vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Th3H4ck hacked hundreds of VB forums over the last two days. (https://vborg.vbsupport.ru/showthread.php?t=301904)

lapiervb 09-05-2013 11:37 AM

Th3H4ck hacked hundreds of VB forums over the last two days.
 
Th3H4ck has hacked hundreds of vB forums over the last few days. What is the exploit, and are we working on a fix???

Just google Th3H4ck

BlkBullitt 09-05-2013 12:08 PM

Yeah, I saw he joined today and used my Spam-O-Matic features to get rid of him, but I would really like to know how he signed up as an Admin?

lapiervb 09-05-2013 12:13 PM

Quote:

Originally Posted by BlkBullitt (Post 2443430)
Yeah, I saw he joined today and used my Spam-O-Matic features to get rid of him, but I would really like to know how he signed up as an Admin?

Did you get an IP or any information as to what he is doing once he's in?

kinkdink 09-05-2013 12:42 PM

Looks like a bot attack to me.

It relates to this article
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

Apache Log below:
178.33.229.22 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:38 +0100] "GET /forum/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:40 +0100] "GET /core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
66.96.183.79 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
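
The log above shows the pattern worth alerting on: a scanner tries several path prefixes for install/upgrade.php, gets 404s, finds one that answers 200, and a second address immediately POSTs to it. The following is an added example, not code from the thread or from vBulletin, that parses Apache combined-format lines and grades each install/upgrade.php hit (404 probe, 200 reachable, accepted POST). The sample lines are three of the ones posted above plus one constructed benign request; the path pattern and severity names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Apache combined/common log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The scanner guessed prefixes (/forum, /forums, /core, ...) in front of this suffix,
# so match on the suffix rather than on a fixed path.
INSTALL_RE = re.compile(r'/install/upgrade\.php$')

# Three lines from the post above plus one constructed, unrelated request.
SAMPLE_LOG = """\
178.33.229.22 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
66.96.183.79 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
10.0.0.5 - - [05/Sep/2013:10:12:00 +0100] "GET /showthread.php?t=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def classify(entry):
    """Severity for one parsed entry, or None when it does not touch install/upgrade.php."""
    if not INSTALL_RE.search(entry["path"]):
        return None
    if entry["method"] == "POST" and entry["status"] == 200:
        return "CRITICAL"   # the upgrade script accepted a POST: assume it ran
    if entry["status"] == 200:
        return "HIGH"       # script is reachable, so the directory is still on the server
    return "PROBE"          # 404: scanner guessing path prefixes


def scan(log_text):
    """All install-related entries as (severity, ip, method, path, status) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        sev = classify(entry)
        if sev:
            findings.append((sev, entry["ip"], entry["method"], entry["path"], entry["status"]))
    return findings


def summarize(findings):
    """Per-IP counts of each severity; a HIGH or CRITICAL count > 0 means act now."""
    by_ip = defaultdict(lambda: {"PROBE": 0, "HIGH": 0, "CRITICAL": 0})
    for sev, ip, *_ in findings:
        by_ip[ip][sev] += 1
    return dict(by_ip)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(summarize(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a single HIGH entry is enough to confirm the install directory was still present at that timestamp, and a CRITICAL one from a different address, as in the post, is the hand-off from scanner to exploit.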

lapiervb 09-05-2013 01:05 PM

Do we just delete the entire install folder?

nhawk 09-05-2013 01:07 PM

Quote:

Originally Posted by lapiervb (Post 2443440)
Do we just delete the entire install folder?

That's what it says.

CareyG 09-05-2013 02:14 PM

Quote:

Originally Posted by BlkBullitt (Post 2443430)
Yeah, I saw he joined today and used my Spam-O-Matic features to get rid of him, but I would really like to know how he signed up as an Admin?

He signed up twice on my forum as admin. I have deleted the install folder. I don't know what else to do or what, if anything, he did to my forum.

Lynne 09-05-2013 03:53 PM

If you want to see what he did on your site, go to Admincp > Statistics & Logs > Control Panel Log. You will see if he added a plugin or accessed the templates, etc.

DELETE YOUR INSTALL DIRECTORY!!!

dawges 09-05-2013 04:18 PM

I was a victim of this also. Check my thread. If you guys haven't already you need to check the database and your templates. On my forum they put iframes in the footer of all my templates.

I had 8 Administrators in the admin group with the same name. However, one admin account was just a "."

BlkBullitt 09-05-2013 06:06 PM

Quote:

Originally Posted by lapiervb (Post 2443431)
Did you get an IP or any information as to what he is doing once he's in?

IP addy 180.216.122.253 and I checked my Control Panel and I don't see anything logged for the user so it looks like he just signed up and that was it. I am almost 100% certain I deleted my install folder after the initial install a year ago.

ozzy47 09-05-2013 11:12 PM

Yeah we went through this with another member yesterday, https://vborg.vbsupport.ru/showthread.php?t=301892

owning_y0u 09-06-2013 06:26 AM

A lot of vB clients don't even know he is on their forum as administrator. It's kind of sad that people, despite the warnings to remove their install directory, still have it on their server(s).

cellarius 09-06-2013 07:47 AM

Well, it's kind of sad it took IB a week to send out security bulletins by mail. Not everyone checks their admincp or the announcement forum on vb.com every day (the latter can't even be subscribed, since that - surprise - does not work in vB5). It's probably not the fault of the support staff, but I imagine they need to get approval from the IB high command to send out such things.

RickyH 09-06-2013 10:19 AM

Despite who reads things on the announcements, it shouldn't matter. People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked. It does state that leaving precious files and folders on the server can cause people to "hack" or "attack" the forum.

cellarius 09-06-2013 11:22 AM

Quote:

Originally Posted by RickyH (Post 2443668)
People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked.

No, this is wrong. People were told to remove install.php from the server, not the install folder. Just the opposite: People who asked have explicitly been told to leave the install folder on the server, because it contains files like the style or language xml files that can be useful when troubleshooting. This is why you can't access AdminCP after install/upgrade when install.php is present, but you can access AdminCP perfectly when the install folder is present.

You should at least get your facts straight before you tell people it's their own fault.

ForceHSS 09-06-2013 12:39 PM

Quote:

Originally Posted by cellarius (Post 2443686)
No, this is wrong. People were told to remove install.php from the server, not the install folder. Just the opposite: People who asked have explicitly been told to leave the install folder on the server, because it contains files like the style or language xml files that can be useful when troubleshooting. This is why you can't access AdminCP after install/upgrade when install.php is present, but you can access AdminCP perfectly when the install folder is present.

You should at least get your facts straight before you tell people it's their own fault.

https://vborg.vbsupport.ru/showpost....8&postcount=33

TheLastSuperman 09-06-2013 12:59 PM

Quote:

Originally Posted by ForceHSS (Post 2443709)

Yuup because its no longer required after initial installation unless running tools.php.

*Please note: Renaming it to /..install../ OR /old_install/ OR anything honestly is not doing you any good, delete the entire directory to be 100% sure you're not able to be exploited by that ftard :p.

Any script kiddie can become famous; it only takes a tutorial on a supposed "hacker" site and someone without a life to spend time defacing your site or worse. It's your job as the site owner to stay up to par on vB announcements and current security issues. Before the exploit was "known" you had an excuse when hacked; now that we know one is present if leaving the /install/ folder up, it's silly to come online one morning to find your site defaced or worse when you could have prevented it by simply reading an announcement and taking action.

Shoot, I emailed a few old clients just to remind them about this. Be sure, if you're running email filters and folders, that you still check the folder for the announcement emails and eBulletins from vBulletin, as it's easy to overlook mail when it's not right in front of you inside your inbox ;).

Edit: Also vBulletin did tell people to delete the entire /install/ folder, this was up letting everyone know of a possible exploit and what actions to take:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

This was a completely unrelated exploit found and the announcement clearly states that, furthermore it also states to delete the /install/ directory near the bottom:
http://www.vbulletin.com/forum/forum...d-all-versions

So I'm not sure who was telling people to delete just install.php, but it was not vBulletin themselves, unless I'm missing something entirely; my wife says I do that from time to time. Laugh at me, not with me, on that one ;).

DF031 09-06-2013 01:19 PM

Quote:

Originally Posted by RickyH (Post 2443668)
Despite who reads things on the announcements, it shouldn't matter. People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked. It does state that leaving precious files and folders on the server can cause people to "hack" or "attack" the forum.

For years people have been told by VB to NOT delete the install directory. I asked it several times myself. VB always wrote to just uninstall the file install.php.

This all changed last week, now we MUST DELETE THE INSTALL DIRECTORY !

TheLastSuperman 09-06-2013 01:23 PM

Quote:

Originally Posted by DF031 (Post 2443716)
For years people have been told by VB to NOT delete the install directory. I asked it several times myself. VB always wrote to just uninstall the file install.php.

This all changed last week, now we MUST DELETE THE INSTALL DIRECTORY !

Ahh, now I see what you and others meant by that. Although for years this exploit may not have been present (it could be related to recent code changes/inclusions; we still do not know the specifics), we do know that from here on out you delete the /install/ directory after installation.

nerbert 09-06-2013 01:36 PM

Would it be enough to just rename it?

squidsk 09-06-2013 01:48 PM

Quote:

Originally Posted by TheLastSuperman (Post 2443712)
*Please note: Renaming it to /..install../ OR /old_install/ OR anything honestly is not doing you any good, delete the entire directory to be 100% sure you're not able to be exploited by that ftard :p.

Quote:

Originally Posted by nerbert (Post 2443724)
Would it be enough to just rename it?

See above quote.

cellarius 09-06-2013 01:54 PM

Quote:

Originally Posted by ForceHSS (Post 2443709)

Yeah. Great. A post from yesterday. That only proves that NOW they tell you to remove that directory. They have done otherwise for years.

nhawk 09-06-2013 02:22 PM

I've always deleted the install directory on live sites without any problems. It just seemed to make more sense to me.

I also rename the admincp and modcp folders to a secure name. In addition, whenever possible I protect them with htaccess so only IP addresses included in the htaccess file can use the ACP and ModCP.

DF031 09-06-2013 02:52 PM

Quote:

Originally Posted by nerbert (Post 2443724)
Would it be enough to just rename it?

Why would you take that risk? vB recommends deleting it, why ignore that?

It is not just your forum at risk, but also the privacy and online security of your users.

ForceHSS 09-06-2013 02:53 PM

I have always deleted the whole install folder and have been doing this for some time. I also have a lot of other security things in place.

nerbert 09-06-2013 04:02 PM

Quote:

Originally Posted by DF031 (Post 2443744)
Why would you take that risk? vB recommends deleting it, why ignore that?

It is not just your forum at risk, but also the privacy and online security of your users.

I'm working on an AdminCP file manager and am using it to delete this, but I found a functional but very slow-running block of code I would like to improve, so I'm wondering if I need to do this in the next five minutes or the next five hours. But TheLastSuperman answered. Now I have to create a bunch of junk files to test my improved code on.

TheLastSuperman 09-06-2013 04:08 PM

Quote:

Originally Posted by nerbert (Post 2443757)
I'm working on an AdminCP file manager and am using it to delete this, but I found a functional but very slow-running block of code I would like to improve, so I'm wondering if I need to do this in the next five minutes or the next five hours. But TheLastSuperman answered. Now I have to create a bunch of junk files to test my improved code on.

Clone the site, restore on localhost then tinker away ;).

tbworld 09-06-2013 10:18 PM

Obviously, it is not smart for vB to post any real details of the vulnerability, but if any of you are in the know: is it sufficient to just IP-restrict the install directory?

Might be a short term solution @nerbert.

I do like @TheLastSuporman suggestion, but I am sure you are already developing on a local system, this is probably just for testing -- right?

nerbert 09-07-2013 12:28 AM

Quote:

Originally Posted by tbworld (Post 2443804)
Obviously, it is not smart for vB to post any real details of the vulnerability, but if any of you are in the know: is it sufficient to just IP-restrict the install directory?

Might be a short term solution @nerbert.

I do like @TheLastSuporman suggestion, but I am sure you are already developing on a local system, this is probably just for testing -- right?

Actually I have an old unusable vB3 clone I can beat to pieces. But it's a useful resource for developing something like this -- not to be consumed recklessly.

TheLastSuperman 09-07-2013 01:09 AM

Renaming/htaccess-protecting it still leaves you vulnerable; the only way to be 100% safe is to delete the entire directory.

nosmo 09-07-2013 02:02 AM

OK, I was warned by someone via email that my site had been exploited. Boooo.
flat4lv.com

I should know more about this, but I don't.

Anyway,
1. deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread https://vborg.vbsupport.ru/showthrea...=301892&page=3 but I don't have an iframe, but I do have a link on the bottom of my page: "something you've never seen"
5. Installed check 4 hack. (https://vborg.vbsupport.ru/showthread.php?t=265866) > Setup e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.

Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?

Thanks in advance for any advice.

dawges 09-07-2013 03:14 AM

Quote:

Originally Posted by nosmo (Post 2443840)
OK, I was warned by someone via email that my site had been exploited. Boooo.
flat4lv.com

I should know more about this, but I don't.

Anyway,
1. deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread https://vborg.vbsupport.ru/showthrea...=301892&page=3 but I don't have an iframe, but I do have a link on the bottom of my page: "something you've never seen"
5. Installed check 4 hack. (https://vborg.vbsupport.ru/showthread.php?t=265866) > Setup e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.

Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?

Thanks in advance for any advice.

This is a great post at vb.com

http://www.vbulletin.com/forum/forum...35#post3993335

induslady 09-07-2013 05:42 PM

Hello,

I came to know of this exploit and it looks like we too had this attack. We did the below:

1. Deleted install folder
2. Deleted suspicious admin user accounts
3. Referred to thread https://vborg.vbsupport.ru/showthread.php?t=301892. As mentioned there, I didn't have any iframe injection, but there was a line added in the "header" template of one of our custom styles that reads "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked", and the suspicious lines were removed.

Also we noticed that a few templates in the custom style have an edit history that says "Edited by .." the suspicious admin accounts, with a time stamp in the past, year 2010.

Are there any other precautions that need to be taken? Am I currently still exploited? What other security measures do I need to take to protect my forums?

Toorak Times 09-08-2013 12:21 PM

I have deleted my install directory and have been hit twice in 24 hours

ozzy47 09-08-2013 12:23 PM

Quote:

Originally Posted by Toorak Times (Post 2444115)
I have deleted my install directory and have been hit twice in 24 hours

Wait, the same user is still getting in after the install directory has been deleted?

KissOfDeath 09-08-2013 12:39 PM

Quote:

Originally Posted by Toorak Times (Post 2444115)
I have deleted my install directory and have been hit twice in 24 hours

I had the same thing. From the logs I saw that he created a plugin, then removed it, and then created a user and removed that too.

Code:

102106        N/A        18:13, 30th Aug 2013        user.php        kill        user id = 333162        198.203.28.247
102105        N/A        18:13, 30th Aug 2013        user.php        remove        user id = 333162        198.203.28.247
102104        N/A        18:13, 30th Aug 2013        user.php        edit        user id = 333162        198.203.28.247
102103        N/A        18:13, 30th Aug 2013        user.php        find                198.203.28.247
102102        N/A        18:13, 30th Aug 2013        user.php        modify                198.203.28.247
102101        N/A        18:13, 30th Aug 2013        plugin.php                        198.203.28.247
102100        N/A        18:13, 30th Aug 2013        plugin.php        kill        plugin id = 8305        198.203.28.247
102099        N/A        18:13, 30th Aug 2013        plugin.php        delete        plugin id = 8305        198.203.28.247
102098        N/A        18:13, 30th Aug 2013        plugin.php        modify                198.203.28.247
102097        N/A        18:05, 30th Aug 2013        plugin.php                        198.203.28.247
102096        N/A        18:05, 30th Aug 2013        plugin.php        doimport                198.203.28.247
102095        N/A        18:04, 30th Aug 2013        plugin.php        files                198.203.28.247

What they're doing is creating a backdoor to come back in later.

When I saw this I deleted the install folder as advised and restored my database to the 29th of August; as this had been done on the 30th, I figured that it would undo any database or template alterations.

Wrong. The next day the same user was back with admin access. I removed him again and checked the admin logs, and nothing had been done, so I left it at that and just observed the site. The next day my templates had all been reverted to the originals, so someone had accessed the admin CP again......

So then I figured it must be a file uploaded to the server, because from what I've seen, the plugin being used gives them the ability to upload files to the server. So I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day as the plugin above was installed. I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.

I've changed admin, cPanel, and FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough.

Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt. I guess there must be more files as well, but this is all I could find on Google.
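
The Control Panel log pasted above is the artefact to work from: plugin.php "files" and "doimport" under a user of N/A, followed minutes later by a plugin "kill" and a user "kill", is an attacker installing an upload capability and then tidying up. The following is an added example, not code from the thread or from vBulletin, that parses rows in that seven-column layout, flags those script/action pairs, and separately lists any PHP files under an upload tree such as the custom avatars folder where the post found clock.php. The sample rows are constructed (tab-separated, modelled on the post; the fifth row is a made-up benign template edit), and the column order, the set of flagged actions, and the file-extension list are this example's own assumptions.

```python
import os
import re

# (script, action) pairs that, in the incident above, bracketed the backdoor install.
SUSPICIOUS = {
    ("plugin.php", "doimport"): "plugin/product imported",
    ("plugin.php", "files"):    "plugin file screen used",
    ("plugin.php", "kill"):     "plugin deleted (possible cleanup)",
    ("user.php", "kill"):       "user deleted (possible cleanup)",
}

# Constructed sample in the order shown in the post:
# logid, username (N/A when none resolved), time, script, action, extra, ip
SAMPLE_ADMINLOG = "\n".join([
    "102095\tN/A\t18:04, 30th Aug 2013\tplugin.php\tfiles\t\t198.203.28.247",
    "102096\tN/A\t18:05, 30th Aug 2013\tplugin.php\tdoimport\t\t198.203.28.247",
    "102100\tN/A\t18:13, 30th Aug 2013\tplugin.php\tkill\tplugin id = 8305\t198.203.28.247",
    "102106\tN/A\t18:13, 30th Aug 2013\tuser.php\tkill\tuser id = 333162\t198.203.28.247",
    "102107\tadmin\t09:00, 31st Aug 2013\ttemplate.php\tedit\ttemplateid = 12\t192.0.2.10",
])


def parse_adminlog(text):
    """Rows as dicts; lines that do not have exactly seven tab-separated fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        logid, user, when, script, action, extra, ip = parts
        rows.append({"logid": int(logid), "user": user, "when": when,
                     "script": script, "action": action, "extra": extra, "ip": ip})
    return rows


def flag_rows(rows):
    """(logid, ip, user, reason) for every row whose script/action pair is in SUSPICIOUS."""
    return [(r["logid"], r["ip"], r["user"], SUSPICIOUS[(r["script"], r["action"])])
            for r in rows if (r["script"], r["action"]) in SUSPICIOUS]


def ips_with_plugin_import(rows):
    """Addresses that imported a plugin/product with no resolved username, the pattern above."""
    return sorted({r["ip"] for r in rows
                   if r["script"] == "plugin.php" and r["action"] == "doimport"
                   and r["user"] == "N/A"})


def php_files_under(root):
    """PHP-like files under an upload tree (customavatars/, attachments/), oldest first.
    Such directories should hold image or attachment data only, so any hit is suspect."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if re.search(r"\.(php\d?|phtml|phar)$", name, re.I):
                path = os.path.join(dirpath, name)
                hits.append((os.path.getmtime(path), path))
    return [path for _, path in sorted(hits)]


if __name__ == "__main__":
    rows = parse_adminlog(SAMPLE_ADMINLOG)
    for flagged in flag_rows(rows):
        print(*flagged)
    print("plugin importers:", ips_with_plugin_import(rows))
    print("php under customavatars:", php_files_under("customavatars"))
```

Export the real Control Panel log from AdminCP as tab-separated text, feed it to parse_adminlog, and then pivot on the address returned by ips_with_plugin_import: every row from that IP, including ones that look harmless, dates the intrusion and tells you which backup predates it. The file scan is a complement to the Suspect File Versions check mentioned later in the thread, which covers vBulletin's own files but not stray uploads.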

ozzy47 09-08-2013 12:54 PM

Did you try the following?

Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed, research and delete all files you suspect are malicious. *Also check your .htaccess file and config.php file for modified code, the suspect file versions script does not check config.php or .htaccess.

KissOfDeath 09-08-2013 01:02 PM

Quote:

Originally Posted by ozzy47 (Post 2444121)
Did you try the following?

Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed, research and delete all files you suspect are malicious. *Also check your .htaccess file and config.php file for modified code, the suspect file versions script does not check config.php or .htaccess.

Yes, did both the first time round. Also, if it had been modified the file dates would be different.

ozzy47 09-08-2013 01:04 PM

OK cool, here is an interesting article TheLastSuperman wrote; it may help: http://www.vbulletin.com/forum/blogs...vbulletin-site

KissOfDeath 09-08-2013 01:09 PM

If you look at the options they have once they have installed the plugin, you can see how much they can do:

http://s9.postimg.org/4v480fyhq/Untitled.jpg


All times are GMT. The time now is 07:13 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
