vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Hacked - Database Deleted - Via Downloads II ?? (https://vborg.vbsupport.ru/showthread.php?t=202360)

jimjam 01-19-2009 03:09 PM
Hacked - Database Deleted - Via Downloads II ??
 
1 Attachment(s)
Lunch time today I got a general VB database error. When I checked the site through my server control panel, the site database was not there.:confused::confused: I am currently installing a backup.

After nosing around the file structure on the site, I noticed in the Downloads folder, (this is a folder created by the Downloads II mod) a bunch of files that should not have been there, most modified at the time of the crash just after 1pm

Can anyone enlighten me what these files might be and how they got in this folder and are they responsible for my database disappearing.

Thanks in advance

snakes1100 01-19-2009 03:16 PM
You have a security hole on the server, check the apache logs for c99 and see if you can find out how they uploaded it, there are numerous ways to stop c99 uploads, but i would suggest you find the security issue first and close that hole.

jimjam 01-19-2009 03:22 PM
What is a c99 upload?

snakes1100 01-19-2009 03:23 PM
c99 is the bash script they used to nuke your db.

you posted a picture of the files they uploaded, please read the names of the files and note the c99 name in them.

jimjam 01-19-2009 03:29 PM
Yes, the thing is I think i saw him do it.

On the front page we have vbadvanced and there is a VBA module that lists the latest upload, i noticed an upload called aaaaaaaaaaa But when I went to it, it was gone, The upload was atributed to someone who joined today. I watched him, via whos online and he spent a bit of time in the Downloads section and then i thought no more of it. A lot of members do just that they join to get access to the downloads section, shortly after the DB was no more.

That is why I checked the Downloads folder, looking for that aaaaaaaaa file and found all that other c99crap

snakes1100 01-19-2009 03:33 PM
Well as i stated you can block c99 uploading, thats not really a issue, you need to close the security hole you have open on your server.

Without going over your server to see its setup, i cant really suggest anything more.

1. secure server.
2. check perms.
3. make sure programs are running latest version.

jimjam 01-19-2009 03:48 PM
Thanks for your help.:up:

I am a newbie to all things "server-side" so it looks like I need to get out and find some help.

snakes1100 01-19-2009 03:52 PM
Your welcome.

Dismounted 01-20-2009 05:23 AM
Quote:
Originally Posted by jimjam (Post 1717976)
Yes, the thing is I think i saw him do it.

On the front page we have vbadvanced and there is a VBA module that lists the latest upload, i noticed an upload called aaaaaaaaaaa But when I went to it, it was gone, The upload was atributed to someone who joined today. I watched him, via whos online and he spent a bit of time in the Downloads section and then i thought no more of it. A lot of members do just that they join to get access to the downloads section, shortly after the DB was no more.

That is why I checked the Downloads folder, looking for that aaaaaaaaa file and found all that other c99crap
It looks like you've found your hole. :) Check for updates with that modification.


All times are GMT. The time now is 07:49 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01220 seconds
  • Memory Usage 1,725KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (9)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete