#1
11-30-2017, 01:19 PM
CarolSEL
Join Date: Aug 2010
Posts: 65
Hacker Gave himself Admin privs

A new member registered at our forum, then somehow made himself an Admin. (Obviously, we banned him and his IP.)

How can that happen? What precautions do we need to take?

#2
11-30-2017, 01:29 PM
Dave
Join Date: May 2010
Posts: 2,583

There's a lot of ways this can happen, it's impossible for us to tell you what exactly caused it.
Here's a few guesses:
- Outdated vBulletin forum
- Vulnerable plugins
- Other vulnerable software on your server

You need to find the cause first before you can implement something to prevent it from happening again in the future.

#3
11-30-2017, 03:37 PM
CarolSEL
Join Date: Aug 2010
Posts: 65

Thanks Dave,
We're running on 4.2.4, and since the problem we previously had, have not reinstalled any but necessary (vB) plugins.
Host sent me back this reply (pretty much the same answer, but with specifics):
After reviewing the server and logs it appears that the compromise occurred completely within the VBulletin software and not through any form of malware on the site. This compromise was due to vulnerabilities of the End Of Life version of your software. I determined this by reviewing all access logs from that IP address as well as scanning the account for malware (finding 0 hits). I also scanned for standard CMS versions and this was the result.

==== End-Of-Life CMS Packages ====

vBulletin 4.2.1 /home/mydb
vBulletin 4.2.0.3 /home/mydb/forums
vBulletin 4.2.4 /home/mydb/public_html/forums
vBulletin 4.2.0.3 /home/mydb/public_html/moved pb html



The recommended course of action at this point is to fully update your live software while removing accessibility to any that are not being used at this time. Once updated I would also recommend searching for any sort of security based addon for that software that can help mitigate any future threats.
Aren't the older versions automatically overwritten with upgrades?

#4
11-30-2017, 04:01 PM
Dave
Join Date: May 2010
Posts: 2,583

Your older forums weren't even in the public_html folder so the statement by your host is crap.
The only thing I can think of is that you had forumrunner enabled whilst not updating it to the latest version, it was vulnerable to something that allowed people to take over your forum.

I recommend upgrading your forum to the latest version and change the password of all administrator accounts.
Of course, it's still entirely possible that the hacker left a backdoor somewhere in your files, plugins or datastore cache.

#5
11-30-2017, 10:49 PM
TheLastSuperman
Senior Member
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844

Quote:
Originally Posted by CarolSEL
A new member registered at our forum, then somehow made himself an Admin. (Obviously, we banned him and his IP.)

How can that happen? What precautions do we need to take?

If the hacker gains access to the database they can alter their membergroup id #, if they have access to ftp (files) they can also assign themselves as a Super-Administrator per the config file - it's easy IF they have access but basically simply FTP access would allow you to also upload a file and interact with the database directly w/o the need for phpmyadmin or similar.

#6
11-30-2017, 10:52 PM
TheLastSuperman
Senior Member
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844

Quote:
Originally Posted by CarolSEL
Aren't the older versions automatically overwritten with upgrades?

Yes and no.

Forums are typically installed in a folder i.e. on many sites you see /forum/ or /forums/. So with that being said when you upgrade then of course the files are overwritten BUT that does not include older outdated files, so if an older vBulletin file still existed and is no longer used in the newer version then you would still have an old file present. Furthermore any "extra/spare/old/outdated/backup" copies of the software are never updated unless you do two manual upgrades.

#7
12-01-2017, 10:33 AM
CarolSEL
Join Date: Aug 2010
Posts: 65

Quote:
Originally Posted by TheLastSuperman
If the hacker gains access to the database they can alter their membergroup id #, if they have access to ftp (files) they can also assign themselves as a Super-Administrator per the config file - it's easy IF they have access but basically simply FTP access would allow you to also upload a file and interact with the database directly w/o the need for phpmyadmin or similar.

That makes sense, since host notified us about a month back that someone was attempting to access the FTP ports, so they changed the ports.

I did review the config file (and others) and didn't see signs of any changes to them. How would I find a file they uploaded?

--------------- Added [DATE]1512131938[/DATE] at [TIME]1512131938[/TIME] ---------------

Quote:
Originally Posted by Dave
Your older forums weren't even in the public_html folder so the statement by your host is crap.
The only thing I can think of is that you had forumrunner enabled whilst not updating it to the latest version, it was vulnerable to something that allowed people to take over your forum.

I recommend upgrading your forum to the latest version and change the password of all administrator accounts.
Of course, it's still entirely possible that the hacker left a backdoor somewhere in your files, plugins or datastore cache.

Thanks. What does forumrunner actually do? I saw that the site owner had reactivated it, so I just turned it off. Will that stop members who use mobile devices from logging in?

#8
12-01-2017, 01:58 PM
Dave
Join Date: May 2010
Posts: 2,583

Quote:
Originally Posted by CarolSEL
That makes sense, since host notified us about a month back that someone was attempting to access the FTP ports, so they changed the ports.

I did review the config file (and others) and didn't see signs of any changes to them. How would I find a file they uploaded?

--------------- Added [DATE]1512131938[/DATE] at [TIME]1512131938[/TIME] ---------------

Thanks. What does forumrunner actually do? I saw that the site owner had reactivated it, so I just turned it off. Will that stop members who use mobile devices from logging in?

Forumrunner is an app, so if people actually used that app then they can't use it.
However, you should remove the entire forumrunner folder from your forum if it's outdated, disabling it is not enough.
Reply With Quote
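
An added example, not part of the original thread and not vBulletin's own tooling: a file-triage sketch for the question in post #7 (how to find an uploaded file) and for the leftover copies and forumrunner folder discussed in posts #4, #6 and #8. It assumes GNU find; the function names are hypothetical, and `includes/class_core.php` is used as an assumed marker for a vBulletin install directory.

```shell
#!/bin/sh
# Added example: post-compromise file triage for an account that hosts vBulletin.
# Assumptions: GNU find (-newermt, -iname); the root path and date you pass in.

# Script-like files modified after SINCE (pick a date shortly before the rogue
# account registered). Modification times can be forged, so an empty result is
# inconclusive, not proof that nothing was uploaded.
recent_scripts() {
    find "$1" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
           -o -name '.htaccess' \) \
        -newermt "$2" -print | sort
}

# Every directory that looks like a vBulletin copy, inside or outside the
# docroot. Copies that are not the live forum never receive upgrades.
vb_installs() {
    find "$1" -type f -path '*/includes/class_core.php' -print |
        sed 's|/includes/class_core\.php$||' | sort
}

# forumrunner directories still on disk. Disabling the product in the admin
# panel leaves these files reachable over HTTP.
forumrunner_dirs() {
    find "$1" -type d -iname 'forumrunner' -print | sort
}

# Print all three checks for one account root.
triage() {
    echo "== vBulletin copies under $1 =="
    vb_installs "$1"
    echo "== forumrunner directories =="
    forumrunner_dirs "$1"
    echo "== script files modified after $2 =="
    recent_scripts "$1" "$2"
}

# Usage: sh triage.sh <account-root> <YYYY-MM-DD>
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

Compare anything `recent_scripts` reports against a clean download of the same vBulletin version before deleting it, and keep a copy of suspicious files for the host's investigation.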
All times are GMT.

