Possible security hole
by mrpotatohead, 03-28-2007

Hi guys,

I got a message through PM today with the following contained:

Quote:
"Dear admin, thank you for your interest.

As you have read at www.paradox-security.de.vu I checked your homepage and found critical security holes.


Proof:
Your SQL Data of the forum
$config['Database']['dbname'] = **removed for purposes of post**;
$config['MasterServer']['servername'] = **removed for purposes of post**
$config['MasterServer']['port'] =**removed for purposes of post**
$config['MasterServer']['username'] = **removed for purposes of post**
$config['MasterServer']['password'] = **removed for purposes of post**




And a part of your document root structure:


[barcrawl] DIR 05.03.2007 19:44:19 joemcd/joemcd drwxr-xr-x Info
[bbwebsite] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[celebritybb] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[cgi-bin] DIR 01.08.2006 19:23:42 joemcd/joemcd drwxr-xr-x Info
[contact] DIR 03.01.2007 17:06:32 joemcd/joemcd drwxr-xr-x Info
[dump] DIR 03.01.2007 17:06:36 joemcd/joemcd drwxr-xr-x Info
[faq] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info
[forums] DIR 18.01.2007 09:27:29 joemcd/joemcd drwxr-xr-x Info
[frozen-illusion] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info
[frozenillusion] DIR 06.02.2007 22:39:18 joemcd/joemcd drwxr-xr-x Info
[jmcdesig] DIR 20.08.2006 12:47:31 joemcd/joemcd drwxr-xr-x Info
[jmcdesigns] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[newsfeed] DIR 03.01.2007 17:06:37 joemcd/joemcd drwxr-xr-x Info
[newsletter] DIR 03.01.2007 17:09:12 joemcd/joemcd drwxr-xr-x Info
[nutv] DIR 08.03.2007 17:23:58 joemcd/joemcd drwxr-xr-x Info
[portal] DIR 03.01.2007 17:06:42 joemcd/joemcd drwxr-xr-x Info
[research] DIR 27.01.2007 16:12:06 joemcd/joemcd drwxr-xr-x Info
[sifr] DIR 03.01.2007 17:09:17 joemcd/joemcd drwxr-xr-x Info





This security hole is very critical as you can see, because the attacker has complete Server access.

If you want to know more I'll give you my paypal address to transfer the money (100 EUR), otherwise I wish you good luck, and I hope that I could help you.

greez
paradoX


Please don't reply to this PM. For contact write an email."

What can I do to improve the security? Any idea what this security hole is?!

I'm changing all my passwords now...


- Joe

Comments
#2 nexialys (Guest), 03-28-2007, 04:50 PM

thru PM where?!

it is not a security hole, you have someone with ftp access to your server, and this is not related to vBulletin... ask your HOST to verify the accesses...

and how i read this, you hired a moron to check for your security, and he is proving his stupidity by telling you nothing about your security holes...

don't pay him the 100$ he requires....

#3 mrpotatohead, 03-28-2007, 04:58 PM (Join Date: Jul 2004, Posts: 24)

It was through PM on my website - and that's the thing, never asked anyone for any security advice! But will look into this - thanks!

#4 bashy, 03-29-2007, 03:47 PM (Join Date: Nov 2005, Posts: 2,544)

What you want to be asking yourself is, How did he get this info?

Quote:
Proof:
Your SQL Data of the forum
$config['Database']['dbname'] = **removed for purposes of post**;
$config['MasterServer']['servername'] = **removed for purposes of post**
$config['MasterServer']['port'] =**removed for purposes of post**
$config['MasterServer']['username'] = **removed for purposes of post**
$config['MasterServer']['password'] = **removed for purposes of post**

#5 Reeve of shinra, 03-29-2007, 05:51 PM (Join Date: Oct 2001, Location: NYC, Posts: 1,896)

He must have ftp or ssh access to your site...

#6 Calash, 03-29-2007, 07:15 PM (Join Date: Jun 2006, Location: East Coast, USA, Posts: 297)

Could be done with a shell script, or if it is shared hosting there may be a permission issue allowing others on the same server/cluster read access to your files...hard to say.

Changing the passwords is the first step, next would be to review your log files from before you got that email. Look for odd requests that contain URLs or other data. It will take a bit but you may be able to locate how he got the info.
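
Added example, not part of Calash's post or of the thread: one way to do the log review suggested above, flagging requests whose path or parameters carry a URL or a directory-traversal sequence. It assumes Apache combined log format; the sample lines, script names and addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/NCSA combined format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
URL_VALUE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
TRAVERSAL = re.compile(r'\.\.[/\\]')

def decode(value, rounds=2):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (host, time, target, reasons) for requests worth a manual look.
    parse_qsl already decodes once; decode() catches any extra layers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        parts = urlsplit(m["target"])
        reasons = []
        if TRAVERSAL.search(decode(parts.path)):
            reasons.append("traversal in path")
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode(raw)
            if URL_VALUE.match(value):
                reasons.append(f"URL in parameter '{name}'")
            if TRAVERSAL.search(value):
                reasons.append(f"traversal in parameter '{name}'")
        if reasons:
            findings.append((m["host"], m["time"], m["target"], reasons))
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical script names).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2007:21:14:02 +0000] "GET /forums/showthread.php?t=1234 HTTP/1.1" 200 18432 "http://www.example.org/forums/" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Mar/2007:21:15:40 +0000] "GET /app/index.php?page=http://files.example.invalid/a.txt HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [27/Mar/2007:21:16:05 +0000] "GET /app/view.php?file=..%252F..%252Fincludes%252Fconfig.php HTTP/1.1" 200 901 "-" "-"',
]
for host, when, target, reasons in suspicious_requests(SAMPLE_LOG):
    print(host, when, target, "; ".join(reasons))
```

A hit is only a pointer for manual review: check the response status and size for that request, and what the same host did before and after it.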

#7 moorediddy, 04-02-2007, 07:43 PM (Join Date: May 2006, Posts: 5)

Anyone else getting this? I got the same exact message on mine... it's obviously from an FTP/SSH access to my config files.

#8 bashy, 04-03-2007, 06:53 PM (Join Date: Nov 2005, Posts: 2,544)

you both ain't on the same server are you?
Perhaps someone is accessing the information using ssh that's not secured?

#9 mlomenzo, 08-13-2007, 05:59 PM (Join Date: May 2007, Posts: 17)

I agree that it seems like someone has ftp access to your site. Definitely check with your hosting company. Post an update when you know what's going on.

Good Luck
Mike

#10 tipoboy, 08-13-2007, 07:38 PM (Join Date: Dec 2005, Location: scotland, Posts: 693)

this thread was started in April lol it's now August