vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   forum hacked! (https://vborg.vbsupport.ru/showthread.php?t=93068)

tm21 07-28-2005 02:33 PM

forum hacked!
 
Some damn newb got hold of an admin password and proceeded to make numerous changes to my forum. I have everything listed in the logs, but it does not say exactly WHAT he did; only the script and action are listed. For example, he changed several user profiles, but it lists the users by number, not by name, and the member search does not have an option to search by number! How can I find out who these members are?

He changed forum permissions, altered usergroups, did something with options.php, modified templates, and also screwed with css.php and cronadmin.php. What the hell feature of the board is cronadmin?

I eliminated all admins except myself, installed 3.5 RC1 and reverted all the templates to stock. I think he added some redirect code to the templates to snag people's passwords. Some of my members were complaining of being sent to another website with IE exploits. I would not have caught him today if he hadn't gotten greedy and given himself an avatar (a privilege for staff only). The templates and CSS changes I can fix; what worries me is that entry for cronadmin.php where the action was "modify". How can I find out what was modified, or where such modifications can be done?

Biker_GA 07-28-2005 02:40 PM

To see who the member is via the number designation use:

http://<your forum URL>/forum/member.php?u=x, where x is the number you want to look up.

Cronadmin allows you to administer the cron jobs within vB.

I'd double-check to ensure he also didn't load any custom scripts/templates that may be unaffected by the upgrade to RC1.

Marco van Herwaarden 07-28-2005 02:51 PM

Remove all your files from ./includes/cron and upload fresh copies.

tm21 07-29-2005 10:11 AM

He tried it again while I was looking over the control panel log; I noticed his IP, but this time on MY username. He made numerous changes to css.php and some templates. Unfortunately I can't seem to revert the original template; all of the custom code remains untouched. I also can't delete the default template. Is there a way to upload the original default templates from RC1 so I can overwrite what I have?

I blocked his IP from the entire domain, randomized the names of the admin control panel, changed my password several times, and banned all the users he tried to promote to admins. So far so good. Now I just need to make sure the templates are purified of his perversions.

I don't suppose the recent update to 3.0.8 had anything to do with an exploit floating around, does it? He got into my system on the 23rd when I was still using 3.0.6. How he got access to all the admin accounts remains a mystery to me. He made a regular post saying he knows a lot about hacking and security. I hope he has not found some major hole in vBulletin. I hope he is just a script kiddie.

Marco van Herwaarden 07-29-2005 10:50 AM

I would ask for advice over at vbulletin.com, but if I were you I would do the following:
- Contact your host, and ask them to check log files for whether someone from his IP had access to the server (I doubt they will find anything)
- Make sure you have a correct backup of your 3.0.6 database (yes, I know you will be losing data)
- Back up anything else you have on that server, as long as you can 100% verify that it is unmodified.
- Ask your host to do a fresh reinstall of your server (you will lose everything!!) using the latest versions of all software (PHP 4, MySQL 3 (or MySQL 4.0/4.1 if you want)). Make sure they also give you new passwords to your server.
- Reinstall a FRESH copy of vB 3.0.8
- Install your backup in a temporary database
- Perform the upgrade tasks to 3.0.8
- Create a new forum database
- Use ImpEx to transfer forum info from the test database to the new database.
- Change all admin/mod passwords. Make sure that your admins don't use easy passwords, and that they all have clean PCs (no keyloggers, trojans, etc.)
- Remove the old test database.
- Open your board again; if you want, you can upgrade to 3.5 RC1 again.

The reason that you must go back to 3.0.6 backup is that there is no ImpEx for 3.5 yet.

tm21 07-29-2005 12:03 PM

That is all doable, a tall order, but necessary under the circumstances.

I tried to upload the default style xml file to overwrite the existing one but it did not work. I also could not create a new style by uploading. Is this a bug in 3.5 or a symptom of what the hacker may have done?

Marco van Herwaarden 07-29-2005 12:09 PM

The reason I am suggesting this is that you have no knowledge of what he did or whether he had access to the filesystem. In the latter case he could have changed any file (not only vB) or have left scripts in locations that you didn't even notice that could give him access again.

I doubt that he got access through vB in the first place, unless it was by a weak login or a keylogger at the PC of one of your admins.
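The advice in this thread to remove ./includes/cron and upload fresh copies, and the later warning that an attacker with filesystem access could have changed any file or dropped scripts anywhere, both amount to one check: compare the deployed web root against a clean copy of the same vBulletin release before overwriting anything, so you learn what was touched instead of destroying the evidence. The script below is an added example and is not code from the thread or from vBulletin; the directory layout, file names and file contents it builds are constructed to show the three outcomes a practitioner cares about (modified, added, removed), with newly added executable files listed separately because that is where dropped backdoors turn up.

```python
"""Compare a deployed web root against a clean reference copy.

Added example (not from the thread or vBulletin): run this before
"remove the files and upload fresh copies" so you learn *what* was
changed rather than silently overwriting it. The paths and file
contents built in demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the web server will execute; an unexpected new file with
# one of these is the first thing to look at after a compromise.
CODE_EXT = {".php", ".phtml", ".php5", ".cgi", ".pl", ".sh"}


def hash_tree(root):
    """Map relative POSIX path -> sha256 hex digest for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(reference, deployed):
    """Classify files in `deployed` relative to the clean `reference` tree.

    Returns a dict of sorted lists:
      modified   - present in both, content differs
      added      - only in deployed
      removed    - only in reference
      added_code - subset of added with an executable extension
    """
    ref = hash_tree(reference)
    dep = hash_tree(deployed)
    modified = sorted(p for p in ref.keys() & dep.keys() if ref[p] != dep[p])
    added = sorted(dep.keys() - ref.keys())
    removed = sorted(ref.keys() - dep.keys())
    added_code = [p for p in added if Path(p).suffix.lower() in CODE_EXT]
    return {"modified": modified, "added": added, "removed": removed, "added_code": added_code}


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Build a constructed reference tree and a tampered deployed tree, then diff them."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as dep:
        clean = {
            "includes/cron/cleanup.php": "<?php // clean cron job\n",
            "includes/functions.php": "<?php // helpers\n",
            "css.php": "<?php // stylesheet handler\n",
        }
        for rel, text in clean.items():
            _write(ref, rel, text)
            _write(dep, rel, text)
        # Constructed tampering: one cron job edited, one new script dropped
        # in a directory that normally holds only images, one file deleted.
        _write(dep, "includes/cron/cleanup.php", "<?php // clean cron job\n// extra line not in the release\n")
        _write(dep, "images/misc/x.php", "<?php // not part of the clean distribution\n")
        os.remove(Path(dep) / "css.php")
        return diff_trees(ref, dep)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice point `diff_trees()` at an unpacked copy of the exact release zip and at the live document root; anything in `modified` or `added_code` needs to be read before it is replaced, and `added` files outside the release (uploads, attachments, custom mods) still deserve a glance for executable extensions.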

Marco van Herwaarden 07-29-2005 12:10 PM

Quote:

Originally Posted by tm21
I tried to upload the default style xml file to overwrite the existing one but it did not work. I also could not create a new style by uploading. Is this a bug in 3.5 or a symptom of what the hacker may have done?

That is very hard to tell without knowing why uploading fails. I haven't heard of a bug like that, but you could check the bug tracker.

tm21 08-04-2005 03:08 AM

Hrm, I found out how he was able to siphon my password. He changed an admin's custom username and added a JavaScript file using vB code tags. Since this admin has a post in just about every thread, nothing was left untouched. I have not gone to drastic measures in restoring my site yet, since I am working with my provider to lure him in for more hacking...

I still don't know how he got in for sure, but I now suspect he obtained the password of a moderator that had gone inactive. Once in, he inserted his little JavaScript trick in the signature and waited until he got an admin password. Once he got that he would have gone unnoticed for quite some time, but he got greedy and gave himself an avatar. Well, out of my 12,000 members only I have an avatar, so I knew immediately something was wrong.

This is why I ban all AOL users :) I had just moved to a new host last month, so I have not gotten around to restoring my .htaccess stuff yet. This hacker was using an AOL account.

Kirk Y 08-04-2005 05:38 AM

You ban them all because... proxies or what? I really hate getting hacked... most of the time when it happens to my site they somehow manage to get hold of the cPanel password. And believe you me, it's not a weak password... alphanumeric, both cases, the works. Our host sucks... but we have to live with it. Any ideas on this end of how someone could be getting the password?

Marco van Herwaarden 08-04-2005 06:11 AM

Quote:

Originally Posted by tm21
and added a JavaScript file using vB code tags.

Now that is why it is so dangerous to allow the use of HTML.
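tm21's account above (a script reference injected into an admin's signature/custom field, rendered on every page where that admin posted) and Marco's reply (allowing HTML in user fields is what makes this possible) describe a stored cross-site scripting problem. After an incident like this the practical question is which rows in the user table and which templates still carry active content. The scanner below is an added example, not code from the thread or from vBulletin; it walks HTML with the standard-library parser and reports script tags, inline event handlers, `javascript:` URLs and embedding/redirect tags. The sample rows are constructed, and the hostname `attacker.invalid` is a placeholder.

```python
"""Scan user-controlled HTML (signatures, custom titles, templates) for
content that executes or redirects in every reader's browser.

Added example, not from the thread or vBulletin. SAMPLE_ROWS is
constructed to look like a dump of the relevant columns; the only
hostname used is the reserved placeholder attacker.invalid.
"""
from html.parser import HTMLParser

# Tags that load or run code, or send the reader elsewhere.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet",
               "meta", "base", "form", "link"}
# Attributes whose value is a URL and can therefore carry a script: scheme.
URL_ATTRS = {"href", "src", "action", "data", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


class ActiveContentFinder(HTMLParser):
    """Collect (kind, detail, line) findings while parsing one HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append(("tag", tag, line))
        for name, value in attrs:
            name = name.lower()
            # Collapse whitespace so "java\tscript:" and "  javascript:" are caught;
            # the parser has already decoded entity-encoded attribute values.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on") and len(name) > 2:
                self.findings.append(("event-handler", f"{tag}@{name}", line))
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(("script-url", f"{tag}@{name}", line))


def find_active_content(html):
    """Return the list of findings for one HTML fragment (empty list if clean)."""
    parser = ActiveContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_rows(rows):
    """rows: iterable of (table, userid, field, html). Returns only rows with findings."""
    hits = []
    for table, userid, field, html in rows:
        findings = find_active_content(html)
        if findings:
            hits.append({"table": table, "userid": userid, "field": field,
                         "findings": findings})
    return hits


# Constructed sample rows in the shape a dump of user.signature /
# user.usertitle / template.template might take.
SAMPLE_ROWS = [
    ("user", 1, "signature", '<b>Admin</b> - <a href="http://example.org/rules">forum rules</a>'),
    ("user", 17, "usertitle", 'Moderator<script src="http://attacker.invalid/log.js"></script>'),
    ("user", 42, "signature", '<img src="x" onerror="sendSomewhere()">'),
    ("user", 99, "signature", '<a href="  javascript:void(0)">click</a>'),
    ("template", 0, "headinclude", '<meta http-equiv="refresh" content="0;url=http://attacker.invalid/">'),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"{hit['table']}.{hit['field']} userid={hit['userid']}: {hit['findings']}")
```

Feed it the raw stored values, not the already-rendered page, and treat any hit in a field that is supposed to hold plain text or BBCode only as a compromise indicator, not merely a content-policy violation. The fix on the configuration side is the one Marco points at: do not allow HTML in user-editable fields at all, rather than trying to filter it.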

mholtum 08-04-2005 07:38 AM

Have you thought about restoring a complete backup, including the database, and then changing the passwords?

Lea Verou 08-06-2005 08:06 AM

OMG!! This is terrible!! I had no idea this kind of hacking is that common! Thank god it hasn't happened to us yet... :/

Marco van Herwaarden 08-06-2005 08:38 AM

This is probably not done through hacking but by getting access to a password.

Brad 08-06-2005 08:58 AM

Quote:

Originally Posted by acidburn0520
You ban them all because... proxies or what? I really hate getting hacked... most of the time when it happens to my site they somehow manage to get hold of the cPanel password. And believe you me, it's not a weak password... alphanumeric, both cases, the works. Our host sucks... but we have to live with it. Any ideas on this end of how someone could be getting the password?

Many ways: keyloggers, brute forcing, or just coming in without the password at all. cPanel is known to be the source of many cracks just because it's so widely used and allows you so much access to the system.

Most of the guys that are serious about their servers don't even run a control panel script :).

