Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 11-02-2013, 02:28 AM
DJ-Dez DJ-Dez is offline
 
Join Date: Jun 2010
Posts: 61
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Strange Issue

hello! hoping some of you guys can shine some light on this strange issue. Tonight we had a person register on our Forum with a username of an Admin. They didn't have perms,only the username and we can't figure out how. We have our install directory deleted long ago so it's nothing to do with 0day exploit. No special ascii characters were used either...

hopefully someone can help me on this one thanks.
Reply With Quote
  #2  
Old 11-02-2013, 02:36 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The name was Admin, or they were in the usergroup Admin?
Reply With Quote
Благодарность от:
DJ-Dez
  #3  
Old 11-02-2013, 02:42 AM
DJ-Dez DJ-Dez is offline
 
Join Date: Jun 2010
Posts: 61
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It was an admins name, in fact it was mine. The user registered with the name "Dez" but with no admin permissions and I already have that name. They then asked other admins to give perms but they refused. Strange and I can't figure out how it was done. I also use ^[A-Z]+$ in regular expression settings.
Reply With Quote
  #4  
Old 11-02-2013, 04:17 AM
Amaury Amaury is offline
 
Join Date: Nov 2011
Location: Ellensburg, WA
Posts: 1,075
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Delete it and your install directory.
Reply With Quote
  #5  
Old 11-02-2013, 04:30 AM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Please read the notices in your Admincp about deleting the /install directory. Now please delete any new Administrators and plugins they made and template edits they may have done.
Reply With Quote
Благодарность от:
DJ-Dez
  #6  
Old 11-02-2013, 07:56 AM
cellarius's Avatar
cellarius cellarius is offline
 
Join Date: Aug 2005
Posts: 1,987
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If I understand the OP correctly at all:
1. A person registered using the (seemingly?) same username as an already existing admin.
2. That newly registered user did NOT have any admin permissions, i.e. did not make himself admin, but tried to get those permissions by asking other admins for them

While it is of course smart to remove the install directory, what indication is there that the forum was hacked? Is this something that has turned up in the recent situation (just curious)?
Reply With Quote
Благодарность от:
DJ-Dez
  #7  
Old 11-02-2013, 11:07 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I would use this:

Code:
^[a-zA-Z0-9\s.\-_']+$
Which allows for characters but still prevents the 'hidden' ones.
Reply With Quote
Благодарность от:
Ba'al
  #8  
Old 11-02-2013, 01:51 PM
DJ-Dez DJ-Dez is offline
 
Join Date: Jun 2010
Posts: 61
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks for the the answers guys

Quote:
Originally Posted by cellarius View Post
If I understand the OP correctly at all:
1. A person registered using the (seemingly?) same username as an already existing admin.
2. That newly registered user did NOT have any admin permissions, i.e. did not make himself admin, but tried to get those permissions by asking other admins for them

While it is of course smart to remove the install directory, what indication is there that the forum was hacked? Is this something that has turned up in the recent situation (just curious)?

As I've said above, the install directory has been deleted a while and everything else above from cellarius is correct. The Forum wasn't hacked but I can't figure out how they managed to use an existing name. Something that could easily cause problems.
Reply With Quote
  #9  
Old 11-02-2013, 02:18 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

They somehow used a hidden character, by using the code I posted for Username Regular Expression that should stop issues like that.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:04 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04401 seconds
  • Memory Usage 2,248KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (9)post_thanks_box
  • (4)post_thanks_box_bit
  • (9)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit
  • (9)post_thanks_postbit_info
  • (9)postbit
  • (9)postbit_onlinestatus
  • (9)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete