vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Hacked Sites, How Many Recently? (https://vborg.vbsupport.ru/showthread.php?t=302821)

seriousrat 09-30-2013 09:30 AM
Hacked Sites, How Many Recently?
 
Seems like everyone is getting hacked. Some threads say over 200 in the past month. Ours, http://www.seriousoffshore.com/forums/ , and one of our main members, http://www.donzi.org/ were both hacked the end of last week/over the weekend.

Has anyone been able to find out why so many recently?

Ours seems to have the hack code inserted the first part of September, then activated later. So, our recent backups are also infected which has created a major pain.

I hope this is the right place to ask the question.

ozzy47 09-30-2013 09:53 AM
I have not seen a list or a count on the number of sites, but they almost all have to due with the install directory not being deleted.

To recover, please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

seriousrat 09-30-2013 12:08 PM
Have you seen the redirect worm that is in the seriousoffshore.com/forums before (if you've looked)? They did get in through the install as you said, but then they created admin users, modified files in the admincp folder, the style templates, and the plugins. The admincp and database hacks are pretty severe. Plus, because of the delay for when it went active, our backups are infected. As our webmaster says, Every time he thinks he has everything, something else pops up.

Anyway, if anyone is familiar with the pain of this one, helpful hints are certainly appreciated.

Thanks for the input so far.

ozzy47 09-30-2013 07:16 PM
If you follow the two blog posts, thoroughly, and not skip any details at all, you should be ok.

tbroush 09-30-2013 07:21 PM
Quote:
Originally Posted by ozzy47 (Post 2449070)
If you follow the two blog posts, thoroughly, and not skip any details at all, you should be ok.
I wish that was as easy as that.

ozzy47 09-30-2013 07:38 PM
No one said it was easy, but there have been many successful sites to recover following the info provided in there.

tbroush 09-30-2013 07:47 PM
Well I guess mine has been one of the few that continues to have issues even after doing everything and more in all of those blogs.

tbworld 09-30-2013 07:51 PM
Quote:
Originally Posted by tbroush (Post 2449084)
Well I guess mine has been one of the few that continues to have issues even after doing everything and more in all of those blogs.
It is not easy and it is time consuming, and I am sorry you were hacked. Keep at it and ask questions here, if you do not understand something.

ozzy47 09-30-2013 07:52 PM
What is the things that keep popping up, always different, same thing, and what is the things?

tbroush 09-30-2013 08:18 PM
well all he does now is when you go to the forum.php page it take you to an html page but not necessarily redirecting you anywhere. So I usually just run the upgrade script and is back to normal. So today I deleted all of the custom templates and uploaded new ones just in case the code was in there, but I have done everything else possible.

ozzy47 09-30-2013 08:21 PM
Hopefully that will work, if not report back, and let us know.

Zachery 09-30-2013 09:14 PM
Revert the forumhome template, chances are they modified that. The blog posts over on vBulletin.com cover fixing this stuff. Very well too.

seriousrat 10-01-2013 11:33 AM
I don't know if this helps you guys in anyway, but here are a few of the comments from the two webmasters. Any comments about future protection? We believe we are clean at serious now. I hid their email addresses.

This is 'one' of the hacks we were infected with and the one that's caused the most trouble. They had access to all of our files AND databases and injected code throughout the databases.


http://www.derekfountain.org/security_c99madshell.php

On Mon, Sep 30, 2013 at 8:50 PM, *****wrote:

hmmm... we were told today the server house carried the infection to us,,, and thousands more

we locked our front door until the server is clean


In a message dated 9/30/2013 8:31:08 P.M. Eastern Daylight Time, *****writes:
It's not coming through the site files, I've cleaned all those...it's being injected from the database.



On Mon, Sep 30, 2013 at 8:21 PM, ******* wrote:

go to your .exe file and find this entry >>

1E161D6D.exe

see if you can delete it if it's there

In a message dated 9/30/2013 8:16:56 P.M. Eastern Daylight Time, *****writes:
Yeah....there's a redirect javascript buried in there somewhere. I'm chasing it now. Got rid of everything else though. I'd like to pummel the nerd that put this one together.


On Mon, Sep 30, 2013 at 8:09 PM, ********* wrote:

I just logged on SO and entered my password to look around
my MS virus blocker went apeshit as soon as I clicked on the forum header
8 pings in 3 minutes... quarantined every ping

wow, bad bad bad

btw, this same virus crashed the U of Colorado website and countless others

Cygnusstudios 10-02-2013 12:07 PM
Mine got hacked on Monday. Everything was corrupted and the only option was pulling the site down completely.

However, I did manage to log the IP:

176.45.4.205

cellarius 10-02-2013 01:15 PM
Cool. Now you only have to get SaudiNet to cooperate.

tbworld 10-02-2013 08:54 PM
Quote:
Originally Posted by Cygnusstudios (Post 2449472)
Mine got hacked on Monday.
Sorry to hear that.

hhumas 10-03-2013 12:10 AM
my site was also hacked ... they put this page ..

Quote:
HTML Code:
<html>
<head>

<style>
.shakeimage{
position:relative
}
</style>

<script language="JavaScript1.2">

/*
Shake image script (onMouseover)-
? Dynamic Drive (www.dynamicdrive.com)
For full source code, usage terms, and 100's more DHTML scripts, visit http://dynamicdrive.com
*/

//configure shake degree (where larger # equals greater shake)
var rector=3

///////DONE EDITTING///////////
var stopit=0
var a=1

function init(which){
stopit=0
shake=which
shake.style.left=0
shake.style.top=0
}

function rattleimage(){
if ((!document.all&&!document.getElementById)||stopit==1)
return
if (a==1){
shake.style.top=parseInt(shake.style.top)+rector+"px"
}
else if (a==2){
shake.style.left=parseInt(shake.style.left)+rector+"px"
}
else if (a==3){
shake.style.top=parseInt(shake.style.top)-rector+"px"
}
else{
shake.style.left=parseInt(shake.style.left)-rector+"px"
}
if (a<4)
a++
else
a=1
setTimeout("rattleimage()",50)
}

function stoprattle(which){
stopit=1
which.style.left=0
which.style.top=0
}

</script>


<script>
<!--Seized!
alert ("F1zch3 Was Here!")
//-->

<!--
//Disable right click script
var message="Sorry, right-click has been disabled";
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all))
{
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
// -->
</script>



<link rel="SHORTCUT ICON" href="http://s12.postimg.org/y202kmsst/16ae35f.png">
<title>[+] Strawhat~Fizche Was Here [+]</title>

<center>
<img src="http://img585.imageshack.us/img585/9264/6o6.gif" height="280" width="380" align="middle">

<style type="text/css">
body
{
font-family: "courier new";
background-color: black ;
font-size:150%;
color: #28FE14;
background-image: url("http://p1.pichost.me/i/14/1366106.jpg");
}
.xBody
{
width:1600px;
height:1600px;
position:absolute;
z-index: 12;
}
.ssh
{
display:none;
z-index: 14;
}
.sshBox
{
height:350px;
border: 7px solid white;
        -moz-border-radius: 10px;
        -webkit-border-radius: 10px;
        -o-border-radius: 10x;
        -khtml-border-radius: 10px;
        border-radius: 10px;
        z-index: 15;
}
.sshHead
{
margin-bottom: 8px;
color:black;
font-weight: bold;
background-color: black;
height:25px;
z-index: 12;
}
.greenBox
{
padding-left: 5px;
position: absolute;
height:30px;
border: 2px solid #28FE14;
z-index: 10;
}
.picz
{
position: absolute;
width:600px;
height:200%;
display:none;
right:2px;
top:2px;
}
</style>
</head>
</font>
</center>
</body>

<br>

<center>
<font style="tahoma" color="yellow" size="5">
We Are Str4wHat Pirates!<br>
</font>
<br>

<center>
<font style="tahoma" color="yellow" size="2">
Security Breach!<br><br><font color="yellow">
Hello Admin,are you surprised?<font color="red"> <br><font color="blue">
We hack this site to <font color="yellow">inform you about the vulnerab<font color="red">ility of your site.<br><font color="blue">
Your site <font color="yellow">is vulnerable and easy to<font color="red"> pentest. <br><br><font color="blue">
<font color="yellow">Strawhat~Fizch<font color="yellow">e!<br><font color="blue">
PLEASE <font color="yellow">PATCH YOUR SECU<font color="red">RITY!
</font>
</center>


<br>
<center>
<font style="tahoma" color="blue" size="2">
Strawhat <font color="yellow">Pirates <font color="red">Crew:<br><br><font color="blue">
|| Strawhat Luffy || Strawhat 4ce ||<font color="red"> Strawhat Chopp3r || Strawhat Zyber ||<br><font color="blue">
|| Strawhat bro0k || Strawhat Fizche || Silen<font color="red">t_Haxor || Strawhat Red || Strawhat Zorro ||

</font>
</center>
<br>

<center>
<font style="tahoma" color="blue" size="2">
Gre<font color="red">ets: <br><br><font color="blue">
|| Bisayan Hackers || COD3x Cyber Army || Pak Cyber Ea<font color="red">glez || Phantom Hackers.Ph || Philippine Cyber Crew ||<br><font color="blue">
|| #pR.is0n3r || Hitman || pv.Dr3inuS || pv-eld3put@ || pv~d3Sp |<font color="red">| ThinkTwic3 || RedX || Pr3-H4ck3r || kh4lifax || Silent Haxor || <br><font color="blue">
|| Nefarious  || Sizzling Soul || An0nK@p |<font color="red">| An0n3m00$ || and To all Pinoy Hackers || <br>
</font>
</center>
<br>


<center>
<font style="tahoma" color="blue" size="2">
Like Us On<font color="red"> Facebook:<br><font color="blue">
https://www.facebook.com/Str4w<font color="red">hatPiratesRecruitmentZone.gov/<br><br><font color="blue">
Join<font color="red"> Us:<br><font color="blue">
https://www.facebook.com/groups/St<font color="red">r4whatPiratesRecruitmentZone.gov/<br>
</center>

<br>
<center>
<font style="tahoma" color="grey" size="1">
Copyright 2013 by Str4what Pirates Crew. All Rights Reserved.
</center>


<center>
<iframe width="1" height="1" src="http://www.youtube.com/embed/IbAy8wZxMoc?rel=0&amp;autoplay=1&amp;loop=1&amp;playlist=Ls9cU_2Mr44" frameborder="0" allowfullscreen="">
</iframe>
</center>


</html>

tbworld 10-03-2013 02:06 AM
Thank you, I have added this to my collection of variances for this exploit. The good news is this is just using the same initial exploit so after you cleaned your site "carefully" and follow the latest guidelines you should be okay. Normally, I don't like exploits posted, but at this point it is all over the web, and education is the best policy now -- in my opinion, I am only a volunteer and I am not directly affiliated with vbulletin.

If I can help with information, please feel free to ask.

Do you have your board up and running again?

findingpeace 10-03-2013 09:27 AM
Everyone should report the page:
https://www.facebook.com/Str4whatPir...itmentZone.gov

And group:
https://www.facebook.com/groups/Str4...itmentZone.gov

Both listed in your malicious code, hhumas. With enough reports, these will be taken down for promoting hacking / cyber attacks. I just reported too, for violence/threat of attack.

SupportAM 10-04-2013 01:15 PM
Okay I need help badly.
1. I have restored my older version of Web files.
2. Upgraded to newer version of VB ....now vb 4.2.1.
3. Cleaned suspect files.
4. Looked at the plugin.
Still nothing ..... My forum is showing forum.php that is not the physical forum.php on the webserver. There must be an entry somewhere that is displaying the page.
Here is the link to my page.

What else do i ahve to do ????

http://forum.automationmedia.com/

findingpeace 10-04-2013 02:24 PM
SupportAM, look in Styles -> Templates -> FORUM HOME.

Use this to check for other templates:
https://vborg.vbsupport.ru/showthread.php?t=281080

SupportAM 10-04-2013 03:54 PM
it goes to forum.php
and using that tool didn't help either. :(

Tigatoday 10-04-2013 06:30 PM
Hi,

Our forum was also hacked.

Our provider found out that this was probably the problem. Maybe it helps other forum owners.

We removed the bad code from your site's template header.
It was a malicious js code that was creating a hidden iframe to infelobarc1979.tk.
Please remember to change all your passwords and keep vBulletin up-to-date

seriousrat 10-04-2013 09:37 PM
What a mess, but we believe both sites are now clean. We also had every mod and admin change passwords. We are watching as closely as we can, but what a giant pain.

Am I wrong, or did vbulletin only put a notice up warning everyone about the problem found in early September, like the 4th or so? They did not send out emails to those using their software with current licenses? Unless I completely missed something, that is what I see. If that is the case, is that why so many sites are currently under siege? The hackers read the notices but we certainly don't go to .com or .org anywhere close to every day.

The hack in ours was inserted almost two full weeks before activation. That way our backups were also corrupted for use.

CharlieDelta 10-05-2013 11:47 AM
The notices were pushed out in the ACP. That is how I found out and made the appropriate fixes right away. I log in everyday to my ACP.
BOP made a wonderful mod however that will send you these notices if you do not log on into your ACP. https://vborg.vbsupport.ru/showthread.php?t=301841

eva2000 10-06-2013 06:43 AM
Folks who are getting hacked and have SSH/root user access that comes along with VPS or dedicated server hosting may have more tools available for them to properly clean up hacked forums and the left over infections. I just posted a summary guide here http://www.vbulletin.com/forum/blogs...ting-ssh-users which basically is a small excerpt of the much larger 10 page guide ?http://vbtechsupport.com/2355/.


All times are GMT. The time now is 09:30 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02149 seconds
  • Memory Usage 1,827KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_html_printable
  • (4)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (26)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete