
    4. In the new directory rename /config.php.bkp to /config.php.
    5. Rename /core/includes/config.php.new to /core/includes/config.php
    6. Rename /htaccess.txt to .htaccess
    7. Turn off your forums
    8. Create a Database Backup.
    9. Rename the old vBulletin directory (i.e. forums_old)
    10. Rename the new directory to replace your old vBulletin directory (i.e. forums)
    11. Run /core/install/upgrade.php in your new forum directory.
    12. Delete /core/install
    13. Turn on your forums.
    14. If you store attachments and avatars in the file system inspect your attachment and customavatar directories for any PHP or HTML files. Delete these Files. Move the attachments and customavatar directories to your new vBulletin forum directory.
    15. Delete the old vBulletin directory off the server.
    Outside of vBulletin, you should review any files that you have for other services as well.


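Added example, not part of the thread: a sketch of the inspection in step 14, listing files in an attachment or customavatar directory that need review before the directory is moved to the new install. It goes slightly beyond the step by also flagging files whose content looks like PHP or HTML behind another extension; the extension list, content markers and sample tree are assumptions constructed for the illustration.

```python
import os
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".phar", ".html", ".htm"}  # step 14 targets
MARKERS = (b"<?php", b"<script", b"<html")  # script content behind other names


def scan_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files needing review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append((rel, "extension " + ext))
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read().lower()
            except OSError as exc:
                findings.append((rel, "unreadable: " + str(exc)))
                continue
            hit = next((m for m in MARKERS if m in data), None)
            if hit:
                findings.append((rel, "content marker " + hit.decode()))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree standing in for a customavatar directory."""
    root = tempfile.mkdtemp(prefix="customavatar_")
    os.makedirs(os.path.join(root, "thumbs"))
    samples = {
        "avatar1_1.gif": b"GIF89a" + b"\x00" * 32,                # plain image
        "avatar7_2.jpg": b"\xff\xd8\xff\xe0<?php /* marker */ ?>",  # script inside
        "index.html": b"",                                        # HTML file
        os.path.join("thumbs", "a.PHP"): b"<?php ?>",             # upper-case ext
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_upload_dir(build_sample_tree()):
        print(rel, "->", reason)
```

The function only reports; deleting the flagged files, as step 14 instructs, is left to the administrator after review.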

  • Hoca
    replied
    Mohammed Abu Risha, thank you

    My hosting service is still working on a backup
    Has a backup of 25 September



  • Mohammed Abu Risha
    commented on 's reply
    vBulletin has now published patches to close the vulnerability. Check the member areas. My hosting service is still working on restoring a backup.

  • Hoca
    replied
    I had the same problem
    September 27, the site was attacked
    authorized to give information on how to clean files from viruses

