The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#21
Good luck, we're around
#22
I noticed a couple dozen 'qaz001' Administrator accounts yesterday on my forum too. I deleted the accounts, and deleted the install directory. On my site, no nefarious plugins had been installed. I think what saved us was .htaccess password protection on the admincp directory. The real danger was almost dying of a heart attack when I saw all those unknown admin accounts!
If you google for inurl:/forum qaz001 administrator you can see that a lot of these accounts have been added to many forums recently.
#23
Anyone have any idea what this plugin code is doing?
#24
It looks like a way to detect which forums have been successfully compromised.
Google for a compromised forum, as described in my last post. Then, append &ech to the URL. You should see a blank page that contains only "0101". So, maybe it goes like this:

1. Use the /install directory exploit to add new admin users.
2. Log in to the admincp interface, and install the plugin.
3. Check which forums return "0101" when &ech is appended to their URL.
4. Deface the forums that are returning "0101".

--------------- Added later (timestamp 1381433980) ---------------

Here's the IP and user agent that tried to access my admincp directory on Oct. 9th, and failed about 30 times:

178.158.214.36 Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Also, this IP, same user agent: 46.183.218.214.

It's going like this (I've asterisked out my admincp directory):

178.158.214.36 - - [09/Oct/2013:15:26:43 -0500] "GET /forum/install/upgrade.php HTTP/1.0" 200 13295 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:44 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:45 -0500] "GET /forum/******/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

Looks like they're testing for the existence of /forum/install/upgrade.php, then POSTing to it (assumedly adding the new admin username). Then they try to access the admincp directory, but you can see here how they're being denied (401) because of the .htaccess directory protection on the admincp directory.
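As an added example (not code from this thread), here is a small Python script that applies the pattern described in the post above to an Apache-style access log: for each source IP it records hits on /install/upgrade.php, attempts on the admin directory, and requests carrying the &ech parameter, then reports whether the admincp protection held. The sample log lines and their IPs are constructed, and ADMIN_DIR is an assumed name for the (possibly renamed) admin directory.

```python
import re
from collections import defaultdict

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Constructed sample modelled on the lines quoted in the post;
# documentation-range IPs stand in for the real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2013:15:26:43 -0500] "GET /forum/install/upgrade.php HTTP/1.0" 200 13295 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Oct/2013:15:26:44 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Oct/2013:15:26:45 -0500] "GET /forum/admincp/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:02:11:09 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:02:11:12 -0500] "GET /forum/admincp/index.php HTTP/1.0" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:02:12:40 -0500] "GET /forum/index.php?&ech HTTP/1.0" 200 4 "-" "Mozilla/5.0"
"""
ADMIN_DIR = "admincp"  # assumption: set to your (renamed) admin directory


def tag(method, path, status):
    # Map one request to the indicator it matches, or None if benign.
    if "/install/upgrade.php" in path:
        return "install_post" if method == "POST" else "install_probe"
    if f"/{ADMIN_DIR}/" in path:
        return "admin_ok" if status == 200 else "admin_denied"
    query = path.partition("?")[2]
    if query and "ech" in [p.split("=")[0] for p in query.lstrip("&").split("&")]:
        return "ech_check"  # the "0101" beacon check described in the post
    return None


def analyze(log_text):
    # Return {ip: verdict} for every IP that touched at least one indicator.
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = tag(m["method"], m["path"], int(m["status"]))
        if t:
            seen[m["ip"]].add(t)
    verdicts = {}
    for ip, tags in seen.items():
        if "install_post" in tags and ("admin_ok" in tags or "ech_check" in tags):
            verdicts[ip] = "likely compromised: review admin users, plugins, clientscript"
        elif "install_post" in tags and "admin_denied" in tags:
            verdicts[ip] = "install hit, admincp blocked: still remove /install"
        else:
            verdicts[ip] = "probe only"
    return verdicts
```

Run it with `python3 script.py` after replacing SAMPLE_LOG with the contents of your own access log, or call analyze() on the file's text.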
#25
I had the same qaz001 admin accounts on my website - several of them. I also had the ech plugin - about 5 of them. Deleted them.
Also check your clientscript directory. Under vbulletincss there were a bunch of files that had been added the other day on my website - same day the accounts had been created. Deleted those too.
#26
Sorry for the late response. We hadn't cleared the install folder previous to the hack however afterwards we deleted the folder, the account, and that weird plugin (we had it too) and so far we've been alright!