Announcement

**Steve Machol** · Sat 26 Jun '04, 10:44pm

You are running an insecure version of vB. You should upgrade to at least 2.3.5 to get rid of known security holes.

Do you still have ftp access? Do you have phpMyAdmin access? If so, fill out a support ticket at:

http://www.vbulletin.com/members/mem...ontactform.php

Be sure to include the login info to your Admin CP, phpMyAdmin and FTP.

**ImageConstrux** · Sat 26 Jun '04, 11:10pm

It appears I still have FTP and phpmyadmin access. Thanks for the link - sending a ticket now....

I have a few custom hacks on our boards, so I've been apprehensive about upgrading. Maybe I could hire a member of the vB staff to make the needed upgrades without altering the hacks?

**ImageConstrux** · Sun 27 Jun '04, 12:33am

Here's something I can't quite understand - I looked into the code that was placed in my Forumhome template, and found code that led me to this address: http://www.xp10.com/vb/

Go there, and you'll find a forum being run with vB version 3.0.0.

So I guess my obvious question is, why hasn't a back door been employed by the staff at vB to take this site down? I looked at a subdirectory of files on that site and it's a bunch of jpegs and other stuff to use when putting code into vB sites like mine.

**ImageConstrux** · Sun 27 Jun '04, 1:17am

Is there a thread somewhere that lists off which files were changed freom version to version (2.1.X to 2.1.x+1, for example)?

I have some hacks on my board and don't want them goofed, so I'd prefer to just address the files as I need to.

Thanks!

**Steve Machol** · Sun 27 Jun '04, 6:26pm

Originally posted by ImageConstrux

I have a few custom hacks on our boards, so I've been apprehensive about upgrading. Maybe I could hire a member of the vB staff to make the needed upgrades without altering the hacks?

No sorry. We do not provide this service or official support for hacks.

**Steve Machol** · Sun 27 Jun '04, 6:28pm

Originally posted by ImageConstrux

Is there a thread somewhere that lists off which files were changed freom version to version (2.1.X to 2.1.x+1, for example)?

Look at each one of the annoucements in the Announcement for all the versions in between:

http://www.vbulletin.com/forum/forumdisplay.php?f=1

**ImageConstrux** · Sun 27 Jun '04, 6:32pm

I was wondering about 'unofficial' support. I can certainly understand vB not wanting to accept liability for the success of a site they had no hand in hacking in the first place. I was just fishing to see if someone would be interested in some side programming income, without wearing the vB hat or t-shirt.

**Steve Machol** · Sun 27 Jun '04, 6:35pm

Try the Service Requests forum at vbulletin.org.

**ImageConstrux** · Sun 27 Jun '04, 7:59pm

Thanks Steve.

I have another odd question, and am wondering if it's related - we had a member register, and the WWW link that was sent to me when the new user notification was sent was to a porn site. We've had 5 other new members register since we were hacked, and none had this issue. The guy seems to be an upstanding guy, and of course told me to shove it when I said 'please don't link to porn'.

My gut tells me he was caught in something stupid and is now trying to cover for it, but I wanted to double check here to see if anyone has heard of something like this.

**Steve Machol** · Sun 27 Jun '04, 9:05pm

Don't blame him. There is a trojan going around that automatically enters links to porn sites into fields like this. Tell him to update his virus checker and to throughly scan his PC.

**ImageConstrux** · Tue 29 Jun '04, 4:11pm

FYI, here's the IP of the hacker: 212.138.47.29 This IP is from Saudi Arabia

Today, I had an unregistered visitor trying to look at the calendar system, which had already been disabled. The IP: 65.215.3.116 The 65.215 block is reserved for Kuwait.

Just some info for people to use when blocking IP address blocks.

**VOM** · Wed 30 Jun '04, 10:22am

That same scumbag has tried to hack our forums several times this morning using several different IPs (212.138.47.11 thru 212.138.47.29) from that same subnet so we firewalled the entire subnet. It is indeed in Saudi Arabia. They seem to be using an SQL Injection attack like the following:

URL=/forums//calendar.php&SQL=action=%3Dedit%26eventid%3D14_union_select_userid.username.email.'0000-0-0'.password.username_from_user_where_userid%3D1

The latest digit (=1) increments with successive each attack attempt (each is from a different IP address on that subnet).

It would seem that they are targeting even vB 2.3.5 installations.

**Cosmogirl** · Wed 30 Jun '04, 5:07pm

The Same

The same thing happened to us, a noticed getting a person trying to register using different porn sites etc. And I was just hacked. Here is the message I got?

404 Not Found

http://www.southbeachdiet.co.uk/forums/index.php?

Also, when I tried to block IP`s it did not work???

I am just an admin, I have no idea how to get this up and going again, biggest fear is why was I hacked? And can I replace all the posts etc, it seems all were erased!

**ImageConstrux** · Wed 30 Jun '04, 5:52pm

Cosmo - do you have any access to the control panel of the server? If not, contact whomever does ASAP. That's where you need to go to regain some control, I believe.

Hey, isn't it possible to have the domain registrar revoke a domain? If so, I believe that should be our next step. Tucows is the registrar of xo10.com.

Announcement

Site Hacked

Site Hacked

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment