vb.org Archive


Onur 03-09-2006 10:00 PM

Cracker Tracker
 
CrackerTracker

This is a port of the standalone Cback.de CrackerTracker system (originally made for phpBB) to a product for vB.
  • Description
    This hack searches the request string for defined code parts; if any hit is found, the script dies and sends a short message.
    In addition to security, this simple script relieves the server of load from automated attacks by bot scripts when the definitions have a hit in the requests.
  • Instructions
    Install
    • Upload the /elog/ directory and set the CHMOD of counter.txt and logfile_injects.txt to 666; this is only to log blocked requests.
      If you do not want to have writable files on your server, this hack works without logging too and you can skip this part.
    • Finally, install the CrackerTracker100-product.xml
    Update
    • uninstall product of v100
    • reinstall new product of v101
    Uninstall
    • uninstall the CrackerTracker100-product.xml
    • delete the /elog/ directory
  • Credits & Information
    I have only ported this hack to a plugin.
    The author of the hack is Cback from www.cback.de
    Cback's only restriction is the copyright in the footer.

    (I hope my English was understandable :o )


  • History
    • 10/03/06 Release 1.0.0
    • 15/05/06 Release 1.0.1
      • new search patterns, and a handful of old ones replaced
      • minor code modifications
    • 15/05/06 Release 1.0.2
      • one typo in list (missing ",")

XtremeOffroad 03-10-2006 08:57 PM

What does this do? Sorry, didn't quite understand.

Highendfreak 03-10-2006 09:08 PM

Quote:

Originally Posted by XtremeOffroad
What does this do? Sorry, didn't quite understand.

This hack protects your board against people who want to (cr)hack your forum. Originally coded by CBack for phpBB and now ported to vB. One of the best hacks ever...;)

Onur 03-10-2006 09:09 PM

phpBB has some problems with automated hacking attacks by bot scripts that find their victims via Google and send many requests to the board.

This script searches for a lot of requests such as '<script>' and kills the request, so the server has a little less load and a bad request can be blocked before it does its work.

It works in a similar way to the $_global handling of vB at the beginning of ini.php

redlabour 03-10-2006 09:43 PM

The best Hack from cBack in the whole phpBB World. Thx Onur - absolutely excellent work! :)

If anyone does not know cBack : http://www.community.cback.de/viewforum.php?f=52

@Onur - please edit a Link to cBack and the Title of this Hack to cBack CrackerTracker. And do not forget a link to vbhacks-germany etc. ;)

And sorry - but no one can understand your english description here. ;)

Quote:

This is a complete security system for phpBB2 Forums. It protects against session cracks, floods, search overloads, worm attacks, BruteForce Attacks, Mass Mailing and much more to reduce Traffic and to protect Board and other MODs.
http://sourceforge.net/project/showf...roup_id=154972

puertoblack2003 03-10-2006 09:47 PM

ok trying to understand, what this hack does is if someone or something tries to hack your board it will keep a log and then what slow server response or what?????:confused: :confused: :confused:

Onur 03-11-2006 05:52 AM

Quote:

Originally Posted by puertoblack2003
ok trying to understand, what this hack does is if someone or something tries to hack your board it will keep a log and then what slow server response or what?????:confused: :confused: :confused:

I mean, if an automated hacking script (Santy web worm) comes along and sends many requests to your board, this script ends the building and delivery of the requested page and so saves CPU time and traffic.
Some hacking requests have no chance of doing their work on patched boards, but you still have a lot of traffic.

Trigunflame 03-11-2006 06:13 AM

What this guy's trying to say is that his "addition" to your forum will kill the script if it notices any potential "bad requests" are being sent to the forum.

1. Most of these requests differ in "what they can do", showing phpinfo() is not going to help anyone own your server.
2. Vbulletin is not phpbb, and does not suffer from any of these problems to date.
3. If the request is being sent through a vbulletin php file they are not going to get executed anyway, this hack is Worthless on a Vbulletin Forum.

Motoman 03-11-2006 10:44 AM

According to our phpbb specialist (on "my" board) :

Quote:

Originally Posted by abcde
Just a note about the CrackerTracker by CBACK.DE, some staff members of phpbb.com have looked at this mod and say there are some serious security problems, the automatic update-system is according to them unsafe. This is the stand-alone of that phpBB mod so I think you should look at this issue.

Edit: I don't know if this is ported version of the phpBB mod, my German isn't fluent. ;)

Will this hack have any negative effects on vB through the "automatic update-system" or was this problem fixed when you ported it?

Motoman 03-11-2006 11:01 AM

Quote:

Originally Posted by Motoman
According to our phpbb specialist (on "my" board) :

Will this hack have any negative effects on vB through the "automatic update-system" or was this problem fixed when you ported it?

oops, I didn't see the edit note, but I'd still like to know if that "automatic update-system" will cause any trouble...

Marco van Herwaarden 03-11-2006 11:16 AM

Just 2 pieces of advice:
- If you don't know what this does: Don't Install
- If you think vBulletin will be vulnerable to the same sort of attacks as phpBB, do install; otherwise don't.

Onur 03-11-2006 11:58 AM

I don't know if there is any need for this hack in vB, but the one thing you can gain from this hack is that you can see any hacking attempts in the log.
OK, phpinfo() is blocked, but I don't think it is a good idea to share this info, except if you always have the latest version of PHP installed.

And it's true that the problems of another board system are not the same as the problems of vB, but I have found that vB 3.0.4 + 3.0.5 were released because of some problems with Santy and other holes.

Only in a nice and wonderful world does everybody update their system and their boards just in time; this script can block the one hacking attempt that would hack your site in the time between the release of the new version and when you have time to do the update ;)

And if you have any blocked functions on your board, look at the log, find the part of the string that collided with the definitions of the hack, and replace it.

And whether you were attacked without success recently, you can only see in the logs of your server or, after a test period, in the log of this CT :)

XanTrax 03-11-2006 02:01 PM

I think anyone that has a lot of hacks, mods, and extensions in should install this just to patch up any unnecessary holes in the mods they used.

buro9 03-12-2006 03:08 PM

If you have your own server and want to spend a little time learning about how to configure mod_security for Apache, you can obtain peace of mind for all of the sites, forums and scripts you host.

That can be found over here:
http://www.modsecurity.org/

JakeS 03-12-2006 04:33 PM

Nice, used to use this back in the day..

MyGamez 03-17-2006 01:13 AM

This is a Great Addition For Security on my Board.
Thank You Very Much, Works Perfectly.

sandalwood 04-04-2006 07:53 AM

this is fcking EXCELLENT, since mod-security is a handful and still not simple.

however, please make a version that skins the next time, so in other words make the error message on a normal vb page so its still in the forum theme colors etc. at least use the css.. thanku

sandalwood 04-04-2006 07:57 AM

can you PLEASE have it log a few things

1. whatever the vb variable for the currently logged in username is, LOG THE USERNAME PLEASE :) :)

2. log the date better, like YYYY-MM-DD, so it sorts chronologically. this has nothing to do with country format it is common sense for computer sorting purpose, left to right. 2006-04-03 .. and have that be the first column

... see number 1 actually thats the main thing
so you know if someone was logged, then know who they were

Devil Woman 04-16-2006 07:49 AM

I have added this to my forum, all seems to be working ok, or at least I think so. Where exactly do I find the logs of attacks?

Thanks

Onur 04-16-2006 08:05 AM

@sandalwood
1. no, on this hook no user info is available
2. this is possible in the next release

@devil Woman
*your forum*/elog/logfile_injects.txt (last 100 logs)
*your forum*/elog/counter.txt (count of all attacks)

Devil Woman 04-17-2006 07:30 AM

Thank you :)

H@K@N 04-20-2006 08:38 PM

I get a Security Alert if I use vBadvanced CMPS and try to add a Module.

The link is the following:
http://www.domain.com/admincp/vba_cm...&type=php_file

What should I change to let the System add Modules?

th@nks

sandalwood 04-26-2006 04:05 PM

Quote:

Originally Posted by Onur
@sandalwood
1. no, on this hook no user info is available
2. this is possible in the next release

ok i understand, thats too bad. though the ip address is known, and only one user will have been logged in using that ip address at that time, so perhaps you can somehow set another hook later so WHEN we do know the username, you can have a little check in there that will record it to file.

i know this would only matter for attacks from users, and that many attacks are not even from users, or from people who never log in. but some are :)

when the incident happens, record what we know, perhaps with ip address, and then set a variable like "intrusion_detected = 1" sort of thing. then in a separate hook at some point where we know the user logged in and we have username, check that variable, and if intrusion_detected is set, then record their username/ip to the file, so that way we can cross-reference it or something.

isn't there some kind of global variable that can be used? how does that work.

also, even if you can't do the second part, why not record the IP address at least. that way we can manually cross reference it, just search for the ip in the admin console and that will show us what user(s) have used that ip.

thanks :)

ps. this has never tripped for me except in testing. i guess most attacks are not in the URL part but in post string.

SweetHome 04-27-2006 09:51 PM

Hi
Onur, we have heard things to the effect that this add-on blocks attacks.
This hack blocks many dangerous scripts used for hacking forums, and it blocks them before they even reach the database.
So it is a very good protection method that prevents both the server from being kept busy unnecessarily and many dangerous scripts from crashing your database.


A friend opened a thread like this on vB Turkiye; I would be glad if you could help out and give a Turkish explanation of what it does.
Good luck with your work.

Webdude™ 05-13-2006 11:57 PM

https://vborg.vbsupport.ru/showthread.php?threadid=115351

CrackerTracker is blocking this plugin... how do I allow the linked plugin?

Onur 05-14-2006 06:15 AM

Quote:

Originally Posted by Webdude™
https://vborg.vbsupport.ru/showthrea...hreadid=115351

CrackerTracker is blocking this plugin... how do I allow the linked plugin?

What block string was displayed? Or look into /elog/logfile_injects.txt and post the list of strings, so I can search for the request that was blocked.

Webdude™ 05-14-2006 01:07 PM

1147567050,130506,24.182.112.118,u=17&admin_log_in _as_user=17,Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
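
Added example (not part of the thread and not CrackerTracker's own code): a parser for the log entry posted above that rewrites it with a sortable timestamp in the first column and groups hits by IP, as requested earlier in the thread. The field layout (Unix time, DDMMYY date, IP, query string, user agent) is an assumption inferred from that single line, and the second sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Line 1 is the entry posted in the thread (kept exactly as posted).
# Line 2 is constructed: its query string and user agent both contain commas.
SAMPLE_LOG = """\
1147567050,130506,24.182.112.118,u=17&admin_log_in _as_user=17,Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
1147570000,140506,192.0.2.10,q=a,b&x=<script>,Mozilla/5.0 (X11; Linux) AppleWebKit/1.0 (KHTML, like Gecko)
"""

# Assumption: the user-agent field starts with a product token like "Mozilla/4.0".
UA_START = re.compile(r",(?=[A-Za-z][\w.-]*/\d)")

def parse_line(line):
    """Parse one entry. Assumed layout: epoch,DDMMYY,ip,query,user-agent."""
    epoch, ddmmyy, ip, rest = line.split(",", 3)
    # The file is unquoted, so commas inside the query or user agent are not
    # escaped. Cut at the last comma followed by a product token and flag the
    # entry when there is not exactly one candidate.
    cuts = [m.start() for m in UA_START.finditer(rest)]
    cut = cuts[-1] if cuts else len(rest)
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),  # sortable, from the epoch
        "logged_date": ddmmyy,                       # as written by the server
        "ip": ip,
        "query": rest[:cut],
        "agent": rest[cut + 1:],
        "ambiguous": len(cuts) != 1,
    }

def sortable(entries):
    """Tab-separated rows, ISO timestamp first, so a text sort is chronological."""
    return sorted("{utc}\t{ip}\t{query}\t{agent}".format(**e) for e in entries)

def hits_by_ip(entries):
    """Blocked query strings per IP, for cross-referencing in the admin IP search."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["ip"]].append(e["query"])
    return dict(grouped)

ENTRIES = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    print("\n".join(sortable(ENTRIES)))
```

The epoch is converted in UTC, so its calendar date can differ from the DDMMYY field, which appears to follow the server's local time. Both the query string and the user agent are client-supplied, so entries flagged `ambiguous` need a manual look.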

Onur 05-15-2006 08:07 PM

Version 1.0.1 added

Some small changes, and the search patterns are now compatible with some hacks (I hope *g*)

Lover1 05-15-2006 08:35 PM

I did install that and i got this, when entering the ACP:

Code:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /xxx/xxx/htdocs/board/includes/init.php(292) : eval()'d code on line 34
:cross-eyed:

There is NOW no possibility to uninstall that, because i cant enter the acp.

Can you help me with that, please?

redlabour 05-15-2006 09:16 PM

Above the forum and portal it now also says:

Quote:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /poltbofu/www.politikstube.de/forum/includes/init.php(292) : eval()'d code on line 81

NiTRoN 05-15-2006 09:18 PM

I'm getting the same error as Lover1.. now I can't get into ACP.. wtf..

EDIT: 25 min later - I fixed mine.. but it involved a full restore and dumping the whole database and restoring from a .sql backup dump file.. Not a pleasant experience

rolliet 05-16-2006 01:08 AM

same thing here and have no access to my Admin CP. What do we do now???

NiTRoN 05-16-2006 02:13 AM

I'm guessing you will have to manually edit the sql database table to disable the plugin.. hmn.. now just gotta find out how or where the setting is.. cause only a site restore didn't fix it for me.. it gave me more errors.. so the settings are in sql tables..

Run below sql query to disable the product (if your prefix is other than vbulletin) change to prefix_product in the code below

UPDATE `vbulletin_product` SET `active` = '0' WHERE `productid` = 'c_ct_v1' LIMIT 1 ;

then u should be able to remove/uninstall it

let me know if it works.......

rolliet 05-16-2006 02:56 AM

I ended up doing an empty and restore on my database. Everything worked fine but lost everything from midnight last. Have gone in and uninstalled product.

Thanks for the help though and hope it helps some out there.

redlabour 05-16-2006 06:10 AM

Works now - but :

It is unable to overwrite the old Version - which means that it is going to be installed double !!!

Please uninstall V1.0 and then (!) install the new one.

Onur 05-16-2006 06:19 AM

No double install:
first uninstall the v1.00 product and then install the new 1.0.2, but you do not have to upload the elog folders for an update.

Do not install twice; because of the change to the product ID the old version is not overwritten, but this is a one-time thing.

Lover1 05-16-2006 07:17 AM

I did uninstall the v1.0.0 and got that error. is that fixed with 1.0.2? I solved that error with restoring from a sql backup.

kabadayi 05-16-2006 09:30 AM

vbulletin flood guard

sensimilla 05-29-2006 07:45 AM

After uninstalling it the footer remains changed..
How do I remove

Quote:

Protected by CBACK.de CrackerTracker
from the footer safely ?

Onur 05-29-2006 08:21 AM

Uninstall the CT product in the product manager and the plugin is replaced with the copyright; if you have installed the plugin cache (another hack here on the board) you have to regenerate the plugin cache too.

To check whether the product is really uninstalled (only the 1 hook with code), open
youre-board.tld/index.php?fopen
If no message appears, the CT is uninstalled.

