CrackerTracker
This is a port of the standalone Cback.de (http://www.cback.de) CrackerTracker (originally made for phpBB) to a product for vB.
Description
This hack searches the request string for defined code parts; if any hit is found, the script dies and sends a short message.
In addition to security, this simple script relieves the server during automated attacks from bot scripts when the definitions match the requests.
Instructions
Install
upload the /elog/ directory and set the CHMOD of counter.txt and logfile_injects.txt to 666, this is only to log blocked requests
If you do not want writable files on your server, this hack works without logging too and you can skip this part.
at last install the CrackerTracker100-product.xml
Update
uninstall product of v100
reinstall new product of v101
Uninstall
uninstall the CrackerTracker100-product.xml
delete the /elog/ directory
Credits & Information
I have only ported this hack to a plugin.
The author of the hack is Cback from www.cback.de (http://www.cback.de)
The only restriction from Cback is the copyright in the footer.
(I hope my English was understandable :o )
History
10/03/06 Release 1.0.0
15/05/06 Release 1.0.1
new search patterns, and a handful of old ones replaced
small code modifications
15/05/06 Release 1.0.2
one typo in list (missing ",")
XtremeOffroad
03-10-2006, 08:57 PM
What does this do? Sorry, didn't quite understand.
Highendfreak
03-10-2006, 09:08 PM
This hack protects your board against people who want to '(cr)hack' your forum. Originally coded by CBack for phpBB and now ported to vB. One of the best hacks ever... ;)
phpBB has some problems with automated hacking attacks by bot scripts that find their victims via Google and send many requests to the board.
This script searches for a lot of request strings like '<script>' and kills the request, so the server has a little less load and a bad request can be blocked before it does any work.
It works in a similar way to the $_global handling of vB at the beginning of ini.php.
redlabour
03-10-2006, 09:43 PM
The best Hack from cBack in the whole phpBB World. Thx Onur - absolutely excellent work! :)
If anyone does not know cBack : http://www.community.cback.de/viewforum.php?f=52
@Onur - please edit a Link to cBack and the Title of this Hack to cBack CrackerTracker. And do not forget a link to vbhacks-germany etc. ;)
And sorry - but no one can understand your english description here. ;)
This is a complete security system for phpBB2 Forums. It protects against session cracks, floods, search overloads, worm attacks, BruteForce Attacks, Mass Mailing and much more to reduce Traffic and to protect Board and other MODs.
http://sourceforge.net/project/showfiles.php?group_id=154972
puertoblack2003
03-10-2006, 09:47 PM
OK, trying to understand: what this hack does is, if someone or something tries to hack your board, it will keep a log and then what, slow the server response or what????? :confused: :confused: :confused:
I mean, when an automated hacking script (Santy web worm) comes along and sends many requests to your board, this script stops the building and delivery of the requested page and so saves CPU time and traffic.
Some hacking requests have no chance of doing their work on patched boards, but you still get a lot of traffic.
Trigunflame
03-11-2006, 06:13 AM
What this guy's trying to say is that his "addition" to your forum will kill the script if it notices any potential "bad requests" being sent to the forum.
1. Most of these requests differ in "what they can do"; showing phpinfo() is not going to help anyone own your server.
2. vBulletin is not phpBB, and does not suffer from any of these problems to date.
3. If the request is being sent through a vbulletin php file they are not going to get executed anyway, this hack is Worthless on a Vbulletin Forum.
Motoman
03-11-2006, 10:44 AM
According to our phpBB specialist (on "my" board) :
Just a note about the CrackerTracker by CBACK.DE, some staff members of phpbb.com have looked at this mod and say there are some serious security problems, the automatic update-system is according to them unsafe. This is the stand-alone of that phpBB mod so I think you should look at this issue.
Edit: I don't know if this is ported version of the phpBB mod, my German isn't fluent. ;)
Will this hack have any negative effects on vB through the "automatic update-system" or was this problem fixed when you ported it?
Motoman
03-11-2006, 11:01 AM
Oops, I didn't see the edit note, but I'd still like to know if that "automatic update-system" will cause any trouble...
Marco van Herwaarden
03-11-2006, 11:16 AM
Just 2 pieces of advice:
- If you don't know what this does: Don't Install
- If you think vBulletin will be vulnerable to the same sort of attacks as phpBB, do install; otherwise don't.
I don't know if there is any need for this hack in vB, but the one thing you can gain from it is that you can see any hack attempts in the log.
OK, phpinfo() is blocked, but I don't think it is a good idea to share this info, except if you always have the latest version of PHP installed.
And it's true that the problems of another board system are not the same as vB's, but I have found that vB 3.0.4 and 3.0.5 were released because of some problems with Santy and other holes.
Only in a nice and wonderful world does everybody update their system and their boards just in time; this script can block the one hack attempt that would hack your site in the time between the release of the new version and when you have time to do the update ;)
And if any functions on your board get blocked, look at the log, find the part of the string that collided with the hack's definitions, and replace it.
And whether you were attacked without success recently, you can only see in your server's logs or, after a test period, in the log of this CT :)
XanTrax
03-11-2006, 02:01 PM
I think anyone that has a lot of hacks, mods, and extensions in should install this just to patch up any unnecessary holes in the mods they used.
buro9
03-12-2006, 03:08 PM
If you have your own server and want to spend a little time learning about how to configure mod_security for Apache, you can obtain peace of mind for all of the sites, forums and scripts you host.
That can be found over here:
http://www.modsecurity.org/
JakeS
03-12-2006, 04:33 PM
Nice, used to use this back in the day..
MyGamez
03-17-2006, 01:13 AM
This is a Great Addition For Security on my Board.
Thank You Very Much, Works Perfectly.
sandalwood
04-04-2006, 07:53 AM
this is fcking EXCELLENT, since mod-security is a handful and still not simple.
however, please make a version that skins the next time, so in other words make the error message on a normal vb page so it's still in the forum theme colors etc. at least use the css.. thank you
sandalwood
04-04-2006, 07:57 AM
can you PLEASE have it log a few things
1. whatever the vb variable for the currently logged in username is, LOG THE USERNAME PLEASE :) :)
2. log the date better, like YYYY-MM-DD, so it sorts chronologically. this has nothing to do with country format it is common sense for computer sorting purpose, left to right. 2006-04-03 .. and have that be the first column
... see number 1 actually thats the main thing
so you know if someone was logged, then know who they were
Devil Woman
04-16-2006, 07:49 AM
I have added this to my forum; all seems to be working OK, or at least I think so. Where exactly do I find the logs of attacks?
Thanks
@sandalwood
1. No, there is no user info available on this hook.
2. This is possible in the next release.
@Devil Woman
*your forum*/elog/logfile_injects.txt (last 100 logs)
*your forum*/elog/counter.txt (count of all attacks)
Devil Woman
04-17-2006, 07:30 AM
Thankyou :)
H@K@N
04-20-2006, 08:38 PM
I get a Security Alert if I use vBadvanced CMPS and try to add a Module.
The Link is following:
http://www.domain.com/admincp/vba_cmps_admin.php?do=addmodule&type=php_file
What should i change, to let the System add Modules ?
th@nks
sandalwood
04-26-2006, 04:05 PM
@sandalwood
1. No, there is no user info available on this hook.
2. This is possible in the next release.
ok i understand, thats too bad. though the ip address is known, and only one user will have been logged in using that ip address at that time, so perhaps you can somehow set another hook later so WHEN we do know the username, you can have a little check in there that will record it to file.
i know this would only matter for attacks from users, and that many attacks are not even from users, or from people who never log in. but some are :)
when the incident happens, record what we know, perhaps with ip address, and the set a variable like "intrusion_detected = 1" sort of thing. then in a separate hook at some point where we know the user logged in and we have username, check that variable, and if intrusion_detected is set, then record their username/ip to the file, so that way we can cross-reference it or something.
isn't there some kind of global variable that can be used? how does that work.
also, even if you can't do the second part, why not record the IP address at least. that way we can manually cross reference it, just search for the ip in the admin console and that will show us what user(s) have used that ip.
thanks :)
ps. this has never tripped for me except in testing. i guess most attacks are not in the URL part but in post string.
SweetHome
04-27-2006, 09:51 PM
Hi
Onur, we have heard that this add-on blocks attacks.
This hack blocks many dangerous scripts used for hacking forums, and it blocks them before they even reach the database.
So it is a very good protection method that prevents both the server being kept busy unnecessarily and many dangerous scripts crashing your database.
A friend opened a thread like this on vB Türkiye; I would be glad if you could help and give a Turkish explanation of what it does.
Good luck with your work.
Webdude?
05-13-2006, 11:57 PM
https://vborg.vbsupport.ru/showthread.php?threadid=115351
CrackerTracker is blocking this plugin... how do I allow the linked plugin?
What block string was displayed? Or look into /elog/logfile_injects.txt and post the list of strings, so I can find the request that was blocked.
Webdude?
05-14-2006, 01:07 PM
1147567050,130506,24.182.112.118,u=17&admin_log_in_as_user=17,Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
Version 1.0.1 added
Some small changes, and the search patterns are now compatible with some hacks (I hope *g*).
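The log line posted above has five comma-separated fields: Unix time, a ddmmyy date, client IP, the blocked query string and the user agent. As an added example (not part of the thread and not CrackerTracker's code), this Python script re-reads such a log with a sortable YYYY-MM-DD timestamp first, counts hits per IP, and shows which pattern a blocked request collided with. It assumes the user agent contains no comma and uses a hypothetical three-entry pattern list built from strings the thread names as blocked; every log line except the first is constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# Hypothetical pattern list: only strings this thread names as blocked.
# The product's real definition list is not shown on the page.
PATTERNS = ["<script", "phpinfo(", "fopen"]

# First entry is the line posted in the thread; the rest are constructed
# samples (203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = [
    "1147567050,130506,24.182.112.118,u=17&admin_log_in_as_user=17,"
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)",
    "1147570000,140506,203.0.113.9,do=search&query=fopen+tutorial,ExampleBrowser/1.0",
    "1147560000,130506,203.0.113.9,page=<script>x</script>,ExampleBot/0.1",
    "not a log line",
]

def parse_line(line):
    """Parse one 'epoch,ddmmyy,ip,query,user_agent' line; None if malformed."""
    parts = line.rstrip("\n").split(",", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    epoch, _ddmmyy, ip, rest = parts
    # Assumption: the user agent holds no comma, so the last comma ends the
    # query string (the query string itself may contain commas).
    query, sep, agent = rest.rpartition(",")
    if not sep:
        return None
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"when": when.strftime("%Y-%m-%d %H:%M:%S"), "ip": ip,
            "query": query, "agent": agent}

def matched_patterns(query):
    """Entries of PATTERNS found in the query (case-insensitive substring)."""
    lowered = query.lower()
    return [p for p in PATTERNS if p in lowered]

def triage(lines):
    """Return (records sorted by time, hits per IP, number of bad lines)."""
    records, bad = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            bad += 1
            continue
        rec["patterns"] = matched_patterns(rec["query"])
        records.append(rec)
    records.sort(key=lambda r: r["when"])
    return records, Counter(r["ip"] for r in records), bad

if __name__ == "__main__":
    records, per_ip, bad = triage(SAMPLE_LOG)
    for r in records:
        hit = ", ".join(r["patterns"]) or "no listed pattern"
        print(f'{r["when"]}  {r["ip"]:<15}  [{hit}]  {r["query"]}')
    print(dict(per_ip), "unparseable lines:", bad)
```

A record with an empty pattern list, as happens here for the thread's own line, means the real definition list contains an entry that the three assumed ones do not cover.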
Lover1
05-15-2006, 08:35 PM
I did install that and i got this, when entering the ACP:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /xxx/xxx/htdocs/board/includes/init.php(292) : eval()'d code on line 34
:cross-eyed:
There is NOW no possibility to uninstall that, because i cant enter the acp.
Can you help me with that, please?
redlabour
05-15-2006, 09:16 PM
Above the forum and portal it now also says:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /poltbofu/www.politikstube.de/forum/includes/init.php(292) : eval()'d code on line 81
NiTRoN
05-15-2006, 09:18 PM
I'm getting the same error as Lover1.. now I can't get into ACP.. wtf..
EDIT: 25 min later - I fixed mine.. but it involved a full restore and dumping the whole database and restoring from a .sql backup dump file.. Not a pleasant experience
rolliet
05-16-2006, 01:08 AM
same thing here and have no access to my Admin CP. What do we do now???
NiTRoN
05-16-2006, 02:13 AM
I'm guessing you will have to manually edit the sql database table to disable the plugin.. hmn.. now just gotta find out how or where the setting is.. cause a site restore alone didn't fix it for me.. it gave me more errors.. so the settings are in sql tables..
Run the SQL query below to disable the product (if your prefix is other than vbulletin, change the table name to prefix_product in the code below)
UPDATE `vbulletin_product` SET `active` = '0' WHERE `productid` = 'c_ct_v1' LIMIT 1 ;
then u should be able to remove/uninstall it
let me know if it works.......
rolliet
05-16-2006, 02:56 AM
I ended up doing an empty and restore on my database. Everything worked fine but lost everything from midnight last. Have gone in and uninstalled product.
Thanks for the help though and hope it helps some out there.
redlabour
05-16-2006, 06:10 AM
Works now - but :
It is unable to overwrite the old version - that means it is going to be installed twice !!!
Please uninstall V1.0 and then (!) install the new one.
No double install:
first uninstall the v1.00 product and then install the new 1.0.2, but you do not have to upload the elog folders for an update.
Do not install it twice; because the product ID changed, the old version is not overwritten, but this is a one-time thing.
Lover1
05-16-2006, 07:17 AM
I did uninstall the v1.0.0 and got that error. is that fixed with 1.0.2? I solved that error with restoring from a sql backup.
kabadayi
05-16-2006, 09:30 AM
vbulletin flood guard
sensimilla
05-29-2006, 07:45 AM
After uninstalling it the footer remains changed..
How do I remove
Protected by CBACK.de CrackerTracker
from the footer safely ?
Uninstall the CT product in the product manager and the plugin is replaced with the copyright; if you have installed the plugin cache (another hack here on the board), you have to regenerate the plugin cache too.
To check whether the product is really uninstalled (only the 1 hook with code), open
your-board.tld/index.php?fopen
If no message appears, the CT is uninstalled.
Zachery
05-29-2006, 08:33 AM
Please keep your posts in english.
sensimilla
05-29-2006, 12:23 PM
I get this message..
- th SECURITY ALERT -
The Board Security System has detected, that you wanted to bring bad
Code to this Forum or you have tried to exploit something here or maybe
another attack linke this.
This attempt was blocked and we logged all information about this.
If you see this message after including a new MOD to your Forum or if
you have reached this site over a normal Forum Link, please contact
the Board Administrator to fix this Problem.
CBACK CrackerTracker
and the product is uninstalled...
Please keep your posts in english.
i can try to use google for translations :banana:
@sensimilla
That's what I mean: it is not uninstalled.
Is it possible that you use this hack, Plugin Accelerator (https://vborg.vbsupport.ru/showthread.php?t=107315)?
There the plugins are hard-coded in the board files; after any change to the plugins you have to rebuild the whole plugin cache (it is an option near the plugin section in the ACP).
sensimilla
05-29-2006, 01:36 PM
True, Onur, I have Plugin Accelerator installed, but I did run the rebuilding tool
and the footer is still there...
I will try again...
edit: ok I managed on my own thanks
redlabour
06-08-2006, 04:05 PM
Will it work in the Future with vBulletin 3.6 (http://www.vbulletin.com/forum/showthread.php?t=187654) ?
i have seen no problem with 3.6 B1
Zachery
06-09-2006, 08:25 AM
It's still totally silly to use this.
serhat_kk
06-10-2006, 03:57 AM
vB Version: 3.5.4 is secure enough. You don't need these empty codes...
php-junkie
06-23-2006, 09:32 PM
vBulletin is pretty solid and I don't have much fear of my site being hacked. What I do fear is installing "third party" plugins that could leave my site wide open for attack.
For example, I've seen a lot of people request a hack similar to vBulletin's bug tracker. The answer was vBug Tracker (https://vborg.vbsupport.ru/showthread.php?t=96888&highlight=vbug+tracker) that has a known security hole (http://pridels.blogspot.com/2006/04/vbug-tracker-for-vbulletin-35x-xss.html) since April of 2006 and it has yet to be updated by the author.
It is third party plugins that make vBulletin vulnerable and as a rule of thumb I always question the reputation of the developer.
Dark_D
06-23-2006, 10:41 PM
Installed, but are you supposed to see options in the admincp? I see nothing outside of it having been installed.
Barakat
07-19-2006, 09:21 PM
It's still totally silly to use this.
Can you explain that!! I tried to hack my site with some codes, but this product prevented me from doing that, and it's working well on 3.0.6.
Zachery
07-20-2006, 05:08 PM
Well you wouldn't be able to exploit anything if you just kept up to date ;)
redlabour
08-12-2006, 02:23 PM
@Onur - so why not move this Thread to 3.6 Section ? ;)
deLi_kurT
04-09-2008, 10:44 AM
Thanks Onur
I am using this when I am using phpBB. This is really helpful and makes the site more secure.
Anyone have used this on 3.7.x? :)
tested working with 3.7.x
thanks! :)
Zachery
06-14-2008, 04:19 PM
Again, as explained, this is a fairly useless hack for vBulletin.
dtv100
06-30-2008, 11:04 AM
anyone having problem using this and other hacks?
is this working with 3.7.2?
Boofo
06-30-2008, 11:25 AM
Again, as explained, this is a fairly useless hack for vBulletin.
I agree. ;)
dtv100
06-30-2008, 03:12 PM
I agree. ;)
It is good to get a warning from you guys.
But the question I have is a different one; if anyone has an answer for this, please let me know.
https://vborg.vbsupport.ru/showpost.php?p=1562897&postcount=58
thanks
vBulletin might be safe, but what if you have other mods which are vulnerable? This could help.
and yeah it works with 3.8
Dr.LoVe
08-02-2009, 06:20 PM
Is there any update or new product of this?
Because this is the product that has proved itself the most.
Can I know if there is any news about it????
firattetik
06-12-2011, 03:25 PM
nice thanks
firattetik
06-12-2011, 03:30 PM
Hi
Onur, we have heard that this add-on blocks attacks.
This hack blocks many dangerous scripts used for hacking forums, and it blocks them before they even reach the database.
So it is a very good protection method that prevents both the server being kept busy unnecessarily and many dangerous scripts crashing your database.
A friend opened a thread like this on vB Türkiye; I would be glad if you could help and give a Turkish explanation of what it does.
Good luck with your work.
Hi
Hello, I get a database error when opening a thread. What should I do? Can
anyone help?
Thanks in advance.
BirdOPrey5
06-12-2011, 03:45 PM
Please be aware this forum is English only. Please do not make posts in any other language.
Thank You.