Thread: Forum hacked because of /install/upgrade.php delete it
View Single Post
  #1  
Old 10-16-2013, 10:45 PM
NeDra NeDra is offline
 
Join Date: Dec 2008
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Forum hacked because of /install/upgrade.php delete it
v4.21 forum got hacked 3 times from raw forum no modification, no addon, fresh, clean DB...

I than look at the log it and pointed toward
/install/upgrade.php

I got curious and went to check how they could manage such a thing...
and to my surprise...

The page ask for the customer number... that fine...
View source code on that page

Code:
            <!--
                var IMGDIR_MISC = "../cpstyles/vBulletin_3_Silver";
                var CLEARGIFURL = "./clear.gif";
                var CUSTNUMBER = "XXXXXXXXXXXXXXXXXXXXX";
                var VERSION = "";
                var SCRIPTINFO = {
                    version: "",
                    startat: "",
                    step   : "",
                    only   : ""
                };
                var ADMINDIR = "../cp_admin";
The CUSTNUMBER is the MD5(customerNumber)
And guess what, It can be reversed in 5 minutes from what I've seen.
Customer number are what, 12 symbols A-Z0-9
I guess there even DB that contain all possible MD5 with those values.

So they get my customer number and execute the upgrade script and create a new account from the upgrade script...

Why did you even bothered giving them the MD5 of the answer and the link to the admin control pannel?

So yes, delete your install folder entirely or move it outside of your forum asap.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01621 seconds
  • Memory Usage 1,765KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete