vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Version 3.6.6. | Exploit is out? (https://vborg.vbsupport.ru/showthread.php?t=147303)

dadu911 05-15-2007 11:27 AM
Version 3.6.6. | Exploit is out?
 
I just recently updated to 3.6.6 and I got exploited.

All my threads got renamed to tom and the first post has a picture of tom and a subtitled saying: "owned by tom"

Is there any additional security hacks I can install. It is really getting on my nerves.

Please Help

Dismounted 05-15-2007 11:29 AM
This probably isn't vBulletin. Maybe one of your hacks.

Oblivion Knight 05-15-2007 11:30 AM
Make sure that you and your admins use strong passwords.. Also, check that any other software being run on the server is up-to-date.

It's highly unlikely that it's a security issue with vBulletin 3.6.6

dadu911 05-15-2007 11:43 AM
Hmm I have two hacks installed. HideHack + The Statistic hack. That is all.

I did a login history in Direct Admin, nothing it is just me.

I believe this is a VB Exploit that is currently out.

Dismounted 05-15-2007 11:44 AM
If it is, report it on vB.com? If it's just you, maybe someone logged in under you. Check the Admin Logs.

Oblivion Knight 05-15-2007 03:55 PM
Quote:
Originally Posted by Oblivion Knight (Post 1247993)
It's highly unlikely that it's a security issue with vBulletin 3.6.6
Ha, I retract that statement..

An XSS calendar exploit was just discovered.

dadu911 05-15-2007 11:23 PM
Well everyone I HATE TO SAY I TOLD YOU SO!!:

vBulletin 3.6.7

As much as we hate to spring another upgrade on you all so soon after the release of vBulletin 3.6.6, an XSS flaw was identified today and in order to maintain our commitment to fix security problems as soon as we become aware of them, we have to release 3.6.7 and a patch for older versions.

Shazz 05-15-2007 11:57 PM
Err, Do you have any backups?

dadu911 05-16-2007 02:43 AM
Yep one from 2 weeks ago. We hit 103,000 users but nope now we are back to 97,000 because we got exploited and thats that.

Hopefully VB will test out their software fully before releasing to the public. Any who thanks for the updated version.

ALWAYS BACK UP - Lesson well learned.

DieselMinded 05-16-2007 03:44 AM
Wow !

Shazz 05-16-2007 04:00 AM
Quote:
Originally Posted by dadu911 (Post 1248472)
Yep one from 2 weeks ago. We hit 103,000 users but nope now we are back to 97,000 because we got exploited and thats that.

Hopefully VB will test out their software fully before releasing to the public. Any who thanks for the updated version.

ALWAYS BACK UP - Lesson well learned.
Thats a ton of users lost :erm:
Sorry for the loss

dadu911 05-20-2007 11:26 AM
THERE IS A HOLE IN Latest Version: 3.6.7 PL1 ALSO!!! THEY CAN LOGIN AS ADMIN!!! MAN VBULLETIN HELP

someone logged in as admin, has changed the password and turned the forum off. He placed his url so he gets the hits.

This is SAD! Yet again another hole in VBULLETIN!

Dismounted 05-20-2007 11:51 AM
I would say not. Disable all your hacks and change FTP, cPanel, and MySQL passwords.

Paul M 05-20-2007 12:20 PM
Quote:
Originally Posted by dadu911 (Post 1251354)
THERE IS A HOLE IN Latest Version: 3.6.7 PL1 ALSO!!! THEY CAN LOGIN AS ADMIN!!! MAN VBULLETIN HELP

someone logged in as admin, has changed the password and turned the forum off. He placed his url so he gets the hits.

This is SAD! Yet again another hole in VBULLETIN!
What hole would that be then ?

You have not offered any proof that any of the exploits of your server were via vbulletin, you've just conviently decided that a previously unknown XSS in in the events area was used, which is actually highly unlikely. It helps to actually have evidence before making wild accusations. :)

dadu911 05-20-2007 08:51 PM
Lol Man I was right before and I am right again. Give it another 24 hours, VB will announce a new version cause another security issue!

This time this exploit works like this:

They can login as admin, turn off forum and redirect to another site.

This is a brand new exploit and hasn't been a security fix for it yet!

Shazz 05-20-2007 08:56 PM
Quote:
Originally Posted by dadu911 (Post 1251687)
Lol Man I was right before and I am right again. Give it another 24 hours, VB will announce a new version cause another security issue!

This time this exploit works like this:

They can login as admin, turn off forum and redirect to another site.

This is a brand new exploit and hasn't been a security fix for it yet!
:o
[high]* Shazz looks into vbulletin.com[/high]

sonichero 05-20-2007 09:03 PM
*sees patch for 3.6.7...

...oh bugger...

dadu911 05-21-2007 12:35 AM
I already have: vb 3.6.7 PL 1 and I got exploited L.O.L

I did a full upgrade. :( the guy keeps doing it.

Shazz 05-21-2007 12:54 AM
Quote:
Originally Posted by dadu911 (Post 1251777)
I already have: vb 3.6.7 PL 1 and I got exploited L.O.L

I did a full upgrade. :( the guy keeps doing it.
Did you read what Paul M posted a few posts ago?

Quote:
Originally Posted by Paul M
What hole would that be then ?

You have not offered any proof that any of the exploits of your server were via vbulletin, you've just conviently decided that a previously unknown XSS in in the events area was used, which is actually highly unlikely. It helps to actually have evidence before making wild accusations.

El_Muerte 05-21-2007 07:37 AM
once you've been compromised you need to change all your admin and system (e.g. database, shell, etc) passwords.
there's a fair chance that your forum got compromised because of a weak admin password, otherwise there would be much more reported compromises.
all versions prior to 3.6.7 were exploitable, not just 3.6.6

dadu911 05-21-2007 02:53 PM
Yea Shazz What proof you want? Screenshots of another person logged in as me, the admin?

Site being exploited 3,4 times. It is not a system issue, it is vb, the hacker is even playing games with me, he has many sites databases. He exploits them, logs in as admin, he gains acess to admincp and creates his back up, he has many ways.

I fully upgraded to 3.6.7 pl1, changed all my passwords. Poof, he does it again.

I was right about 3.6.6. also check the first post here, I discovered the hole in calendar. Cause he hacked that too.

Dem3ntedSn1per 05-21-2007 03:33 PM
Quote:
Originally Posted by dadu911 (Post 1252110)
Yea Shazz What proof you want? Screenshots of another person logged in as me, the admin?

Site being exploited 3,4 times. It is not a system issue, it is vb, the hacker is even playing games with me, he has many sites databases. He exploits them, logs in as admin, he gains acess to admincp and creates his back up, he has many ways.

I fully upgraded to 3.6.7 pl1, changed all my passwords. Poof, he does it again.

I was right about 3.6.6. also check the first post here, I discovered the hole in calendar. Cause he hacked that too.
Not to seem rude, as I am new to vB. But...I've been running sites for a while now and work for a software developer that produces web based applications, so I'm not a complete novice when it comes to things like site security. There is no forum software that is 100% hacker proof, but you seem to care more about trashing vB than you do about actually helping the community protect itself from a potential exploit.

vB has a nice sticky post in their quick tips and customization section called "How To Make My Forums More Secure". If he's continuing to get in to your admin cp, there's something going on. Maybe you haven't taken proper steps to secure it or maybe you have a key logger on your own computer and keep inadvertently giving your passwords to him.

Since you single handedly identified the calendar exploit before anyone else, maybe you can present evidence of the hole in 3.6.7 PL1 that is causing your site to get hacked instead of just ranting that there's a new, unidentified exploit. :confused:

JamieLee2k 05-21-2007 09:21 PM
why not change where the admincp folder lies and then just edit the config.php
If you have issues and know how they are getting in the get the log files from the FTP and let vbulletin know

theFAILURE 05-21-2007 09:51 PM
Sounds more like you got keylogged than exploited.

DaReD3ViL 05-21-2007 10:58 PM
this was most likely an XSS exploit .

SCRIPT3R 05-22-2007 01:41 AM
smells like B.S. to me.

smacklan 05-22-2007 01:51 AM
ever heard of .htaccess protection on your directories? ;)


All times are GMT. The time now is 08:03 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01427 seconds
  • Memory Usage 1,772KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (27)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete