vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   4.2.1 PL1 hacked, what to look for in logs (https://vborg.vbsupport.ru/showthread.php?t=313608)

ifitsmedia 08-10-2014 04:44 PM

4.2.1 PL1 hacked, what to look for in logs
 
Recently I started finding new admin users that appear to be injected into my database. They don't have any associated IP addresses. So far they have not been able to do anything in admincp, presumably because I have the directory password protected. I did an extensive file check and nothing seems to be out of the ordinary.

What can I search for in raw access logs to determine how this is happening?

ozzy47 08-10-2014 04:48 PM

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

ifitsmedia 08-10-2014 05:03 PM

Thanks ozzy. I'm familiar with those (and also this) but didn't find (or maybe I missed) what to search for in the access logs.

I have already taken all steps in the guide "Fixing your site after you have been hacked" several times, but continue to get admin users injected in my database.

Any help with searching raw access logs to determine how it's being done would be appreciated.

tpearl5 08-10-2014 05:23 PM

It sounds like there is still a backdoor somewhere. Remember that they probably can't access the admincp, but they can still insert data via whatever method they are using to get in. It could be something appended to a plugin or template. I would install the plugin search mod and search plugins and templates for things like base64 and display:none (which is actually used in some templates).

Make sure you look carefully at Maintenance > Diagnostics > Suspect file versions for unexpected contents.

You should update to 4.2.2 pl1.

Also, if you have WordPress installed - I recently restored a hacked vBulletin and found that their WP install even had things inserted into the files/templates. Make sure to take a close look at WP or any other software packages if you have them.

I'm assuming you already removed the install directory...
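A scanner for the kind of search tpearl5 describes above (plugin and template exports plus PHP files, looked through for base64, display:none and similar markers), added here as an example; it is not part of the thread, of vBulletin or of the Search Plugins mod. The directory layout, file names and file contents it builds are constructed, and the indicator list is an assumption of what is worth reviewing, not proof of compromise:

```python
"""Scan vBulletin plugin/template exports and PHP files for common backdoor
indicators. Added example for this thread; the sample files below are
constructed, not taken from any poster's site."""
import os
import re
import tempfile

# Indicator patterns a defender typically greps for in injected code.
# `display:none` is legitimately used by some templates, so treat hits as
# leads to review, not as proof of compromise.
INDICATORS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "gzinflate": re.compile(r"gzinflate\s*\(", re.I),
    "str_rot13": re.compile(r"str_rot13\s*\(", re.I),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]", re.I),
    "hidden_block": re.compile(r"display\s*:\s*none", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}


def scan_text(text):
    """Return a list of (line_number, indicator) hits in one file's contents."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root, extensions=(".php", ".xml", ".html", ".htm", ".js")):
    """Walk `root`, scan files with the given extensions, return {relative path: hits}."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Build a constructed mini-tree (not a real site) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        # A clean file with no indicators.
        with open(os.path.join(root, "includes", "functions_example.php"), "w") as fh:
            fh.write("<?php\nfunction example_helper($x) { return $x + 1; }\n")
        # A constructed plugin export with an obfuscated payload line.
        with open(os.path.join(root, "product-example.xml"), "w") as fh:
            fh.write("<plugin active=\"1\">\n<phpcode><![CDATA[\n"
                     "eval(base64_decode('aGVsbG8='));\n]]></phpcode>\n</plugin>\n")
        # A template using display:none legitimately (an expected false positive).
        with open(os.path.join(root, "template-example.html"), "w") as fh:
            fh.write("<div style=\"display:none\" id=\"collapse\">menu</div>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
```

Point `scan_tree` at the forum root and at an exported products/templates XML dump; the hidden_block hits on ordinary templates are the false positives tpearl5 mentions, while eval and base64_decode together on one line in a plugin's phpcode are the kind of thing to read closely.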

ifitsmedia 08-10-2014 05:40 PM

Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit.

I thoroughly checked all files identified in Maintenance > Diagnostics > Suspect file versions. I found and removed a number of files that were left over from previous versions of VB and old/uninstalled mods. All the files left (current mods I am using) seem to be ok, I didn't see anything unusual in them. I replaced all VB core files with freshly downloaded copies.

VB 4.2.1 PL1 is not known to have security vulnerabilities as far as I am aware. I'll probably upgrade to 4.2.2 anyway, but I'm not sure it will fix this.
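The thread never settles on what to grep for in the raw access log, so here is a defender-side triage script, added as an example and not posted by anyone in the thread. It narrows an Apache combined-format log to the requests worth reading: PHP scripts executed outside vBulletin's standard entry points (KNOWN_ENTRY is an assumed and incomplete list that must be extended with each installed mod's scripts), POSTs to such scripts, admincp hits, and generic injection markers, restricted to a window before the rogue account's joindate (vBulletin's user table stores joindate as a Unix timestamp). The log lines, IP addresses and join time are constructed:

```python
"""Triage Apache combined-format access logs for requests worth investigating
after unexplained admin accounts appear in a vBulletin database. Added
example for this thread; the log lines and the join time are constructed."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumed list of scripts a stock vBulletin 4 front end is expected to be
# called on; any other .php being executed (under includes/, customavatars/,
# attachments/ ...) is a lead. Extend this with your installed mods' entry points.
KNOWN_ENTRY = {
    "index.php", "forumdisplay.php", "showthread.php", "newreply.php",
    "newthread.php", "login.php", "register.php", "member.php", "search.php",
    "private.php", "usercp.php", "profile.php", "misc.php", "ajax.php",
    "attachment.php", "image.php", "css.php", "cron.php", "editpost.php",
    "printthread.php", "mobiquo/mobiquo.php",
}

# Generic markers seen in SQL-injection and code-injection attempts.
PAYLOAD_MARKERS = ("union select", "base64_decode", "eval(", "php://", "../",
                   "information_schema", "concat(", "sleep(")

# Constructed sample log (documentation IP ranges, not real visitors).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2014:14:02:11 +0000] "GET /showthread.php?t=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2014:14:03:40 +0000] "POST /newreply.php?do=postreply&t=123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2014:15:21:05 +0000] "GET /forumdisplay.php?f=1%20union%20select%201,2,3 HTTP/1.1" 200 812 "-" "curl/7.30"
198.51.100.7 - - [10/Aug/2014:15:22:19 +0000] "POST /customavatars/x.php HTTP/1.1" 200 44 "-" "curl/7.30"
192.0.2.5 - - [09/Aug/2014:03:00:00 +0000] "POST /customavatars/x.php HTTP/1.1" 200 44 "-" "curl/7.30"
"""
# Constructed joindate of the rogue admin row (10 Aug 2014 15:36:40 UTC).
ROGUE_JOINDATE = datetime.fromtimestamp(1407685000, tz=timezone.utc)


def parse_line(line):
    """Parse one combined-log line into a dict; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded"] = unquote_plus(rec["target"]).lower()
    rec["path"] = rec["decoded"].split("?", 1)[0].lstrip("/")
    return rec


def reasons_for(rec):
    """Return the triage reasons a parsed request trips (empty list = nothing notable)."""
    reasons = []
    path = rec["path"]
    internal = path.startswith(("admincp/", "modcp/"))
    if path.endswith(".php") and path not in KNOWN_ENTRY and not internal:
        reasons.append("php outside known entry points: " + path)
    if path.startswith("admincp/"):
        reasons.append("admincp access from " + rec["ip"])
    for marker in PAYLOAD_MARKERS:
        if marker in rec["decoded"]:
            reasons.append("payload marker: " + marker)
            break
    if rec["method"] == "POST" and path not in KNOWN_ENTRY and not internal:
        reasons.append("POST to non-standard script")
    return reasons


def triage(lines, joindate, window=timedelta(hours=6)):
    """Return (time, ip, target, reasons) for suspicious requests made within
    `window` before the rogue account's joindate."""
    lo = joindate - window
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["time"] <= joindate):
            continue
        reasons = reasons_for(rec)
        if reasons:
            results.append((rec["time"], rec["ip"], rec["target"], reasons))
    return results


if __name__ == "__main__":
    for when, ip, target, reasons in triage(SAMPLE_LOG.splitlines(), ROGUE_JOINDATE):
        print(when.isoformat(), ip, target, "; ".join(reasons))
```

Run it against the real log with the joindate pulled from the injected row, then read every request the script keeps in full: the IP that appears on both a marker hit and a script in an upload directory, as in the constructed sample, is the thread to pull on.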

ozzy47 08-10-2014 05:43 PM

If you have a backdoor somewhere, upgrading will not fix it.

Did you happen to check for any unknown plugins?

ifitsmedia 08-10-2014 05:47 PM

I've been keeping an eye on plugins and don't see anything unusual.

ozzy47 08-10-2014 05:54 PM

Then it has to be a file in the folders, a vulnerability in a mod, or a security issue on the server.

Do you happen to have vBSEO installed?

ifitsmedia 08-10-2014 05:57 PM

I did have VBSEO installed the first time this happened. I suspected it might be the culprit so I switched to DBSEO and removed VBSEO and all its files. Unfortunately it continued after removing VBSEO.

ozzy47 08-10-2014 06:00 PM

Then there might be something lurking around from when you had vBSEO installed.

What other modifications have you got installed?
And are all the modifications from official vB sites?

ForceHSS 08-10-2014 06:02 PM

Check admincp/Plugins & Products/Plugin Manager. Many people don't look in there, so it's always overlooked.

ifitsmedia 08-10-2014 06:13 PM

I installed Search Plugins and ran a few searches including base64, nothing turned up. Any other terms I should search for?

With the exception of Tapatalk, all mods I am using are from vbulletin.org and DB Tech. They are:

https://vborg.vbsupport.ru/showthread.php?t=228825
https://vborg.vbsupport.ru/misc.php?...id=chgtpowner4
https://vborg.vbsupport.ru/showthread.php?t=256383
https://vborg.vbsupport.ru/misc.php?...=forumtags_vb4
https://vborg.vbsupport.ru/misc.php?...d=ms_fwsfut_40
https://vborg.vbsupport.ru/showthread.php?t=248042
https://vborg.vbsupport.ru/showthrea...237650&page=10
https://vborg.vbsupport.ru/showthread.php?t=235841
https://vborg.vbsupport.ru/showthread.php?t=236127
https://vborg.vbsupport.ru/showthread.php?t=233309

http://www.dragonbyte-tech.com/produ...?dbtech_thanks
http://www.dragonbyte-tech.com/produ...dbtech_usertag
http://www.dragonbyte-tech.com/produ...ch_ajaxthreads
http://www.dragonbyte-tech.com/produ...tech_copyright
http://www.dragonbyte-tech.com/produ...ch_ajaxthreads
http://www.dragonbyte-tech.com/product.php?dbtech_dbseo

--------------- Added 08-10-2014 07:14 PM ---------------

Thanks ForceHSS, I did check in plugin manager and don't see anything unusual.

ozzy47 08-10-2014 06:15 PM

Hmmm, none of those mods have any issues that I have ever heard of. :confused:

ozzy47 08-10-2014 06:17 PM

Try installing this mod, and see if it turns up anything, https://vborg.vbsupport.ru/showthread.php?t=304190

ifitsmedia 08-10-2014 06:25 PM

Quote:

Originally Posted by ozzy47 (Post 2510708)
Try installing this mod, and see if it turns up anything, https://vborg.vbsupport.ru/showthread.php?t=304190

That does turn up a number of warnings, but they are not specific as to why.

It seems to check for anything modified within the past 3 months, which happens to be a lot because I have been doing updates recently.

ozzy47 08-10-2014 06:28 PM

Correct, so if you see something that has been modified, and you don't remember modifying it, best to check into it.

ifitsmedia 08-10-2014 06:30 PM

Checking them all now, nothing amiss so far.

ozzy47 08-10-2014 06:32 PM

When is the last time you updated TapaTalk? I remember there was a vulnerability in it back in May or so.

ozzy47 08-10-2014 06:34 PM

Also have you checked your notices to see if there is anything in there?

ifitsmedia 08-10-2014 06:34 PM

Under 'Forums' that mod tells me "4 forums contain potentially malicious code" - but I have no idea why or how to check them. All the other warnings seem to be false positives.

I have scanned all files with ClamAV and Sucuri server side scanner, nothing turned up.

--------------- Added 08-10-2014 07:37 PM ---------------

Tapatalk is currently the latest version. I upgraded it a few weeks before any of the problems started. Before that I was running an older version of it for a while.

Nothing unusual in notices, only the ones that I made.

ozzy47 08-10-2014 06:39 PM

Does it happen to list the forums?

ifitsmedia 08-10-2014 06:41 PM

Yeah, it does list the forums. Checking them, it seems to flag the forums that have an HTML link in the forum description. Nothing harmful, just internal links pointing to rules etc.

ForceHSS 08-10-2014 06:45 PM

If you allow any group, even the admin group, you should never allow HTML to be used.

ozzy47 08-10-2014 06:48 PM

Hmmm, I am at a loss then. Sounds like you might just have to pay someone to clean up your site.

If you decide to go that route, I would suggest TheLastSuperman; he has done quite a few cleanups after a hack on boards.

ifitsmedia 08-10-2014 06:50 PM

Quote:

Originally Posted by ForceHSS (Post 2510721)
If you allow any group, even the admin group, you should never allow HTML to be used.

Can you explain this more?

ozzy47 08-10-2014 06:53 PM

He is talking about ACP --> Forums & Moderators --> Forum Manager. In each forum you have an option, Allow HTML, that should always be NO.

Which I know is not what you were talking about.

ifitsmedia 08-10-2014 06:54 PM

Quote:

Originally Posted by ozzy47 (Post 2510724)
Hmmm, I am at a loss then. Sounds like you might just have to pay someone to clean up your site.

If you decide to go that route, I would suggest TheLastSuperman; he has done quite a few cleanups after a hack on boards.

Thanks a lot for your time and help ozzy. I'm at a loss as well.

If it were a vulnerability in VB core, I would expect to find more people posting similar stories. How it's happening on my site is eluding me though.

I think searching the Apache raw access logs may reveal the exploit being used, but I don't know what to search for.

ForceHSS 08-10-2014 06:54 PM

There is also an option in each usergroup that needs to be disabled.

ozzy47 08-10-2014 06:55 PM

Yeah I would not be sure what to look for either. :(

ifitsmedia 08-10-2014 06:55 PM

Quote:

Originally Posted by ozzy47 (Post 2510732)
He is talking about ACP --> Forums & Moderators --> Forum Manager. In each forum you have an option, Allow HTML, that should always be NO.

Which I know is not what you were talking about.

Ok, that is set to NO of course.

ozzy47 08-10-2014 06:56 PM

And I assume the same thing for each usergroup?

ifitsmedia 08-10-2014 06:57 PM

Yes, HTML is disabled in all usergroups as well.

ozzy47 08-10-2014 06:59 PM

And you have gone through all the php files in your forum root, and there is nothing there that should not be?

ForceHSS 08-10-2014 07:04 PM

Have you changed all passwords for all admins, FTP and cPanel? If not, it needs to be done. The next step is to hire someone to find out how you have been hacked.

ozzy47 08-10-2014 07:05 PM

How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager

ifitsmedia 08-10-2014 07:07 PM

I ran Maintenance > Diagnostics > Suspect file versions and checked every file that had a notice. Aside from some older files from previous versions of VB and old plugins, nothing was out of place.

I replaced all VB core files with fresh downloads, and replaced most plugin files as well.

Sucuri and ClamAV didn't find anything either.

--------------- Added 08-10-2014 08:10 PM ---------------

Quote:

Originally Posted by ozzy47 (Post 2510743)
How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager

Those all seem to be ok as far as I can tell. There's a couple from mods and the rest look like core VB tasks.

tpearl5 08-10-2014 07:16 PM

Quote:

Originally Posted by ifitsmedia (Post 2510693)
Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit.

I'm not sure anything would appear in the access logs, but you may want to look at and sort by the modified dates of any files (not just vbulletin ones).
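Two checks behind tpearl5's suggestion above and ifitsmedia's earlier "replaced all VB core files with fresh downloads" step, added here as an example and not code from the thread or from vBulletin: list every file under the web root by modification time, and diff the deployed tree against a pristine download of the same package so that files which were added or altered stand out regardless of their mtime. Both directory trees are constructed in a temporary directory; config.php and mod files are expected to differ on a real site:

```python
"""List recently modified files under a web root and diff the tree against a
freshly downloaded copy of the same package. Added example for this thread;
the two directory trees built in demo() are constructed."""
import hashlib
import os
import tempfile
import time


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_index(root):
    """Map relative path -> (mtime, sha256) for every regular file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            index[rel] = (os.path.getmtime(full), sha256_of(full))
    return index


def recently_modified(index, since):
    """Relative paths whose mtime is at or after `since` (epoch seconds), newest first."""
    recent = [(mtime, rel) for rel, (mtime, _) in index.items() if mtime >= since]
    return [rel for _mtime, rel in sorted(recent, reverse=True)]


def diff_against_pristine(deployed, pristine):
    """Compare a deployed tree with a pristine download.
    Returns (added, modified): files only present in the deployment, and files
    whose content differs from the pristine copy. Treat config.php and mod
    files as expected differences; everything else is worth reading."""
    added = sorted(rel for rel in deployed if rel not in pristine)
    modified = sorted(rel for rel in deployed
                      if rel in pristine and deployed[rel][1] != pristine[rel][1])
    return added, modified


def _write(root, rel, content, mtime=None):
    """Create a file with the given content and, optionally, a back-dated mtime."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)
    if mtime is not None:
        os.utime(full, (mtime, mtime))


def demo():
    """Constructed stand-in for a pristine download and a tampered deployment."""
    now = time.time()
    with tempfile.TemporaryDirectory() as pristine, tempfile.TemporaryDirectory() as deployed:
        core = "<?php\n// vBulletin core file (constructed stand-in)\n"
        for root in (pristine, deployed):
            _write(root, "index.php", core, now - 90 * 86400)
            _write(root, "includes/functions.php", core, now - 90 * 86400)
        # Deployment-only differences: an altered core file, a stray script in
        # an upload directory, and the expected local config file.
        _write(deployed, "includes/functions.php", core + "eval('x');\n", now - 2 * 86400)
        _write(deployed, "customavatars/x.php", "<?php // constructed stray file\n", now - 2 * 86400)
        _write(deployed, "includes/config.php", "<?php // site config\n", now - 90 * 86400)
        dep_index, pri_index = file_index(deployed), file_index(pristine)
        added, modified = diff_against_pristine(dep_index, pri_index)
        recent = recently_modified(dep_index, now - 7 * 86400)
        return added, modified, recent


if __name__ == "__main__":
    added, modified, recent = demo()
    print("added:", added)
    print("modified:", modified)
    print("modified in last 7 days:", recent)
```

The hash comparison matters because an attacker can reset a file's mtime after editing it; a file whose content differs from the fresh download will still show up in `modified` even when `recently_modified` misses it.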

doctorsexy 08-10-2014 07:18 PM

Why are you on 4.2.1 and not 4.2.2?

ifitsmedia 08-10-2014 07:21 PM

It was due to incompatibility with a mod I was using. I'm no longer using it and will be upgrading, but I don't think 4.2.1 PL1 -> 4.2.2 PL1 fixes any security issues.

ozzy47 08-10-2014 09:24 PM

Looks like you may have to resort to paying to have it sorted. :(


All times are GMT. The time now is 04:42 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
