my vB forums have been hacked - help


blakespot
03-19-2007, 08:01 PM
I am running vB 3.5.2 on Linux (with a patch from 3.5.3 I believe). Yes, I need to upgrade.

Was hacked: -removed-

Can you make suggestions to start? Thanks. No new users listed in the administrator with admin rights, but there is a suspicious high-ID entry in table VBADMINISTRATOR.




blakespot

Look at source for page now - last line:


<table cellpadding="0" cellspacing="0" border="0">
<tr valign="bottom">
<td><a href="#" onclick="history.back(1); return false;"><img src="iSkin/misc/navbits_start.gif" alt="Go Back" border="0" /></a></td>
<td>&nbsp;</td>
<td width="100%"><span class="navbar"><a href="index.php?" accesskey="1">iPod Hacks Forums</a></span>
<span class="navbar">&gt; <a href="forumdisplay.php?f=1"><meta http-equiv='refresh' content='0; url=http://www.enyenimix.com/hacked.html'></a></span>


Where is that loaded from?



blakespot

nexialys
03-19-2007, 08:11 PM
someone edited your forum title and replaced the text with a redirect...

that's the one thing you have to edit.. the forumid #10.. change its title.

blakespot
03-19-2007, 08:32 PM
> someone edited your forum title and replaced the text with a redirect...
>
> that's the one thing you have to edit.. the forumid #10.. change its title.

Ya I found that a few mins ago. But how did they do it? Did someone feed a URL to the system that exploited a hole? I have 2 moderators but I don't think they have forum name change rights. No other admins. No way someone just guessed my password.

Thoughts? Thanks.




blakespot

nexialys
03-19-2007, 08:42 PM
this is what we call an exploit... ;)

blakespot
03-19-2007, 08:42 PM
Also, I changed them back in the VBFORUM table, but the page still renders with the redirects as the forum titles?! Is there some cache mechanism I must flush? Thanks.

blakespot

nexialys
03-19-2007, 08:50 PM
you have to edit it from the admincp, not the database... and to be sure, post a new thread in that forum so the cache is updated there too.. :)

blakespot
03-19-2007, 08:59 PM
I can't edit it from the adminCP - the frame redirects to the hack site, as it renders the title as HTML, forcing a redirect... Can I not flush the cache another way? I've changed the names in the DB. Thanks.

Will buy and upgrade to latest tonight... If I can get this clean first.

blakespot

Adrian Schneider
03-19-2007, 09:08 PM
I would be more worried about how they edited the forum title in the first place...

Go into your database and remove the redirect, and then go into ACP > Maintenance > Update Counters > Rebuild Forum Information.
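
A read-only audit of stored forum titles for the kind of markup described in this thread, plus the output encoding that would make such a title display as text. This is an added example, not part of the original posts and not vBulletin code; the rows are constructed sample data standing in for an export of the forum table as (forumid, title), and all function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample rows (forumid, title); not data from the thread.
SAMPLE_ROWS = [
    (1, "General Discussion"),
    (2, "Mods & Firmware"),
    (10, "<meta http-equiv='refresh' content='0; url=http://example.invalid/x.html'>"),
    (11, "<b>Announcements</b>"),
]

# Tags that load, run or navigate without the visitor clicking anything.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "link", "form"}

class TagCollector(HTMLParser):
    """Collects every start tag (with its attributes) found in a string."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def audit_title(title):
    """Return a list of findings for one stored title (empty list = clean)."""
    collector = TagCollector()
    collector.feed(title)
    collector.close()
    findings = []
    for tag, attrs in collector.tags:
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            findings.append("meta refresh: " + (attrs.get("content") or ""))
        elif tag in ACTIVE_TAGS or any(name.startswith("on") for name in attrs):
            findings.append("active markup: <%s>" % tag)
        else:
            findings.append("markup: <%s>" % tag)
    return findings

def audit_rows(rows):
    """Map forumid -> findings for every title that contains markup."""
    return {fid: f for fid, title in rows if (f := audit_title(title))}

def render_title(title):
    """Encode a title for HTML output so stored markup displays as text."""
    return html.escape(title, quote=True)
```

Titles flagged by `audit_rows` are the rows to clean in the database before rebuilding the forum information cache.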

blakespot
03-19-2007, 09:22 PM
Thanks - I'll update tonight.

blakespot

blakespot
03-21-2007, 01:57 PM
Upgraded to 3.6.5. Hopefully that exploit was addressed. I see reports of a Calendar vulnerability of that sort, but can't find reference to a forum-title vulnerability...

blakespot

XXP
03-21-2007, 02:54 PM
> ....Hopefully that exploit was addressed. I see reports of a Calendar vulnerability of that sort, but can't find reference to a forum-title vulnerability...


Did you ever find out what the exploit actually is? And if you found that, did you find out if it actually has or has not been addressed with a patch or otherwise?

Thanks.

blakespot
03-21-2007, 03:05 PM
Posted details about the hacker here...

http://www.vbulletin.com/forum/showthread.php?t=224204

I was unable to determine the nature of the exploit other than the fact that somehow the user was able to edit data in the FORUMS table. I did a search in my Apache logs for a URL that contained part of the forum title he changed them to, but found nothing. Nothing odd in the vB admin logs either.




blakespot