  • Site Hacked

    We've been hacked by the same dingleberry(s) as some of the other people posting lately. I'm in the process of regaining control, but am looking for any advice I can get.

    The URL is www.groundtradesxchange.com - My admin signon does not work, and other Admin signons also are now invalid. Only one button works on our headline page, leading to some 'ha-ha you've been hacked' page, half in some Arabic language. We're running 2.2.9.

    We can't view posts, forums, nada. Just our portal page.

    I believe the hack happened shortly after 7pm CST today - that's the stamp on the email I got from a new user that is most likely the culprit.

    Can someone help?


  • #2
    You are running an insecure version of vB. You should upgrade to at least 2.3.5 to get rid of known security holes.

    Do you still have ftp access? Do you have phpMyAdmin access? If so, fill out a support ticket at:

    http://www.vbulletin.com/members/mem...ontactform.php

    Be sure to include the login info to your Admin CP, phpMyAdmin and FTP.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      It appears I still have FTP and phpmyadmin access. Thanks for the link - sending a ticket now....


      I have a few custom hacks on our boards, so I've been apprehensive about upgrading. Maybe I could hire a member of the vB staff to make the needed upgrades without altering the hacks?



      • #4
        Here's something I can't quite understand - I looked into the code that was placed in my Forumhome template, and found code that led me to this address: http://www.xp10.com/vb/

        Go there, and you'll find a forum being run with vB version 3.0.0.

        So I guess my obvious question is, why hasn't a back door been employed by the staff at vB to take this site down? I looked at a subdirectory of files on that site and it's a bunch of jpegs and other stuff to use when putting code into vB sites like mine.
        Last edited by ImageConstrux; Sun 27 Jun '04, 12:58am.



        • #5
          Is there a thread somewhere that lists off which files were changed from version to version (2.1.X to 2.1.x+1, for example)?


          I have some hacks on my board and don't want them goofed, so I'd prefer to just address the files as I need to.

          Thanks!



          • #6
            Originally posted by ImageConstrux
            I have a few custom hacks on our boards, so I've been apprehensive about upgrading. Maybe I could hire a member of the vB staff to make the needed upgrades without altering the hacks?
            No sorry. We do not provide this service or official support for hacks.
            Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)




            • #7
              Originally posted by ImageConstrux
              Is there a thread somewhere that lists off which files were changed from version to version (2.1.X to 2.1.x+1, for example)?
              Look at each one of the announcements in the Announcement forum for all the versions in between:

              http://www.vbulletin.com/forum/forumdisplay.php?f=1
              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)




              • #8
                I was wondering about 'unofficial' support. I can certainly understand vB not wanting to accept liability for the success of a site they had no hand in hacking in the first place. I was just fishing to see if someone would be interested in some side programming income, without wearing the vB hat or t-shirt.



                • #9
                  Try the Service Requests forum at vbulletin.org.
                  Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)




                  • #10
                    Thanks Steve.


                    I have another odd question, and am wondering if it's related - we had a member register, and the WWW link that was sent to me when the new user notification was sent was to a porn site. We've had 5 other new members register since we were hacked, and none had this issue. The guy seems to be an upstanding guy, and of course told me to shove it when I said 'please don't link to porn'.

                    My gut tells me he was caught in something stupid and is now trying to cover for it, but I wanted to double check here to see if anyone has heard of something like this.



                    • #11
                      Don't blame him. There is a trojan going around that automatically enters links to porn sites into fields like this. Tell him to update his virus checker and to thoroughly scan his PC.
                      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)




                      • #12
                        FYI, here's the IP of the hacker: 212.138.47.29. This IP is from Saudi Arabia.

                        Today, I had an unregistered visitor trying to look at the calendar system, which had already been disabled. The IP: 65.215.3.116. The 65.215 block is reserved for Kuwait.

                        Just some info for people to use when blocking IP address blocks.



                        • #13
                          That same scumbag has tried to hack our forums several times this morning using several different IPs (212.138.47.11 thru 212.138.47.29) from that same subnet so we firewalled the entire subnet. It is indeed in Saudi Arabia. They seem to be using an SQL Injection attack like the following:

                          URL=/forums//calendar.php&SQL=action=%3Dedit%26eventid%3D14_union_select_userid.username.email.'0000-0-0'.password.username_from_user_where_userid%3D1

                          The last digit (=1) increments with each successive attack attempt (each is from a different IP address on that subnet).

                          It would seem that they are targeting even vB 2.3.5 installations.

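Added example, not code from the thread or from vBulletin: a small Python scanner that applies the observation in the post above to web-server access-log lines. It URL-decodes each request, flags calendar.php hits whose query carries the UNION SELECT ... FROM user probe quoted above, pulls out the incrementing userid value, and groups the source IPs by /24 so a hostile block can be firewalled as a whole. The log lines are constructed for the example; the IPs follow the ones quoted in the thread and the timestamps are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (Apache common log format). Three probes from the
# 212.138.47.0/24 block with userid=1,2,3 and one harmless calendar request.
SAMPLE_LOG = """\
212.138.47.11 - - [27/Jun/2004:09:01:10 -0500] "GET /forums/calendar.php?action=%3Dedit%26eventid%3D14_union_select_userid.username.email.'0000-0-0'.password.username_from_user_where_userid%3D1 HTTP/1.0" 200 5120
212.138.47.12 - - [27/Jun/2004:09:01:42 -0500] "GET /forums/calendar.php?action=%3Dedit%26eventid%3D14_union_select_userid.username.email.'0000-0-0'.password.username_from_user_where_userid%3D2 HTTP/1.0" 200 5120
10.0.0.5 - - [27/Jun/2004:09:02:03 -0500] "GET /forums/calendar.php?action=edit&eventid=14 HTTP/1.0" 200 5120
212.138.47.29 - - [27/Jun/2004:09:03:15 -0500] "GET /forums/calendar.php?action=%3Dedit%26eventid%3D14_union_select_userid.username.email.'0000-0-0'.password.username_from_user_where_userid%3D3 HTTP/1.0" 200 5120
"""

# Client IP, timestamp, method and request path of a common-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
# The probe's tell-tale shape after decoding: UNION SELECT ... FROM user. Spaces in
# the quoted URL appear as underscores, so both separators are accepted.
SQLI_RE = re.compile(r'union[\s_]+select.*?from[\s_]+user(?![a-z0-9])', re.IGNORECASE)
# Trailing "userid=<n>" that the attacker increments on each attempt.
USERID_RE = re.compile(r'userid[\s_]*=[\s_]*(\d+)\s*$', re.IGNORECASE)


def scan(log_text):
    """Return one (ip, script, userid_probed) tuple per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group('path'))   # undo %3D / %26 / + encoding
        script, _, query = decoded.partition('?')
        if not SQLI_RE.search(query):
            continue
        uid = USERID_RE.search(query)
        findings.append((m.group('ip'), script.rsplit('/', 1)[-1],
                         int(uid.group(1)) if uid else None))
    return findings


def by_subnet(findings):
    """Group probing IPs by /24 so the whole block can be firewalled at once."""
    groups = defaultdict(list)
    for ip, _, uid in findings:
        groups[ip.rsplit('.', 1)[0] + '.0/24'].append((ip, uid))
    return dict(groups)


if __name__ == '__main__':
    for subnet, hits in by_subnet(scan(SAMPLE_LOG)).items():
        print(subnet, hits)
```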


                          • #14
                            The Same

                            The same thing happened to us. I noticed a person trying to register using different porn sites, etc., and then I was just hacked. Here is the message I got:



                            Also, when I tried to block IPs it did not work???

                            I am just an admin, I have no idea how to get this up and going again, biggest fear is why was I hacked? And can I replace all the posts etc, it seems all were erased!



                            • #15
                              Cosmo - do you have any access to the control panel of the server? If not, contact whomever does ASAP. That's where you need to go to regain some control, I believe.



                              Hey, isn't it possible to have the domain registrar revoke a domain? If so, I believe that should be our next step. Tucows is the registrar of xo10.com.
