vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions

#21
10-10-2013, 06:31 AM
tbworld

Good luck, we're around

#22
10-10-2013, 05:02 PM
ice9

I noticed a couple dozen 'qaz001' Administrator accounts yesterday on my forum too. I deleted the accounts, and deleted the install directory. On my site, no nefarious plugins had been installed. I think what saved us was .htaccess password protection on the admincp directory. The real danger was almost dying of a heart attack when I saw all those unknown admin accounts!

If you google for inurl:/forum qaz001 administrator you can see that a lot of these accounts have been added to many forums recently.

#23
10-10-2013, 05:51 PM
RedTurtle

Quote:
Originally Posted by afonseca
Thanks for sharing, I noticed the same plugins "ech" installed with the following code:

PHP Code:
// Planted marker: any request carrying ?ech (or &ech) gets a bare "0101" page and nothing else
if (isset($_GET["ech"])) {
    echo("0101");
    exit;
}

I've just deleted them.
Anyone have any idea what this plugin code is doing?

#24
10-10-2013, 06:09 PM
ice9

It looks like a way to detect which forums have been successfully compromised.

Google for a compromised forum, as described in my last post. Then, append &ech to the url. You should see a blank page that contains only "0101".

So, maybe it goes like this:

1. Use the /install directory exploit to add new admin users.
2. Log in to the admincp interface, and install the plugin.
3. Check which forums return "0101" when &ech is appended to their URL.
4. Deface the forums that are returning "0101".

--------------- Added 10-10-2013 at 07:39 PM ---------------

Here's the IP and user agent that tried to access my admincp directory on Oct. 9th, and failed about 30 times:

178.158.214.36
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Also, this IP, same user agent: 46.183.218.214.

It's going like this (I've asterisked out my admincp directory):

178.158.214.36 - - [09/Oct/2013:15:26:43 -0500] "GET /forum/install/upgrade.php HTTP/1.0" 200 13295 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:44 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:45 -0500] "GET /forum/******/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

Looks like they're testing for the existence of /forum/install/upgrade.php, then POSTing to it (assumedly adding the new admin username). Then they try to access the admincp directory, but you can see here how they're being denied (401) because of the .htaccess directory protection on the admincp directory.
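
An added example (not code from the thread or from vBulletin) that applies the two indicators ice9 describes, hits on a leftover install/upgrade.php and the &ech probe, to Apache combined-format access log lines. It assumes the admincp directory keeps its default name (pass admin_dir to match a renamed one) and runs over constructed sample lines modelled on the ones quoted above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the same layout as the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_indicators(lines, admin_dir="admincp"):
    """Per-IP counters for the two indicators described in the thread: hits on a
    leftover /install/upgrade.php (a POST there is not browsing) and ?ech/&ech
    probes for the planted plugin.  admin_dir is the board's admincp directory."""
    counters = defaultdict(lambda: {"install_get": 0, "install_post": 0,
                                    "admin_denied": 0, "ech_probe": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        path = parts.path.lower()
        c = counters[rec["ip"]]
        if path.endswith("/install/upgrade.php"):
            c["install_post" if rec["method"] == "POST" else "install_get"] += 1
        elif "/%s/" % admin_dir in path and rec["status"] in ("401", "403"):
            c["admin_denied"] += 1
        # keep_blank_values is required: "&ech" carries no value at all.
        if "ech" in parse_qs(parts.query, keep_blank_values=True):
            c["ech_probe"] += 1
    # Report only addresses that touched the installer or sent an ech probe.
    return {ip: c for ip, c in counters.items()
            if c["install_get"] or c["install_post"] or c["ech_probe"]}

# Constructed sample lines (documentation IPs), modelled on the ones quoted above.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2013:15:26:43 -0500] "GET /forum/install/upgrade.php HTTP/1.0" 200 13295 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
203.0.113.7 - - [09/Oct/2013:15:26:44 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
203.0.113.7 - - [09/Oct/2013:15:26:45 -0500] "GET /forum/admincp/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
192.0.2.3 - - [09/Oct/2013:15:28:10 -0500] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
198.51.100.9 - - [09/Oct/2013:15:30:02 -0500] "GET /forum/showthread.php?t=42&ech HTTP/1.1" 200 4 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
"""

if __name__ == "__main__":
    for ip, c in find_indicators(SAMPLE_LOG.splitlines()).items():
        print(ip, c)
```

Point it at a real access log with find_indicators(open(path)); any POST to install/upgrade.php on a live board is worth an alert on its own, since that directory should not exist after setup.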

#25
10-10-2013, 11:31 PM
michelle86

I had the same qaz001 admin accounts on my website - several of them. I also had the ech plugin - about 5 of them. Deleted them.

Also check your clientscript directory. Under vbulletincss there were a bunch of files that had been added the other day on my website - same day the accounts had been created. Deleted those too.

#26
10-16-2013, 02:43 AM
ThatGreenAlien

Sorry for the late response. We hadn't cleared the install folder previous to the hack; however, afterwards we deleted the folder, the account, and that weird plugin (we had it too), and so far we've been alright!