Announcement

Collapse
No announcement yet.

Hacked :-(

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Hacked :-(

    Oh well, I guess I should have upgraded my outdated 2.2.8 ages ago.

    He created a new user account, didn't need to confirm the email address and then managed to upgrade his account to Admin.

    First he came from this IP: 212.100.251.149
    Then he switched to 67.72.98.57

    His email is [email protected]

    He's deleted all my forums and hence all messages :-(

    Then he left me with a big FU :
    http://www.britishspanking.com/hack.html

    My advice to all you people still running 2.2.8 : UPGRADE !!
    and ban these IPs from your servers...

    >>> MODS : Please don't delete the IPs from this message - had I seen a post like this before I would have banned these IPs immediately and been enjoying a nice beer now whilst watching the tennis at Wimbledon...

    tox.
    Last edited by tox; Sun 27th Jun '04, 5:57am.

  • #2
    I got hacked a few months ago. Not nice

    Comment


    • #3
      Can you see how he's achieved it via apache access logs?

      I'd like to get a hold of yours for the past 12 hours prior to the hacking to see how he got in as there isn't a way that we know of that can simply give yourself admin permission.
      Scott MacVicar

      My Blog | Twitter

      Comment


      • #4
        ..I've PM'ed you a log file
        Last edited by tox; Sun 27th Jun '04, 6:35am.

        Comment


        • #5
          http://www.vbulletin.com/forum/showthread.php?t=108741
          Scott MacVicar

          My Blog | Twitter

          Comment


          • #6
            today I've been getting a few weird requests like : showthread.php?t=http://www.b00gle.com/s/2&page=http://www.b00gle.com/s/2

            I've banned the IP that owns it : 213.239.194.75
            My Sites :

            Comment


            • #7
              OMG.... Noooo Way! That is the same first 9 digits of the IP address of the guy who hacked my forum. He deleted like 1,000,000 posts and guess what (backups didn't work!)

              I have contact the webhost that this IP resolves to and they informed me that this was the second report of hacking from that IP and provided me with contact information (including phone number) for the customer who owns that IP! Please e-mail me at [email protected]

              We are filing a report with the FBI on the matter.

              He called himself [email protected] when he hacked me.... and his message also included arabic text.

              Originally posted by tox

              First he came from this IP: 212.100.251.149
              Then he switched to 67.72.98.57

              His email is [email protected]

              Comment


              • #8
                He got us as well over at murc. i've managed to recover the database, killed the forum titles, but the posts and threads were still there.

                running 2.2.9, i'll forward the logs if you want as soon as they are available

                to recover the forums, you need to do a little bit of hard work in phpmyadmin.

                Comment


                • #9
                  So your telling me that the posts might still have been there?

                  I upgraded to Vb 3 after the "incident" having figured that all was lost. So.... those posts might still be around? Cause if they are I would be willing to pay to have them recovered. I know little to nothing about php and mysql really. I'd be willing to pay you to help me out if you think it can be recovered ($100).

                  Come to think of it... I bet those posts are still there because the backup files are still over 400 mb.

                  Comment


                  • #10
                    Basically someone has went and looked through google for older versions of vBulletin and is picking on those who have neglected to upgrade.

                    http://www.vbulletin.com/forum/showthread.php?t=108741
                    Scott MacVicar

                    My Blog | Twitter

                    Comment


                    • #11
                      Originally posted by Scott MacVicar
                      Basically someone has went and looked through google for older versions of vBulletin and is picking on those who have neglected to upgrade.

                      http://www.vbulletin.com/forum/showthread.php?t=108741
                      Do offer a service that would check to see if I still have all the old posts and them restore them?

                      Comment


                      • #12
                        Originally posted by Scott MacVicar
                        Basically someone has went and looked through google for older versions of vBulletin and is picking on those who have neglected to upgrade.

                        http://www.vbulletin.com/forum/showthread.php?t=108741
                        It was late last night here in the US when I got your warning message about the hacking trend. I was in two minds whether to go to bed or do the update. I figured what's the likelihood that they'll get my forum (I was running vB 2.2.9). Surely not! But, curiosity got the better of me and I decided to do the upgrade to 2.3.5 there and then (I had been putting off upgrading for several months and almost let my vB lease expire). Today, coincidentally at the very moment I was maintaining our forum web server I witnessed someone trying to mess with my forums by issuing the following command:
                        myforumaddress/forums/calendar.php?action=edit&%20eventid=14%20union%20select%20userid,username,emai...


                        This is apparently a SQL injection attack (according to BlackICE which picked up the intrusion attempt).



                        IP address used was 82.129.217.130

                        A WhoIs traces back to a small subnet in Sohag, Egypt with a contact with a Hotmail address.

                        The referral to the forum web server came from a Google search. Presumably our forums are somewhere in Google as running with an older vB version.

                        Here is a chunk of the Google search expression that was used:
                        http://www.google.com/search?q=powered+by:+vbulletin+version+2.2.9&hl=en&lr=&ie=UTF-8&start=100&sa=N

                        This search yields 121,000 results. We are way, way down the list on page 10. Many of the entries in the list, including the one before us, show that they've already been hacked!

                        Here is what a hacked vB site looks like: http://boozet.xepher.net/vbulletin/

                        Presumably that is the hack attack type that you've been referring to, yes?
                        It seems to have been unsuccessful. So, it looks like I narrowly averted being hacked! Thanks for the warning!

                        So, fair warning to anyone that is putting off doing the upgrade, or that thinks it won't happen to them, do the upgrade and do it right now!
                        Last edited by Rob_Pritt; Mon 28th Jun '04, 3:28pm.

                        Comment


                        • #13
                          My website was also hacked. It is still saying that I have something like 62,999 posts in my database though. They are not showing up on my home page. Is there anyway to restore access to these posts?

                          Comment


                          • #14
                            You'd need to check if the forum and thread tables are still in tact else you'll have to restore them from a backup.
                            Scott MacVicar

                            My Blog | Twitter

                            Comment


                            • #15
                              Originally posted by tox
                              First he came from this IP: 212.100.251.149
                              Then he switched to 67.72.98.57
                              Monday I banned 212.100.251.149 from our server (since I read this post) and was surprised to find a hit every day since. Then I searched through past logs. I ended up unbanning the IP because I saw nothing but normal activity.

                              This is the second IP I've found where others have reported seeing exploit attempts in the web logs and I see nothing but normal activity? Any ideas? I don't know what the odds of a spoofed IP are, but I'd think it would be rather small.
                              Cygwin - all the tools to make Windows complete (cvs, vim, diff, grep, gcc, ssh, ...)

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X