#1
10-08-2013, 01:59 PM
ThatGreenAlien
Join Date: Dec 2012
Location: Betelgeuse
Posts: 58
Random account set to Administrator?

Today I woke up to see the newest member, some random account named qaz001 was in the administrator group? We banned them before anything was done, but what is this and what can we do to stop it? Is this like a hack or something?

I did a google search on the name, and a lot of other random boards have the same account set as an administrator... what's up with this?

#2
10-08-2013, 02:13 PM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

Yes, it's a hacker. You would be best to do a full check and plug the hole where they got in.

#3
10-08-2013, 03:33 PM
ThatGreenAlien
Join Date: Dec 2012
Location: Betelgeuse
Posts: 58

Okay, I'm pretty new to server stuff, what should I do exactly? And I looked in their log and saw something with plugin.php, what should I be looking for?

#4
10-08-2013, 03:44 PM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Have you followed the recent security advice and removed your install folder? That's almost certainly how they created the account.

#5
10-08-2013, 04:50 PM
ThatGreenAlien
Join Date: Dec 2012
Location: Betelgeuse
Posts: 58

I'll check that when I get home. Thanks!!

Edit: All install folders have been deleted. Anything else?

#6
10-08-2013, 10:10 PM
ozzy47
Join Date: Jul 2009
Location: USA
Posts: 10,929

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

#7
10-09-2013, 09:40 PM
afonseca
Join Date: Jan 2011
Posts: 3

Hi, I'm having the exact same issue, down to the username that was used. I banned those accounts and the hacker started creating other named accounts also in the Administrators group. The links on vbulletin.com are throwing this error:
"An internal error has occurred and the module cannot be displayed."

Did vbulletin.com get hacked? Any help appreciated.

#8
10-09-2013, 09:58 PM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

Quote:
Originally Posted by afonseca View Post
Hi, I'm having the exact same issue, down to the username that was used. I banned those accounts and the hacker started creating other named accounts also in the Administrators group. The links on vbulletin.com are throwing this error:
"An internal error has occurred and the module cannot be displayed."

Did vbulletin.com get hacked? Any help appreciated.
Sorry, are we talking about your forum being hacked or are you asking if vbulletin has also been hacked?

#9
10-09-2013, 10:03 PM
afonseca
Join Date: Jan 2011
Posts: 3

I was referring to vbulletin.com there as none of the links shared were working for me, they were throwing that error message. They seem to be working fine now.

#10
10-09-2013, 10:17 PM
Grimes
Join Date: Jun 2012
Posts: 20

Quote:
Originally Posted by ThatGreenAlien View Post
Today I woke up to see the newest member, some random account named qaz001 was in the administrator group? We banned them before anything was done, but what is this and what can we do to stop it? Is this like a hack or something?

I did a google search on the name, and a lot of other random boards have the same account set as an administrator... what's up with this?
I have the same exact thing happening. Same user, same situation. The email is qwe@qwe.com and the ip is the same each time out of the Ukraine. It comes up in spam ip searches online. They were able to set the usergroup to admin and registration ip is blank. I believe I caught it in time, but I noticed that that same user account was created multiple times, and their location under 'who's online' was plugin.php?do=doimport&do=doimport.

Check your plugins for strange plugins. I had multiple entries (one for each account) of a plugin titled 'ech' that uses the hook init_startup. I deleted them all. This just happened moments ago. I had registration turned off, but it was still creating that same account. Banning the username and ip + email seems to have stopped it. Bizarre. I'm in the process of a security check right now to see if there's a hole somewhere.
All times are GMT.
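
Added example (not part of any post in this thread): a web access-log triage for the two indicators the posters mention, requests into the install folder and `plugin.php?do=doimport`. The "combined" log format, the `/forum/` and `admincp/` paths, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in "combined" access-log format (documentation IP ranges).
SAMPLE_LOG = '''\
198.51.100.23 - - [08/Oct/2013:03:10:44 +0000] "GET /forum/index.php HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2013:03:12:01 +0000] "POST /forum/install/ HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [08/Oct/2013:03:12:09 +0000] "POST /forum/admincp/plugin.php?do=doimport&do=doimport HTTP/1.1" 200 912 "-" "-"
198.51.100.23 - - [08/Oct/2013:03:15:30 +0000] "GET /forum/showthread.php?t=install HTTP/1.1" 200 20110 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2013:21:02:17 +0000] "POST /forum/install/ HTTP/1.1" 404 310 "-" "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
GONE = {"403", "404", "410"}  # install folder already removed or blocked

def classify(target, status):
    """Label one request, or return None when it is unremarkable."""
    url = urlsplit(target)
    segments = [s.lower() for s in url.path.split("/") if s]
    if "install" in segments:  # path segment only, never the query string
        return "install-dir-probe" if status in GONE else "install-dir-reachable"
    if segments and segments[-1] == "plugin.php":
        if "doimport" in parse_qs(url.query).get("do", []):
            return "plugin-import"
    return None

def triage(log_text):
    """Group flagged requests by client IP, in log order."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        label = classify(m["target"], m["status"])
        if label:
            findings[m["ip"]].append((m["ts"], label, m["target"]))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        for ts, label, target in hits:
            print(f"{ip}  {ts}  {label:<22} {target}")
```

Any `install-dir-reachable` hit means the install folder was still being served at that time; the timestamps of `plugin-import` hits give a starting point for matching against the creation dates of unexpected administrator accounts and plugins.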