  #1  
Old 04-05-2008, 10:26 AM
lfpm lfpm is offline
 
Join Date: Jan 2005
Posts: 24
Help - Forum Being hacked?

Our Forum is being hacked or something?

Many members, without their knowledge, are posting a smile which includes some kind of a link. When anyone opens that page, a popup appears and asks for the username and password. The popup location is on another site, and when the members insert their username and password, the other site is getting them:

Here is an image (forum.tayyar.org is our forum URL, while alhms.com is the site that is hacking us?)



This is the smile that is appearing in many threads and PMs by the members (the members are not aware that they are inserting it)



The smile contains this link: http://www.alhms.com/jz/smile.gif (click on it and the pop up will appear)

Any idea what is happening and how I can stop it?

Thank you
  #2  
Old 04-05-2008, 10:33 AM
Opserty Opserty is offline
 
Join Date: Apr 2007
Posts: 4,103

You need to figure out how the smilie is getting into the posts and messages. Disable your modifications and see if it still appears. What version of vBulletin are you running?

Tell your members not to enter their details, I think the domain/folder on which the image is hosted is protected by a login. Whether the site is collecting the Login Information I don't know.

But as you have correctly identified, the problem is with that image. That is what is causing the login to appear, you need to find out how it is getting there.
  #3  
Old 04-05-2008, 10:55 AM
lfpm lfpm is offline
 
Join Date: Jan 2005
Posts: 24

The person who is doing it opened an account and posted that he is doing it. His IP matches several other IPs that our members posted with that smile (they told me they did not post; they inserted their username and password when the page popped up).

Now I turned the Forum off, disabled all the modifications and tried to open a page; the pop up is still showing.
  #4  
Old 04-05-2008, 10:59 AM
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451

You need to remove the image from the posts.
  #5  
Old 04-05-2008, 11:03 AM
lfpm lfpm is offline
 
Join Date: Jan 2005
Posts: 24

Quote:
Originally Posted by FRDS View Post
You need to remove the image from the posts.
We are doing that. We emailed the person with his IP that he has 1 hour to disable what he is doing or we will report his IP to the authorities. http://www.alhms.com/jz/smile.gif is now not asking for username and password (he removed it) and we opened the Forum back:

http://forum.tayyar.org/f8/bug-reporting-33058/
  #6  
Old 04-05-2008, 11:14 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415

Quote:
Originally Posted by lfpm View Post
The person who is doing it opened an account and posted that he is doing it. His IP matches several other IPs that our members posted with that smile (they told me they did not post; they inserted their username and password when the page popped up).
So you are saying that he used the accounts of other members to make those posts? Did he maybe steal their login info with that login popup?
  #7  
Old 04-05-2008, 11:42 AM
lfpm lfpm is offline
 
Join Date: Jan 2005
Posts: 24

Ok, here is the source of the hacker: http://lebforces.org/forum/showthread.php?t=31501

When the pop up came up, I inserted the following "212.107.116.238 proxy4.cyberia.net.sa"

Now that user who opened that thread in the above link is putting what I sent.

--------------- Added [DATE]1207400355[/DATE] at [TIME]1207400355[/TIME] ---------------

Here is what is happening: first a user (the hacker) is manually inserting a picture (the Smile). The picture contains a link, and when someone opens the thread, the pop up appears. Members are seeing the pop up and inserting the username and password. The username and password are going to the hacker, who is using them and posting more of the same.

We know the source, but how can we stop it? I disabled HTML and it is still happening.
  #8  
Old 04-05-2008, 03:22 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415

You cannot stop this unless you disable external images completely.

The best is to educate your members never to enter their board details when presented with an unexpected password popup.
  #9  
Old 04-05-2008, 03:39 PM
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451

Ban his IP at the server level, I'm sure he'll get around it, then use a replacement variable to rename the image link, censor the domain it's coming from, umm that's all I can think of that may help short of disabling all external images till he moves on.
  #10  
Old 04-05-2008, 04:08 PM
lfpm lfpm is offline
 
Join Date: Jan 2005
Posts: 24

Quote:
Originally Posted by Marco van Herwaarden View Post
You cannot stop this unless you disable external images completely.

The best is to educate your members never to enter their board details when presented with an unexpected password popup.
Quote:
Originally Posted by FRDS View Post
Ban his IP at the server level, I'm sure he'll get around it, then use a replacement variable to rename the image link, censor the domain it's coming from, umm that's all I can think of that may help short of disabling all external images till he moves on.
Done all that,

Thank you
Reply With Quote
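
The clean-up steps suggested in this thread (find the posts carrying the image, censor the domain it comes from), sketched as an added example that is not part of the original thread and is not vBulletin code. It assumes posts are available as (id, author, text) tuples and that the popup is an HTTP authentication challenge on the image URL, as post #2 suspects; all function names and the sample posts are hypothetical, and only the smile.gif URL and forum host come from the thread.

```python
import re
from urllib.parse import urlsplit

# Matches BB code [IMG]url[/IMG] tags, case-insensitively.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

def host_of(url):
    # Lowercased hostname; empty string for relative or malformed URLs.
    return (urlsplit(url.strip()).hostname or "").lower()

def external_images(post_text, own_hosts):
    """Return (url, host) for each [IMG] whose host is not one of the forum's own."""
    pairs = [(u, host_of(u)) for u in IMG_TAG.findall(post_text)]
    return [(u, h) for u, h in pairs if h and h not in own_hosts]

def is_auth_challenge(status, headers):
    """True if an image response would make a browser prompt for credentials."""
    return status == 401 and any(k.lower() == "www-authenticate" for k in headers)

def audit(posts, own_hosts, blocked_hosts):
    """Map each external image host to the posts using it, marking blocked hosts."""
    report = {}
    for post_id, author, text in posts:
        for _url, host in external_images(text, own_hosts):
            entry = report.setdefault(host, {"blocked": host in blocked_hosts, "posts": []})
            entry["posts"].append((post_id, author))
    return report

def neutralise(post_text, blocked_hosts):
    """Replace [IMG] tags that point at blocked hosts with a plain-text marker."""
    def repl(match):
        return "[image removed]" if host_of(match.group(1)) in blocked_hosts else match.group(0)
    return IMG_TAG.sub(repl, post_text)

# Constructed sample posts (id, author, text); not real forum data.
SAMPLE_POSTS = [
    (101, "member_a", "Nice one [IMG]http://www.alhms.com/jz/smile.gif[/IMG]"),
    (102, "member_b", "Logo: [img]http://forum.tayyar.org/images/logo.gif[/img]"),
    (103, "member_c", "[IMG]http://img.example.net/cat.png[/IMG] [IMG]HTTP://WWW.ALHMS.COM/jz/smile.gif[/IMG]"),
]
OWN_HOSTS = {"forum.tayyar.org"}
BLOCKED_HOSTS = {"www.alhms.com"}

if __name__ == "__main__":
    for host, entry in audit(SAMPLE_POSTS, OWN_HOSTS, BLOCKED_HOSTS).items():
        print(host, entry)
```

The authors listed for a blocked host are the accounts whose passwords should be reset, since the thread reports that those members did not make the posts themselves.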