Hey all, Well my server tech tells me that someone has been exploiting my vB and attacking our MYSQL with it. Unfortunately this sucks for me cause I do not know how to patch these exploits. We are on a server with the latest stuff we got from ServerMatrix.com and also I am using vBulletin 3.0.3. So I am not sure what patches can be done to prevent people from gaining access to my MYSQL from vB. I even added .htaccess files to both admincp and modcp and they still got in and deleted the MYSQL socket file I believe. Also, someone was able to register an account on my forums, become admin, de-admin me and destroy everything. Ughh...can anyone advise me what to do or where to find patches for MYSQL and vBulletin. Thanks!
Forums Attacking MYSQL?!
-
There is a small patch for 3.0.3 here.
The first thing you need to do is figure out exactly how this person is taking over your forum. They might have hacked your server, brute forced your password or got it by some other means, etc. All I can do is take some guesses.
- make sure the tools.php file is not uploaded to any of your forum directories
- turn on the "strikes" system
- make sure your password is complex and not easy to guess
- don't use the same password for anything else
- change your htaccess password
- update your server software to the latest secure versions
- etc
-
They cannot use vBulletin to delete the MySQL socket file. You have to be a Root level user to delete that file from a server. You need to change your root passwords on your machine and make sure you assign a root password to MySQL (Servermatrix servers don't come with one by default) as well. These passwords need to be different and you should not use them to access your server on a regular basis. In fact, I would make it so Root couldn't log in directly via telnet/ssh but needs another user in the wheel group to log in and then SU into the root account.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
-
Actually, there are no exploits I know of, but my server tech claims that the server is being attacked through a vBulletin exploit. I have most of the things you said already done, the only thing not done was the authorize.net patch. My server tech claims that it has nothing to do with the server but is a vBulletin issue. So I am not sure what to tell you.
-
-
Well if I knew that much, then I wouldn't be posting here. But he has not told me anything except that vBulletin is causing the problems, which I find hard to believe. He suggested that I switch to vB 2.x.x so that I can have more security, but I thought that vB 3.x.x was more secure, no? I don't know, but these issues are making me sour, why should I have to go through this nonsense for something I pay 80$ for? Someone tell me that...
-
Well, you cannot switch to vBulletin 2.X from 3.X, the database structure is not backwards compatible. Second, vBulletin 3.X is a lot more secure than 2.X and includes a lot more data sanitization and data checks than vBulletin 2.X does.
We would be more than happy to help more but we need to know what he actually thinks is being exploited here.
Wayne Luke
-
The latest versions of both vB3 and vB2 are considered to be secure.
But as Wayne pointed out, it sounds like the root login was compromised.
-
Here is the exploit, I was told it was being exploited through the avatar upload section.
My server tech has suggested that "it would be wise to go as high as possible, but not outside .2x range".
They used vBulletin as a means to work this crash, hopefully you guys can work on this and if you need more info, please let me know. Thank you.
-
I read that but I still don't see how this is a vBulletin issue. This exploit involves running a C program on the server.
Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
Change CKEditor Colors to Match Style (for 4.1.4 and above)
Steve Machol Photography
Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.
-
This doesn't relate to vBulletin in any way shape or form, it is specifically a kernel problem with Linux.
-
Sorry, maybe I didn't specify it too well, let me see. I will show you the convo we had to explain better what he is talking about.
AM] exjayde: okay well, on your vbb, it has that avatar upload
AM] JohnBoi71785: yea
AM] exjayde: there was an exploit on crashtalk or something like that for vbb3 avatar upload, so you could upload anything
AM] exjayde: he uploaded it to the vbb /tmp directory, which happened to be not configured properly (supposed to be pointing at the server /tmp) and it was executable
AM] exjayde: so it was executed, and he got your ftp passwords
AM] exjayde: from there
AM] exjayde: he went into a cgi-bin somewhere
AM] exjayde: because his user status was null, so he was ghost kind of
AM] exjayde: and he went to someone's cgi bin, and executed a cgi file
So basically there is this avatar exploit somewhere on someone's website, but I am not sure where. If I find it, I will direct you all to it. Thanks.
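Added example, not part of the thread and not vBulletin code: a POSIX shell audit for the condition described in the chat log above, an upload directory that holds files which are executable or are not images. The function names and the directory passed in are assumptions, and the image check covers only GIF, JPEG and PNG signatures.

```shell
#!/bin/sh
# Added example (not vBulletin code). Function names are hypothetical.

# is_image FILE: succeed if FILE starts with a GIF, JPEG or PNG signature.
is_image() {
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        474946383761*|474946383961*) return 0 ;;  # GIF87a / GIF89a
        ffd8ff*)                     return 0 ;;  # JPEG
        89504e470d0a1a0a*)           return 0 ;;  # PNG
    esac
    return 1
}

# has_exec_bit FILE: succeed if any user/group/other execute bit is set.
has_exec_bit() {
    [ -n "$(find "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \))" ]
}

# audit_uploads DIR: print "REASON<TAB>PATH" for every suspicious regular file.
audit_uploads() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if has_exec_bit "$f"; then printf 'executable\t%s\n' "$f"; fi
        if ! is_image "$f"; then printf 'not-an-image\t%s\n' "$f"; fi
    done
}

# Usage: audit_uploads /path/to/forum/upload/dir
```

Any line of output means the directory holds something an avatar store should not contain and is worth reviewing by hand.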