Announcement

**steven s** · Sat 2nd Sep '06, 5:56pm

They have been busy.
Recently there has been a problem with FlashChat.

**chimaira** · Sat 2nd Sep '06, 6:13pm

People have been saying im glad the board is back. so im guessing it went down for a while... due to them... im trying to get as much information as possible as i wasnt online to witness anything.

**Steve Machol** · Sat 2nd Sep '06, 7:29pm

Note: There are known security holes with at least two plugins that hackers are exploiting right now - Flashchat and TopXStats. I *strongly* recommend you remove at least these plugins if you have them.

**Paul M** · Sun 3rd Sep '06, 3:51am

Alternatively, both problems can also be fixed ;

http://www.vbulletin.com/forum/showt...60#post1202960

http://www.vbulletin.org/forum/showt...17#post1066817

**chimaira** · Sun 3rd Sep '06, 4:19am

Okay i did the upgrade for top x stats~
i keep getting users signing up and one made this thread

Code:

 ">"">>>><meta http-equiv="Refresh" content="0;url=http://crzysldr.kayyo.com"> """" > 
  a�ıkları kapa

Do you thnik they are tempo disabling my board via server side either via php or an sql injection or even xss to alow remote execution for vb 3.6.0

my board url is www.chimairaboard.com just for refrence

but cheers for the replies guys,

hopefully they wont get no where now.

**MaviJean** · Sun 3rd Sep '06, 6:33am

Hi chimaira,

Did you try to do a "Suspect File Versions" check from;

" admicp -> Maintenance-> Suspect File Versions "

For an additional control.

It seems they are assuming that you have still a security hole and they are trying use it more than once.

**chimaira** · Sun 3rd Sep '06, 8:23am

All that is fine ta
Just annoying me as im getting a bombardedment of turkish users trying to make threads with this content

Code:

 ">"">>>><meta http-equiv="Refresh" content="0;url=http://myturqey.com/a.htm"> """" >

cant ban there host/ip as nothing comes up when i do a match

**basilrath** · Sun 3rd Sep '06, 9:07am

u aint alone

there is a "team hackers" member wandering around

its done five boards i know of through links, images etc

sorry to but in .

**JasonWilliams** · Sun 3rd Sep '06, 9:10am

Think I had one of them today, had a user sign up, didn't think too much of it, until I started getting a refreshed page to a Turkish site, one of my Mod's removed it and stopped it, but I've since banned their IP and email address (I traced the IP back to a Turkish host).

**Interdit** · Sun 3rd Sep '06, 9:14am

Idem i had:

Email Address : [email protected]
Birthday :
Referrer: N/A
IP Address: 88.234.38.70 (from Ankara)

Hoping he didn't do anything bad.. Ip and email banned.

Anyone got this registration as well ?

Ps: we don't have any plugin, only 3.6

**JasonWilliams** · Sun 3rd Sep '06, 9:26am

Is there any way of banning certain characters in the thread titles to prevent this happening?

Code:

">"">>>><meta http-equiv="Refresh" content="0;url=http://Turksecurity.org"> """" >

The IP of the one that stung me was 88.224.0.121 using email [email protected].

**stuarttunstall** · Sun 3rd Sep '06, 9:52am

Hi

I must have had at least 10 of these posts in the last 2 days, so far I have deleated all these users, deleated there posts, banned there IP's and banned email addresses. Getting fed up of them now

pity they have nothing else better to do.....

As a last resort, I have now stopped all new registrations, I know it's a bit drastic.

Stuart

**JasonWilliams** · Sun 3rd Sep '06, 1:08pm

Check this, it should solve the issue once and for all :

http://www.vbulletin.org/forum/showthread.php?t=125726

**Dead End Society** · Tue 5th Sep '06, 6:42am

They got me this morning too, thanks for the info on fixing this.

IP: 88.229.81.215
email: [email protected]

Announcement

Hacked Board?

Hacked Board?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment