  #1  
Old 07-19-2016, 05:08 AM
tanzeelniazi tanzeelniazi is offline
 
Join Date: Apr 2012
Posts: 375
Default Need Help about hacking

Hello all, I have a problem. Today I got so many emails about database errors.
I think someone tried to hack but failed, not completely sure.
I got these emails:

Code:
Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (1) AND 81 44 AND (7397=7397);

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '44 AND (7397=7397)' at line 5
Error Number  : 1064
Request Date  : Monday, July 18th 2016 @ 07:03:58 PM
Error Date    : Monday, July 18th 2016 @ 07:03:58 PM
Script        : http://www.XXXXXX.com/forumrunner/request.php
Referrer      :
IP Address    : 18*.6*.1**.**9
Username      : Unregistered
Classname     : **_******_MySQLi
MySQL Version :

Code:
Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (1) AND (SELECT CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) FROM INFORMATION_SCHEMA.SYSTEM_USERS)=CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) AND (7852=7852);

MySQL Error   : Unknown table 'SYSTEM_USERS' in information_schema
Error Number  : 1109
Request Date  : Monday, July 18th 2016 @ 07:04:18 PM
Error Date    : Monday, July 18th 2016 @ 07:04:19 PM
Script        : http://www.XXXXX.com/forumrunner/request.php
Referrer      :
IP Address    : 18*.6*.1**.**9
Username      : Unregistered
Classname     : **_******_MySQLi
MySQL Version :

Code:
Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (1) AND (SELECT CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) FROM INFORMATION_SCHEMA.SYSTEM_USERS)=CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) AND (7852=7852);

MySQL Error   : Unknown table 'SYSTEM_USERS' in information_schema
Error Number  : 1109
Request Date  : Monday, July 18th 2016 @ 07:04:18 PM
Error Date    : Monday, July 18th 2016 @ 07:04:19 PM
Script        : http://www.XXXXXX.com/forumrunner/request.php
Referrer      :
IP Address    : 18*.6*.1**.**9
Username      : Unregistered
Classname     : **_******_MySQLi
MySQL Version :

and some other types of database errors.
Is someone trying to hack me?
Did someone get my database?
Any help?
Reply With Quote
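
Added example, not part of the original post and not vBulletin code: a small triage script for database-error mails like the ones quoted above. It extracts the failed SQL and the header fields, then flags fragments that do not belong in the forum's own query. The sample mail is constructed, and the host name and IP address in it are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like the mails quoted above; host and IP are
# placeholders, not values from the thread.
SAMPLE_MAIL = """Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid FROM post AS post
                WHERE postid IN (1) AND (SELECT CHAR(122)||CHAR(107) FROM INFORMATION_SCHEMA.SYSTEM_USERS)=CHAR(122)||CHAR(107) AND (7852=7852);

MySQL Error   : Unknown table 'SYSTEM_USERS' in information_schema
Error Number  : 1109
Script        : http://forum.example/forumrunner/request.php
IP Address    : 192.0.2.10
"""

# Fragments the forum's own post lookup never contains; any of them in the
# failed statement means request input reached the SQL text.
INDICATORS = {
    "numeric_tautology": re.compile(r"\(\s*(\d+)\s*=\s*\1\s*\)"),
    "char_concat": re.compile(r"CHAR\(\d+\)\s*\|\|\s*CHAR\(\d+\)", re.I),
    "schema_probe": re.compile(r"INFORMATION_SCHEMA\.", re.I),
    "nested_select": re.compile(r"\(\s*SELECT\b", re.I),
}

def parse_error_mail(text):
    """Return (sql, fields) from one vBulletin database-error mail."""
    m = re.search(r"Invalid SQL:\s*(.*?)\s*^MySQL Error", text, re.S | re.M)
    sql = " ".join(m.group(1).split()) if m else ""
    pairs = re.findall(r"^([A-Za-z ]+?)[ \t]*:[ \t]*(.*)$", text, re.M)
    fields = {key.strip(): value.strip() for key, value in pairs}
    return sql, fields

def triage(text):
    """Summarise one mail: endpoint, source, error number, indicators found."""
    sql, fields = parse_error_mail(text)
    hits = [name for name, rx in INDICATORS.items() if rx.search(sql)]
    return {
        "endpoint": urlparse(fields.get("Script", "")).path,
        "ip": fields.get("IP Address", ""),
        "errno": fields.get("Error Number", ""),
        "indicators": hits,
        "suspicious": bool(hits),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
```

Run over a mailbox export, the `endpoint` field shows which script the probes reach, and an empty `indicators` list separates ordinary database faults from injected input.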
  #2  
Old 07-19-2016, 07:13 AM
Kane@airrifle Kane@airrifle is offline
 
Join Date: Jun 2011
Location: ZA
Posts: 181
Default

You had better update and patch ASAP: http://www.vbulletin.com/forum/forum...or-vbulletin-4
Reply With Quote
  #3  
Old 07-19-2016, 08:59 AM
z3r0 z3r0 is offline
 
Join Date: Apr 2005
Posts: 339
Default

Check for a new plugin added named "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff, if it's there you have been hacked and you should disable/remove it and have a check for any files uploaded to your forum (left menu -> maintenance -> diagnostics -> suspect file versions)
Reply With Quote
Thanks from:
grey_goose
  #4  
Old 07-19-2016, 10:58 AM
tanzeelniazi tanzeelniazi is offline
 
Join Date: Apr 2012
Posts: 375
Default

How do I check for "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff?
Reply With Quote
  #5  
Old 07-19-2016, 11:43 AM
z3r0 z3r0 is offline
 
Join Date: Apr 2005
Posts: 339
Default

From the admincp go to plugin manager in the left column, then check for a product titled "vbulletin" that has the hook location "init_startup". Click edit, and if it contains the word base64 and a load of random text then you need to disable it.
Reply With Quote
2 thanks from:
alcazarx, MarkFL
  #6  
Old 07-19-2016, 12:04 PM
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Default

If you need help let me know.. Definitely follow the above advice asap. Also disable forumrunner until you update.
Reply With Quote
Thanks from:
MarkFL
  #7  
Old 07-19-2016, 12:14 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Default

Delete the forumrunner directory or rename it to something random asap in case you haven't patched it yet.
Reply With Quote
Thanks from:
MarkFL
  #8  
Old 07-19-2016, 03:53 PM
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Default

Quote:
Originally Posted by RichieBoy67 View Post
If you need help let me know.. Definitely follow the above advice asap. Also disable forumrunner until you update.
Disabling Forumrunner will have no effect on the issue, you must either patch it, or remove it.
Reply With Quote
4 thanks from:
alcazarx, Lynne, MarkFL, RichieBoy67
  #9  
Old 07-19-2016, 09:19 PM
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Default

Quote:
Originally Posted by z3r0 View Post
Check for a new plugin added named "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff, if it's there you have been hacked and you should disable/remove it and have a check for any files uploaded to your forum (left menu -> maintenance -> diagnostics -> suspect file versions)
Actually, it's best to check the datastore table, (Edit: well truth be told check regular plugins via admincp, the plugin table as well PLUS the datastore table, check them all!) then look in the pluginlist (there are two, pluginlist and pluginlistadmin so be sure to check both, typically malicious code is only in pluginlist though) because code added to the bottom of this will not show in one single/particular "plugin" via the admincp because this contains all the plugins in one list not a single view per se. You can also scroll the entire contents of pluginlist to see a complete list of plugins installed on your site, be careful if editing out malicious code and once done go to your admincp then into plugin manager and save the active status (to reset datastore/plugins) otherwise changes may not show immediately and/or could cause display issues.

What some have been doing is injecting their base64 code at the very bottom (scroll to find, they add tons of white space so you won't notice right off the bat unless you scroll down, i.e. if a scrollbar exists when viewing via phpmyadmin, scroll scroll scroll) and more so we see this with myfilestore than any other type of exploit (also if you're dealing with that in particular, myfilestore redirect then also check the file datastore_cache.php which is located in /includes/datastore/ for any mal code).
Reply With Quote
3 thanks from:
grey_goose, MarkFL, RichieBoy67
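
Added example, not part of the original post and not vBulletin code: a scanner for text exported from a plugin, the pluginlist datastore entry or datastore_cache.php, reporting the signs described above (a base64_decode call, a long encoded literal, and code sitting after a long run of whitespace). The thresholds of 40 characters and 200 whitespace characters are assumptions, and the sample input is constructed with a harmless placeholder as its encoded content.

```python
import base64
import re

B64_CALL = re.compile(r"base64_decode\s*\(", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # assumed minimum length
PADDING = re.compile(r"\s{200,}")  # whitespace run long enough to hide code

def line_of(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1

def decodes_cleanly(run):
    """True if the run is well-formed base64 (filters out most long identifiers)."""
    try:
        base64.b64decode(run, validate=True)
        return True
    except ValueError:
        return False

def scan_plugin_code(code):
    """Return sorted (line, finding) pairs for one exported block of plugin code."""
    findings = [(line_of(code, m.start()), "base64_decode call")
                for m in B64_CALL.finditer(code)]
    findings += [(line_of(code, m.start()), "long base64 literal")
                 for m in B64_RUN.finditer(code) if decodes_cleanly(m.group())]
    # Only report padding when something other than whitespace follows it.
    findings += [(line_of(code, m.end()), "code after whitespace padding")
                 for m in PADDING.finditer(code) if code[m.end():].strip()]
    return sorted(findings)

# Constructed sample: an ordinary plugin line, 300 blank lines, then an encoded
# literal whose decoded content is a harmless placeholder comment.
_blob = base64.b64encode(b"/* constructed placeholder, not real malware */ " * 2).decode()
SAMPLE = ("$show['example'] = true;\n" + "\n" * 300
          + "$x = base64_decode('" + _blob + "');\n")

if __name__ == "__main__":
    for line, what in scan_plugin_code(SAMPLE):
        print(f"line {line}: {what}")
```

The reported line number points past the padding, which is the part a quick look at the top of the field in phpMyAdmin would miss.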
  #10  
Old 07-19-2016, 09:23 PM
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Default

There is a good chance that debase64 code was already added to all of the files as well at this point.


Quote:
Originally Posted by Paul M View Post
Disabling Forumrunner will have no effect on the issue, you must either patch it, or remove it.
Yes, correct. Thank you Paul for the correction. :up: That is why you get the big bucks!
Reply With Quote