Known Exploit Warning Question

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Originally posted by NumNum:
    My 5.6.1 site was hit and I cannot access either url. I have 444'd it.
    For me, I had to remove index.html and replace it with a backup to get the site back to normal. I had to remove a couple more files in my vbulletin root directory based on timestamp too.

    And at this time I cannot use 444 permissions, or it causes a different issue.



    • OrganForum
      OrganForum commented
      My forum runs in a directory below the site root, and that was where the backdoor exploit was placed. Index.php and index.html were placed in the site root and displayed a "You've been hacked" page.

  • #17
    This site operates in a read-only mode. The webserver does not have permissions to write to the general file system.

    Okay. Another work around...
    1. Put the site into debug mode.
    2. Log into the AdminCP.
    3. Go to Styles -> Style Manager.
    4. Open the template list for the MASTER style.
    5. Scroll to the bottom where it says Module Templates.
    6. Highlight the widget_php module.
    7. Click the Revert Button.
    8. This will completely delete the template from your site and make the PHP Module inoperative.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.



    • #18
      To be clear, this subject being discussed is this story? I came here looking for what to do about this, but want to make sure this is the same thing being discussed - don't want to start a new thread if this is the same thing. Thank you.

      https://twitter.com/thedarktangent/s...13958332596224

      https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
      Last edited by Joe Siegler; Mon 10 Aug '20, 12:59pm.
      Joe Siegler - Webmaster
      Black Sabbath Online



      • #19
        Turning off the PHP, Ad, HTML Rendering option will stop the issue. Your Ads will not work though.

        Wayne Luke



        • #20
          Hi, is this the best place to be kept up to date about this issue? Our 5.6.2 forum was hit as well today. Is there a CVE number to track the issue yet?



          • #21
            Sorry, does the site shutdown (site off in admincp) option help avoid this exploit problem?



            • elektro-kot
              elektro-kot commented
              Ok. Thank you for the info, Wayne.

            • bcc_user
              bcc_user commented
              I have an internal-only test forum which I reverted back to 5.6.2 (stock) to test.

              Testing 5.6.2 (stock) with NONE of the patches or work-around options to avoid this exploit, and with AdminCP->Options->Turn-your-vBulletin-on-and-off->Site-Active->No->Save: the exploit still works. The exploit allows remotely reading files the web service user/group can see, and starting programs the web server user/group can run.

              For example, consider a *NIX system with the shell application "cat" installed at "/bin/cat". I was able to:
              exploit-script.sh SITENAME "/bin/cat ./core/includes/config.php"

              This dumped the contents of that file to remote terminal even with AdminCP "Site-Active" set to "no".

              I did not test on VB running on a windows server, because we don't do that.

            • elektro-kot
              elektro-kot commented
              Yes, thanks. I also checked the exploit capabilities when the site was turned off - shutting down the site has no effect.

          • #22
            Originally posted by elektro-kot:
            Sorry, does the site shutdown (site off in admincp) option helps avoid this exploit problem?
            I would think not, but I'm no expert. I went further than just "the off switch", though. I moved the entire directory elsewhere and took the whole bloody thing offline. Left an "off" message in its place.

            https://www.black-sabbath.com/vb/index.php

            I might be overreacting, but once many years ago I did have a break-in and I don't want that again.
            Joe Siegler - Webmaster



            • OrganForum
              OrganForum commented
              Be aware that this fix disables php, static html, and ad modules that you may have configured for your site.

            • Wayne Luke
              Wayne Luke commented
              The one linked in my comment above should only disable PHP Modules. Disabling HTML and Ad Modules is not a permanent fix.

            • OrganForum
              OrganForum commented
              Ok. Thanks

          • #23
            Saw your comment Wayne. You refer to that as a "permanent fix", yet the text itself is labeled a "workaround".

            I presume a proper fix will require a new version?
            Joe Siegler - Webmaster



            • Wayne Luke
              Wayne Luke commented
              Well that is really semantics. If the template isn't there the code is permanently disabled. A code patch will be made available shortly. It does the exact same thing but in a different method.

          • #24
            Originally posted by Wayne Luke:
            This site operates in a read-only mode. The webserver does not have permissions to write to the general file system.

            Okay. Another work around...
            1. Put the site into debug mode.
            2. Log into the AdminCP.
            3. Go to Styles -> Style Manager.
            4. Open the template list for the MASTER style.
            5. Scroll to the bottom where it says Module Templates.
            6. Highlight the widget_php module.
            7. Click the Revert Button.
            8. This will completely delete the template from your site and make the PHP Module inoperative.
            What if you've lost access to admincp url, can this be accomplished with tools.php?
            adktramping ~ my happy place.

            "Whoever said practice makes perfect was an idiot. Humans can't be perfect because we're not machines." ~ Sam Gardner.

            Vote for your favorite feature requests and the bugs you want to see fixed.



            • Wayne Luke
              Wayne Luke commented
              Not with tools.php. Make sure there is no admincp directory on your site and that there are no index.html files in the /core/admincp directory.

              You can also run the query `delete from template where title='widget_php';`

            • NumNum
              NumNum commented
              I'm having an issue with my site being able to read htaccess since I changed it to chmod444. It shows it at 644. Any idea what else I can look at?

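A small triage script, added here as an example and not code from vBulletin or from anyone in this thread. It turns two pieces of advice in the thread into repeatable checks: NumNum's timestamp-based cleanup in #16 (list files under the forum root modified within the last N days) and Wayne's note above (there should be no admincp directory in the site root and no index.html under /core/admincp). The sample directory tree is constructed inside the script so it can be run offline; the real forum path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not vBulletin's code): post-incident triage of a vBulletin
# web root, based on the advice in this thread. Paths are hypothetical and the
# sample tree built by make_sample_root is constructed for the demonstration.

# Print every regular file under $1 whose mtime is within the last $2 days.
# This is the "remove files based on timestamp" check from #16, done first as
# a read-only listing so nothing is deleted before a human has looked at it.
recent_files() {
    root=$1
    days=$2
    find "$root" -type f -mtime -"$days" 2>/dev/null | sort
}

# Print paths the thread says should not exist on a healthy install:
# an admincp directory in the site root, and any index.html under core/admincp.
suspicious_paths() {
    root=$1
    [ -d "$root/admincp" ] && echo "$root/admincp"
    find "$root/core/admincp" -type f -name 'index.html' 2>/dev/null | sort
    return 0
}

# Build a constructed sample tree: one old, legitimate config file plus the
# kind of freshly planted files described in #16 and #24.
make_sample_root() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/core/admincp" "$tmp/core/includes" "$tmp/admincp"
    echo '<?php // legitimate config (constructed)' > "$tmp/core/includes/config.php"
    echo 'You have been hacked (constructed sample)' > "$tmp/index.html"
    echo 'planted file (constructed sample)' > "$tmp/core/admincp/index.html"
    # Backdate the legitimate file so only the planted files look recent.
    touch -t 202001010000 "$tmp/core/includes/config.php"
    echo "$tmp"
}

# Usage on a real install (hypothetical path):
#   recent_files /var/www/forum 7
#   suspicious_paths /var/www/forum
# Run with --demo to exercise the checks against the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_root)
    echo "== files modified in the last 7 days under $root"
    recent_files "$root" 7
    echo "== paths that should not exist"
    suspicious_paths "$root"
    rm -rf "$root"
fi
```

The listing is deliberately read-only: on a compromised site the recent-files output is the starting point for comparing against a known-good backup, as NumNum did, rather than something to pipe straight into rm.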
          • #25
            Originally posted by alfreema:

            I spoke too soon. Chmod 444 on the vbulletin root directory causes an issue with .htaccess not being readable.
            What issue did it cause and how did you resolve it? This might be some of my issue as well.
            adktramping ~ my happy place.



            • #26
              Patches are available. https://forum.vbulletin.com/forum/vb...security-patch

              Wayne Luke



              • Wayne Luke
                Wayne Luke commented
                Well it disables the PHP module completely. If you were using the PHP Module then you have to switch to the Display Template module, which doesn't allow the upload of code through the interface. The instructions are linked in the second post of the announcement.

              • NumNum
                NumNum commented
                I was just reading that. Thanks for the reply. I see it will be completely removed in 564.

              • Wayne Luke
                Wayne Luke commented
                Using files uploaded to your server via SFTP is the proper way to add PHP Code.

            • #27
              My site was also impacted again before there was any communication from vBulletin. I was on 5.6.1 and am now fully up to date. Is there any way to get a better and earlier notification system in place, even if you are working on a fix?
              We were impacted 2 hours before the email confirming the fix came out.
              Having been caught by the previous Zero Day issue, I would prefer to know that something is known and being worked upon, and advice to prevent any intrusion.
              The email from vB was sent out at 23:56 (BST) and I was asleep. I woke to an email from my ISP who detected something I needed to investigate.
              Thank you for fixing this. How can we be better aware of these things?
              Mark
              Webmaster - Mustang Owners Club of Great Britain



              • #28
                We can't notify all customers until Internet Brands top-level management and legal department sign off on it. That is often the most time consuming aspect of releasing a patch. Even the wording of announcements and the proposed fix have to be approved. Unfortunately, I do not foresee that changing in the future.

                To be better aware, these forums are the best way. People often bring up issues here before we are made aware of them. Subscribing and getting email notifications if you don't visit daily can help.

                Wayne Luke



                • #29
                  Wayne Luke ...

                  So I was on 5.6.2 and the 5.6.2 PL 1 patch doesn't contain an "upgrade" folder, so going here (per the instructions on upgrading) doesn't resolve: https://%yourdomain/%forumroot%/install/upgrade.php

                  That seems okay, since there are only two files in it, so I just manually replaced the two files in there. When I go to the Admin I see:

                  vBulletin 5.6.2 Latest version available: 5.6.2 Patch Level 1

                  I did not restart the server, because I wasn't thinking I needed to. I feel like I am "patched" but there is no way for vBulletin to know that since there is no upgrade process.

                  Does that seem right?
                  Last edited by alfreema; Tue 11 Aug '20, 8:09am.



                  • Wayne Luke
                    Wayne Luke commented
                    Did you upload /core/includes/version_vbulletin.php? That lies to the AdminCP about the installed version.

                  • alfreema
                    alfreema commented
                    Yes, and I have verified that the PHP code references 5.6.2 Patch Level 1, just like the patch ZIP. Permissions and ownership are spot on too. Perhaps I need to restart my apache server for it to recompile and for the admin console to reflect it? Odd.

                    Edit: Well ... nevermind -- it just took some time to compile. It's proper now: vBulletin 5.6.2 Patch Level 1 Latest version available: 5.6.2 Patch Level 1

                    I bet I just needed to leave the admin console and come back to it.
                    Last edited by alfreema; Tue 11 Aug '20, 1:27pm.

                  • Wayne Luke
                    Wayne Luke commented
                    You would have to reload the AdminCP for that to update.

                • #30

                  should I delete vb5.php and runtime.php?

                  [attached screenshot]
                  Hosting: HostGator dedicated server
                  cloudflare enabled
                  PHP: 7.3
                  MySQL: 5.6
                  Vb5: 5.6.3
