Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > General > General Hosting/Server Discussions

Reply
 
Thread Tools
Server hacked and redirecting Details »»
Server hacked and redirecting
Version: , by Bernd Bernd is offline
Developer Last Online: Apr 2014 Show Printable Version Email this Page

Version: Unknown Rating:
Released: 09-03-2006 Last Update: Never Installs: 0
 
No support by the author.

Our server has recently been hacked, and when loading the forum index page it redirects to some silly page. i've checked for any code in the forum files that could redirect the forum, but there is none there. I've searched the vbulletin database and I couldn't find anything there either.

How do most hackers redirect pages once hacked? Do they edit the apache config files or something? How bad could the security breach be? Most important, what exploit might they have used?

Running fedora core 4
Plesk 8.01
Vbulletin 3.54

thanks for any kind of hints or answers.

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #12  
Old 09-04-2006, 09:03 AM
Lizard King Lizard King is offline
 
Join Date: Jan 2005
Location: Mersin
Posts: 907
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by DementedMindz
well paul posted a fix didnt it work for you?

Unfortunately a good amount of the hackers seem to come from Turkey. When I ran a php site we always blocked Turkey ips cause there known for tryin this stuff. It is up to you if you want to use it or not.

just add the following to your .htaccess file:

Code:
deny from 62.29.0.0/17
deny from 62.56.128.0/22
deny from 62.85.128.0/19
deny from 62.108.64.0/19
deny from 62.113.0.0/19
deny from 62.184.58.0/27
deny from 62.185.166.64/26
deny from 62.184.178.96/29
deny from 62.186.77.0/26
deny from 62.201.192.0/18
deny from 62.229.128.0/24
deny from 62.229.130.0/24
deny from 62.244.192.0/18
deny from 62.248.0.0/17
deny from 64.18.138.0/24
deny from 64.28.128.0/20
deny from 65.182.7.0/24
deny from 66.178.5.0/24
deny from 66.178.52.0/24
deny from 66.205.36.0/22
deny from 69.30.204.0/23
deny from 80.71.128.0/20
deny from 80.88.138.224/27
deny from 80.88.141.160/27
deny from 80.251.0.0/20
deny from 80.251.32.0/20
deny from 81.6.64.0/18
deny from 81.8.0.0/17
deny from 81.21.160.0/20
deny from 81.22.97.0/24
deny from 81.31.193.224/29
deny from 81.31.195.112/29
deny from 81.31.195.136/29
deny from 81.31.195.216/30
deny from 81.31.196.172/30
deny from 81.31.197.16/29
deny from 81.31.197.64/30
deny from 81.31.197.128/30
deny from 81.31.198.152/29
deny from 81.31.198.216/29
deny from 81.31.199.72/29
deny from 81.31.199.140/30
deny from 81.31.199.160/29
deny from 81.31.200.64/29
deny from 81.31.200.76/30
deny from 81.212.0.0/14
deny from 82.145.224.0/19
deny from 82.151.128.0/19
deny from 82.222.0.0/16
deny from 83.66.0.0/16
deny from 83.166.48.0/28
deny from 84.11.37.192/26
deny from 84.17.64.0/19
deny from 84.44.0.0/17
deny from 84.51.0.0/18
deny from 85.96.0.0/12
deny from 85.153.0.0/16
deny from 85.158.96.0/21
deny from 85.159.64.0/21
deny from 85.235.64.0/24
deny from 86.108.128.0/17
Deny from 88.240.0.0/16
deny from 139.179.0.0/16
deny from 144.122.0.0/16
deny from 155.223.0.0/16
deny from 160.75.0.0/16
deny from 161.9.0.0/16
deny from 168.139.0.0/16
deny from 192.70.133.0/23
deny from 192.129.87.0/24
deny from 192.160.21.0/24
deny from 193.23.156.0/24
deny from 193.25.124.0/23
deny from 193.41.2.0/23
deny from 193.42.216.0/24
deny from 193.95.0.0/17
deny from 193.108.213.0/24
deny from 193.109.134.0/23
deny from 193.110.170.0/23
deny from 193.110.208.0/21
deny from 193.140.0.0/16
deny from 193.178.218.0/24
deny from 193.188.198.0/23
deny from 193.192.96.0/19
deny from 193.201.149.192/26
deny from 193.201.157.0/25
deny from 193.218.113.0/24
deny from 193.218.200.0/24
deny from 193.219.208.0/30
deny from 193.220.68.0/24
deny from 193.243.192.0/19
deny from 193.254.228.0/23
deny from 193.254.252.0/23
deny from 193.255.0.0/16
deny from 194.9.174.0/24
deny from 194.24.224.0/23
deny from 194.27.0.0/16
deny from 194.29.208.0/21
deny from 194.54.32.0/19
deny from 194.67.205.0/23
deny from 194.69.206.0/24
deny from 194.117.97.172/30
deny from 194.117.110.80/28
deny from 194.117.113.72/30
deny from 194.117.114.4/30
deny from 194.117.118.40/30
deny from 194.117.119.4/32
deny from 194.117.119.18/32
deny from 194.117.119.20/32
deny from 194.117.119.22/32
deny from 194.117.119.24/32
deny from 194.117.119.27/32
deny from 194.117.119.34/32
deny from 194.117.119.53/32
deny from 194.117.119.55/32
deny from 194.117.119.58/32
deny from 194.117.119.61/32
deny from 194.117.119.73/32
deny from 194.117.119.76/32
deny from 194.117.119.80/32
deny from 194.117.119.86/32
deny from 194.117.119.93/31
deny from 194.117.119.96/32
deny from 194.117.119.99/31
deny from 194.117.119.108/32
deny from 194.117.120.15/32
deny from 194.117.120.114/32
deny from 194.117.120.233/32
deny from 194.117.121.30/32
deny from 194.117.121.70/32
deny from 194.117.121.96/32
deny from 194.117.121.101/32
deny from 194.117.121.168/32
deny from 194.117.121.192/31
deny from 194.117.121.217/32
deny from 194.125.232.0/22
deny from 194.126.230.0/24
deny from 194.133.65.0/24
deny from 194.133.160.0/20
deny from 194.133.240.0/23
deny from 194.133.251.0/24
deny from 194.133.253.0/28
deny from 194.133.255.0/24
deny from 194.242.32.0/24
deny from 195.8.109.0/24
deny from 195.33.192.0/18
deny from 195.39.224.0/23
deny from 195.46.128.0/19
deny from 195.49.216.0/21
deny from 195.64.128.0/18
deny from 195.74.32.0/19
deny from 195.75.202.0/26
deny from 195.75.202.128/25
deny from 195.75.222.0/28
deny from 195.75.222.24/29
deny from 195.75.222.160/27
deny from 195.75.236.0/28
deny from 195.75.236.96/29
deny from 195.75.236.112/28
deny from 195.75.238.0/25
deny from 195.79.199.192/29
deny from 195.79.204.192/27
deny from 195.85.242.0/24
deny from 195.85.255.0/24
deny from 195.87.0.0/16
deny from 195.112.128.0/19
deny from 195.112.160.16/30
deny from 195.112.166.12/30
deny from 195.112.166.52/30
deny from 195.112.166.60/30
deny from 195.112.166.68/29
deny from 195.112.166.80/30
deny from 195.128.32.0/21
deny from 195.128.254.0/23
deny from 195.137.222.0/23
deny from 195.140.196.0/22
deny from 195.142.0.0/16
deny from 195.149.85.0/24
deny from 195.149.116.0/24
deny from 195.155.0.0/16
deny from 195.174.0.0/15
deny from 195.177.206.0/23
deny from 195.177.230.0/23
deny from 195.183.236.192/26
deny from 195.212.230.0/24
deny from 195.212.244.8/29
deny from 195.213.69.144/28
deny from 195.214.128.0/18
deny from 195.234.165.0/24
deny from 195.242.122.0/23
deny from 195.244.32.0/19
deny from 195.245.227.0/24
deny from 195.254.128.0/19
deny from 196.3.132.0/20
deny from 196.29.64.0/19
deny from 196.32.32.0/19
deny from 196.203.0.0/16
deny from 199.89.210.0/24
deny from 200.3.176.0/21
deny from 200.9.216.0/24
deny from 200.108.0.0/19
deny from 201.238.64.0/18
deny from 209.94.192.0/19
deny from 212.2.192.0/19
deny from 212.12.128.0/19
deny from 212.15.0.0/19
deny from 212.21.197.240/29
deny from 212.29.64.0/18
deny from 212.31.0.0/19
deny from 212.33.0.0/19
deny from 212.45.64.0/19
deny from 212.48.224.0/19
deny from 212.50.32.0/19
deny from 212.57.0.0/19
deny from 212.58.0.0/19
deny from 212.63.170.168/30
deny from 212.63.172.212/30
deny from 212.63.172.224/30
deny from 212.63.180.0/30
deny from 212.63.180.8/30
deny from 212.63.180.16/30
deny from 212.63.180.28/30
deny from 212.63.180.40/29
deny from 212.63.180.56/30
deny from 212.63.180.68/30
deny from 212.63.180.84/30
deny from 212.63.180.92/30
deny from 212.63.180.108/29
deny from 212.63.180.120/29
deny from 212.63.180.200/30
deny from 212.64.192.0/19
deny from 212.65.128.0/19
deny from 212.79.96.0/22
deny from 212.79.122.0/23
deny from 212.98.0.0/19
deny from 212.98.192.0/18
deny from 212.101.96.0/19
deny from 212.108.128.0/19
deny from 212.109.96.0/19
deny from 212.109.224.0/19
deny from 212.115.0.0/19
deny from 212.125.0.0/19
deny from 212.127.96.0/19
deny from 212.133.128.0/17
deny from 212.146.128.0/17
deny from 212.154.0.0/17
deny from 212.156.0.0/16
deny from 212.174.0.0/15
deny from 212.252.0.0/15
deny from 213.14.0.0/16
deny from 213.31.190.48/28
deny from 213.31.223.144/28
deny from 213.43.0.0/16
deny from 213.62.14.64/26
deny from 213.62.40.192/26
deny from 213.74.0.0/16
deny from 213.138.0.0/19
deny from 213.139.192.0/18
deny from 213.143.224.0/19
deny from 213.144.96.0/19
deny from 213.148.64.0/19
deny from 213.150.160.0/19
deny from 213.153.128.0/17
deny from 213.155.96.0/19
deny from 213.159.32.0/19
deny from 213.161.128.0/19
deny from 213.181.38.192/26
deny from 213.186.128.0/19
deny from 213.194.64.0/18
deny from 213.202.0.0/19
deny from 213.204.64.0/18
deny from 213.208.3.192/29
deny from 213.208.39.0/24
deny from 213.209.169.144/29
deny from 213.232.0.0/18
deny from 213.236.32.0/19
deny from 213.238.128.0/18
deny from 213.243.0.0/18
deny from 213.248.128.0/18
deny from 213.254.128.0/19
deny from 216.139.188.192/27
deny from 217.17.144.0/20
deny from 217.21.68.0/22
deny from 217.23.110.96/27
deny from 217.31.224.0/19
deny from 217.64.144.0/20
deny from 217.64.208.0/20
deny from 217.68.208.0/20
deny from 217.77.241.113/32
deny from 217.77.241.218/32
deny from 217.77.242.169/32
deny from 217.77.246.192/30
deny from 217.131.0.0/16
deny from 217.138.38.248/29
deny from 217.169.192.0/20
deny from 217.173.157.128/28
deny from 217.173.157.192/27
deny from 217.173.158.64/27
deny from 217.174.32.0/20
deny from 217.174.224.0/20
deny from 217.194.135.160/28
deny from 217.195.192.0/20
This is NOT going to stop a hacker, even from turkey. It will slow them down a bit.
Why do you do that ? There are hackers all around the world and you only belame Turkish people. That is nonsense. Anyway it is your choice not to let Turkish people to your board.
Reply With Quote
  #13  
Old 09-04-2006, 04:41 PM
DementedMindz DementedMindz is offline
 
Join Date: Jan 2006
Posts: 1,474
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

cause like it said..
Unfortunately a good amount of the hackers seem to come from Turkey
Reply With Quote
  #14  
Old 09-05-2006, 03:39 PM
WhyDoesItMatter WhyDoesItMatter is offline
 
Join Date: Mar 2006
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I've some people try to do this to my site as well, all were from Turkey.. thanks for those ips, they were close to the ones that tried it on mine.
Reply With Quote
  #15  
Old 09-05-2006, 03:41 PM
DementedMindz DementedMindz is offline
 
Join Date: Jan 2006
Posts: 1,474
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

no problem there not all of the ips from turkey but alot of them ill update it as I grab more.
Reply With Quote
  #16  
Old 09-05-2006, 04:32 PM
TorGa3iGhT TorGa3iGhT is offline
 
Join Date: Jun 2005
Posts: 26
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

did u fix the problem? I recently had the SAME problem on my site...THREE times...i had one on friday, once on saturday morning, and now today, this morning. Luckily for me my mods call me once it happens, so I just fix it...

but basically for me, someone signed up on my forum and posted a thread with a title similar to this: >"">>>><meta http-equiv......

and it would basically take your homepage and redirect it to some other site. I would just delete the thread and it would fix the problem, however, that is just a short-term fix.

I censored some of the words for the redirect as well...try censoring "meta" or "http-equiv" and see if it fixes the problem so you can find the thread.

Also, try disabling your plugins/hacks one by one and see if it removes the redirecting. If u disable a hack and it doens't redirect, then u know that plugin/hack has a vulnerability and shoudlnt' be used unless u find the problem.

let me know if u find any other fixes...both u and I sound like we are getting the same problem...oh, and for the record, usually topxstats AND cyb avanced forumhome statistics BOTH have this problem
Reply With Quote
  #17  
Old 09-05-2006, 08:34 PM
Ascor's Avatar
Ascor Ascor is offline
 
Join Date: Jul 2006
Posts: 101
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Wild-Wing
ok this has happend twice on the forum i admin on and its a stupid exploit in the thread titles that allows meta reditection. im not going to say how its done but ill pm you what to look for.

heres a fix for it
find in newthread.php:
if ($_POST['do'] == 'postthread')

then find:
'subject' => TYPE_STR,
change the TYPE_STR to TYPE_NOHTML
Thank you Wild-Wing your tips is very helpful
Reply With Quote
  #18  
Old 09-06-2006, 04:49 AM
stan111 stan111 is offline
 
Join Date: Aug 2005
Location: CA
Posts: 146
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Wild-Wing
ok this has happend twice on the forum i admin on and its a stupid exploit in the thread titles that allows meta reditection. im not going to say how its done but ill pm you what to look for.

heres a fix for it
find in newthread.php:
if ($_POST['do'] == 'postthread')

then find:
'subject' => TYPE_STR,
change the TYPE_STR to TYPE_NOHTML
i am using 3.0.7
i do have this if ($_POST['do'] == 'postthread')

but the rest r like this

Code:
globalize($_POST, array('posthash' => STR_NOHTML, 'poststarttime' => STR_NOHTML));

	if (isset($_POST['WYSIWYG_HTML']))
nothing like 'subject'

please show me a way to fix this

i have the top 5x stat on my forum
Reply With Quote
  #19  
Old 09-06-2006, 05:26 AM
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Remove the topXstats mod - there is currently no fixed version of that for vb 3.0.x boards.
Reply With Quote
  #20  
Old 09-17-2006, 01:21 PM
zooki zooki is offline
 
Join Date: May 2006
Location: uk
Posts: 111
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Gosh, im glad i have some Pro Turkish stuff on my site..... and Turkish members. lol.

its sad people do this sort of stuff .

What are good sites to learn about protecting servers?
Reply With Quote
  #21  
Old 09-18-2006, 04:58 AM
DementedMindz DementedMindz is offline
 
Join Date: Jan 2006
Posts: 1,474
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Personaly I use this site alot for tips and tweaks for servers. http://www.eth0.us/
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:10 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04895 seconds
  • Memory Usage 2,314KB
  • Queries Executed 25 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_code
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (11)post_thanks_box
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete