Hacked by Team Animus? (https://vborg.vbsupport.ru/showthread.php?t=263202)

fxwoody 05-14-2011 10:04 AM

Ok so they can hack the plugin to find a hole and get into the SQL or so....yes??
I was checking Valter's plugin and now it's quarantined, what happened now with it????

Should we disable it or is there a way that Valter will fix it ?!?!?

Can't post in the thread for news :(

Cheers

madshark 05-14-2011 12:13 PM

Yes, essentially that's what I understood reading the posts.

It was quarantined yesterday because someone seems to have found another exploit (a few pages back on this thread I think) even with the latest update. I'd suggest disabling it at the least if you have a large/well known board. I just copied over my rules and uninstalled it completely for now. That dumps the SQL tables as well, as I didn't want to risk it.

He will fix it no doubt. The first time around the fix came within a few hours. But there doesn't seem to be any Valter activity yet. He could just be busy elsewhere.

Yeah, once it's quarantined it gets locked. I ended up here for the same reason.

AusPhotography 05-14-2011 12:16 PM

[S]I'm not convinced Advanced Forum Rules is the attack vector for the latest round. Sites that have never used it have reportedly been attacked.[/S]

Retracted. :o

I found a hole in the cookie handling code due to the use of the PHP eval function.
I.e. the hacker pre-sets a cookie to contain malicious code, and the eval function runs it when it picks up the cookie content (that it was expecting to be something else).


Kym
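
The class of bug described in the post above, as an added example that is not part of the thread and not the plugin's actual code: a cookie passed to `eval` is attacker-chosen PHP, so the fix is to treat the cookie strictly as data. The cookie name, its format (a list of forum ids) and the key are assumptions made for illustration.

```php
<?php
// Added illustration only. COOKIE_NAME, the "ids.mac" format and COOKIE_KEY
// are hypothetical; the thread does not show the plugin's real cookie code.
const COOKIE_NAME = 'rules_accepted';
const COOKIE_KEY  = 'replace-with-a-server-side-secret'; // placeholder

// Vulnerable pattern described in the post: the cookie is treated as source.
//   eval('$accepted = ' . $_COOKIE[COOKIE_NAME] . ';');
// Whoever sets the cookie decides what the server executes.

// Hardened form: the cookie is data, "<comma-separated ids>.<hex HMAC>".
function encode_accepted(array $forumIds): string
{
    $payload = implode(',', array_map('intval', $forumIds));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

function decode_accepted(?string $cookie): array
{
    // Reject missing or oversized values before doing any parsing.
    if ($cookie === null || strlen($cookie) > 512) {
        return [];
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    // Strict grammar: digits and commas only, nothing that could be code.
    if (!preg_match('/^\d{1,9}(,\d{1,9})*$/', $payload)) {
        return [];
    }
    // Constant-time MAC check: the value must be one the server issued.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) {
        return [];
    }
    return array_map('intval', explode(',', $payload));
}

// Constructed sample values, not taken from any real site.
var_dump(decode_accepted(encode_accepted([2, 15, 40])));     // server-issued
var_dump(decode_accepted('unexpected_call()'));              // not a list
var_dump(decode_accepted('2,15,40.' . str_repeat('0', 64))); // forged MAC
```

In a request handler the input would be `decode_accepted($_COOKIE[COOKIE_NAME] ?? null)`; anything that fails validation degrades to "no forums accepted" rather than reaching an interpreter.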

kh99 05-14-2011 12:32 PM

Quote:

Originally Posted by madshark (Post 2195550)
He will fix it no doubt. The first time around the fix came within a few hours. But there doesn't seem to be any Valter activity yet. He could just be busy elsewhere.

Valter responded to my PM this morning, it's been fixed and it's awaiting reactivation (or whatever they call it). But yeah, if you have the latest installed it should be disabled now I would think. I don't think you'd actually have to uninstall it because when you disable it the plugins are inactive.

Quote:

Originally Posted by snoopytas (Post 2195551)
I'm not convinced Advanced Forum Rules is the attack vector for the latest round. Sites that have never used it have reportedly been attacked.

That's right, I haven't seen any evidence that this mod was actually used for any attack (not that I've looked that hard - maybe on vbulletin.com?).

As for the "uninstall all mods" person, if you want your server to be safe from hacking unplug it from the internet (and keep it in a locked room).

Zachery 05-14-2011 12:54 PM

Not a single site I have done repair work on was missing the specific mod in question. Not a single site I repaired had no modifications.

kh99 05-14-2011 12:58 PM

Well, fair enough - that's a pretty strong argument.

Disasterpiece 05-14-2011 02:30 PM

Quote:

Originally Posted by fxwoody (Post 2195519)
Ok so they can hack the plugin to find a hole and get into the SQL or so....yes??
I was checking Valter's plugin and now it's quarantined, what happened now with it????

Should we disable it or is there a way that Valter will fix it ?!?!?

Can't post in the thread for news :(

Cheers

I reported the mod yesterday because I found the exploit.

And with the user table info on the 3rd page I even know how they got in there :D
Interesting. It feels like solving a murder case ^^

borbole 05-14-2011 02:40 PM

Quote:

Originally Posted by Disasterpiece (Post 2195590)
It feels like solving a murder case ^^

Well done, Inspector Derrick :D

Frosty 05-14-2011 04:15 PM

Quote:

Originally Posted by Nickbe (Post 2195495)
Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides within my public_html (user/public_html/forums) they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.

Hey Nickbe,
They could have firstly uploaded the shell to the forum dir, and then uploaded another one (because PHP shells allow browsing of the directories on a certain web hosting account) in another writeable directory.

So yeah, even if they manage to get into your admin panel, and if you have no writeable directories you're pretty much safe.

Zachery 05-14-2011 04:56 PM

That is not completely true; it really depends on the server's setup and configuration.

