This is my first mod for vBulletin and I have tried to make it as better as I could.

Click Install If You Use it!! (https://vborg.vbsupport.ru/vborg_miscactions.php?do=installhack&threadid=196791)

What is vBFirewall?
Its a PHP script which blocks all kinds of attacks on your vBulletin Forum! Like: URL Poisoning, Remote File Inclusion, SQL Injection, XSS and other kinds of attacks.

I have tested each and every function of this mod before releasing it and have used it myself for 1 month

It has a attacker logger, which logs the IP and many details of the attacker so that you can reach him :)

This is still in beta version and I will add more features in it to make your vBulletin more secure :D Suggestions are always welcome.


How to install?

1) Go to Admin and Import the xml file product-firewall_vb_rs.xml using the plugin manager.
2) Keep an eye on the log file which can be found here: www.yourvbforumurl.com/logfile_worms.txt (This file will only be created when a attack occour)
3) Your website is now secure from hackers :)



Thanks

Reserved For Future! :)

Thanks for this mod ;)
I sent you a pm last week :'(

Thanks for this mod ;)
I sent you a pm last week :'(

Replied, Sorry for late reply..:cool:

does this really work?

Do you will phrase the mail for a next version?

does this really work?
Yea, test yourself :P

Do you will phrase the mail for a next version?
Yes, within a day or two I will add more features.

OK, so I wait ;)

Guys, Test it and lemme know if you have any suggestion for future version :)

Sounds very interesting, different and a real asset to have! I'll wait and see how this goes... :)

Great man.. I will test

I was hacked more or less 10 times this year... NOW LET MET TRY THIS.

Thank you so much in advanced.

Aprrciated Thankyou :up:

My path of the Forum www.7lanet.com/vb
Do I make file logfile_worms.txt in the folder of (vb)
Do give file logfile_worms.txt the license logfile_worms.txt 666

works for 3.7 too :confused: ?

Looks very interesting. Gonna keep an eye on this one :D

*tagged*

Looks nice, I´ll wait for the phrased version though.

sound very good ... does it work on 3.6.8?

does this work with 3.7?
will this slow down server or forum?

does this work with 3.7?
will this slow down server or forum?


X2 Im using 3.7.2 SP2

My path of the Forum www.7lanet.com/vb
Do I make file logfile_worms.txt in the folder of (vb)
Do give file logfile_worms.txt the license logfile_worms.txt 666
When a attack occours it will be created itself.

works for 3.7 too :confused: ?
All Versions

sound very good ... does it work on 3.6.8?
Yes, all versions

does this work with 3.7?
will this slow down server or forum?
Yes, and it doesnt slow down the forum

OK i get a error when click to check subscriptions:



1||1227227664||xx.xx.xxx.xx||do=find&subscriptionid=5&status=1||http://www.mydomain.com/forums/admincp/subscriptions.php?do=modify||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)

OK i get a error when click to check subscriptions:



1||1227227664||xx.xx.xxx.xx||do=find&subscriptionid=5&status=1||http://www.mydomain.com/forums/admincp/subscriptions.php?do=modify||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
PM me the plugin you are using, I will check it out

Check subscriptions errors for me as well.

I do not understand what this log to say, please help me to understand it:

1||1227218866||189.110.83.180||do=viewsubscription ||http://www.xxxxxxxx.net/profile.php?do=editprofilepic||Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/2.0.0.14;MEGAUPLOAD 1.0

1||1227218871||189.110.83.180||do=viewsubscription&daysprune=-1&folderid=all||http://www.xxxxxxxx.net/profile.php?do=editprofilepic||Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/2.0.0.14;MEGAUPLOAD 1.0

i tried that hack and support it , in the past ,,,,,,,,,,

https://vborg.vbsupport.ru/showthread.php?t=110030


P.S Befor secureing your Vbulletin you need to know on What SErVer you are running your fourm or scripts ,

coz what ever your old vbulletin where haveing some security holes ,,,, the server security will prevent all the attempt what ever it was .,

So this hack just filters query input through an array of known hacker attacks phrases. How can you be sure your array is complete or that "attack" isn't a legitimate request? I don't see any checks, just a blanket replace ?

vbulletin might not need this but I need this in my other mods which may or might be attacked by hackers

Nominated for MOTM.

Thanks,
Do I need change CHMOD 777 of Root Directory?

I have also the mistake with the subscriptions... please correct it ! :(

Mark as installed :)

I also get an Error when I will open a Thread which I had looking for...

Sorry but I deinstall it ! unuseable !

In the next release these problems will be solved. :)

Thanks I will install on my test forum

looks good. nominated

Ownage! Thanks mate
This deserves a Exelent rating and a MOTM Nomination :)

I'm so scared of being hacked

Wow this is a great mod for vBulletin my defense manager will be very please with this addition. Will begin testing immediately with my defense manager.

Thanks and nominated for MOTM

In the next release these problems will be solved. :)

Any ETA on the next release invisiblea?

Good mod, fantastic idea, however the subscription issue is something of a show stopper. So I decided to look into it.

The reason the "firewall" kicks in on the subscription page is that one of the security rules is 'script', and quiet rightly so. However due to the checking method used, the firewall kicks in when it sees:

do=viewsubscription

Notice the bold/underlined part

The good news is that this can be resolved, but it is a hack to the mod. The following instructions explain what needs to be done, if you want to implement it then I strongly recommend first testing it on an test server. Hopefully this will help the mod dev makes this mod one of the best available here:

Right, you need to goto:

ACP -> Plugins & Products -> Plugin Manager

Once there look for the entries for "Product : vBFirewall", this should only have one plugin called 'vBFirewall' which uses the 'init_startup' plugin. Click edit

Copy all the text in 'Plugin PHP Code' into notepad.

Now follow these steps:


Find the line that reads:

'st=-', 'cat%20', 'include', '_path=');

On a new line immediately after this paste in:

$securityexclusions = array(
'do=viewsubscription'
);

Find the line that reads:

$cracker = strtolower($cracker);

On a new line immediately after this paste in:

$cracker= str_replace($securityexclusions, '', $cracker);


Once done, copy all the edited text in notepad back into the 'Plugin PHP Code' in ACP, then click save

What this is actually doing is creating an extendible security rule exclusion list, so if any other VB queries string invoke the vbFirewall you can add another exclusion.

IMPORTANT : I have only run this on a basic test server I have, do not try this unless you are absolutely comfortable with plugins/php etc.

A here are some suggestions for the next version:


Rather than add the logs to a flat file on the server store this in the DB and then create an ACP page to view/search/manage logs
Add option to send a PM or Email or both
If a specific IP invokes the firewall more than X times in Y seconds/minutes auto place this IP on the vBulletin ban list.
If a specific IP can be associated to an actual forum user account auto ban that user.


One other teeny weeny little thing, you need to mention that this is based on the GPL licensed code found here : http://www.cback.de/cback_software/standalonect.php ;)

EDIT: Later in this thread I have posted an additional fix for vbAnonymizer users

Those suggestions are great especially the auto ban and the view in the admin panel. Hope he adds them and checks those exceptions out.

I'll take a look on this mod for sure. Sounds pretty interesting.

another error i get is when send activation codes:

ried to send a member the activation codes got this
1||1227298680||72.xxxxx.xxx||do=requestemail&email=bigcoltguns%40yahoo.com&url=http%3A%2F%2Fwww.domain.com%2Fforums%2Fadmincp %2Fuser.php%3Fdo%3Dedit%26u%3D8531||http://www.domain.com/forums/admincp/user.php?do=edit&u=8531||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4Error Opening Logfile.

Im getting the subscription error too.

Im getting the subscription error too.

did you look above before posting????

Good mod, fantastic idea, however the subscription issue is something of a show stopper. So I decided to look into it.

The reason the "firewall" quick in on the subscription page is that one of the security rules is 'script', and quiet rightly so. However due to the checking method used the firewall kicks in when it sees:

do=viewsubscription

Notice the bold/underlined part

The good news is that this can be resolved, but it is a hack to the mod. The following instructions explain what needs to be done, if you want to implement it then I strongly recommend first testing it on an test server. Hopefully this will help the mod dev makes this mod one of the best available here:

Right, you need to goto:

ACP -> Plugins & Products -> Plugin Manager

Once there look for the entries for "Product : vBFirewall", this should only have one plugin called 'vBFirewall' which uses the 'init_startup' plugin. Click edit

Copy all the text in 'Plugin PHP Code' into notepad.

Now follow these steps:


Find the line that reads:

'st=-', 'cat%20', 'include', '_path=');

On a new line immediately after this paste in:

$securityexclusions = array(
'do=viewsubscription'
);

Find the line that reads:

$cracker = strtolower($cracker);

On a new line immediately after this paste in:

$cracker= str_replace($securityexclusions, '', $cracker);


Once done, copy all the edited text in notepad back into the 'Plugin PHP Code' in ACP, then click save

What this is actually doing is creating an extendible security rule exclusion list, so if any other VB queries string invoke the vbFirewall you can add another exclusion.

IMPORTANT : I have only run this on a basic test server I have, do not try this unless you are absolutely comfortable with plugins/php etc.

A here are some suggestions for the next version:


Rather than add the logs to a flat file on the server store this in the DB and then create an ACP page to view/search/manage logs
Add option to send a PM or Email or both
If a specific IP invokes the firewall more than X times in Y seconds/minutes auto place this IP on the vBulletin ban list.
If a specific IP can be associated to an actual forum user account auto ban that user.


One other teeny weeny little thing, you need to mention that this is based on the GPL licensed code found here : http://www.cback.de/cback_software/standalonect.php ;)

Sorry to be so blunt but up top lol ^

THANKS to Invisiblea and MrEyes ;)

did you look above before posting????



Sorry to be so blunt but up top lol ^

THANKS to Invisiblea and MrEyes ;)

I have to check my glasses.

This might have great potential. I will tag this for now.

I have to check my glasses.

lol... well we all do sometimes that's why I included the a-hole disclaimer notation in there rofl ;)

:D S-MAN

i try used this with Version 3.7
but hake vbAnonymizer

And also used vbAnonymizer
But at the entry of any link
1||1227332433||82.114.188.37||url=http%3A%2F%2Fmov ies.yahoo.com%2Fmovie%2F1809824029%2Fdetails||http ://www.7lanet.com/vb/t36059.html||Mozilla/5.0 (Windows; U; Windows NT 5.0; ar; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18Error Opening Logfile.

i try used this with Version 3.7
but hake vbAnonymizer

And also used vbAnonymizer
But at the entry of any link

wow that why lol that happen to me to

i try used this with Version 3.7
but hake vbAnonymizer

And also used vbAnonymizer
But at the entry of any link

Same here.

1||1227377861||XXX.XXX.XXX.XXX||url=http%3A%2F%2Fn ews.bbc.co.uk%2Fgo%2Frss%2F-%2F2%2Fhi%2Famericas%2F7743842.stm||http://www.blahblah.com/forum/showthread.php?p=blahblahh#post314405||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; WWTClient2)Error Opening Logfile.

i try used this with Version 3.7
but hake vbAnonymizer

And also used vbAnonymizer
But at the entry of any link

Same here.

If you have applied the fix I mentioned earlier you can fix this by using the following exclusions:

$securityexclusions = array(
'do=viewsubscription',
'=http'
);

However this mean that you have switched off one of the actual checks and people will be able to pass urls as querystrings. This being said there are alot of mods out there that use this sort of thing and not many hacks that can abuse it. Your call.

There are better solutions, but this would need the entire mod to be reworked. For example the ability to set an exclusion at a page level. So you could exclude viewsubscription for misc.php but not payments.php, and http for redirector.php (vbAnonymizer mod)

another error i get is when send activation codes:

ried to send a member the activation codes got this

This could probably also be fixed by exclusions

If you have applied the fix I mentioned earlier you can fix this by using the following exclusions:

$securityexclusions = array(
'do=viewsubscription',
'=http'
);

However this mean that you have switched off one of the actual checks and people will be able to pass urls as querystrings. This being said there are alot of mods out there that use this sort of thing and not many hacks that can abuse it. Your call.

There are better solutions, but this would need the entire mod to be reworked.

any way to make it that user group 6 is ignore by firewall ?

any way to make it that user group 6 is ignore by firewall ?

Yes, but I think I have gone to far already with the mod hacks and I don't want to be accused of show stealing, so I will leave that as a suggestion for the mod author.

However if the author doesn't want to or isn't able to make these changes I am more than happy to take this mod on, it is a great idea and it would be a real shame to see it die.

I am working on the new version, Just give me a day or 2 more
I will update you guys once I am done with the new version :)

Excluding =http will make this mod useless :P

If you have applied the fix I mentioned earlier you can fix this by using the following exclusions:

$securityexclusions = array(
'do=viewsubscription',
'=http'
);

However this mean that you have switched off one of the actual checks and people will be able to pass urls as querystrings. This being said there are alot of mods out there that use this sort of thing and not many hacks that can abuse it. Your call.

There are better solutions, but this would need the entire mod to be reworked. For example the ability to set an exclusion at a page level. So you could exclude viewsubscription for misc.php but not payments.php, and http for redirector.php (vbAnonymizer mod)



This could probably also be fixed by exclusions

how uesd this
$securityexclusions = array(
'do=viewsubscription',
'=http'
);

Hi thanks for this hack, love it.

I have found one issue where I try to create a new page in vba cmps the "[PHP File Page]" process gets blocked and I am unable to create a php page. Just had to turn it off to get through ;)

Question I have thisinstalled on my test server at home and I wasnt able to change the cookie settinsg to my forum it shows access denied you`ve been logged! and whne I check the txt file it shows a log of me trying to access the cookies part of vbotions.

nominated! Waiting for next (stabil) version and a paypal link 4 donation. :)
thx!

is a nice mod, but i will wait for new updates.. since i get erros when i use vbanonymiser and "Search in Templates"

hi, hoping for new updates... :)

Hopefully today a stable version will be out!

we waiting ..

Sorry, had to un-install until I can work around the issue but this errors out on our Award and Ranks Mod when using the One-Click URL Self Thread Approval :(

Just a heads up for YAAS & YARS Users.

S-MAN

there is conflict between this hack and vbAnonymizer hack so i can't redirect my URL to Redirector page. please fix this to be able to use vbAnonymizer hack its very good and enhanced my page view also its give me a good back links for my forum so i can't stop working with it.

<a href="http://www.mydomain.com/forums/logfile_worms.txt" target="_blank">www.mydomain.com/forums/logfile_worms.txt</a>

Would be accessible by everyone? maybe change that, yeah?

Due to few setbacks I wasnt able to release new version, I am currently working on those setbacks and will get to your guys ASAP

This might have great potential. I will tag this for now.

Maybe you should have installed it..did you? Looks like you got hacked? :(

I's ok as long as it works in the end thats all that matters.

Uh-oh.

I just installed this. And I just receiveed the following email from the add-on:

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
Psychlinks Psychology Self-Help & Mental Health Support Forum

Report:
============================

1||1227840042||66.249.71.212||tag=prescription|||| Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

============================

Blocking Googlebot can't be good. I've disabled the add-on for now. Any suggestions?

do you think this would work for 3.7.4? too I know its for 3.8

Uh-oh.

I just installed this. And I just receiveed the following email from the add-on:



Blocking Googlebot can't be good. I've disabled the add-on for now. Any suggestions?
What Mod is it?

do you think this would work for 3.7.4? too I know its for 3.8

Yes, It works for all versions

mmmm
I always tought vbulletin was 100% secure :erm:

Uh-oh.

I just installed this. And I just receiveed the following email from the add-on:



Blocking Googlebot can't be good. I've disabled the add-on for now. Any suggestions?

What Mod is it?


This one. vBFirewall 1.0.

This one. vBFirewall 1.0.
can you tell me all steps you used to generate that error?

i try used this with Version 3.7
but hake vbAnonymizer

And also used vbAnonymizer
But at the entry of any link

1||1227332433||82.114.188.37||url=http%3A%2F%2Fmov ies.yahoo.com%2Fmovie%2F180982 4029%2Fdetails||http://www.7lanet.com/vb/t36059.html||Mozilla/5.0 (Windows; U; Windows NT 5.0; ar; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18Error Opening Logfile.

I think solution for this is just like the popular firewall for windows is to bypass the modification whom you think is safe and will not make harm to the site.

can you tell me all steps you used to generate that error?

There were no steps. I installed the add-on which completed successfully. A few minutes later, it generated the email I quoted above saying that it had blocked googlebot as a hack attempt.

OK. I re-enabled this add-on. This time I received the following two emails:

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
Psychlinks Psychology Self-Help & Mental Health Support Forum

Report:
============================

1||1227922526||74.6.8.105||id=13&forumid=40&script=showthread||||Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

============================

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
Psychlinks Psychology Self-Help & Mental Health Support Forum

Report:
============================

1||1227923147||74.6.8.105||id=2&forumid=44&script=showthread||||Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

============================

So it appears there's a problem with this add-on: It's blocking spiders, which isn't something most of us want to do.

Disabled again.

I tested this plugin on a very active forum for 1 month didnt made any problem, I would like to check this out for you..On it

OK. I re-enabled this add-on. This time I received the following two emails:





So it appears there's a problem with this add-on: It's blocking spiders, which isn't something most of us want to do.

Disabled again.

Thanks. :)

1||1227923147||74.6.8.105||id=2&forumid=44&script=showthread||||Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

I tested this plugin on a very active forum for 1 month didnt made any problem, I would like to check this out for you..On it

If the mod is the same as it was before the reason this trigger occurs is this part of the query string:

script=showthread

"script" is one of the trigger words as this can be used to pass javascript on a querystring. So this causes the "firewall" to block and create the email.

I am getting false positives as well

Report:
============================

1||1228080110||70.117.163.62||do=viewsubscription&folderid=all||http://forums.thephins.com/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

I have had very little issue with this firewall so far, I may have to turn it off while in admin CP to access one or 2 things but nothing that has caused any issue.

Today I was looking at my logs and the firewall has blocked some very real attacks on my site from bots:

Report:
============================

1||1227884548||85.25.148.136||mod=http://www.mykr.net/bbs/id.txt?||||libwww-perl/5.805

============================


Info on this bot can be found here. (http://www.ivorde.ro/libwwwperl5805_User_agent_bot_visited_my_website-28.html)

Thanks again for the firewall keep up the good work ;)

I have had very little issue with this firewall so far, I may have to turn it off while in admin CP to access one or 2 things but nothing that has caused any issue.
I have it running without issues on 374pl1. What are those things you refere to need the firewall disabled?

Cheers. :)

Edit: I was mistaken, thread subscription fails, interpetted as a hack attempt.

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
SeriousCrunchers.Net

Report:
============================

||do=addsubscription&t=261||

This addon just base on the keywords list which define in the plugin, so it may lead to wrong detection too. Just look in the code you will the all the list, such as:
"c99shell.php', 'shell.php', 'cmd.php','r57.php?phpinfo', 'r57.php?phpini', 'r57.php?cpu', 'r57.php?'
So if you have your php code file name as these above list then you could not run :D . Any if a hacker read this, they 'll modified their backdoor to another filename such as "a.php" then this script is .. useless.

I'm on 3.7 but got two of these emails:
Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
4x4 Mecca

Report:
============================

1||1228765395||83.233.30.77||flipped=http%3A%2F%2F sites.google.com%2Fsite%2Forileyautopartsrludohn%2 Fnys-ogs--restoration-nys-ogs+nys+ogs%0D%0Ahttp%3A%2F%2Fsites.google.com%2Fs ite%2Forileyautopartsrludohn%2Fnys-senate---senate-majority-leader---senate-reports-nys-senate+nys+senate%0D%0Ahttp%3A%2F%2Fsites.google.c om%2Fsite%2Forileyautopartsrludohn%2Fnysdoc-correctional-facilities-nysdoc+nysdoc%0D%0Ahttp%3A%2F%2Fsites.google.com%2 Fsite%2Forileyautopartsrludohn%2Fnyship----health-insurance-nyship+nyship%0D%0Ahttp%3A%2F%2Fsites.google.com%2 Fsite%2Forileyautopartsrludohn%2Fnyy-yankee-stadium-steiner-sports-nyy+nyy%0D%0Ahttp%3A%2F%2Fsites.google.com%2Fsite% 2Forileyautopartsrludohn%2Fnz-lotto-results--auckland--nz-lotto-results-nz-nz-lotto-results+nz+lotto+results%0D%0Ahttp%3A%2F%2Fsites.g oogle.com%2Fsite%2Forileyautopartsrludohn%2Fo-riley-auto-parts-after-market-auto-parts-o-riley-auto-parts+o+riley+auto+parts%0D%0Ahttp%3A%2F%2Fsites.g oogle.com%2Fsite%2Forileyautopartsrludohn%2Fo2-arena-london-ny-daily-news-o2-arena-london+o2+arena+london%0D%0Ahttp%3A%2F%2Fsites.goo gle.com%2Fsite%2Forileyautopartsrludohn%2Foahu-attractions--oahu-attractions-map--tours-oahu-attractions+oahu+attractions%0D%0Ahttp%3A%2F%2Fsit es.google.com%2Fsite%2Forileyautopartsrludohn%2Foa hu-car-rentals-car-rental-discounts-oahu-car-rentals-hertz-oahu-car-rentals+oahu+car+rentals%0D%0Ahttp%3A%2F%2Fsites.g oogle.com%2Fsite%2Forileyautopartsrludohn%2Foahu-tours-arizona-memorial-waikiki-oahu-tours+oahu+tours%0D%0Ahttp%3A%2F%2Fsites.google.co m%2Fsite%2Forileyautopartsrludohn%2Foak-bonsai-price-comparison-blue-oak-bonsai-oak-bonsai+oak+bonsai%0D%0Ahttp%3A%2F%2Fsites.google.c om%2Fsite%2Forileyautopartsrludohn%2Foak-dining-table-square-oak-dining-table-dining-furniture-oak-dining-table+oak+dining+table%0D%0Ahttp%3A%2F%2Fsites.goo gle.com%2Fsite%2Forileyautopartsrludohn%2Foak-ice-box--early-american--oak-ice-box-coffee-table-oak-ice-box+oak+ice+box%0D%0Ahttp%3A%2F%2Fsites.google.com %2Fsite%2Forileyautopartsrludohn%2Foak-island-treasure-dug-oak-island-treasure+oak+island+treasure%0D%0Ahttp%3A%2F%2Fsit es.google.com%2Fsite%2Forileyautopartsrludohn%2Foa k-ridger-oak-ridger-news-world-press-oak-ridger+oak+ridger%0D%0Ahttp%3A%2F%2Fsites.google.c om%2Fsite%2Forileyautopartsrludohn%2Foak-tables-traditional-styles-oak-tables+oak+tables%0D%0Ahttp%3A%2F%2Fsites.google.c om%2Fsite%2Forileyautopartsrludohn%2Foak-veneer---oak-veneered-mdf---white-oak-oak-veneer+oak+veneer%0D%0A||http://www.4x4mecca.com/forum/misc.php?do=bbcode||Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

my logfile reads this

1||1228766931||||||||
1||1228767166||||||||

what does that mean?

my logfile reads this

1||1228766931||||||||
1||1228767166||||||||

what does that mean?

Maybe IP Adresses :rolleyes:

Maybe IP Adresses :rolleyes:

Not likely... it's 10 digits, not 9.

hmm. It should tell you what the attacker tried to do

1||1228866074||MY.IP.ADD.RESS||url=http%3A%2F%2FXX XXX.XXX%2Ffiles%2F150219639%2FSOMETHING.rar||http://www.mysite.com/XXXXXXXXX/756-XXXXXXXXX.html||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4Error Opening Logfile.

problem with vbAnonymizer

Hmm might have to install this.

While this is a great plugin, it prevents me checking logs through the admin panel, giving me errors. Possible you can fix this issue?

Let me bookmark this!

I was hacked more or less 10 times this year... NOW LET MET TRY THIS.

Thank you so much in advanced.

;)Heehehehe

Why Do U Not Use VB Security ;)


Contact me at pm or @ yahoo ....

my yahoo id : system.k1ll3r


:D

I just got 2 emails saying "Hack Attempt prevented by vBFirewall‏"

but when i goto http://www.yourvbforumurl.com/logfile_worms.txt (with my forum name)

it just says page not found

the 2 emails say

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:


Report:
============================

1||1229255228||80.83.90.50||page=http://xaoss.com/id.txt??||||Netscape 4.78/U.S., 25-Jun-01; (c) 1995-2000

============================


and


Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:


Report:
============================

1||1229254995||80.83.90.50||page=http://www.geocities.com/axenses/id.txt???||||Netscape 4.78/U.S., 25-Jun-01; (c) 1995-2000

============================


what does all this mean and is it working correct ?

I tested this plugin on a very active forum for 1 month didn't made any problem, I would like to check this out for you..On it
I've tested this plugin on 374 & 380 now and get the same problem regarding, 'subscribe to thread' failing. Blocking all bots is fine with me but the subscription issue makes the firewall unusable.

Great idea and good luck with progress. :up:

verygood product I tried it on my forum and 100% working
I'm using Vbulletin Version 3.8.0 Release Candidate 1
thank you very much
:)

I've tested this plugin on 374 & 380 now and get the same problem regarding, 'subscribe to thread' failing. Blocking all bots is fine with me but the subscription issue makes the firewall unusable.

Great idea and good luck with progress. :up:

thank you Orakk
I got same problem
:confused:
waiting for

I installed this last night and had 14 emails this morning with basically no information. My log reads:

1||1229487186||||||||
1||1229487186||||||||
1||1229493626||||||||
1||1229493631||||||||
1||1229504466||||||||
1||1229504472||||||||
1||1229511852||||||||
1||1229511856||||||||
1||1229517334||||||||
1||1229517334||||||||

invisiblea, would be great if you'd reply to this thread as you haven't done so in a while.

my logfile reads this

1||1228766931||||||||
1||1228767166||||||||

what does that mean?

This is all I'm receiving as well.

Also, even though I have the option turned on I can't view logfile_worms.txt. It's not being created or is not in my forums directory. Suggestions?

it seems to be working
this is what i got in my mailbox

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
http://bullterrierforum.nl

Report:
============================

1||1229937338||116.122.158.46||systempath=http://www.elitewheels.ru/images/stories/.cnn?||||libwww-perl/5.79

============================

if i paste the url and i visit this page i got a warning from nod32 that there is some sort of trojan
really weird imho .

but it seems to be working

thank you Orakk
I got same problem
:confused:
waiting for
Your welcome AA.. :up:

invisiblea - Any updates on progress? If stumped, other coders may lend a hand if you ask ..

Sorry for late reply.. within 2-3 days new version will be out..

relax its holiday time
them few more hours wont be biggy

hi!

i try this mod, and i get this worm:
1||1230274881||210.105.132.249||t=http://204.2.183.2/babycaleb/picture.htm?||||Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)


how can i kill this?

How do you know its a worm? The IP address is from Korea. What do you see on your site?

The ip address that is hosting the badguy script is in the US/Colorado

They list abuse@ntt.net to report abuses. To get them to kill off the hacker script. If you tried to access that html, you likely have had The trojan is loaded on your PC, looks like the name of the trojan is Trojan Horse Downloader.Generic8.COX. You might want to do a few searches to see how to remove it from your local system.

HTH

my site is good, because i copy on my server root .htaccess file. if this file is missing, my site isnt good, my antivirus is lock my site

I use a third party product called ASL which does the same thing as this mod on a global scale (server wide) and much more (linux servers only). Cost of that is less then the vb license too.

While this is a great plugin, it prevents me checking logs through the admin panel, giving me errors. Possible you can fix this issue?

Ditto. This is a deal breaker for me.

Also users have having problems subscribing to threads (I applied the unsubscribe patch)

The command getting caught is do=addsubscription

Tried and installed this on vbulletin 3.8.0 rc 2 and 3.7.4 locks admin out of certain parts of the acp could you add to the script that if the user has a valid admin login they can gain access to the acp if not then reject them.

i have this...
i got 5 emails saying it blocked 5 attempts from hacking...
then it bypassed and now im hacked....
fixed it once, then they hacked again....
www.ripthemic.org

heres wut it showed when prevented...

1||1230677435||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230677439||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230677448||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230734502||124.187.20.43||do=removesubscriptio n&t=3||http://ripthemic.org/forums/showthread.php?t=3&nojs=1||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
1||1230765308||67.167.16.183||do=viewsubscription| |http://www.ripthemic.org/forums/usercp.php||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.2)


is it possible that people are having problems with subscriptions because theres a security issue???

all the actions have to do with subscriptions and everyone is talking about having issues with subscriptions....

last email i got was at 6:16 PM today, right before the site went down...


Had Me Site Fixed AGAIN...
They Hacked AGAIN!!!
This Time It Shows Me...
1||1230777472||98.100.180.113||do=viewsubscription ||||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
1||1230777561||98.100.180.113||do=viewsubscription ||||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
1||1230816616||86.96.229.88||s=&do=add&dostyleid=10&title=headinclude&group=all&searchstring=&expandset=10||http://ripthemic.org/forums/admincp/||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
1||1230816628||86.96.229.88||s=&do=add&dostyleid=10&title=headinclude&group=all&searchstring=&expandset=10||http://ripthemic.org/forums/admincp/||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)

This Doesnt Work Very Well...

<font face="Georgia">I installed this mod on my vB 3.6.7 forum yesterday. It significantly slowed my site down to a crawl. On top of that the so called attacks it said occurred since I installed it have been done by Googlebots and Yahoo Slurp bots.

Whatever! If anyone's vB forum has something to fear from Googlebots and Slurp bots then this mod is overly protective in my opinion.

Time of Uninstall - 7:49pm</font>

This is attempt for hacking or only one error on script?

Report:
============================

1||123108xxxx||90.145.22.71||cx=0085147425190053xx xx%3Astktp-0amaq&cof=FORID%3A9&q=java+script&do=process&showposts=0&s=&x=0&y=0||http://www.mysite.com/forumdisplay.php?f=41||Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

============================

Thanks

Check with your host to see if you have mod security installed. If yes, this script really shouldn't be needed. You also cannot edit templates without first disabling this.

The moment I enabled this I had 12 emails sent to me about hack attempts... safe to say that this app has some issues.

Indeed. I don't know if it does what one would want it to do but it clearly does a whole lot of things that nobody would want to have done on a forum.

Should be moved to the Graveyard, IMO.

This worked twice for me so far.....a big thanks!

djbaxter : Im not to smart on this subject can you please explain what you mean?

Installed, hope it works, i do not know how, but I'll try it.. here is what i did to improve against dos attacks, i change from apache to LiteSpeed and i am very happy and speed doubled !!!!

Indeed. I don't know if it does what one would want it to do but it clearly does a whole lot of things that nobody would want to have done on a forum.

Should be moved to the Graveyard, IMO.

This works well and has logged a few for me, i think you should be moved to the graveyard!

Installed. Thank You. :)

MOTM nominated ;)

Installed. Thank You. :)

MOTM nominated ;)
Are you saying subscribe to thread function still works on your forum and if so, which vB version are you using? :eek:

had a problem with vbadvanced links, the redirect was seen as a hacker

Are you saying subscribe to thread function still works on your forum and if so, which vB version are you using? :eek:


I'm uninstalled this product for subscription thread problem. :(

I'm not keen on installing because the log file is stored on a public directory. Can this be moved to a folder outside? Like maybe in ./home/private_html/ rather than ./home/public_html/ as I feel that is a bit of a joke to have that file viewable.

If you can change the location of it then I am interested in the mod for sure!!

Been loged when I try to unsubscribe from a post, not good

this project is dead already? :(

A lot of people seem to have trouble with this. I havent installed it my self, but I use crawltrack instead and is very easy to integrate with vb. Tracks hacks and spiders, uses its own database also.

http://www.crawltrack.net/

I'm uninstalled this product for subscription thread problem. :(
Cheers for reply Cionfs, :up:

Does this do anything to spiders?

Does this do anything to spiders?

Yes. Read the thread. It blocks spiders. That's one of the major problems with this add-on. Don't install it.

Yes. Read the thread. It blocks spiders. That's one of the major problems with this add-on. Don't install it.
Thanks. I didn't want to read 10 pages to find that out. It was the first thing that popped in my head when I saw the code...

;)

A lot of people seem to have trouble with this. I havent installed it my self, but I use crawltrack instead and is very easy to integrate with vb. Tracks hacks and spiders, uses its own database also.

http://www.crawltrack.net/
This looks promising. Open source and free. Does it add any copyrights to the footer, and if so does it have links?

Where do you add your tag for the correct results?

Loaded and working...

It does not add copyrights to the footer, and I found that adding the tag to global.php gave me full results...

;)

Tried this had to uninstall, its stopping notices being displayed. I will keep an eye out.

The error i get is if you add a new notice, all i get is the notice box shrunk and empty. the existing notices display fine so ive no idea what the cause is, also the subscription fix didnt work. been messing ages just thought i would turn off this and bingo displaying fine.

What about spiders? I don't want spiders blocked. That is a bad idea...

What about spiders? I don't want spiders blocked. That is a bad idea...
Spiders are blocked.

A lot of people seem to have trouble with this. I havent installed it my self, but I use crawltrack instead and is very easy to integrate with vb. Tracks hacks and spiders, uses its own database also.

http://www.crawltrack.net/

How to install this?

LoL i get an hack Attack today, The Plugin send me an email with his IP adress etc.. Many Thanks :D

thank you for this, sounds very interesting and must have

disables subscriptions...

can you please fix this so that it will work with vbAnonymizer 3.0? all vbAnonymizer link are stopped and logged as a hack. So until this is fixed i had to uninstall the firewall.

nice, but i dont think it protect's 100%

An unsubscribe action from a thread is for some reason picked up by vBfirewall and blocked...

Offending action: do=removesubscription&t=19531

sounds promising...i'll install once all the bugs are worked out.

got a long error message when I try to subscribe/unsubscribe to a thread..

LoL i get an hack Attack today, The Plugin send me an email with his IP adress etc.. Many Thanks :D

if u got many attacks, ask your webspace provider for the webserver logs (specially of the attackers ip!), goto http://www.db.ripe.net/whois type in the ip of the attacker and look for the abuse email! write the logs (vbfirewall + webserver logs if u can get them) to the abuse team, with the exact time and date + time zone, and voala - this was the last time, that the same attacker will attack u again ;)! i also started to do this, and the hacker are reduced to a minimum :D!

btw - its impossible to open new pm notifications in an extra window - the vbfirewall thinks, that this is some attack! how can i fix this?

Well I installed this the other night to see if it worked, it did send me some emails saying there were hack attempts, but all of them except for 1 were legitimate board request. How can I be so sure, well my i.p. created them.

Since then None of my members can log into the site and I keep getting error messages non stop literally for the past 14 hours. I had 24000 new error emails when I logged in to my gmail account.

So my question to you is could this be because the information in the config.php file does not correspond with the real password for the root directory. t.b.h. I am not sure if it is still correct or not as we do not own the server that we run the boards on and we do not have permission to access the root directory. We only have permission to access the forums directory and lower. I messaged the server owner, hopefully he will know if the passwords match up and maybe be able to fix them if this is the case. Here is the message maybe you can tell me for sure if it could even be created by your hack or if I should be looking into another problem.

Database error in vBulletin :

Cannot use database XXX_XXXXXX <--- where XXX = directory of forum location & XXXXXX = forum home directory

MySQL Error : Access denied for user 'XXX_XXXXXX'@'localhost' to database 'XXX_XXXXXX' ^
Error Number : 1044
Request Date : Friday, February 20th 2009 @ 11:26:12 PM
Error Date : Friday, February 20th 2009 @ 11:26:12 PM
Script : Varies Obviously with what the user is trying to do
Referrer :
IP Address : varies obviously by user
Username :
Classname : vb_database
MySQL Version :

Oh and to conclude, since the problem I've uninstalled the hack and am still getting the same problem...

first, i think this error msg hasnt todo anything with the firewall! this looks like u changed the /includes/config.php name and/or path! https://vborg.vbsupport.ru/showthread.php?t=198856 i think u didnt change the xxxxx to the new path/name of your config.php!

u shud post the script!
Script : Varies Obviously with what the user is trying to do

if u dont do that, noone can help u! vbfirewall is blocking some internous board things like pm in new pop up window - in that pop up window u get the vbfirewall hack attempt message, and thread subscriptions etc.. but u can fix this by configuring the firewall - its hard todo that if u duno anything about it, but its easy if u look over it - easy to understand!

^ Yeah, I am not even sure myself if it was caused by firewall... but we never had that problem until it was installed. Config.php is still /includes/config.php

the script has literally been everything... every time someone tries to do anything at all(post or view a thread or even log in they are getting an error)...
some examples
/index.php
/forums/icash.php?do=donate&to=xxx
/forums/search.php?do=finduser&userid=8427&searchthreadid=45331
/forums/showthread.php?p=241423
/forums/misc.php?do=whoposted&t=40409
/forums/showthread.php?goto=newpost&t=28640

and on and on and on

the server owner has fixed the password so they match and now I'm not getting the errors but now it's like I have two databases... :-X

the old database loads in ie (by old I mean the one that was current until the problem.)
and the new database loads in mozilla.... (by new I mean the database as it was save last on the server and all new posts that have happened since the server owner changed the information in config)

it's one of the weirdest problems I've encountered and I haven't figrued out what could have caused it. Nothing on the board has changed in the past week except installing vBFirewall :-X...

I'm hoping I don't have to dump the database and start from scratch.

nvm. I found the plugin that didn't remove itself.

which plugin was the prob???

i had an issue just now that is solved by disabling vbfirewall: with the mod enabled, when i attempt to go to admincp-> vb options -> cookies & http header options i get a white screen and this message: 1||1235333916||||||||Error Opening Logfile. (see post attachment)

On a v3.7.3 system i get this message:

1||1235334329||nnn.nnn.nnn.nnn||do=options&dogroup=http||http://www.blahblah.com/admincp/options.php?null=0||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6Access Denied, you have been logged.

Disabling the mod fixes the issue. Tested on two separate v3.8.1 systems and one v3.7.3 system

1||1235352914||||||||
1||1235353109||||||||
1||1235353127||||||||

what is this means

trying to access the adminlogs I get this error


1||1235350146||72.171.0.145||do=view&script=&u=2||http://mastercatters2.com/admincp/adminpermissions.php?do=modify||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)Access Denied, you have been logged.

other than that it does a great job of logging and emailing me with the hack attempt :rolleyes:

turned it off and the error goes away and I can access the logs

config.php was set up properly for me and the other two admins 1,2,3

and I retained my 2 as the superadmin

which plugin was the prob???

TBH I don't remember what the plugin was called :-X
sorry...

When I removed the entire mod it left a stray plugin on the board. I went to plugin manager and it was the only one left under the heading vBFirewall. Since I uninstalled it I haven't had any problems.

I still can't say for sure what caused the problem. I would venture to guess there must be a clash with another mod that we have installed or with the type of server we have. ? ? ?

It's strange that people are getting an error to view their admin logs, that is one error I didn't receive. I check them everytime that I log in so I would have noticed.

On my board it blocks some users from managing their subscriptions. Will have a look to the source of the mod to fix this. But maybe someone has already an idea?

sf

Hi,

is it better than using cback for such attacks ?

Thanks in advance for your efforts.

Would be Nice to Have an Option to Use a Silent Report But Not Blocking Action and another to have Silent Report and Action to Block the Intrussion.

I Hope the Bugs on this Mod can be Fixed, I think is Important to Identify Agressions and Block Intrusions with this Mod and also to Block IPs with a Mod like "Miserable Users" to Block those Users from even Accessing the Forum.

My Best Regards.

:)

Until this can differentiate a legitimate request from my users and an actual hostile attack, I'm going to have to refrain from installing again. Sorry, not quite ready for prime time.

Can there be Added an Option to Somehow Specify the Structures of Valid Requests so that the Firewall can Check that List and Not to Block any Valid Request Specified there? :confused:

This Way the Problem with the Subscriptions and other Requests can be Solved by Adding that Correct Structure to the List and the Firewall Not to Block it Again.

This Way Also Admins that Identify a Valid Structure that was Blocked by the Firewall by Mistake, can Post the Valid Structure here for other Admins to Use the Valid Code on their Boards.

Is Just an Idea, I Hope is Possible to Apply it. ;)

My Best Regards.

:)

Idea: I'd be Nice to Add the Date and Time of the Attack on the "logfile_worms.txt" File.

For it Not to Block the Pages but Work on Silent Mode, the Following 2 Lines Should be Commented (Adding the //):

// echo $ctr_logfile;

// die("Access Denied, you have been logged.");

Edit: I Think is Better to Keep at least the First Code Line Disabled, because It Displays Important Data of the Board to the Hacker. (Careful with That).

// echo $ctr_logfile;

Edit: Also Careful with the Second Line, because it'll Block Google Bots so your Board wont be Properly Indexed. (Many Log Results are from Google Bots "||||Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
").

// die("Access Denied, you have been logged.");

My Best Regards.

:)

Idea: I'd be Nice to be Able to See via Admin Control Panel the content of the File "logfile_worms.txt" File.

Recommendation: Change the Name of the File "logfile_worms.txt" on the following Code of the FireWall Plugin, so that No Sensible Information can be Viewed by Anyone. Careful with this, some AdminCP Addresses are Saved on that File).

$file = "./logfile_worms.txt";

Name it Anyway You'd Like, so that Only You Know About It.

Also, in the First Log there's an Error Code that Will Appear at the Top of the Page; make sure your Board is Disabled because on that Error Message appears the Name of the File; also on the second Log and later No Error Message will Appear, (only on the first one).

This Mod is Very Useful, Thank You For Sharing It, I Managed to Locate some IPs that I think were causing Problem and I Blocked Them with Miserable Users Hack with the IP and Setting the Options of that Mod to the Maximum (Completely Blocking those IPs). :up::up::up:

This Mod and the Miserable Users Hack, will make Miserable the Life of Board Hackers. ;)

My Best Regards.

:)

^ if you wanted to have it integrated into the admin cp I think that it would be more effecient to rewrite the mod to create a new table called worms or something and then just to write a code to display the contents of the file the way you see fit.

I Noticed Today that the File that Contains the Log Self Delete it's Content, I guess every time it reaches ??? Kb, so there is No way in the Current Stage of the Mod to Save the History of it, and as it Detects some Actios of the Google Bots as Hack Attempts the E-mail Notification Fills the E-mail with Junk. :(

I guess there's more Work to do in the Plugin to be More Accurate in the Hacking Detection and Not Activities that are Not Harmful to the Board. ;)

My Best Regards.

:)

Hey, I'm having a problem with vBFirewall.

If it's enabled and I go to Usergroups > Administrator Permissions > View Control Panel Log it gives me this error "1||1235699733||||||||Error Opening Logfile." (Semi-random numbers each time). If I disable vBFirewall this doesn't happen. It happens in other random places too, same error. It also emails me saying that vBFirewall has prevented an attack whenever I view the page.

Any ideas?

Hey, I'm having a problem with vBFirewall.

If it's enabled and I go to Usergroups > Administrator Permissions > View Control Panel Log it gives me this error "1||1235699733||||||||Error Opening Logfile." (Semi-random numbers each time). If I disable vBFirewall this doesn't happen. It happens in other random places too, same error. It also emails me saying that vBFirewall has prevented an attack whenever I view the page.

Any ideas?

I had the same thing. the logfile did not have the correct permissions set. 0666 is sufficient to make the file writable.

I had the same thing. the logfile did not have the correct permissions set. 0666 is sufficient to make the file writable.

Which logfile?

I had the same thing. the logfile did not have the correct permissions set. 0666 is sufficient to make the file writable.

Alright, I set the vBFirewall log file to 666 permissions (had to create it first). Now when I visit those areas I get "1||1235774558||||||||Access Denied, you have been logged.".

Any ideas?

is this protect from spam

It works, tryed to hack own page, thank you

Installed it and the logs were showing some things but no details, and it also blocked me from modifying my cookies and http header options.
So i disabled it for now.

I have a few recommedations for this

Firewall which automatically checks links against a blacklist database (Custom scripted database in the Admin CP) if its there, it blocks connection/linking to it.

Upload logs and details.
In the firewall when a member/user uploads a file it automatically Logs the IP, file name, description and what it contains.

--DOWNLOADED--

Doesnt work with vBAdvanced in the AdminCP. If you want to open vBAdvanced settings in AdminCP you get a security notice

thanks

i used it, but have some error.
examples: i click more..very fast into a link in forum...have a errors
Forbidden

You don't have permission to access /forum/showthread.php on this server.
---> it's protect from hackers?

and i use mysqldumper for backup, but also have errors this.

i try again by disable this hack mod, but still errors, i cant backup database...

remember history? when disable this hack mod?

plz..help me!

This sounds like a great idea, but the last few pages sound like there's too many bugs at the moment. Please keep up the good work though, I'm sure EVERYONE will want to use this if you can get it working smoothly without the problems people have mentioned here :)

Developer Last Online: Dec 2008

Looks like we're on our own with this one.

1||1235352914||||||||
1||1235353109||||||||
1||1235353127||||||||


what is this means

Its a unix time stamp. You need to convert it using this.

http://www.onlineconversion.com/unix_time.htm

Why can´t i do everything in the admincp anymore?

In the Vb options i can´t edit cookies for example...

Thanks For This Job
I Will Download And Tes :)

this hack mod...not good, plz help me.
i used it, but have some error.
examples: i click more..very fast into a link in forum...have a errors

Forbidden

You don't have permission to access /forum/showthread.php on this server.


i cant' uninstall this hack mod, i cant delete cookie's :((

I am also having problems with the subsriptions, any news about it?
Thanks

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
------

Report:
============================

1||1237575072||64.181.115.194||t=http://eatmyfood.hostinginfive.com/pizza.htm?||||Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)



What does that mean,


Does it impact on the search spiders or her?


and thanks


:confused:

Very nice, it caught someone hacking today.

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
FlightSimHD Live!

Report:
============================

1||1237776533||68.32.235.206||do=viewsubscription&folderid=all||http://www.fshdlive.com/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7


Hopefully it was a real attack haha.

i think need update this.
plz update 2009

thnxxxx alot bro

www.2oman.net

Hey this is a great plugin, and it is working perfectly on my forum. Last weekend the firewall prevented 3 hack attemps. Så thanks m8

Are you sure?

The problem I see with this plugin is it does NOT differentiate between valid requests from the membership and real attempts to hijack the board. It reminds me a little bit of the early versions of Zone Alarm that popped an "Oh My Lord" message every time a packet hit the PC. The uninformed would then panic and scream bloody blue murder that someone was trying to attack their PC, when in fact, all it that happened was a query packet was received from the DNS.

Until this plugin can tell what's valid and what isn't, people should not put much faith in what it reports as an attack.

Thank you for the hard work
keep it up dude ;)

Are you sure?

The problem I see with this plugin is it does NOT differentiate between valid requests from the membership and real attempts to hijack the board. It reminds me a little bit of the early versions of Zone Alarm that popped an "Oh My Lord" message every time a packet hit the PC. The uninformed would then panic and scream bloody blue murder that someone was trying to attack their PC, when in fact, all it that happened was a query packet was received from the DNS.

Until this plugin can tell what's valid and what isn't, people should not put much faith in what it reports as an attack.

Hey m8, yes i am sure, so i am happy for this hack.

Too many holes.

Uninstalling.

Thank you very much

Good mod, fantastic idea, however the subscription issue is something of a show stopper. So I decided to look into it.

The reason the "firewall" kicks in on the subscription page is that one of the security rules is 'script', and quiet rightly so. However due to the checking method used, the firewall kicks in when it sees:

do=viewsubscription

Notice the bold/underlined part

The good news is that this can be resolved, but it is a hack to the mod. The following instructions explain what needs to be done, if you want to implement it then I strongly recommend first testing it on an test server. Hopefully this will help the mod dev makes this mod one of the best available here:

Right, you need to goto:

ACP -> Plugins & Products -> Plugin Manager

Once there look for the entries for "Product : vBFirewall", this should only have one plugin called 'vBFirewall' which uses the 'init_startup' plugin. Click edit

Copy all the text in 'Plugin PHP Code' into notepad.

Now follow these steps:


Find the line that reads:

'st=-', 'cat%20', 'include', '_path=');

On a new line immediately after this paste in:

$securityexclusions = array(
'do=viewsubscription'
);

Find the line that reads:

$cracker = strtolower($cracker);

On a new line immediately after this paste in:

$cracker= str_replace($securityexclusions, '', $cracker);


Once done, copy all the edited text in notepad back into the 'Plugin PHP Code' in ACP, then click save

What this is actually doing is creating an extendible security rule exclusion list, so if any other VB queries string invoke the vbFirewall you can add another exclusion.

IMPORTANT : I have only run this on a basic test server I have, do not try this unless you are absolutely comfortable with plugins/php etc.

A here are some suggestions for the next version:


Rather than add the logs to a flat file on the server store this in the DB and then create an ACP page to view/search/manage logs
Add option to send a PM or Email or both
If a specific IP invokes the firewall more than X times in Y seconds/minutes auto place this IP on the vBulletin ban list.
If a specific IP can be associated to an actual forum user account auto ban that user.


One other teeny weeny little thing, you need to mention that this is based on the GPL licensed code found here : http://www.cback.de/cback_software/standalonect.php ;)

EDIT: Later in this thread I have posted an additional fix for vbAnonymizer users

Thank you for that work around. Here's the list of everything in my array that got the subscription/unsubscribe features to work properly. It took all of them for it work properly:
$securityexclusions = array(
'do=viewsubscription','do=removesubscription', 'do=addsubscription', 'do=doaddsubscription'
);

Awesome mod!!!

Waiting till the Gold version still.

Sounds interesting. But what exactly does it prevent?

Does it also recognizes dos attacks?
If someone is hitting refresh button to fast and to often?

Are you sure?

The problem I see with this plugin is it does NOT differentiate between valid requests from the membership and real attempts to hijack the board. It reminds me a little bit of the early versions of Zone Alarm that popped an "Oh My Lord" message every time a packet hit the PC. The uninformed would then panic and scream bloody blue murder that someone was trying to attack their PC, when in fact, all it that happened was a query packet was received from the DNS.

Until this plugin can tell what's valid and what isn't, people should not put much faith in what it reports as an attack.

This guy knows what he is talking about.

+1

Created more harm than good, although a somewhat good idea nonetheless.

Once you figure out all the legitimate things that are getting blocked and add exceptions for them, it runs flawlessly in the background blocking anything that isn't legit or that's malformed. Whether it's an official hacking attempt or not, it blocks things that could possibly cause damage or waste your servers resources. That's enough reason right there to install this mod, get it set up properly and let it do its job while you focus on other things. Don't listen to the nay-sayers. Yes, it takes a little time getting it set up but once it's set up it's good to go and well worth the install/configuration. Excellent mod... nominated :)

Thank you for that work around. Here's the list of everything in my array that got the subscription/unsubscribe features to work properly. It took all of them for it work properly:
$securityexclusions = array(
'do=viewsubscription','do=removesubscription', 'do=addsubscription', 'do=doaddsubscription'
);

Awesome mod!!!
Plus MrEyes additions this is working on 383 with no issues.

Thankyou. :up:

This mod keeps bumping heads with a googlebot on my site. Is this googlebot really trying to hack? Or is this mod just overly sensitive.

I wish it had more options.

This plugin stopped thread subscription working

I think if you all work together and help each other with the arrays for the exceptions, then this mod would very easily be a nice use.
I am interested in this modification, and I will download and read through the code before installing.

thanks Installed

VbGarage 3.5
Let Your Members Show Off Their Rides !!!

https://vborg.vbsupport.ru/showthread.php?p=1109494

Firewalls blocking pop-up image on this mod

Anybody know any fixes around this it blocks a pop-up on the image..

i always have this message from this product
Hack Attempt has been successfully prevented for your vBulletin forums at:
Petroleum Community Forum

Report:
============================

1||1246236841||66.249.68.13|

but when i search for this ip i found that
66.249.68.13 US UNITED STATES CALIFORNIA MOUNTAIN VIEW GOOGLE INC

which mean that it prevent Google from index my site

Sounds like something that would come in handy for forums that are targeted a lot ;) tagged

IS this really working??

Not really. There are a lot of holes, problems, etc.

Had to dissable this mod because of:

Hello. I have a problem and I know that is not with your mod - I used also some other similar mod and get same problem. Maybe someone know how to help me.

When I’m using redirecting mod i.e. link:
http://www.forum.simple-nlp.pl/redirector.php?url=http%3A%2F%2Fwww.wp.pl

As result I get white page with error:
1||1246804929||88.199.62.36||url=http%3A%2F%2Fwww. wp.pl||http://www.forum.simple-nlp.pl/informacje/890-wiadomosc-testowa.html#post4529||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)Access Denied, you have been logged.

As i wrote mod is ok. Works when used without url param:
http://www.forum.simple-nlp.pl/redirector.php

And I have this behavior in other similar mod. Someone knows what to do to make it works?...

This happend when I was using this mod: https://vborg.vbsupport.ru/showthread.php?p=1843302
and this mod: https://vborg.vbsupport.ru/showthread.php?p=1843303

I will gladly enable it again when some solution appears :)

It's .. shit -> turn off subscribe thread/topic.. and many options in ACP..

Uninstall

I need it badly.
Can i use it on my vb 3.7.1?

awesome mod. still considering if it's effective and safe to use.

awesome mod. still considering if it's effective and safe to use.

Makes conflicts with some other mods... :(

For people facing problems with subscriptions, check page 3 of this mod ...

Apparently, the mod creator was supposed to release a new version with fixes in December 08.

When have a update ^^ ???

well i installed and since i did a look like that have no effect to spiders they just keep coming on page on the forum that just admin should be able to see

any idea ??

Why not this code to add also



unset($config['Database'],
$config['MasterServer'], $config['SlaveServer'],
$vbulletin->config['Database'],
$vbulletin->config['MasterServer'],
$vbulletin->config['SlaveServer']);

Why not this code to add also



unset($config['Database'],
$config['MasterServer'], $config['SlaveServer'],
$vbulletin->config['Database'],
$vbulletin->config['MasterServer'],
$vbulletin->config['SlaveServer']);

where should i put this code ??

is there any update ??

installed and I guess its working for me. All addons are working for me, as of right now. I do not have those two addons that are specified in a couple posts above, though

still dosen't work i mean a dose not his job , bots users keep registering , and on the log (logfile_worms.txt) the only log it is my ip , probably when i made a mistake with my password.
any idea to make this mod work right ?

it just prevented me from viewing the control panel log in the admincp. When I click on:

ADMINCP > USERGROUPS > ADMINISTRATOR PERMISSIONS > VIEW CONTROL PANEL LOG

it displays an error and emails me that a hack attempt was just made.

it just prevented me from viewing the control panel log in the admincp. When I click on:

ADMINCP > USERGROUPS > ADMINISTRATOR PERMISSIONS > VIEW CONTROL PANEL LOG

it displays an error and emails me that a hack attempt was just made.

Same problem...

Oh, well, since no one specialized offers any help, I will offer myself. This is - or should be embarrassing - to let a lawyer who knows nothing about coding to solve the technical problems caused to other ppl by your own hack.
After 30 minutes of testing the most weird things on the test forum, I did as follows:

1. I created the logfile_worms.txt and uploaded it in forum root.

2. CHMOD-ed it to 0666.

3. Disabled the addon and noticed that the error was gone.

4. Uninstalled the addon - the error still gone

5. Deleted the damned .txt file from the root and felt very proud of myself :))

Hope this will work for everyone.

Extremely disappointed of this type of lack of responsibility.

just an update for others thinking about installing this:
vb3.8.3 - users cannot access their subscriptions page. this mod blocks their attempt and thinks its a hack attempt

disabled for now

just an update for others thinking about installing this:
vb3.8.3 - users cannot access their subscriptions page. this mod blocks their attempt and thinks its a hack attempt

disabled for now

a solution is given on previous pages.

thanks. i wasnt aware of that

it just prevented me from viewing the control panel log in the admincp. When I click on:

ADMINCP > USERGROUPS > ADMINISTRATOR PERMISSIONS > VIEW CONTROL PANEL LOG

it displays an error and emails me that a hack attempt was just made.

find:

'st=-', 'cat%20', 'include', '_path=');

add below:

$securityexclusions = array(
'do=viewsubscription','do=removesubscription', 'do=addsubscription', 'do=doaddsubscription', 'do=view&script'
);

in addition to the fix for subscription.

How do I know what kind of attack I am getting? Here is an attack I received a couple times today.

1||1252094560||192.138.214.106||do=viewsubscriptio n||http://www.loansafe.org/forum/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6

How can I remove it? I removed it via Product page, it still gives me hack attempts sent to my email. I wanna remove it completely, because it conflicts with other plugins, and gives me errors.

Hello!

Hack Attempt has been successfully prevented for your vBulletin forums at:
KMA? Warez Forums

Report:
============================

1||1252849941||115.84.147.15||do=viewsubscription&folderid=all||http://www.kma-forum.com/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5

============================

but no report logs created

sweet thanks.

I've installed it, but it had no effect in my forum what so ever.
What parameters does it work on?

I only see a Menu that tuns log & notifications on or off.

There is an big bug. Users can´t unsubscribe from thread without getting blocked from the firewall.
Need to be fixed.

This failed.
It was working fine, and yet today someone from voide injected and stuffed my forum...
I recommend you fix this script thankyou!

Thankyou

Also received an error when a user tries to subscribe to a thread.. uninstalled.

Yes, should be fixed.

Many Thanks for you

Installed I will be glad to test it out for a while. It sounds like a real nice thing to have. Thanks man.

Polish version


http://img188.imageshack.us/img188/1238/vbfirewall.jpg

is it safe?what vbulletin team thinking about this add-on ?

This failed.
It was working fine, and yet today someone from voide injected and stuffed my forum...
I recommend you fix this script thankyou!

Strange, I also got hacked via someone at voide dot com last year after installing this hack. hmmmm:down:

Strange, I also got hacked via someone at voide dot com last year after installing this hack. hmmmm:down:

Same thing happened to me roughly a week after installing this hack. Seems like this hack might open up a hole.