  #1  
Old 10-16-2013, 10:45 PM
NeDra NeDra is offline
 
Join Date: Dec 2008
Posts: 16
Thanks given: 0 times
Thanked 0 times in 0 posts
Default Forum hacked because of /install/upgrade.php delete it

v4.21 forum got hacked 3 times from raw forum no modification, no addon, fresh, clean DB...

I then looked at the log and it pointed toward
/install/upgrade.php

I got curious and went to check how they could manage such a thing...
and to my surprise...

The page asks for the customer number... that's fine...
View source code on that page

Code:
            <!--
                var IMGDIR_MISC = "../cpstyles/vBulletin_3_Silver";
                var CLEARGIFURL = "./clear.gif";
                var CUSTNUMBER = "XXXXXXXXXXXXXXXXXXXXX";
                var VERSION = "";
                var SCRIPTINFO = {
                    version: "",
                    startat: "",
                    step   : "",
                    only   : ""
                };
                var ADMINDIR = "../cp_admin";

The CUSTNUMBER is the MD5(customerNumber)
And guess what, it can be reversed in 5 minutes from what I've seen.
Customer numbers are what, 12 symbols A-Z0-9
I guess there are even DBs that contain all possible MD5s with those values.

So they get my customer number and execute the upgrade script and create a new account from the upgrade script...

Why did you even bother giving them the MD5 of the answer and the link to the admin control panel?

So yes, delete your install folder entirely or move it outside of your forum asap.
  #2  
Old 10-16-2013, 10:47 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

That was announced on the 27th of August.

Please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
  #3  
Old 10-16-2013, 11:03 PM
NeDra NeDra is offline
 
Join Date: Dec 2008
Posts: 16
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Why weren't we contacted by mail for such a thing...

The only thing I've received was v4.22 recently, which claims some exploit related to forumrunner xss or something, which I've ignored and deleted forumrunner entirely.

The only ones reading the exploit announcements are those after they get hacked or those that want to hack forums... Guess it's only those that upgraded to v5 that got the email and everyone else was left in the dark.
  #4  
Old 10-16-2013, 11:12 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

It was in your ACP in the News section. I would also subscribe to this forum, http://www.vbulletin.com/forum/forum...nouncements_aa

That way you will get an email every time there is an announcement.

You could also install this mod, AdminCP News as Posts or PMs by BOP5 (Get your Admin CP News PMed to you!)

--------------- Added [DATE]1381969364[/DATE] at [TIME]1381969364[/TIME] ---------------

Also there was an email sent, September third:

Code:
vBulletin Security eBulletin
http://www.vbulletin.com/
September 3rd, 2013

* vBulletin 4.1.x & 5.0.x Security Issue
* Your License Information
* Contact Us

------ vBulletin 4.1.x & 5.0.x Security Issue ------

A potential exploit vector has been found in the vBulletin 4.1+ and 5.0+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, you should delete the install directory for your installation. This folder is not required for normal operation of vBulletin.

The directories that should be deleted are:

4.x - /install/

5.x - /core/install

On vB5, make sure you delete only the install folder, not the core folder.
After deleting these directories your sites can not be affected by the issues we're currently investigating.

vBulletin 3.x would not be affected by these issues. However if you want the best security precautions, you should delete your install directory as well.

The Support forum thread on this topic can be found here - http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5


---------------- YOUR LICENSE INFORMATION ----------------

You can use this information to log into the customers area to download vBulletin, ImpEx and other vBulletin-related support materials:

Your Customer Email: XXXXXX@.com

Your Customer Number: XXXXXXXXXXXXXX

If you have misplaced your customer password, you can request that it be re-sent to your registered email address using the following form:
http://www.vbulletin.com/go/lostpw

The customers area is located here:
http://members.vbulletin.com/


-------------------- CONTACT US --------------------------

Please do not respond to this email directly. We will not receive your response. Please use the links below.

Got a vBulletin technical query? Contact support:
http://www.vbulletin.com/go/techsupport

For all other queries, please visit this page:
http://www.vbulletin.com/contact.php

----------------------------------------------------------

Security bulletins and periodic email newsletters are delivered to all current vBulletin customers, and contain information about new software versions and vBulletin.com web site features and content. If you have any questions or comments about this mailing, please contact us via the links above. You can unsubscribe from newsletters in the customer area at the bottom of the page: http://members.vbulletin.com 

This email was sent to: User, XXXXX@.com

Copyright ©2000-2013, vBulletin Solutions Inc.
Thanks from:
ForceHSS
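
A defender-side check for the advice in this thread, added here as an example (not code from vBulletin or from any poster): it reports whether the install directories named in the e-mail still exist under a forum root and lists access-log requests that reached them. The function names, the combined access-log format and the sample log lines are assumptions made for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Directories named in the security e-mail quoted above (relative to the forum root).
INSTALL_DIRS = ("install", os.path.join("core", "install"))

# Common/combined access-log format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_install_dirs(forum_root):
    """Return the install directories that still exist under forum_root."""
    return [d for d in INSTALL_DIRS if os.path.isdir(os.path.join(forum_root, d))]

def install_hits(log_lines):
    """Return (ip, time, method, path, status) for requests under an install directory."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, when, method, target, status = m.groups()
        path = urlsplit(target).path.lower()  # drop the query string
        if "/install/" in path:  # matches both /install/ and /core/install/
            hits.append((ip, when, method, path, int(status)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Oct/2013:21:58:02 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Oct/2013:22:01:10 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 2841',
    '203.0.113.9 - - [16/Oct/2013:22:01:44 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 913',
    '198.51.100.7 - - [16/Oct/2013:22:03:00 +0000] "GET /forum/core/install/ HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # stand-in forum root for the demo
        os.makedirs(os.path.join(root, "install"))
        print("install dirs still present:", find_install_dirs(root))
    for ip, when, method, path, status in install_hits(SAMPLE_LOG):
        state = "served" if status < 400 else "blocked or missing"
        print(f"{when} {ip} {method} {path} -> {status} ({state})")
```

Any hit with a status below 400 means the install directory was still being served at that time, and the timestamps are a starting point for reviewing accounts created afterwards.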
  #5  
Old 10-17-2013, 01:47 AM
joeychgo's Avatar
joeychgo joeychgo is offline
 
Join Date: Mar 2004
Location: Chicago, IL
Posts: 933
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by NeDra View Post
Why weren't we contacted by mail for such a thing...

The only thing I've received was v4.22 recently, which claims some exploit related to forumrunner xss or something, which I've ignored and deleted forumrunner entirely.

The only ones reading the exploit announcements are those after they get hacked or those that want to hack forums... Guess it's only those that upgraded to v5 that got the email and everyone else was left in the dark.

It was emailed... It was also in your ACP as a notice. It's also been all over the web on various forums and blogs.

Guess only people that paid attention noticed it.
2 thanks from:
CharlieDelta, ForceHSS
  #6  
Old 10-17-2013, 02:19 AM
XGC Paravain's Avatar
XGC Paravain XGC Paravain is offline
 
Join Date: Oct 2012
Location: Millbury,Mass
Posts: 184
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Just looking back, I got that email on Sep. 4th, and I also remember the notice in the admincp, but really red flags came up for me when I had all kinds of Guests logging into the admin panel. I also had some random account named admin2 registered and in the administrator usergroup!!
  #7  
Old 10-17-2013, 10:40 PM
NeDra NeDra is offline
 
Join Date: Dec 2008
Posts: 16
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by XGC Paravain View Post
Just looking back, I got that email on Sep. 4th, and I also remember the notice in the admincp, but really red flags came up for me when I had all kinds of Guests logging into the admin panel. I also had some random account named admin2 registered and in the administrator usergroup!!

Hum... amazing... I also received the e-mail on Sept 3rd...
vBulletin Security eBulletin: Potential Exploit of vB4.1.x & 5.0.x

Guess they meant vB4.1.x and higher... because vB4.2 was also affected...
They should have simply claimed vB4.x

I figured if you keep your version to the last version you're safe, I didn't bother reading the news...

Well they did contact me... so it's partially my fault...
  #8  
Old 10-17-2013, 10:42 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Yeah this stuff happens, it is best to read through their emails completely, and even if it is not for your version number, it is sometimes best to follow it anyway.