Hacked Board?


  • Hacked Board?

    Hey guys, visited my board today to be alerted by a thread about my board getting hacked? It's running vB 3.6.0...
    The posts are as follows:

    Code:
     Degeniz Team hacked the message board via redirection to an image on their site, and it showed a penguin with the turkey Flag symbol, and a map with Turkey on it. Apparently they're a hacker site, with a message board and applications to go along with it.
    and various other posts. I noticed a member called Degeniz team registered, which is now banned... Rumour has it they have hacked and disabled a few other boards in their time. I've no idea what to believe, as I wasn't online at the time.

    Is vBulletin easy to exploit and disable? Any precautions other than a backup to take? I appreciate some advice, thanks.

    Anyone heard of dengesizteam team before?
    Last edited by chimaira; Sat 2nd Sep '06, 5:41pm.

  • #2
    They have been busy.
    Recently there has been a problem with FlashChat.
    ...steven
    www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
    bmwcca.org/forum | m135i.net
    "I tried to clean this up but this thread is beyond redemption." - Steve Machol



    • #3
      People have been saying "I'm glad the board is back", so I'm guessing it went down for a while... due to them... I'm trying to get as much information as possible, as I wasn't online to witness anything.



      • #4
        Note: There are known security holes with at least two plugins that hackers are exploiting right now - Flashchat and TopXStats. I *strongly* recommend you remove at least these plugins if you have them.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
        Change CKEditor Colors to Match Style (for 4.1.4 and above)

        Steve Machol Photography


        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




        • #5
          Alternatively, both problems can also be fixed:

          http://www.vbulletin.com/forum/showt...60#post1202960

          http://www.vbulletin.org/forum/showt...17#post1066817

          Baby, I was born this way



          • #6
            Okay, I did the upgrade for Top X Stats.
            I keep getting users signing up, and one made this thread:

            Code:
             ">"">>>><meta http-equiv="Refresh" content="0;url=http://crzysldr.kayyo.com"> """" > 
              ašıkları kapa
            Do you think they are temporarily disabling my board via server side, either via PHP or an SQL injection or even XSS to allow remote execution for vB 3.6.0?

            My board URL is www.chimairaboard.com, just for reference.

            But cheers for the replies guys, hopefully they won't get anywhere now.
            Last edited by chimaira; Sun 3rd Sep '06, 4:45am.



            • #7
              Hi chimaira,

              Did you try to do a "Suspect File Versions" check from:

              "admincp -> Maintenance -> Suspect File Versions"

              For an additional control.

              It seems they are assuming that you still have a security hole and they are trying to use it more than once.



              • #8
                All that is fine, ta.
                Just annoying me, as I'm getting a bombardment of Turkish users trying to make threads with this content:

                Code:
                 ">"">>>><meta http-equiv="Refresh" content="0;url=http://myturqey.com/a.htm"> """" >
                Can't ban their host/IP, as nothing comes up when I do a match.
                Last edited by chimaira; Sun 3rd Sep '06, 8:29am.



                • #9
                  You ain't alone.

                  There is a "team hackers" member wandering around.

                  It's done five boards I know of through links, images etc.

                  Sorry to butt in.
                  www.tabletennistalk.co.uk



                  • #10
                    Think I had one of them today, had a user sign up, didn't think too much of it, until I started getting a refreshed page to a Turkish site. One of my mods removed it and stopped it, but I've since banned their IP and email address (I traced the IP back to a Turkish host).



                    • #11
                      Idem, I had:

                      Email Address : windows__@hotmail.com
                      Birthday :
                      Referrer: N/A
                      IP Address: 88.234.38.70 (from Ankara)

                      Hoping he didn't do anything bad. IP and email banned.

                      Anyone got this registration as well?


                      PS: we don't have any plugin, only 3.6
                      BPowers.com: Eu Web Hosting Solutions
                      Shared hosting with Cpanel/Fantastico
                      Live Help: http://www.bpowers.com



                      • #12
                        Is there any way of banning certain characters in the thread titles to prevent this happening?


                        Code:
                        ">"">>>><meta http-equiv="Refresh" content="0;url=http://Turksecurity.org"> """" >
                        The IP of the one that stung me was 88.224.0.121 using email emsalsiz_01@hotmail.com.
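
The question in post #12, as an added example that is not part of the original thread and is not vBulletin's own code: banning characters is brittle, whereas HTML-encoding the title wherever it is printed keeps it inert. The function names, the link markup and the `redirect.example` host are assumptions made for illustration, and the sample title is constructed from the ones quoted above.

```php
<?php
// Added example: generic PHP, not vBulletin's code or template API.

// Constructed sample modelled on the titles quoted in this thread;
// redirect.example is a placeholder host.
$title = '">"">>>><meta http-equiv="Refresh" content="0;url=http://redirect.example/"> """" >';

// Unsafe: the raw title is placed into an attribute and an element body.
// The leading "> closes the attribute and the tag, so the browser parses
// the <meta> refresh as markup on every page that lists the thread.
function render_title_unsafe(string $title): string
{
    return '<a href="showthread.php?t=1" title="' . $title . '">' . $title . '</a>';
}

// Hardened: encode on output. ENT_QUOTES covers both quote styles;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function render_title_safe(string $title): string
{
    $enc = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="showthread.php?t=1" title="' . $enc . '">' . $enc . '</a>';
}

// Input-side check (hypothetical helper): flag titles that carry a
// tag opener or a quote followed by '>' so they can be held for
// moderation. Defence in depth only; output encoding is the fix.
function title_looks_like_markup(string $title): bool
{
    return preg_match('/<\s*\/?\s*[a-z!]|["\']\s*>/i', $title) === 1;
}

$unsafe = render_title_unsafe($title);
$safe   = render_title_safe($title);

// Does a raw <meta tag reach the page in each rendering?
var_dump(strpos($unsafe, '<meta') !== false);
var_dump(strpos($safe, '<meta') !== false);

// Is the sample flagged, and is an ordinary title with '>' left alone?
var_dump(title_looks_like_markup($title));
var_dump(title_looks_like_markup('Tour dates 2006 > new album?'));
```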



                        • #13
                          Hi

                          I must have had at least 10 of these posts in the last 2 days. So far I have deleted all these users, deleted their posts, banned their IPs and banned email addresses. Getting fed up of them now; pity they have nothing else better to do.....

                          As a last resort, I have now stopped all new registrations, I know it's a bit drastic.

                          Stuart



                          • #14
                            Check this, it should solve the issue once and for all:

                            http://www.vbulletin.org/forum/showthread.php?t=125726



                            • #15
                              They got me this morning too, thanks for the info on fixing this.

                              IP: 88.229.81.215
                              email: dengesizteam@mynet.com

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X