  #11  
Old 02-29-2008, 07:02 AM
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

If reinstalling the default style using tools.php solves your problem, then this indicates that 1 of the following is happening:
- The hacker is able to change your MASTER_STYLE. This style is only accessible when the board is in debug-mode. Unless you are running in debug-mode, this can only be changed by a direct edit in the database.
- The precompiled cached version of your templates is edited. Again this can only be done by direct editing of the database. The problem gets "solved" when the cache is rebuilt (as is done when using tools.php).

Both of these scenarios require that the hacker has direct access to your database, so I would start by focussing on how he gained access to your database and close this gap. You might want to contact your host about this.
  #12  
Old 02-29-2008, 05:41 PM
Daniel Thomas
Join Date: Jul 2005
Posts: 24

Quote:
Originally Posted by Marco van Herwaarden
If reinstalling the default style using tools.php solves your problem, then this indicates that 1 of the following is happening:
- The hacker is able to change your MASTER_STYLE. This style is only accessible when the board is in debug-mode. Unless you are running in debug-mode, this can only be changed by a direct edit in the database.
- The precompiled cached version of your templates is edited. Again this can only be done by direct editing of the database. The problem gets "solved" when the cache is rebuilt (as is done when using tools.php).

Both of these scenarios require that the hacker has direct access to your database, so I would start by focussing on how he gained access to your database and close this gap. You might want to contact your host about this.

Yes, I was actually able to find the php file they were using to overwrite the database. Somehow, they even managed to access the config file so they could get our MySQL database information to use in their script to overwrite the forum. I do have a copy of this file; if you would like, I can send it to you.

Is it possible they found an exploit in a plugin or something that allowed them to place this file on the server and then manage to hack the config.php file, all without having to actually hack the server?
  #13  
Old 03-01-2008, 06:50 AM
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

If they can place a PHP file on your server and execute it, then it is no problem to get the contents of your config.php.

I don't know how they placed that file on your server; I doubt it was done through standard vBulletin. More likely: FTP Access/Server Control Panel, vulnerable modification,...
  #14  
Old 03-01-2008, 06:51 AM
Boofo
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776

Or maybe a disgruntled ex-Staff member with access to the server?
  #15  
Old 03-11-2008, 02:01 PM
Daniel Thomas
Join Date: Jul 2005
Posts: 24

We're still being hacked. We've changed the password to our server and we've upgraded our forum to the latest version and still these Saudi Arabian hackers keep hacking the forum. Earlier in the week they were even hacking my account and taking over, and now they are back at overwriting the forum skin again. I keep going in and deleting the files they place on the server that allow them to overwrite the forum, and now I'm completely out of ideas on how to secure the forum.
  #16  
Old 03-12-2008, 08:58 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

If they can place files on the server, then it (most likely) indicates a problem on the server level (e.g. FTP or SSH). It could also be caused by another script.