vb.org Archive
Page 9 of 9 « First 78 9
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.7 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=228)
-   -   Miscellaneous Hacks - Cyb - Advanced Forum Rules (https://vborg.vbsupport.ru/showthread.php?t=177559)

haytham 05-05-2011 11:22 AM
Thank you Valter for your efforts.

Alfa1 05-05-2011 12:43 PM
Quote:
Originally Posted by Suiram (Post 2192013)
I've read this too. What's it mean exactly? How long after the update? Minutes? Hours?
And do they get hacked if they fix the breach and uninstall the mod?

Because this is the way I read their claims:
  1. their vb forum was using this mod @v4.0.2
  2. the forum was breached
  3. they read it may be the mod at fault
  4. they regain/clean their server/forums (one assumes!)
  5. they install the "fixed" 4.0.3 mod
  6. shortly after (minutes/hours?) they are hacked again
  7. they still blame the mod.
To them I say redo step 4 and then disable/uninstall the mod.
See if you get hacked again.
Yes? ==> Most likely not the mod.
No? ==> Hmmmmm.... ==> Enable/install the mod and now see.

(Unless their server is still compromised because it wasn't "cleaned" properly.)
Good point!

RCKSTR 05-05-2011 01:47 PM
Here is what I found. This may not be a complete list and I encourage others to chime in if I missed anything:

I have removed the following malicious files:

Quote:
[******@gator**** /home/**********/public_html]# stat forums/includes/xml/vba.php
File: `forums/includes/xml/vba.php'
Size: 257983 Blocks: 512 IO Block: 4096 regular file
Device: 807h/2055d Inode: 38740597 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 837/ *****) Gid: ( 837/ ******)
Access: 2011-05-04 17:44:26.000000000 -0500
Modify: 2011-05-04 18:39:39.000000000 -0500
Change: 2011-05-04 18:39:39.000000000 -0500
[*****@gator******* /home/******/public_html]# stat forums/includes/vba.php
File: `forums/includes/vba.php'
Size: 257983 Blocks: 512 IO Block: 4096 regular file
Device: 807h/2055d Inode: 33064053 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 837/ subaru) Gid: ( 837/ subaru)
Access: 2011-05-04 17:44:26.000000000 -0500
Modify: 2011-05-04 18:39:39.000000000 -0500
Change: 2011-05-04 18:39:39.000000000 -0500

Valter 05-05-2011 02:11 PM
Hacked by Team Animus?

Please read this thread:
https://vborg.vbsupport.ru/showthread.php?t=263202

haytham 05-05-2011 05:50 PM
Quote:
Originally Posted by Valter (Post 2192167)
v4.0.3 - May 04. 2011.
-Security bug fixed

To update:
-Import XML, allow overwrite


If your site has been hacked please check out this post:
http://www.vbulletin.com/forum/showt...15#post2154415
Unfortunately, I did just that and allowed over write. Lost all my rules and now if I click on the rules link, it takes me to FAQs about smileys!

Langaleer 05-05-2011 06:06 PM
Quote:
Originally Posted by TaBsiCore (Post 2192174)
Is the bug now definitely fixed? Or did the second hack happened over the installed backdoor? The current situation is a bit confusing.
Its definately not fixed. I had the email from vBulletin to say a plugin I had (this one) had an exploit and was in quarantine. I never had a hack before, and when I looked at the thread linked earlier, it was stated the vulnerability was resolved and to download the latest version.
This I did, and then my forum was hacked in a short while after (maybe 15ish minutes?).

Now considering I hadn't been hacked on the previous version, then I upgrade to the latest version, resulting in the issue that other people have posted - I'd definately point my finger to this!

Alfa1 05-06-2011 12:53 AM
Quote:
Originally Posted by Langaleer (Post 2192374)
Its definately not fixed. I had the email from vBulletin to say a plugin I had (this one) had an exploit and was in quarantine. I never had a hack before, and when I looked at the thread linked earlier, it was stated the vulnerability was resolved and to download the latest version.
This I did, and then my forum was hacked in a short while after (maybe 15ish minutes?).

Now considering I hadn't been hacked on the previous version, then I upgrade to the latest version, resulting in the issue that other people have posted - I'd definately point my finger to this!
You may be right, but it is also possible that the hack attempt was already in progress before you upgraded to the latest version. So the hacker was already in. And he continued the hacking after you upgraded, because your system was already infected. 15 minutes is quite a short time frame.

I would go through the procedure that Valter posted to get your site in order. After that you can always decide whether or not you want to activate this addon or not.

Valter 05-06-2011 07:49 AM
v4.0.4 - May 06. 2011.
-Fixed: vbseo users not able to switch rules

To update:
-Import XML, allow overwrite

TheKdd 05-07-2011 08:01 PM
Quote:
Originally Posted by haytham (Post 2192369)
Unfortunately, I did just that and allowed over write. Lost all my rules and now if I click on the rules link, it takes me to FAQs about smileys!
I have the same thing going on. I disabled the hack, and now new registered members are receiving their confirmation e-mail sending them to the smilies page. Did you figure out how to fix this?

haytham 05-08-2011 10:21 AM
No. I had to uninstall all plugins because my host was having issues and I was trying to find if my products were the reason..any way long story short..I had to uninstall it..but I am sure on my new host, I'll install it again.

LauraM 05-08-2011 03:28 PM
Valter, thank you for working so fast and putting out an updated version with the security patch. Your very quick attention to this is appreciated. :)

Suiram 05-09-2011 09:54 PM
i was just hacked. i have no doubt it was this mod. why? because it was the only mod i was using. plain vanilla vbulletin v3.8.6 pl1 and this mod - nothing else. i was not hacked with v4.0.2, i was not hacked when i updated to v4.0.3 but a few days after the initial hack reports by others and then i was on v4.0.4. and yes, i did tick the overwrite box. i almost deserve this for not uninstalling it right there and then, when people were reporting their sites hacked. like another guy said in the other forums, thank God it was a "friendly" hack. never again. i'll stick to vanilla forums from now - lesson learned.

i'm here to find out why i still have a link to http://forums.(mydomain).com/misc.php?do=cfrules which goes to the icons faq question. how do i get rid of this "portal to hacking" completely? i want any and all traces removed.

Daverball 05-10-2011 10:29 AM
Check out this thread: https://vborg.vbsupport.ru/showthread.php?t=263202

It's well possible that you have been hacked before you updated, Hackers tend to install a backdoor, so they can get back inside, even if the exploit they used to get in has been fixed already. It's not always super obvious that you have been hacked, it can happen very subtly, without you ever noticing.

I'm not quite sure what your question is though, do you mean, that you still have a link labeled "Rules" in your navbar? If so, I'm sure you can get rid of it by examining whether there are any active template modifications on the navbar template, if not, you may be able to remove the link by making a template modification of your own.

And if your question is why http://forums.(mydomain).com/misc.php?do=cfrules is still leading somewhere, that's because misc.php is a file which implements many many features, like your FAQ. The Smiley thing seems to just be the default and since cfrules doesn't exist anymore it displays the default.

Suiram 05-10-2011 02:52 PM
Quote:
Originally Posted by Daverball (Post 2193987)
It's well possible that you have been hacked before you updated, Hackers tend to install a backdoor, so they can get back inside, even if the exploit they used to get in has been fixed already. It's not always super obvious that you have been hacked, it can happen very subtly, without you ever noticing.

i don't think so. the file was uploaded on the 9th. i updated to to the "fixed" version 4.0.3 on the 5th. i don't know. i'm still unsure what exactly went down.

https://vborg.vbsupport.ru/external/2011/05/45.jpg

The Realist 05-10-2011 04:51 PM
I also was using this mod and updated to the latest files attached here and was hacked and locked out, I gained access, removed the fake admin, re-did the titles etc and since that my whole forums files (the lot) has been deleted by someone.

This was 3 years plus worth of work gone down the pan because the developer of this hack didnt check his work.

Now Im stuffed and hoping my host can restore the site or its gone for good.

Thanks.

The Realist 05-10-2011 07:12 PM
Per my above post. My host has carried out a check of the logs and says the following:

Quote:
I scoured your logs to find no indication of an account breach. However, I did pin-point when this occurred by the error logs and have reason to believe your scripts was exploited to allow your files to be deleted.

Here is the log entries (our helpdesk may strip these - see the raw email):


[Tue May 10 03:32:41 2011] [error] [client 94.143.240.103] malformed header from script. Bad header=Fxxxxxxx%2Fpublic_html%2Femail: vbseo.php, referer: http://www. xxxxxxx. co. uk/includes/vba.php?x=ls&d=%2Fhome2%2Fxxxxxxx%2Fpublic_html&so rt=0a
[Tue May 10 03:33:30 2011] [error] [client 94.143.240.103] malformed header from script. Bad header=Fxxxxxxx%2Fpublic_html%2Femail: vbseo.php, referer: http://www. xxxxxxx. co. uk/includes/vba.php?x=ls&d=%2Fhome2%2Fxxxxxxx%2Fpublic_html&so rt=0a
[Tue May 10 03:36:46 2011] [error] [client 94.143.240.103] File does not exist: /home2/xxxxxxx/public_html, referer: http://www. xxxxxxx. co. uk/includes/vba.php?

As you can see, there is a script that was either uploaded through an exploit or it is a script you are using that was exploited. The "hacker" was attempting to view your files and 3 minutes later the file was gone. These logs show the unsuccessful attempts and also show they were reworking the exploit to be successful. So whatever includes/vba.php was/is, it contains a nasty exploit or was a shell that was uploaded through an exploit of your scripts. You may want to ensure vbseo is updated.

While these do not give solid evidence of the exploit as these was logged in the error log, it's almost for certain due to the calls and time frames. Your raw access logs have already rotated, and would have gave us the solid evidence needed as it would have shown the successful attempt, but it's not needed after concluding the above. I'm 99% sure they was trying to list your files to test the exploit. Once they was able to list them, they carried out the intentions by removing all files.

As you already noticed, your database is intact. All you need to do is reupload your files and plug in the DB information. Just be sure to update all scripts and audit your files.
Make sure you have backups because this hack can delete your whole forum.

Regards

babynino 05-11-2011 06:36 AM
My forum was hacked again after a recent attack on my site a few days ago. We did a full restore, patched this mod to the current one which says that it was patched and yet a few minutes ago, my forum was hacked.

Add me to the list saying that this updated patch is not yet secure.

error10 05-12-2011 08:44 PM
I'm watching this closely.

It would be very helpful if someone can find in their server logs the original attack, or any accesses related to the attack. (The error log info above wasn't quite helpful enough for me to work with.)

Disasterpiece 05-13-2011 12:14 AM
I found a security hole in the script code which allowed me to execute php script code. (v4.0.4)

@Author/s/whoever is in charge: Plz contact me ASAP per PM

Cristi_XP 05-17-2011 08:44 PM
if we only disable the product will be safe ? or have to uninstall it till a good update ?

Valter 05-17-2011 09:42 PM
v4.0.5 - May 18. 2011.
-Fixed: Security bug
-Improved rule acceptance check

To upgrade:
Import XML, allow overwrite

z0diac 05-17-2011 11:44 PM
Quarantined, restored, re-quaratined, re-restored...

I uninstalled all my Cyb mods and will never use them again. Nothing against the coder. It was an honest mistake I'm sure that caused the problems. But regardless, I don't have the time to spend restoring entire forums from backups if they get hacked.

vijayninel 05-18-2011 12:02 AM
Quote:
Originally Posted by z0diac (Post 2196953)
Quarantined, restored, re-quaratined, re-restored...

I uninstalled all my Cyb mods and will never use them again. Nothing against the coder. It was an honest mistake I'm sure that caused the problems. But regardless, I don't have the time to spend restoring entire forums from backups if they get hacked.
Congratulations on your new thoughtful safety measures. The next time problems develop in PHP, Mysql or default vBulletin then make sure to uninstall those and never use them again as well.

Daverball 05-18-2011 12:10 AM
Quote:
Originally Posted by Cristi_XP (Post 2196884)
if we only disable the product will be safe ? or have to uninstall it till a good update ?
Disabeling it will be quite enough. Disabeling is basically uninstalling without deleting the database entries, so no user will be able to interact with the plugin while the data of your rules and who has already accepted the rules will be preserved.

viprtwo 11-09-2011 06:35 PM
Has anyone been hacked since installing 4.0.5?

CMFINC 12-30-2011 03:42 PM
been up going good since the fix.

b65ran 03-05-2012 10:57 PM
Do we have an update for 4.1 ?

Gadget_Guy 04-18-2013 02:22 AM
My users are telling me that this has started interfering with our TapaTalk integration.

Users are getting errors accessing the site telling them that access is being denied.

TapaTalk looked into this and they said:

When Tapatalk trying to access your forum, it is forced to a page to agree your forum rules page. You may need to investigate on how to remove that restriction.

Any ideas how I can fix this? I love this mod and really don't want to give it up.

D.


All times are GMT. The time now is 12:57 PM.
Page 9 of 9 « First 78 9
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01491 seconds
  • Memory Usage 1,820KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (10)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (28)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete