  #12  
09-09-2013, 02:54 PM
xenite
 
Join Date: Oct 2005
Posts: 33

If it's the Syrian Army whatchamacallit, they apparently found a way to add themselves as administrators even getting past user moderation/approval (unless someone on my team approved an odd account without telling me).

They hacked NOTICE.PHP and embedded a meta-refresh in the PHRASE table. I don't think that it will stop them, but I have added the following to my .htaccess:

# Block Syrian Army IP Addresses
deny from 5.0.0.0/16
deny from 31.9.0.0/16
deny from 82.137.192.0/20
deny from 91.144.0.0/20
deny from 178.253.64.0/20

These IP addresses are all assigned to a Syrian government ISP (and sharing this list here may tip them off that I have identified which network they came in from).

I am using VB 4.something (still uploading a backup of the actual VBulletin files so my forum is offline at the moment). ADDED ON EDIT: Vbulletin 4.1.5 Patch 1

I don't think changing passwords is going to help with this. They found a flaw in the VBulletin script. I show three actions by the hacker's user account in the ADMINLOG. They are:

ADD action with "notice.php"
UPDATE action with "notice.php"
MODIFY action with "notice.php"

He used a HOTMAIL.IT email address (according to the user account).

He apparently deleted his IP address from the USER record (or when he injected it the IP address wasn't recorded). The ADMINLOG shows the IP address, though.

I'll post more info when I find it.

If anyone knows how they managed to create an admin user account without being approved, I'll be glad to hear about that. Please spare me the "they cracked your password" explanation as that dog won't hunt.
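
Added example (not part of xenite's post, and not vBulletin code): a Python triage pass over exported ADMINLOG rows and phrase text, flagging notice.php actions by accounts outside a known-admin list or from the ranges listed above, and phrases that contain meta-refresh or script markup. The row field names, user ids, phrase names and sample rows are constructed assumptions.

```python
import ipaddress
import re

# CIDR ranges copied from the .htaccess rules in the post.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "5.0.0.0/16", "31.9.0.0/16", "82.137.192.0/20", "91.144.0.0/20", "178.253.64.0/20")]

# Markup that should never appear in phrase text: meta refresh, script, iframe.
SUSPICIOUS = re.compile(
    r"<\s*meta[^>]*http-equiv\s*=\s*[\"']?refresh|<\s*(?:script|iframe)\b", re.I)

def in_blocked_net(ip):
    """True if ip parses and falls in a listed range; blank/garbled IPs are False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)

def triage_adminlog(rows, known_admin_ids):
    """Flag notice.php actions by unrecognised accounts or from listed ranges."""
    findings = []
    for row in rows:
        if row["script"] != "notice.php":
            continue
        reasons = []
        if row["userid"] not in known_admin_ids:
            reasons.append("unrecognised admin account")
        if in_blocked_net(row["ipaddress"]):
            reasons.append("source in listed range")
        if reasons:
            findings.append((row["userid"], row["action"], reasons))
    return findings

def tainted_phrases(phrases):
    """Return names of phrases whose text contains redirect or script markup."""
    return sorted(n for n, text in phrases.items() if SUSPICIOUS.search(text))

# Constructed sample data (hypothetical field names, user ids and phrase names).
SAMPLE_ADMINLOG = [
    {"userid": 1, "script": "notice.php", "action": "update", "ipaddress": "203.0.113.7"},
    {"userid": 4242, "script": "notice.php", "action": "add", "ipaddress": "5.0.12.34"},
    {"userid": 4242, "script": "notice.php", "action": "modify", "ipaddress": ""},
    {"userid": 1, "script": "user.php", "action": "edit", "ipaddress": "203.0.113.7"},
]
SAMPLE_PHRASES = {
    "welcome_msg": "Welcome to the forum!",
    "notice_1_html": '<meta http-equiv="refresh" content="0;url=http://example.invalid/">',
}
```

A row with a blank IP is still flagged on the account check alone, so a missing address does not hide the entry.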