vb.org Archive

mrpotatohead 03-28-2007 03:45 PM

Possible security hole
 
Hi guys,

I got a message through PM today with the following contained:

Quote:

"Dear admin, thank you for your interest.

As you have read at www.paradox-security.de.vu I checked your homepage and found critical security holes.


Proof:
Your SQL Data of the forum
$config['Database']['dbname'] = **removed for purposes of post**;
$config['MasterServer']['servername'] = **removed for purposes of post**
$config['MasterServer']['port'] =**removed for purposes of post**
$config['MasterServer']['username'] = **removed for purposes of post**
$config['MasterServer']['password'] = **removed for purposes of post**




And a part of your document root structure:


[barcrawl] DIR 05.03.2007 19:44:19 joemcd/joemcd drwxr-xr-x Info
[bbwebsite] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[celebritybb] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[cgi-bin] DIR 01.08.2006 19:23:42 joemcd/joemcd drwxr-xr-x Info
[contact] DIR 03.01.2007 17:06:32 joemcd/joemcd drwxr-xr-x Info
[dump] DIR 03.01.2007 17:06:36 joemcd/joemcd drwxr-xr-x Info
[faq] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info
[forums] DIR 18.01.2007 09:27:29 joemcd/joemcd drwxr-xr-x Info
[frozen-illusion] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info
[frozenillusion] DIR 06.02.2007 22:39:18 joemcd/joemcd drwxr-xr-x Info
[jmcdesig] DIR 20.08.2006 12:47:31 joemcd/joemcd drwxr-xr-x Info
[jmcdesigns] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[newsfeed] DIR 03.01.2007 17:06:37 joemcd/joemcd drwxr-xr-x Info
[newsletter] DIR 03.01.2007 17:09:12 joemcd/joemcd drwxr-xr-x Info
[nutv] DIR 08.03.2007 17:23:58 joemcd/joemcd drwxr-xr-x Info
[portal] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[research] DIR 27.01.2007 16:12:06 joemcd/joemcd drwxr-xr-x Info
[sifr] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info





This security hole is very critical as you can see, because the attacker has complete Server access.

If you want to know more I'll give you my paypal address to transfer the money (100 EUR), otherwise I wish you good luck, and I hope that I could help you.

greez
paradoX


Please don't reply to this PM. For contact write an email."

What can I do to improve the security? Any idea what this security hole is?!

I'm changing all my passwords now...


- Joe

nexialys 03-28-2007 03:50 PM

thru PM where?!

it is not a security hole, you have someone with ftp access to your server, and this is not related to vBulletin... ask your HOST to verify the accesses...

and how i read this, you hired a moron to check for your security, and he is proving his stupidity by telling you nothing about your security holes...

don't pay him the 100$ he requires....

mrpotatohead 03-28-2007 03:58 PM

It was through PM on my website - and that's the thing, never asked anyone for any security advice! But will look into this - thanks! :)

bashy 03-29-2007 02:47 PM

What you want to be asking yourself is, How did he get this info?

Quote:

Proof:
Your SQL Data of the forum
$config['Database']['dbname'] = **removed for purposes of post**;
$config['MasterServer']['servername'] = **removed for purposes of post**
$config['MasterServer']['port'] =**removed for purposes of post**
$config['MasterServer']['username'] = **removed for purposes of post**
$config['MasterServer']['password'] = **removed for purposes of post**

Reeve of shinra 03-29-2007 04:51 PM

He must have ftp or ssh access to your site...

Calash 03-29-2007 06:15 PM

Could be done with a shell script, or if it is shared hosting there may be a permission issue allowing others on the same server/cluster read access to your files...hard to say.

Changing the passwords is the first step, next would be to review your log files from before you got that email. Look for odd requests that contain URLs or other data. It will take a bit but you may be able to locate how he got the info.
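
The log review suggested in the post above, as an added example that is not part of the original thread: it scans web access-log lines for requests whose query parameters carry a URL, and goes slightly beyond the post by also flagging `../` path traversal. The "combined" log format, the script names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache/nginx "combined" log format is assumed; adjust for your host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
URL_IN_VALUE = re.compile(r"(?:https?|ftp)://", re.I)
TRAVERSAL = re.compile(r"\.\.[/\\]")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f becomes ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return one finding per request whose query string carries a URL or ../"""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        path, _, query = m["target"].partition("?")
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if URL_IN_VALUE.search(value):
                reason = "url-in-parameter"
            elif TRAVERSAL.search(value):
                reason = "path-traversal"
            else:
                continue
            hits.append({"ip": m["ip"], "time": m["ts"], "path": path,
                         "param": name, "value": value, "reason": reason,
                         "status": int(m["status"])})
            break  # one finding per request is enough for triage
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical script names).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2007:10:01:02 +0000] "GET /forums/showthread.php?t=143 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Mar/2007:10:05:40 +0000] "GET /site/index.php?page=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [27/Mar/2007:10:06:11 +0000] "GET /site/view.php?file=%252e%252e%252fforums%252fincludes%252fconfig.php HTTP/1.1" 200 640 "-" "-"',
    '203.0.113.5 - - [27/Mar/2007:10:07:00 +0000] "POST /forums/login.php?do=login HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
```

Pass an open log file to `suspicious_requests()` and look first at findings with a 200 status dated before the message arrived; the source IP of a finding is a starting point for pulling every other request from that address.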

moorediddy 04-02-2007 06:43 PM

Anyone else getting this? I got the same exact message on mine... it's obviously from an FTP/SSH access to my config files.

bashy 04-03-2007 05:53 PM

you both ain't on the same server are you?
Perhaps someone is accessing the information using ssh that's not secured?

mlomenzo 08-13-2007 04:59 PM

I agree that it seems like someone has ftp access to your site. Definitely check with your hosting company. Post an update when you know what's going on.

Good Luck
Mike

tipoboy 08-13-2007 06:38 PM

this thread was started in april lol :) it's now august :confused:


All times are GMT.