Go Back   vb.org Archive > Community Central > Community Lounge
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 09-25-2007, 06:10 AM
Knightmane's Avatar
Knightmane Knightmane is offline
 
Join Date: Dec 2005
Location: USA
Posts: 40
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default ATTN: Impex Users

I think this is a good place to mention something I have been seeing on my own web site's Currently Active Users page.

Apparently there are some data thieves out there using script programs to activate and run your own forum's Impex programs and the script will save your forum's data to any server they designate in the script itself, which allows these thieves to look through your data at their own leisure.

The first time I saw these people doing this, my first thought wasn't piracy; it was, "Hey, I don't have Impex installed. What's going on?"

The next time it happened, I reported the incident to the server provider where the script was trying to aim data to, and they closed that thief's server account permanently (they thanked me in an email for bringing it to their attention.)

The following times I have seen this, I have simply IP banned their ISPs. I know that is a bit extreme, but I got tired of seeing the attempts being made.

So if you have Impex installed on your web server where your forum is located, please keep in mind that you are inviting these people to hit your forum site to back up your web forum data to read through later. And yes, this will also mean that they can get your passwords, too.

Impex, while a good program, I am to understand, is a major security risk in this case. If you are not using the program, disable it and that will prevent these people from being able to use it on your own web site.

Thank you for your time. I just thought vbulletin should know what was happening with this situation. Please look into this!


(I posted this information on vbulletin.com, but I wanted to make sure everyone knew about this so they could take protective measures.)
Reply With Quote
  #2  
Old 09-25-2007, 06:32 AM
Dean C's Avatar
Dean C Dean C is offline
 
Join Date: Jan 2002
Location: England
Posts: 9,071
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done.
Reply With Quote
  #3  
Old 09-25-2007, 06:41 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Knightmane View Post
Apparently there are some data thieves out there using script programs to activate and run your own forum's Impex programs and the script will save your forum's data to any server they designate in the script itself, which allows these thieves to look through your data at their own leisure.

The first time I saw these people doing this, my first thought wasn't piracy; it was, "Hey, I don't have Impex installed. What's going on?"
You are contradicting yourself.

Also the part where you say "will save your forum's data to any server they designate" does not make much sense as the target database (and MySQL server) for ImpEx is in the config file that resides on the same server as the ImpEx script, so without FTP access they can not change the target.

If they are hosting ImpEx on their own server, all of the following requirements would still need to be true in order to read your data:
- Your server must allow external connections to the database
- Your databasename must be known
- Your MySQL username & password must be known

Finally passwords are stored hashed in the database and can by no way be retrieved.

If you have any evidence that ImpEx (might) be insecure, please open a Support Ticket providing as much details as possible. At this time there are however no known security issues.
Reply With Quote
  #4  
Old 09-25-2007, 09:13 AM
Knightmane's Avatar
Knightmane Knightmane is offline
 
Join Date: Dec 2005
Location: USA
Posts: 40
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Actually, I never meant to imply that I ever had impex installed.

However.... in the currently active users list, what else could an Unknown Location with something like... "/index.php/impex/ with the script url here" ...mean?

But in the case where these other people have found their own posts and accounts duplicated on a forum they never joined... this IS how it could be done. As for password in the database, and I know this from experience from working on my own board... any Admin with the proper access can back up a database to their computer and view the file in notepad and see the so-called encrypted password. No offence. It's not encrypted.

At any rate, I am not going to say anything more about it, except...

Bottom Line: as Dean C said, "Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done."

Those people who leave that up are getting what they deserve and have no right to complain.

Thank you for listening. (PS: I don't type in British English, so typed words have different meanings. And I am about zonked with needing sleep. And yes, WinXP can crash. It happened to me 2 weeks ago; that's why I'm on Linux now. )
Reply With Quote
  #5  
Old 09-25-2007, 09:22 AM
Lizard King Lizard King is offline
 
Join Date: Jan 2005
Location: Mersin
Posts: 907
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

In order to run Impex you need the following informations :
1. Customer Number
2. Impex Config file variables such as database name & password
Without these information noone can run and gather your data.

And whats with the I dont type British English bla bla... That is the funniest sentence i've ever read on vbulletin.org for a long time.

You just think you find something important but hey you dont cause your posts mean nothing.
Reply With Quote
  #6  
Old 09-25-2007, 09:23 AM
Dean C's Avatar
Dean C Dean C is offline
 
Join Date: Jan 2002
Location: England
Posts: 9,071
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Knightmane View Post
No offence. It's not encrypted.
Nonsense. I'll happily give you a dump of my user table from my dev forums, for you to try and get my password.
Reply With Quote
  #7  
Old 09-25-2007, 09:39 AM
nexialys
Guest
 
Posts: n/a
Default

Quote:
However.... in the currently active users list, what else could an Unknown Location with something like... "/index.php/impex/ with the script url here" ...mean?
when we do not know something, instead of attacking with presumptions, we have to ask...

the unknown location like you say is just something that is unknown... logically... and if in the WOL you see such location, it means that someone TRY to access that path.. .doesn't mean it does access it with success... most of the web crawlers have that url in their path because it is a known url,... most people trying to make you fear will also use that path... jut to see if you are fool enough to let it on your site.

anyway, you have to consider suggesting this problem to vbulletin.com if you really think it's a risk, because you're actually not on the official website now...
Reply With Quote
  #8  
Old 09-25-2007, 11:20 AM
dyna88 dyna88 is offline
 
Join Date: Dec 2006
Location: Wisconsin
Posts: 164
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

More then likely the reason they are looking for impex is because an older version used in conjunction with 3.5.1-3.5.4 I think it was had a few RFI exploits....this is why it is so important to keep updated.
Reply With Quote
  #9  
Old 09-25-2007, 12:43 PM
Brad Brad is offline
 
Join Date: Nov 2001
Posts: 4,765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Dean C View Post
Nonsense. I'll happily give you a dump of my user table from my dev forums, for you to try and get my password.
With the salt in hand a brute force is just as likely as a "pure" md5 hash (md5($password). I'm not going to take you up on your offer but given enough time I could get your password if I had a copy of your user table.
Reply With Quote
  #10  
Old 09-25-2007, 12:59 PM
Dean C's Avatar
Dean C Dean C is offline
 
Join Date: Jan 2002
Location: England
Posts: 9,071
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Brad View Post
With the salt in hand a brute force is just as likely as a "pure" md5 hash (md5($password). I'm not going to take you up on your offer but given enough time I could get your password if I had a copy of your user table.
I still challenge you, or anyone to do it.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:20 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04591 seconds
  • Memory Usage 2,265KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (5)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (9)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete