vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions

#11 | 09-09-2013, 12:22 PM | creative-friend (Join Date: Feb 2009, Posts: 340)

Hi Guys

Thanks everyone for your help. I had a problem in my FORUMHOME template. I reverted that template and now it's working fine.
#12 | 09-09-2013, 02:54 PM | xenite (Join Date: Oct 2005, Posts: 33)

If it's the Syrian Army whatchamacallit, they apparently found a way to add themselves as administrators even getting past user moderation/approval (unless someone on my team approved an odd account without telling me).

They hacked NOTICE.PHP and embedded a meta-refresh in the PHRASE table. I don't think that it will stop them, but I have added the following to my .htaccess:

Code:
# Block Syrian Army IP Addresses
deny from 5.0.0.0/16
deny from 31.9.0.0/16
deny from 82.137.192.0/20
deny from 91.144.0.0/20
deny from 178.253.64.0/20

These IP addresses are all assigned to a Syrian government ISP (and sharing this list here may tip them off that I have identified which network they came in from).

I am using VB 4.something (still uploading a backup of the actual VBulletin files so my forum is offline at the moment). ADDED ON EDIT: Vbulletin 4.1.5 Patch 1

I don't think changing passwords is going to help with this. They found a flaw in the VBulletin script. I show three actions by the hacker's user account in the ADMINLOG. They are:

ADD action with "notice.php"
UPDATE action with "notice.php"
MODIFY action with "notice.php"

He used a HOTMAIL.IT email address (according to the user account).

He apparently deleted his IP address from the USER record (or when he injected it the IP address wasn't recorded). The ADMINLOG shows the IP address, though.

I'll post more info when I find it.

If anyone knows how they managed to create an admin user account without being approved, I'll be glad to hear about that. Please spare me the "they cracked your password" explanation as that dog won't hunt.
#13 | 09-09-2013, 03:10 PM | ForceHSS (Join Date: Apr 2008, Posts: 6,357)

Al Souweqah Street, Damascus seems to be where they are, going by their IP, but I am sure none of the IPs are even his real ones. I did see a plugin here that blocks cities or something like that. If anyone has a link, please post it.
#14 | 09-09-2013, 03:38 PM | xenite (Join Date: Oct 2005, Posts: 33)

The IP address is real. The hack started at 19 minutes after the hour and was finished within 9 minutes.

He hit an old thread from 2006 that looks pretty innocuous to me.

It looks like he then hit the upgrade script in the install directory (I know -- I should not have left that there, but I get busy with a lot of tasks on this server).

After hitting upgrade.php a couple of times and firing off some JavaScript, he got into the AdminCP.

Once in he executed the newsproxy.php script.

Then he hit the notice.php script.

And then he was done.

--------------- Added 09-09-2013, 04:48 PM ---------------

I doubt I can shed any more light on this. He got in through an UPGRADE hack and that is all my fault.
#15 | 09-09-2013, 03:49 PM | BarelyHangingOn (Join Date: Feb 2003, Posts: 108)

I have reverted my forum home template, deleted the install directory and removed the two admin accounts that were created.

Should I be okay after this?
#16 | 09-09-2013, 04:13 PM | xenite (Join Date: Oct 2005, Posts: 33)

There are no guarantees in life but deleting the accounts and the scripts they used to hack in will certainly make it harder for them to do any more damage.

I also pruned all users awaiting email confirmation, only out of spite, because they were also all obvious forum spammers.

--------------- Added 09-09-2013, 05:19 PM ---------------

For what it's worth, I had my admins change their passwords but I don't think that was necessary on this one occasion.

That said, the main admin account's password cannot be changed because I blocked that in the INCLUDES/CONFIG.PHP script. That is a prudent measure to take because when they do get in and create an admin account, they can change passwords all over the place. This is the section to update:
Code:
	//	****** UNDELETABLE / UNALTERABLE USERS ******
	//	The users specified here will not be deletable or alterable from the control panel by any users.
	//	To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = '';
Of course, if they could hack into the server account itself they could try to change this script so it's not a perfect protection but it at least serves as a firewall between your legitimate admin passwords and anyone who wants to block you from getting back in.
#17 | 09-09-2013, 04:59 PM | fmckinnon (Join Date: Jun 2008, Posts: 75)

OK, I'm hacked the same way.
I upgraded all files to 4.2.2.
I deleted the /install directory.
I've searched, and the ONLY two Admin accounts are those of myself and our Editor ...

Still hacked - not sure what else to do? It redirects to the Syrian Army thing as soon as you log in to the forums or click a thread.
#18 | 09-09-2013, 05:41 PM | xenite (Join Date: Oct 2005, Posts: 33)

In my case the hacker embedded an HTTP meta refresh directive in a new NOTICE.
#19 | 09-09-2013, 05:51 PM | fmckinnon (Join Date: Jun 2008, Posts: 75)

xenite - can you explain in a little more detail - where is that located, and how can I clear it out? I've replaced ALL the forum files on the server, so I assume this must be injected into the MySQL?
#20 | 09-09-2013, 06:03 PM | xenite (Join Date: Oct 2005, Posts: 33)

Login to ADMINCP.

Scroll down to NOTICES (FAQ should be just above it, ANNOUNCEMENTS should be just below it).

Click into NOTICES MANAGER.

If they loaded a notice, you will see it there.
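The thread pins down where the payload lives: xenite (posts #12 and #14) found a meta refresh planted through notice.php and saw the ADD/UPDATE/MODIFY actions in the ADMINLOG, and fmckinnon (post #17) was still being redirected after replacing every forum file, which is what you would expect when the redirect sits in the database rather than on disk. The script below is an added example, not code from this thread or from vBulletin: it scans a mysqldump of the forum database offline (the backup you would take before restoring anyway) for redirect markup in the notice, phrase, template and announcement tables, lists every account in the Administrators usergroup, and pulls the adminlog rows that touched notice.php. The table names, the usergroupid of 6 for Administrators and the column positions used for the user and adminlog tables are assumptions about the default vBulletin 4 schema without a table prefix; check them against SHOW CREATE TABLE on your own database before trusting the admins and notice_edits sections. The sample dump embedded in the script is constructed.

```python
"""Offline triage of a vBulletin 4 mysqldump for a planted redirect.

Added example, not code from this thread or from vBulletin. Table names,
the Administrators usergroupid (6) and the user/adminlog column positions
are assumptions about the default vB4 schema without a table prefix.
"""
import re

# Rows of these tables are rendered as HTML to every visitor, so a redirect
# hidden here survives re-uploading all PHP files (assumed vB4 table names).
CONTENT_TABLES = {"notice", "phrase", "template", "announcement"}

# Markers of a client-side redirect or injected script inside stored HTML.
REDIRECT_RE = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*['\"]?refresh"
    r"|<script\b|<iframe\b"
    r"|(?:window|document|top)\.location",
    re.IGNORECASE,
)

ADMIN_USERGROUPID = "6"                                   # assumption: default group id
USER_GROUP_COL, USER_NAME_COL, USER_EMAIL_COL = 1, 4, 7   # assumption: user columns
LOG_USERID_COL, LOG_SCRIPT_COL, LOG_ACTION_COL, LOG_IP_COL = 1, 3, 4, 6  # assumption

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "Z": "\x1a"}


def parse_insert(stmt):
    """Yield (table, row) for each tuple of one mysqldump INSERT statement.

    Handles extended inserts (...),(...) and backslash-escaped strings, which
    is what mysqldump emits by default. Non-string fields are kept as text.
    """
    head = re.match(r"INSERT INTO `?(\w+)`?\s+VALUES\s*", stmt, re.IGNORECASE)
    if not head:
        return
    table, i = head.group(1), head.end()
    while i < len(stmt) and stmt[i] != ";":
        if stmt[i] != "(":
            i += 1
            continue
        i, row = i + 1, []
        while True:
            while stmt[i].isspace():
                i += 1
            if stmt[i] == "'":
                buf, i = [], i + 1
                while stmt[i] != "'":
                    if stmt[i] == "\\":
                        buf.append(_ESCAPES.get(stmt[i + 1], stmt[i + 1]))
                        i += 2
                    else:
                        buf.append(stmt[i])
                        i += 1
                i += 1  # closing quote
                row.append("".join(buf))
            else:
                j = i
                while stmt[j] not in ",)":
                    j += 1
                tok = stmt[i:j].strip()
                row.append(None if tok.upper() == "NULL" else tok)
                i = j
            while stmt[i].isspace():
                i += 1
            if stmt[i] == ",":
                i += 1
                continue
            i += 1  # ')'
            break
        yield table, row


def scan_dump(dump_text):
    """Return {'redirects': [...], 'admins': [...], 'notice_edits': [...]}."""
    report = {"redirects": [], "admins": [], "notice_edits": []}
    for line in dump_text.splitlines():
        if not line.lstrip().upper().startswith("INSERT INTO"):
            continue
        for table, row in parse_insert(line.strip()):
            if table in CONTENT_TABLES:
                # Check every string column: a payload may sit in a title or
                # varname field, not only in the obvious text column.
                for field in row:
                    m = REDIRECT_RE.search(field) if isinstance(field, str) else None
                    if m:
                        snippet = field[max(0, m.start() - 20):m.end() + 60]
                        report["redirects"].append((table, row[0], snippet))
                        break
            elif table == "user" and row[USER_GROUP_COL] == ADMIN_USERGROUPID:
                report["admins"].append((row[0], row[USER_NAME_COL], row[USER_EMAIL_COL]))
            elif table == "adminlog" and "notice.php" in (row[LOG_SCRIPT_COL] or ""):
                report["notice_edits"].append(
                    (row[LOG_USERID_COL], row[LOG_ACTION_COL], row[LOG_IP_COL]))
    return report


# Constructed sample dump (not real data): one clean notice, one planted one,
# a legitimate admin plus a rogue one, and the adminlog row that created it.
SAMPLE_DUMP = r"""
INSERT INTO `notice` VALUES (1,'Welcome','<p>Welcome to the forum.</p>',1,0,1,1),(7,'x','<meta http-equiv=\"refresh\" content=\"0;url=http://example.invalid/\">',1,1,0,2);
INSERT INTO `phrase` VALUES (12,0,'forumhome_welcome','Hello {1}','vbulletin','','vBulletin Solutions',1300000000,'4.1.5');
INSERT INTO `user` VALUES (1,6,'',0,'realadmin','hash','2013-01-01','admin@example.invalid'),(4321,6,'',0,'sea_admin','hash','2013-09-09','rogue@hotmail.it');
INSERT INTO `adminlog` VALUES (900,1,1378700000,'options.php','update','','203.0.113.7'),(901,4321,1378740140,'notice.php','add','','198.51.100.23');
"""
```

Against a real backup, call scan_dump(open("backup.sql", encoding="utf-8", errors="replace").read()). A hit under redirects names the table and primary key of the row to delete or revert (through the Notices Manager, or from a pre-compromise backup); an unexpected entry under admins or notice_edits gives the userid and the IP address to cross-check, the same way xenite read the ADMINLOG. Scanning every string column instead of one fixed text column is deliberate: a payload tucked into a title or varname field would otherwise be missed.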
All times are GMT. The time now is 06:41 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.