vb.org Archive


iogames 09-20-2008 02:45 AM

:) HaCkEd aGaIn :)
 
I was reading in the morning that someone was hacked and I thought: I'm gonna find the time to write a good 'Guide for the Hacked' for users not to get hysterical about the problem and ZAZ! my site was hacked :P but I don't get all scared, good thing that I know by memory the structure of my server/files... but it must be interesting to analyze/dissect the attacks for future reference...

I don't know if it's improper to post this, please advise me if so... but here is the main file that steals your cP's password: CONFIGSCAN.PHP

*** Script removed, no need to post a script to hack a site ***

p.s. I fixed my problem very calmly :)

SEOvB 09-20-2008 02:58 AM

Wouldn't they still need a way to get that file on your server?

Lynne 09-20-2008 03:21 AM

Quote:

Originally Posted by FRDS (Post 1626038)
Wouldn't they still need a way to get that file on your server?

This was gonna be my question. That is what I would be freaking out over!

iogames 09-20-2008 03:45 AM

In fact I said: I always take it with calm... not that I'm an expert :D
I just check head-over-heels, and although I said to my Hosting Service that it might be a Shell thing, they say it is a script-related thing... so I don't discuss and go to the logs and clean everything and change passwords...

It came with many 'strange foreign files'

Any idea what that script compromises?

p.s. I consider a toothache more important than a vBulletin's board hacked

--------------- Added [DATE]1221886742[/DATE] at [TIME]1221886742[/TIME] ---------------

and everything starts here:
Quote:

212.100.250.218 - - [11/Sep/2008:11:03:48 -0600] "GET /cpanel HTTP/1.0" 301 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:34 -0600] "GET /version.php HTTP/1.0" 200 63599 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:29 -0600] "GET /configscan.php HTTP/1.0" 200 1773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
41.219.229.144 - - [11/Sep/2008:11:09:54 -0600] "GET /configscan.php HTTP/1.1" 200 1813 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
41.219.229.144 - - [11/Sep/2008:11:26:00 -0600] "GET /yomistarz/yomistarz.php HTTP/1.1" 200 3698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
212.100.250.218 - - [12/Sep/2008:03:24:41 -0600] "POST /GuXnnQshoT.php HTTP/1.0" 200 25610 "http://iogames.com/GuXnnQshoT.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16)
England & Nigeria :rolleyes:

Lynne 09-20-2008 04:02 AM

Quote:

Originally Posted by iogames (Post 1626072)
p.s. I consider a toothache more important than a vBulletin's board hacked

But do your users agree with that! ;)

iogames 09-20-2008 04:47 AM

'Naija Bois Too Much '

https://vborg.vbsupport.ru/external/2008/09/2.gif

Info in the files, I called my Nigerian friend OSUJI, and he told me it is a bragging gang term...

Ziki 09-20-2008 08:43 AM

To avoid this file finding out your password, change the config.php file so that it is not a one-liner, but more lines. Especially the password parts.

iogames 09-21-2008 04:26 AM

The only thing I regret is to lose my SuperSecure password: it was a word I created with Latin & Greek roots, combined with numbers and must be entered sitting over your head singing Jingle bells in Zulu :D

The only FTP connection I see is on 9/14/2008

Quote:

14 40 7.86% 40 files 153kb
Over .png files :p

puertoblack2003 09-21-2008 05:11 AM

I remember reading something on how to protect the config.php. There's info here to protect your file using htaccess: http://www.sitebuddy.com/php/VBullet...with_.htaccess Hope that helps :)

Ziki 09-21-2008 06:35 AM

Or CHMOD it to 600 ;), this allows the script to be accessed via your vBulletin/server files, but not via users :), I use this for my products.
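
Added example (not part of the original thread): a permission audit for the two points raised above, config.php access bits and how a foreign file could land on the server. The function names and the demo directory layout are assumptions. Mode 600 only shuts out other accounts on the host; a script that runs as the file's owner can still read it.

```python
import os
import stat
import tempfile

def audit_webroot(webroot, config_names=("config.php",)):
    """Return (path, finding) pairs for risky permissions under webroot."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        if stat.S_IMODE(os.lstat(dirpath).st_mode) & stat.S_IWOTH:
            # Any local account can create files here, scripts included.
            findings.append((dirpath, "world-writable directory"))
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if name in config_names and mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, "config open to group/other (%04o)" % mode))
            elif name.endswith(".php") and mode & stat.S_IWOTH:
                findings.append((path, "world-writable script (%04o)" % mode))
    return findings

def build_demo_tree():
    """Constructed layout: includes/config.php at 0644 and uploads/ at 0777."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for sub in ("includes", "uploads"):
        os.mkdir(os.path.join(root, sub))
    cfg = os.path.join(root, "includes", "config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // placeholder, no real settings\n")
    os.chmod(cfg, 0o644)
    os.chmod(os.path.join(root, "includes"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root, cfg

if __name__ == "__main__":
    root, cfg = build_demo_tree()
    for path, finding in audit_webroot(root):
        print(finding, path)
    os.chmod(cfg, 0o600)
    print("after chmod 600:", audit_webroot(root))
```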

