#1
01-19-2009, 03:09 PM
jimjam
Join Date: Jul 2007
Posts: 75
Thanks given: 0
Thanked 0 times in 0 posts
Hacked - Database Deleted - Via Downloads II ??

Lunch time today I got a general VB database error. When I checked the site through my server control panel, the site database was not there. I am currently installing a backup.

After nosing around the file structure on the site, I noticed in the Downloads folder (this is a folder created by the Downloads II mod) a bunch of files that should not have been there, most modified at the time of the crash just after 1pm.

Can anyone enlighten me what these files might be, how they got in this folder, and are they responsible for my database disappearing?

Thanks in advance
Attached Images
File Type: png hacked.png (9.3 KB, 0 views)
Reply With Quote
#2
01-19-2009, 03:16 PM
snakes1100
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Thanks given: 0
Thanked 0 times in 0 posts

You have a security hole on the server. Check the Apache logs for c99 and see if you can find out how they uploaded it. There are numerous ways to stop c99 uploads, but I would suggest you find the security issue first and close that hole.
Reply With Quote
#3
01-19-2009, 03:22 PM
jimjam
Join Date: Jul 2007
Posts: 75
Thanks given: 0
Thanked 0 times in 0 posts

What is a c99 upload?
Reply With Quote
#4
01-19-2009, 03:23 PM
snakes1100
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Thanks given: 0
Thanked 0 times in 0 posts

c99 is the bash script they used to nuke your db.

You posted a picture of the files they uploaded; please read the names of the files and note the c99 name in them.
Reply With Quote
#5
01-19-2009, 03:29 PM
jimjam
Join Date: Jul 2007
Posts: 75
Thanks given: 0
Thanked 0 times in 0 posts

Yes, the thing is I think I saw him do it.

On the front page we have vbadvanced and there is a VBA module that lists the latest upload. I noticed an upload called aaaaaaaaaaa, but when I went to it, it was gone. The upload was attributed to someone who joined today. I watched him via Who's Online and he spent a bit of time in the Downloads section, and then I thought no more of it. A lot of members do just that: they join to get access to the downloads section. Shortly after, the DB was no more.

That is why I checked the Downloads folder, looking for that aaaaaaaaa file, and found all that other c99 crap.
Reply With Quote
#6
01-19-2009, 03:33 PM
snakes1100
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Thanks given: 0
Thanked 0 times in 0 posts

Well, as I stated, you can block c99 uploading; that's not really an issue. You need to close the security hole you have open on your server.

Without going over your server to see its setup, I can't really suggest anything more.

1. secure server.
2. check perms.
3. make sure programs are running latest version.
Reply With Quote
#7
01-19-2009, 03:48 PM
jimjam
Join Date: Jul 2007
Posts: 75
Thanks given: 0
Thanked 0 times in 0 posts

Thanks for your help.:up:

I am a newbie to all things "server-side" so it looks like I need to get out and find some help.
Reply With Quote
#8
01-19-2009, 03:52 PM
snakes1100
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Thanks given: 0
Thanked 0 times in 0 posts

You're welcome.
Reply With Quote
#9
01-20-2009, 05:23 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by jimjam
Yes, the thing is I think I saw him do it.

On the front page we have vbadvanced and there is a VBA module that lists the latest upload. I noticed an upload called aaaaaaaaaaa, but when I went to it, it was gone. The upload was attributed to someone who joined today. I watched him via Who's Online and he spent a bit of time in the Downloads section, and then I thought no more of it. A lot of members do just that: they join to get access to the downloads section. Shortly after, the DB was no more.

That is why I checked the Downloads folder, looking for that aaaaaaaaa file, and found all that other c99 crap.

It looks like you've found your hole. Check for updates with that modification.
Reply With Quote
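
Added example, not part of any post in the thread: one way to do the Apache log check suggested in post #2, narrowed to the Downloads folder discussed in posts #5 and #9. It lists each client that requested a script-type or c99-named file from the upload folder, together with that client's earlier POST requests, which are the candidates for the upload itself. The `/downloads/` URL path, the `downloads.php?do=upload` handler and all log lines are constructed assumptions.

```python
import re
from datetime import datetime

# Start of an Apache common/combined access-log line: client, time, request, status.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UPLOAD_DIR = "/downloads/"  # assumption: URL path of the mod's file folder
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|pl|cgi|py|sh)(\.|$)', re.I)

def parse(lines):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def suspicious(rec):
    """True for a script-type file in the upload folder or a 'c99' file name."""
    path = rec["path"].split("?", 1)[0].lower()
    name = path.rsplit("/", 1)[-1]
    return "c99" in name or (UPLOAD_DIR in path and bool(SCRIPT_EXT.search(name)))

def trace_uploads(lines):
    """Map client IP -> (first suspicious hit, that client's earlier POSTs)."""
    recs = sorted(parse(lines), key=lambda r: r["ts"])
    report = {}
    for rec in recs:
        if suspicious(rec) and rec["ip"] not in report:
            earlier = [r for r in recs if r["ip"] == rec["ip"]
                       and r["method"] == "POST" and r["ts"] < rec["ts"]]
            report[rec["ip"]] = (rec, earlier)
    return report

# Constructed sample lines (not from the thread); IPs are documentation ranges.
SAMPLE = [
    '198.51.100.7 - - [19/Jan/2009:12:41:02 +0000] "GET /register.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Jan/2009:12:52:40 +0000] "POST /downloads.php?do=upload HTTP/1.1" 200 812',
    '203.0.113.9 - - [19/Jan/2009:12:55:00 +0000] "GET /downloads/manual.pdf HTTP/1.1" 200 90211',
    '198.51.100.7 - - [19/Jan/2009:12:58:13 +0000] "GET /downloads/aaaaaaaaaaa.php HTTP/1.1" 200 40960',
    '198.51.100.7 - - [19/Jan/2009:13:01:44 +0000] "POST /downloads/c99.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, (hit, earlier) in trace_uploads(SAMPLE).items():
        print(ip, "first requested", hit["path"], "at", hit["ts"])
        for r in earlier:
            print("  earlier POST:", r["ts"], r["path"], r["status"])
```

The earlier POSTs show which script accepted the file, which is the component to patch or update; a script-type file being served with status 200 from the upload folder also means that folder allows script execution.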