  #31  
Old 08-21-2008, 08:31 PM
PAKIDIL PAKIDIL is offline
 
Join Date: Jan 2007
Posts: 264

Quote:
Originally Posted by Digital Jedi View Post
My point is, if they've hacked into your server, your file permissions aren't going to matter. They will have access to everything anyway.
Yeah, you are right: if they hack into the server then these permissions are not going to matter. Of course they will hack it again. It will be like a thief has entered the house and after that you are locking the door. You must search for a good hosting company.
Reply With Quote
  #32  
Old 08-25-2008, 12:39 PM
Quarterbore Quarterbore is offline
 
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538

It took some time but I figured out my hacker came from IP: 84.121.141.217

IP owner info (Whois)
Quote:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 84.0.0.0 - 84.255.255.255
CIDR: 84.0.0.0/8
NetName: 84-RIPE
NetHandle: NET-84-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at Query the RIPE Database
RegDate: 2003-11-17
Updated: 2004-03-16

# ARIN WHOIS database, last updated 2008-08-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



Deferred to specific whois server: whois.ripe.net...


% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See Whois Database Copyright
Quote:
Whois record :

[Querying whois-ita.nominalia.com]
[whois-ita.nominalia.com]

NOMINALIA INTERNET S.L. - Whois Server Version 1.4

The Registry database contains ONLY .COM, .NET and .ORG domains.

Domain name: ONO.COM
Created on: 2003-07-28
Updated on: 2008-01-17
Expires on: 2008-12-14
Registrant Name: CABLEUROPA SA
Contact: Cableuropa SA
Registrant Address: C\ Basauri, 7
Registrant City: Aravaca
Registrant Postal Code: E-28023
Registrant Country: ES
Administrative Contact Organization: Cableuropa S.A
Administrative Contact Name: Nicolas Chapa
Administrative Contact Address: Basauri 7-9 Urbanizacion La Florida
Administrative Contact City: Aravaca
Administrative Contact Postal Code: 28023
Administrative Contact Country: ES
Administrative Contact Email: dominios@ono.es
Administrative Contact Tel: +34 911809300
Administrative Contact Fax: +34 911809600
Technical Contact Organization: Cableuropa S.A
Technical Contact Name: Gerente de Servicios de Internet
Technical Contact Address: Basauri 7,9-Urbanizacion La Florida
Technical Contact City: Aravaca
Technical Contact Postal Code: 28023
Technical Contact Country: ES
Technical Contact Email: dominios@ono.es
Technical Contact Phone: +34 911809300
Technical Contact Fax: +34 911809600
Primary Name Server Hostname: DNS01.ONO.COM
Secondary Name Server Hostname: DNS03.ONO.COM


>>> Last update of whois database: Sun Aug 24 12:48:31 2008 <<<
Related IPs:
I locked out the hacker's IP and all related IPs. Perhaps this will help someone else.
Reply With Quote
  #33  
Old 08-25-2008, 11:44 PM
Videx Videx is offline
 
Join Date: Feb 2007
Posts: 3,085

Thanks. 84.0.0.0-84.255.255.255 added to my cpanel ip deny manager. I don't expect any legit visitors from NL, so I can get away with that!
Reply With Quote
  #34  
Old 08-26-2008, 08:15 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415

Your "hacker" has used an IP address that is assigned to a Spanish ISP. So he is just 1 of the customers of this ISP. He is not located in the Netherlands.

PS RIPE is the European registrar and its headquarters are located in the Netherlands, this has got nothing to do with your hacker.
Reply With Quote
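The point made in post #34, as an added example that is not part of the original thread: the ARIN reply quoted in post #32 carries a ReferralServer line, so its Country and OrgName describe the registry holding the /8, not the network the address belongs to. The function names are hypothetical; the input lines are copied from the quoted whois output.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines copied from the ARIN reply quoted in post #32.
ARIN_REPLY = """\
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 84.0.0.0 - 84.255.255.255
CIDR: 84.0.0.0/8
NetName: 84-RIPE
NetType: Allocated to RIPE NCC
# ARIN WHOIS database, last updated 2008-08-23 19:10
"""

def parse_fields(text):
    """Collect 'Key: value' lines; comment lines (# or %) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z]+):\s*(.*)", line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields

def assess_reply(text, source_ip):
    """Say whether a whois reply describes the end network or only a registry block."""
    f = parse_fields(text)
    net = ipaddress.ip_network(f["CIDR"][0])
    referral = f.get("ReferralServer", [None])[0]
    return {
        "covers_ip": ipaddress.ip_address(source_ip) in net,
        # How many addresses a deny rule for this whole block would hit.
        "block_size": net.num_addresses,
        # A ReferralServer line means this registry is not authoritative:
        # Country/OrgName describe the registry, not whoever uses the IP.
        "registry_block": referral is not None,
        "ask_next": urlsplit(referral).hostname if referral else None,
    }

if __name__ == "__main__":
    for key, value in assess_reply(ARIN_REPLY, "84.121.141.217").items():
        print(f"{key}: {value}")
```
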
  #35  
Old 08-26-2008, 11:48 AM
Videx Videx is offline
 
Join Date: Feb 2007
Posts: 3,085

Thanks for the clarification. I'm not expecting anyone legit from Spain either, so I'm still safe denying the whole range.
Reply With Quote
  #36  
Old 09-10-2008, 12:40 PM
bebeko bebeko is offline
 
Join Date: Oct 2006
Posts: 20

Any updates on this vulnerability? I had a site hacked twice exactly the same way (base64 encrypted PHP code was inserted at table 'template', field 'template', key record 'spacer_open', which was evaluated and defaced the website). My vBulletin version is 3.7.3 PL1. Modules used (all latest available version):
  • MorbiD SuitE [9 Flavours] | LYCHEE new| 3.7.2
  • Cyb - Advanced Permissions Based on Post Count
  • Automatic Thread Tagger
  • Periodic Prune Pms [ Cron Job - Fully Controlable ]
  • Separate Sticky and Normal Threads
  • Embed XHTML valid YouTube and Google Video into your posts
  • Automatic Inactive Users Pruning - vB3.7 RC2
  • vbAnonymizer
  • GTCustom Pages - Create Custom Pages With Ease
  • Send emails with HTML as HTML
Reply With Quote
  #37  
Old 09-16-2008, 04:14 PM
bebeko bebeko is offline
 
Join Date: Oct 2006
Posts: 20

It seems that the only installed module in common with Bilderback's configuration is "Separate Sticky and Normal Threads".
I still haven't found how attackers managed to rewrite the spacer_open template in all styles with an eval(base64) function...
Anyone with the same problem?
Reply With Quote
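A way to check for the tampering described in posts #36 and #37, as an added example that is not part of the original thread: scan every row of the `template` table for `eval(` or `base64_decode(` and decode any base64 argument so it can be reviewed. The column names `styleid` and `title` and the function names are assumptions (the thread names only the table `template`, the field `template` and the record `spacer_open`), and an in-memory SQLite table with constructed rows stands in for the forum database.

```python
import base64
import re
import sqlite3

CALL = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.IGNORECASE)

def scan_templates(conn):
    """Return one finding per template row containing eval( or base64_decode(."""
    findings = []
    rows = conn.execute(
        "SELECT styleid, title, template FROM template ORDER BY styleid, title")
    for styleid, title, body in rows:
        calls = sorted({m.group(1).lower() for m in CALL.finditer(body)})
        if not calls:
            continue
        decoded = []
        for m in B64_ARG.finditer(body):
            try:  # decode for review only; nothing is executed
                raw = base64.b64decode(m.group(1), validate=True)
                decoded.append(raw.decode("utf-8", "replace"))
            except ValueError:
                decoded.append("<not valid base64>")
        findings.append({"styleid": styleid, "title": title,
                         "calls": calls, "decoded": decoded})
    return findings

def build_sample_db():
    """Constructed stand-in data: spacer_open altered in two styles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE template (styleid INTEGER, title TEXT, template TEXT)")
    blob = base64.b64encode(b"/* constructed placeholder */").decode()
    injected = "<div>\" . eval(base64_decode('%s')) . \"</div>" % blob
    conn.executemany("INSERT INTO template VALUES (?, ?, ?)", [
        (1, "spacer_open", injected),
        (2, "spacer_open", injected),
        (1, "spacer_close", "</div>"),
        (2, "navbar", "<div class=\"navbar\">$navbits</div>"),
    ])
    return conn

if __name__ == "__main__":
    for f in scan_templates(build_sample_db()):
        print(f["styleid"], f["title"], f["calls"], f["decoded"])
```
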
  #38  
Old 09-18-2008, 11:15 PM
Bilderback Bilderback is offline
 
Join Date: Sep 2007
Location: Illinois
Posts: 214

In our case, there was a php shell script already planted somewhere on the BlueHost shared server.
Amazingly, and rarely, the hacker actually communicated in the forum for some time.
http://thebestforumever.com/archives...c-ur-site.html
Reply With Quote
  #39  
Old 09-25-2008, 07:06 PM
RS25com RS25com is offline
 
Join Date: Dec 2001
Posts: 87

Quote:
Originally Posted by Bilderback View Post
In our case, there was a php shell script already planted somewhere on the BlueHost shared server.
Amazingly, and rarely, the hacker actually communicated in the forum for some time.
http://thebestforumever.com/archives...c-ur-site.html
I'd be interested in seeing what he said, but without registering. Care to post his comments?
Reply With Quote
  #40  
Old 09-25-2008, 08:07 PM
fattony69 fattony69 is offline
 
Join Date: Jun 2007
Location: Philly
Posts: 353

Quote:
Originally Posted by RS25com View Post
I'd be interested in seeing what he said, but without registering. Care to post his comments?
I have some quotes if you want them:

Quote:
hi tbfe admins and users . .

i think u know me ?

any way i ViRuS_HiMa , the person who hacked ur site 3 times be4

fisrt sorry me about my english cuz i 17 y old from egypt

when i read the topic , its talk about this site hacked more than 4 or 5 times i think !!

how did i hack u ?

i was have phpshell script on the server that ur site has hosted on . .

but i was user and it mean that i can only read files from other sites on the server

so i look for forums to read the config thin use an script to change all forum home pages . .

and i think some one tlak about me and about the scrept in the vBulletin site :

vbulletin hacked - vBulletin.org Forum

but u know they was wrong in more of things cuz they talk about 777 permissions

but i dont need to 777 permissions to hack the vb forums cuz i can hack it with the only config data . . .

how to protect ur selfs from the next attacks ?

u have to change the include directory place

if u dont know what include dirctory

its folder in the vBulletin script . . .

and u have also to crypt the config by zend program . . .

last advic to u that u have to change ur passwords cum my some one have it now

and u have to see wich users are administrator and can log to the vb cpanel

cus the hacker can creat new user have the administrators access to the vb cpanel

now i tell u some of the forums security ways and u should know more

but any way if u dont know more about forums and sites security

u can contact me and i gonna help u as i can

A.e@hotmail.com


that was my advvices and i w8 for u . . .

and for the second time sorry me about my english . .

ViRuS_HiMa
Quote:
look when i deface ur forum i wasnt have phpshell on the "tbfe" i was have the shell on another site of the server

so when my id on the sell is user , and i wanna hack another site on the server ,

i have to use the script that i talkin about . .

i have use 2 scripts , one to read the config of the forum and the other is to deface all forum home pages .

about the milw0rm script , there is big defranse between my scriptes and the milw0rm script . .

the job of milw0rm script is to send the new exploits by the useres to stroky the milw0rm admin

then he add it to the script , so any 1 can see it . use it , and hack by it . . .

ViRuS_HiMa . .
Reply With Quote