Warning to FlashChat users - security hole
 

GET /chat/inc/cmses/aedatingCMS.php?<exploit data>

Warning to users who use FlashChat - this script was just used to add an exploit script to my server.

Please don't post full exploits where everyone can see them (and then go try them ....).

Anyone with Flashchat integrated with their VB should remove all the files from /chat/inc/cmses/ except the vbulletin##CMS.php file they are using (where ## is either 30, 35 or 36) as they are not used.

If you have already been 'hacked' into via this hole. Then do you need to do anything addtionally to resolve it ?

thank you for information MPDev :)

Thanks Paul for this! I removed all files but the 30, 35, and 36 because I just wasn't sure which one I needed :surprised:

FLMom

which version of vBulletin do you use?

I'd assume 30 is for the 3.0.x series, 35 is for 3.5.x and 36 is for vBulletin 3.6

Hope that helps, and glad i dont have this anymore :D

Thanks for the heads up. I'm a nut about space, so these already didn't exist, but it's still great to know.

Cheers peeps...issues pre-resolved :)

Look in your chat directory /inc/config.php

Line 55 in my file

Thanks for posting the fix, Paul. :)

Rebecca

I am running 3.5.4, so now I know which ones to remove...didn't even think about those numbers meaning that..oops!

Thanks for the help everyone!

The little buggers used the hole to install a shell script and an IRC relay service; they then went through my web directory and replaced all my index files with "you've been hacked" files. It took me a few hours to get everything off the server; but then they struck again via a security flaw in SiteBuilder - fortunately I caught that one live and stopped them before they could do anything.

You are only as secure as your weakest script; if you are like me and like to offer your users a variety of add-ons to your websites, then it makes sense you would want to keep up on any updates to those pieces. I was a version or two behind on FlashChat (update a mere few months ago).

is not only thru flashchat i don't even have that installed a new user subscribed to my forum and pluged this in the post look at this post here https://vborg.vbsupport.ru/showthread.php?t=125628 and look at the picture of what that user did but i beat him to the punch i was down for like 3 mins and back online

That's why I built www.flasherize.com, the chat can't be hacked.

Don't jinx yourself.:surprised:

So let me get this right. I just deleted EVERY file inside the directory you specified EXCEPT vbulletin36cms.php due to I run vBulletin 3.6. So this will fix the hole in Flashchat so I don't get hacked? Thanks!

deleted this piece of crap after my site was hacked and all index pages replaced.

Im gonna remove flashchat anyways now...

-b6

if you have high traffic, use IRC server. its much better and stable for high high high traffic forums.

i went from holding 100+ users in the flash chat and laggy as hell to 600+ users in the irc server smooth sailing.

hey guys it 's not only flash it's the topXstat hack too i was hacked as well and i was able to recover from it i was told by steve at .com that the topXstat also has a hole so i uninstalled it and i should be ok i don't know if it had an effect of the newer for 3.6 for i still using .4.

Hello,

I am using Top X Stats 1.6.1a on vb 3.5.4., is there a way to keep this mod and fix the security issue?


Thank You,

Nuguru :)

Yes, this will take care of both problems

These little script kiddies are using some really lame (actually calling them "script kiddies" is being overly generous for these lamers) tricks (more like an annoyance), but here is a very simple fix.

Go into you AdminCP and under vB Options choose Censorship Options.

In the Censored Words window add this.

That will put an end this nonsense.

I got hit aswell, removed Flashchat now as it's not worth having for the risks involved...

Hello Everyone,

I gotta say, it's times like this when we are all under the pressure of getting matters quickly dealt with that you can really see how users at vbulletin.org come together and help one another. Great job to all for the excellent exchange in communication and support. We'll beat those little shits!

Regards,

Nuguru :)

I got hit as well last night.

The little nobs overwrote files all accross my site, they killed off virtuanews, photopost and vbulletin for a time and left just this message...

"by Thehacker own3d **** israel n0 war"

I was running flashchat, which I have now removed. The scarry thing is once they were in, it seems they had the freedom to roam right accross my domain. They replaced every index.html file in virtuanews with a hacked version and there are dozens in all the sub directory's.

Therer were several other people also hit from my host last night, with the same message.

thanx for the heads up and fixes people,really appreciate it

I've removed FC for good because of this... i know it's not their fault...but still... don't want the hassle... anyways...another thing you can do to stop these kiddy-fiddlers is remove the version number from your vBulletin... it's legal and can stop these ++++nuts googling your forum for the right version or whatever... just incase

-b6

An update. The hackers came back tonight and somehow gained access again, even after uninstalling the flashchat plugin and all associated plugins, and totally removing all the flashchat files and deleting the chat dir. It seems they must have left some script behind to keep the door open. The first thing that happened was that my chat dir re-appeared and a new set of flashchat files dropped in from the ether.

If we can pin down this backdoor, script, pl file or whatever it is, I'll let you know.

Please keep us updated, I've been hacked through flashchat too.

One of the other issues to deal with is new installs after the cleanups occur. For now we have new cronjobs looking for flashchat installs and removing the unneeded files.

If you're looking for a very secure chat, check out www.flasherize.com... try the demo. :)

Have any of you tried running chkrootkit or rkhunter to see if it finds the back door?

Look for files with a creation or modified date of the day of the hack (or later). I found an IRC relay setup posted in an obsecure directory that I had to remove - they had also placed an entry in the apache crontab to restart itself every 10 minutes that I had to remove.

Check your cron files; check your site directories for new files/directories; try something like:

find . -name "*" -exec grep c99 {} \;

to see if you get any files which have the c99 tag in them (the shell script that are installing).

I was running flash chat and was not as lucky as most people when I was hit yesterday. The message board was the only thing left, the index file for that had been replaced with something to the effect HACKEYD BY STOUNE!!! and a link to http://stounee.ifrance.com/

I went to replace the index file and found every single other directory and file was gone! for some reason they left the board though.
The web host did have a recent backup for me thankfuly, but at a price of course. :(
I ended up dumping my whole vB directory and upgrading to 3.6 and changed passwords on everything.

That's horrible.

We at RonaldReagan.com use VPS hosting from KnownHost.com and they back up all our sites and subdomains daily with no extra charge for it or restore. I would have a serious problem with any web host trying to profit off a client's hour of need.

Nice domain! Great man too...I may just have to join up and fellowship with other RR admirers :)

We would be glad to have you! http://www.ronaldreagan.com/forums/i...lies/hello.gif

Heh I wish my host was as friendly in a time of need like you are.
Since cleaning up, I have been checking the web site error logs and in the last six hours there been 20 hits looking for aedatingCMS.php, all different IP addresses.
I wonder how long before they realize it is gone give up trying to find it.

FYI -

Your host needs to check the contents of /tmp. Any of the following rogue files/directories needs to be removed from there. (Reference: RSTbackdoor technical details from Symantec) Probably how they got back in a second time.

/tmp/bdpl
/tmp/back
/tmp/bd
/tmp/bd.c
/tmp/dp
/tmp/dpc
/tmp/dpc.c

Also - make sure you reinstalled your flashchat with completely clean files. I thought replacing the index page would fix it - it didn't - when I downloaded the entire chat directory down to my drive for scanning it also found another trojan within those files called hacktool.flooder (Symantec related page)

And of course, after uploading all clean files - remove the cmses files that are not related to your current installation as Paul stated.

Was hacked last Friday (thank you, FlachChat). Program removed and will never be reinstalled again. Still trying to do serious damage control after what the hackers put on my home page on emailed to my members. :(