Database leak at the VB 3.6.8 PL2

  • Database leak at the VB 3.6.8 PL2

    Hi guys,

    I have a problem with my database. I updated vBulletin from 3.6.2 up to 3.6.8 PL2.

    My vBulletin 3.6.2 was hacked and somebody dropped my whole database. I recovered the database from the backup and updated it to the latest 3.6.8 PL2 version.

    I denied DROP permissions for the vbulletin MySQL user, and now I have tons of these tables in my database:

    aaggregate_temp_********* (these tables are empty) | type --> MEMORY
    taggregate_temp_********* (there is some data there) | type --> MEMORY

    and I started receiving database errors like this:

    Invalid SQL:
    DROP TABLE IF EXISTS taggregate_temp_***********;

    Error MySQL : DROP command denied to user 'user'@'host' for table 'taggregate_temp_**********'
    Error Number : 1142
    Script : http://****************/forum/cron.php?&rand=91523
    Refferer : http://****************/forum/showthread.php?t=2526

    Could you help me with these unknown tables in my database? Which privileges should I set for the vBulletin MySQL user (Select, Insert, Update, Delete, Create, Drop, Index, Alter, Tmp, Lock)? Which security settings would you suggest for vBulletin in MySQL?

    Thanks a lot in advance.
    Last edited by AnT0NiuS; Mon 28th Jan '08, 8:12am.

  • #2
    The database user actually needs DROP privileges for some forum operations. That is why you are getting that error.

    I usually just enable all MySQL privileges for the database user. Here are some security tips:

    http://www.vbulletin.com/forum/showthread.php?t=194701



    • #3
      I had all MySQL privileges enabled until somebody DROPped my vBulletin 3.6.2 database...

      Thanks for the quick reply and link


      • #4
        Originally posted by AnT0NiuS
        I had all MySQL privileges enabled until somebody DROPped my vBulletin 3.6.2 database...

        Thanks for the quick reply and link
        Do you know what page/script they used to drop the tables? It seems like you should disable whatever plugin was used to do this or go see if there is an update to the plugin to fix this issue.

        Please don't PM or VM me for support - I only help out in the threads.
        vBulletin Manual & vBulletin 4.0 Code Documentation (API)
        Want help modifying your vbulletin forum? Head on over to vbulletin.org
        If I post CSS and you don't know where it goes, throw it into the additional.css template.

        W3Schools <- awesome site for html/css help



        • #5
          Originally posted by U2Lynne
          Do you know what page/script they used to drop the tables? It seems like you should disable whatever plugin was used to do this or go see if there is an update to the plugin to fix this issue.
          How can I figure out which page/script the attack came from?


          • #6
            I would have looked in my access_logs and possibly my error_logs for that date and, if you know the time, that time.



            • #7
              You will probably need to consult with your host to analyze the logs that U2Lynne is talking about.

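The log review suggested in #6 and #7, as an added example that is not part of the original thread: it filters an access log to a window around the time the database was dropped and counts requests to scripts outside the set you expect the forum to serve. The Apache "combined" log format, the incident time, the IP addresses and the path `/gallery/example.php` are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log format is assumed; adjust for other formats.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IPs, hypothetical paths and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:03:10:02 +0000] "GET /forum/showthread.php?t=2526 HTTP/1.1" 200 18231 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2008:03:14:40 +0000] "POST /gallery/example.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2008:03:14:41 +0000] "POST /gallery/example.php HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.10 - - [01/Jan/2008:03:15:05 +0000] "GET /forum/cron.php?&rand=91523 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2008:09:00:00 +0000] "GET /gallery/example.php HTTP/1.1" 200 512 "-" "-"',
]
INCIDENT = datetime(2008, 1, 1, 3, 15, tzinfo=timezone.utc)   # assumed time of the DROP
KNOWN_SCRIPTS = {"/forum/showthread.php", "/forum/cron.php"}  # scripts you expect to see

def requests_in_window(lines, incident, minutes=30):
    """Yield parsed requests made within +/- `minutes` of the incident time."""
    delta = timedelta(minutes=minutes)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - incident) <= delta:
            path, _, query = m["url"].partition("?")
            yield {"ip": m["ip"], "ts": ts, "method": m["method"],
                   "path": path, "query": query, "status": int(m["status"])}

def triage(lines, incident, known_scripts, minutes=30):
    """Count (ip, method, path) for in-window requests to scripts that are
    not in the expected set, most frequent first."""
    hits = Counter()
    for r in requests_in_window(lines, incident, minutes):
        if r["path"] not in known_scripts:
            hits[(r["ip"], r["method"], r["path"])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (ip, method, path), count in triage(SAMPLE_LOG, INCIDENT, KNOWN_SCRIPTS):
        print(f"{count:4d}  {ip:15s}  {method:4s}  {path}")
```

The output is a shortlist for manual review, not a verdict; widen the window or the known-script set to match how precisely the incident time is known.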


              • #8
                Thank you very much for the suggestions.

                I started an investigation with the host provider. As soon as I find the script or page I will let you know.

                I have a suspicion that it could be a script related to the customavatar table. But maybe I'm wrong. Let's wait until my investigation is done.


                • #9
                  Originally posted by U2Lynne
                  Do you know what page/script they used to drop the tables? It seems like you should disable whatever plugin was used to do this or go see if there is an update to the plugin to fix this issue.
                  If PhotoPost is installed it was probably that... All of my sites with it installed got F-ed a couple weeks ago (some multiple times) because PP was deleting forum threads and refusing to admit that they had a huge problem with their software that was letting people run whatever PHP code they wanted.
                  Jason Litka - Utter Ramblings



                  • #10
                    Originally posted by jason|xoxide
                    If PhotoPost is installed it was probably that... All of my sites with it installed got F-ed a couple weeks ago (some multiple times) because PP was deleting forum threads and refusing to admit that they had a huge problem with their software that was letting people run whatever PHP code they wanted.
                    PhotoPost was not deleting the threads in your forum; someone was exploiting a PHP issue via PhotoPost to delete threads - big difference.



                    • #11
                      Originally posted by DanaSoft
                      PhotoPost was not deleting the threads in your forum; someone was exploiting a PHP issue via PhotoPost to delete threads - big difference.
                      It was a vulnerability in PhotoPost that the developers refused to acknowledge. As far as I'm concerned that makes them and their software just as responsible as the person who wrote the hack script and the tool who decided to use it.