Announcement

**steven s** · Sat 2 Sep '06, 5:56pm

They have been busy.
Recently there has been a problem with FlashChat.

**chimaira** · Sat 2 Sep '06, 6:13pm

People have been saying im glad the board is back. so im guessing it went down for a while... due to them... im trying to get as much information as possible as i wasnt online to witness anything.

**Steve Machol** · Sat 2 Sep '06, 7:29pm

Note: There are known security holes with at least two plugins that hackers are exploiting right now - Flashchat and TopXStats. I *strongly* recommend you remove at least these plugins if you have them.

**Paul M** · Sun 3 Sep '06, 3:51am

Alternatively, both problems can also be fixed ;

http://www.vbulletin.com/forum/showt...60#post1202960

http://www.vbulletin.org/forum/showt...17#post1066817

**chimaira** · Sun 3 Sep '06, 4:19am

Okay i did the upgrade for top x stats~
i keep getting users signing up and one made this thread

Code:

 ">"">>>><meta http-equiv="Refresh" content="0;url=http://crzysldr.kayyo.com"> """" > 
  açıkları kapa

Do you thnik they are tempo disabling my board via server side either via php or an sql injection or even xss to alow remote execution for vb 3.6.0

my board url is www.chimairaboard.com just for refrence

but cheers for the replies guys,

hopefully they wont get no where now.

**MaviJean** · Sun 3 Sep '06, 6:33am

Hi chimaira,

Did you try to do a "Suspect File Versions" check from;

" admicp -> Maintenance-> Suspect File Versions "

For an additional control.

It seems they are assuming that you have still a security hole and they are trying use it more than once.

**chimaira** · Sun 3 Sep '06, 8:23am

All that is fine ta
Just annoying me as im getting a bombardedment of turkish users trying to make threads with this content

Code:

 ">"">>>><meta http-equiv="Refresh" content="0;url=http://myturqey.com/a.htm"> """" >

cant ban there host/ip as nothing comes up when i do a match

**basilrath** · Sun 3 Sep '06, 9:07am

u aint alone

there is a "team hackers" member wandering around

its done five boards i know of through links, images etc

sorry to but in .

**JasonWilliams** · Sun 3 Sep '06, 9:10am

Think I had one of them today, had a user sign up, didn't think too much of it, until I started getting a refreshed page to a Turkish site, one of my Mod's removed it and stopped it, but I've since banned their IP and email address (I traced the IP back to a Turkish host).

**Interdit** · Sun 3 Sep '06, 9:14am

Idem i had:

Email Address : [email protected]
Birthday :
Referrer: N/A
IP Address: 88.234.38.70 (from Ankara)

Hoping he didn't do anything bad.. Ip and email banned.

Anyone got this registration as well ?

Ps: we don't have any plugin, only 3.6

**JasonWilliams** · Sun 3 Sep '06, 9:26am

Is there any way of banning certain characters in the thread titles to prevent this happening?

Code:

">"">>>><meta http-equiv="Refresh" content="0;url=http://Turksecurity.org"> """" >

The IP of the one that stung me was 88.224.0.121 using email [email protected].

**stuarttunstall** · Sun 3 Sep '06, 9:52am

Hi

I must have had at least 10 of these posts in the last 2 days, so far I have deleated all these users, deleated there posts, banned there IP's and banned email addresses. Getting fed up of them now

pity they have nothing else better to do.....

As a last resort, I have now stopped all new registrations, I know it's a bit drastic.

Stuart

**JasonWilliams** · Sun 3 Sep '06, 1:08pm

Check this, it should solve the issue once and for all :

http://www.vbulletin.org/forum/showthread.php?t=125726

**Dead End Society** · Tue 5 Sep '06, 6:42am

They got me this morning too, thanks for the info on fixing this.

IP: 88.229.81.215
email: [email protected]

Announcement

Hacked Board?

Hacked Board?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment