vb.org Archive
Page 2 of 3 1 2 3
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Home Page Hacked (https://vborg.vbsupport.ru/showthread.php?t=302033)

creative-friend 09-09-2013 12:22 PM
Hi Guys

Thanks everyone for your help.....i had problem in my forumhome template......i reverted that template now its working fine....

xenite 09-09-2013 02:54 PM
If it's the Syrian Army whatchamacallit, they apparently found a way to add themselves as administrators even getting past user moderation/approval (unless someone on my team approved an odd account without telling me).

They hacked NOTICE.PHP and embedded a meta-refresh in the PHRASE table. I don't that it will stop them but I have added the following to my .htaccess

# Block Syrian Army IP Addresses
deny from 5.0.0.0/16
deny from 31.9.0.0/16
deny from 82.137.192.0/20
deny from 91.144.0.0/20
deny from 178.253.64.0/20

These IP addresses are all assigned to a Syrian government ISP (and sharing this list here may tip them off that I have identified which network they came in from).

I am using VB 4.something (still uploading a backup of the actual VBulletin files so my forum is offline at the moment). ADDED ON EDIT: Vbulletin 4.1.5 Patch 1

I don't think changing passwords is going to help with this. They found a flaw in the VBulletin script. I show three actions by the hacker's user account in the ADMINLOG. They are:

ADD action with "notice.php"
UPDATE action with "notice.php"
MODIFY action with "notice.php"

He used a HOTMAIL.IT email address (according to the user account).

He apparently deleted his IP address from the USER record (or when he injected it the IP address wasn't recorded). The ADMINLOG shows the IP address, though.

I'll post more info when I find it.

If anyone knows how they managed to create an admin user account without being approved, I'll be glad to hear about that. Please spare me the "they cracked your password" explanation as that dog won't hunt.

ForceHSS 09-09-2013 03:10 PM
Al souweqah street, Damascus seems to be there going by their ip but I am sure none of the ips are even his real ones. I did see a plugin here that blocks citys or something like that. If anyone has a link plz post it

xenite 09-09-2013 03:38 PM
The IP address is real. The hack started at 19 minutes after the hour and was finished within 9 minutes.

He hit an old thread from 2006 that looks pretty innocuous to me.

It looks like he then hit the upgrade script in the install directory (I know -- I should not have left that there, but I get busy with a lot of tasks on this server).

After hitting the upgrade.php a couple of times and firing off some Javascript he got into the AdminCp.

Once in he executed the newsproxy.php script.

Then he hit the notice.php script.

And then he was done.

--------------- Added [DATE]1378745307[/DATE] at [TIME]1378745307[/TIME] ---------------

I doubt I can shed any more light on this. He got in through an UPGRADE hack and that is all my fault.

BarelyHangingOn 09-09-2013 03:49 PM
I have reverted my forum home template, deleted the install directory and removed the two admin accounts that were created.

Should I be okay after this?

xenite 09-09-2013 04:13 PM
There are no guarantees in life but deleting the accounts and the scripts they used to hack in will certainly make it harder for them to do any more damage.

I also pruned all users awaiting email confirmation, only out of spite, because they were also all obvious forum spammers.

--------------- Added [DATE]1378747182[/DATE] at [TIME]1378747182[/TIME] ---------------

For what it's worth, I had my admins change their passwords but I don't think that was necessary on this one occasion.

That said, the main admin account's password cannot be changed because I blocked that in the INCLUDES/CONFIG.PHP script. That is a prudent measure to take because when they do get in and create an admin account, they can change passwords all over the place. This is the section to update:
Code:
        //        ****** UNDELETABLE / UNALTERABLE USERS ******
        //        The users specified here will not be deletable or alterable from the control panel by any users.
        //        To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = '';
Of course, if they could hack into the server account itself they could try to change this script so it's not a perfect protection but it at least serves as a firewall between your legitimate admin passwords and anyone who wants to block you from getting back in.

fmckinnon 09-09-2013 04:59 PM
OK, I'm hacked the same way.
I upgraded all files to 4.2.2.
I deleted the /install directory.
I've searched, and the ONLY two Admin accounts are those of myself and our Editor ...

Still hacked - not sure what else to do? It redirects to the Syrian army thing as soon as you login to the forums or click a thread.

xenite 09-09-2013 05:41 PM
In my case the hacker embedded an HTTP meta refresh directive in new NOTICE.

fmckinnon 09-09-2013 05:51 PM
xenite - can you explain a little more detail - where is that located, and how can I clear it out? I've replaced ALL the forum files on the server, so assume this must be injected into the mySQL?

xenite 09-09-2013 06:03 PM
Login to ADMINCP.

Scroll down to NOTICES (FAQ should be just above it, ANNOUNCEMENTS should be just below it).

Click into NOTICES MANAGER.

If they loaded a notice, you will see it there.


All times are GMT. The time now is 03:00 AM.
Page 2 of 3 1 2 3
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01257 seconds
  • Memory Usage 1,739KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete