vb.org Archive


ThatGreenAlien 10-08-2013 01:59 PM

Random account set to Administrator?
 
Today I woke up to see the newest member, some random account named qaz001 was in the administrator group? We banned them before anything was done, but what is this and what can we do to stop it? Is this like a hack or something? :eek:

I did a google search on the name, and a lot of other random boards have the same account set as an administrator... what's up with this?

ForceHSS 10-08-2013 02:13 PM

Yes, it's a hacker. You would be best to do a full check and plug the hole where they got in.

ThatGreenAlien 10-08-2013 03:33 PM

Okay, I'm pretty new to server stuff, what should I do exactly? And I looked in their log and saw something with plugin.php, what should I be looking for?

Paul M 10-08-2013 03:44 PM

Have you followed the recent security advice and removed your install folder? That's almost certainly how they created the account.

ThatGreenAlien 10-08-2013 04:50 PM

I'll check that when I get home. Thanks!!

Edit: All install folders have been deleted. Anything else?

ozzy47 10-08-2013 10:10 PM

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

afonseca 10-09-2013 09:40 PM

Hi, I'm having the exact same issue, down to the username that was used. I banned those accounts and the hacker started creating other named accounts also in the Administrators group. The links on vbulletin.com are throwing this error:
"An internal error has occurred and the module cannot be displayed."

Did vbulletin.com get hacked? Any help appreciated.

ForceHSS 10-09-2013 09:58 PM

Quote:

Originally Posted by afonseca (Post 2451430)
Hi, I'm having the exact same issue, down to the username that was used. I banned those accounts and the hacker started creating other named accounts also in the Administrators group. The links on vbulletin.com are throwing this error:
"An internal error has occurred and the module cannot be displayed."

Did vbulletin.com get hacked? Any help appreciated.

Sorry, are we talking about your forum being hacked, or are you asking if vbulletin has also been hacked?

afonseca 10-09-2013 10:03 PM

I was referring to vbulletin.com there as none of the links shared were working for me, they were throwing that error message. They seem to be working fine now.

Grimes 10-09-2013 10:17 PM

Quote:

Originally Posted by ThatGreenAlien (Post 2450890)
Today I woke up to see the newest member, some random account named qaz001 was in the administrator group? We banned them before anything was done, but what is this and what can we do to stop it? Is this like a hack or something? :eek:

I did a google search on the name, and a lot of other random boards have the same account set as an administrator... what's up with this?

I have the same exact thing happening. Same user, same situation. The email is qwe@qwe.com and the ip is the same each time out of the Ukraine. It comes up in spam ip searches online. They were able to set the usergroup to admin and registration ip is blank. I believe I caught it in time, but I noticed that that same user account was created multiple times, and their location under 'who's online' was plugin.php?do=doimport&do=doimport.

Check your plugins for strange plugins. I had multiple entries (one for each account) of a plugin titled 'ech' that uses the hook init_startup. I deleted them all. This just happened moments ago. I had registration turned off, but it was still creating that same account. Banning the username and ip + email seems to have stopped it. Bizarre. I'm in the process of a security check right now to see if there's a hole somewhere.
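
The posts above name two things that show up in a web server's access log: requests to plugin.php with do=doimport, and requests into the install folder. As an added example (not part of the thread and not vBulletin code), this Python pass flags both and separates requests the server actually answered from ones it refused. The log lines, IP addresses and the /admincp/ path are constructed, and Apache combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2013:03:12:44 +0000] "GET /install/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2013:03:13:02 +0000] "GET /admincp/plugin.php?do=doimport&do=doimport HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Oct/2013:03:14:10 +0000] "GET /showthread.php?t=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.21 - - [08/Oct/2013:03:15:31 +0000] "GET /forum/install/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(log_text):
    """Return (ip, reason, status) for requests matching the thread's indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        segments = [s.lower() for s in url.path.split("/") if s]
        if "install" in segments:
            reason = "install-dir"      # the folder Paul M says to remove
        elif segments[-1:] == ["plugin.php"] and "doimport" in parse_qs(url.query).get("do", []):
            reason = "plugin-import"    # the location Grimes saw in Who's Online
        else:
            continue
        findings.append((m["ip"], reason, int(m["status"])))
    return findings

def served_sources(findings):
    """IPs whose flagged request got a 2xx, i.e. the server answered instead of refusing."""
    return sorted({ip for ip, _, status in findings if 200 <= status < 300})

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for ip, reason, status in hits:
        print(f"{ip:15} {reason:14} HTTP {status}")
    print("follow up on:", served_sources(hits))
```

A 404 on the install path is what a board looks like after the folder has been deleted; a 2xx on either indicator is the case to trace back through the plugin list and the Administrators group.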


All times are GMT.