vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
#31
09-07-2013, 02:02 AM
nosmo

Join Date: Nov 2012
Posts: 1
Thanked: 0 times
Was thanked: 0 times in 0 posts

ok, I was warned by someone via email my site had been exploited. Boooo.
flat4lv.com

I should know more about this, but I don't.

Anyway,
1. deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread https://vborg.vbsupport.ru/showthrea...=301892&page=3 but I don't have an iframe, but do have a link on the bottom of my page. "something you've never seen"
5. Installed Check 4 Hack (https://vborg.vbsupport.ru/showthread.php?t=265866) > Set up e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.

Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?

Thanks in advance for any advice.
#32
09-07-2013, 03:14 AM
dawges

Join Date: May 2007
Posts: 96
Thanked: 0 times
Was thanked: 0 times in 0 posts

Quote:
Originally Posted by nosmo
ok, I was warned by someone via email my site had been exploited. Boooo.
flat4lv.com

I should know more about this, but I don't.

Anyway,
1. deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread https://vborg.vbsupport.ru/showthrea...=301892&page=3 but I don't have an iframe, but do have a link on the bottom of my page. "something you've never seen"
5. Installed Check 4 Hack (https://vborg.vbsupport.ru/showthread.php?t=265866) > Set up e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.

Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?

Thanks in advance for any advice.
This is a great post at vb.com

http://www.vbulletin.com/forum/forum...35#post3993335
#33
09-07-2013, 05:42 PM
induslady

Join Date: Jul 2006
Posts: 224
Thanked: 0 times
Was thanked: 0 times in 0 posts

Hello,

I came to know of this exploit and it looks like we too had this attack; we did the below:

1. Deleted install folder
2. Deleted suspicious admin user accounts
3. Referred to thread https://vborg.vbsupport.ru/showthread.php?t=301892; as mentioned there, I didn't have any iframe injection, but there was a line added in the "header" template of one of our custom styles that reads "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked", and the suspicious lines were removed.

Also we noticed that a few templates in the custom style have an edit history that says "Edited by .." with the suspicious admin accounts, with time stamps in the past (year 2010).

Are there any other precautions that need to be taken? Am I currently still exploited? What other security measures do I need to take to protect my forums?
#34
09-08-2013, 12:21 PM
Toorak Times

Join Date: Jan 2011
Posts: 436
Thanked: 0 times
Was thanked: 0 times in 0 posts

I have deleted my install directory and have been hit twice in 24 hours
#35
09-08-2013, 12:23 PM
ozzy47

Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanked: 0 times
Was thanked: 0 times in 0 posts

Quote:
Originally Posted by Toorak Times
I have deleted my install directory and have been hit twice in 24 hours
Wait, the same user is still getting in after the install directory has been deleted?
#36
09-08-2013, 12:39 PM
KissOfDeath

Join Date: Dec 2008
Posts: 158
Thanked: 0 times
Was thanked: 0 times in 0 posts

Quote:
Originally Posted by Toorak Times
I have deleted my install directory and have been hit twice in 24 hours
I had the same thing. From the logs I saw that he created a plugin then removed it, and then created a user and removed that too:

Code:
102106	N/A	18:13, 30th Aug 2013	user.php	kill	user id = 333162	198.203.28.247
102105	N/A	18:13, 30th Aug 2013	user.php	remove	user id = 333162	198.203.28.247
102104	N/A	18:13, 30th Aug 2013	user.php	edit	user id = 333162	198.203.28.247
102103	N/A	18:13, 30th Aug 2013	user.php	find		198.203.28.247
102102	N/A	18:13, 30th Aug 2013	user.php	modify		198.203.28.247
102101	N/A	18:13, 30th Aug 2013	plugin.php			198.203.28.247
102100	N/A	18:13, 30th Aug 2013	plugin.php	kill	plugin id = 8305	198.203.28.247
102099	N/A	18:13, 30th Aug 2013	plugin.php	delete	plugin id = 8305	198.203.28.247
102098	N/A	18:13, 30th Aug 2013	plugin.php	modify		198.203.28.247
102097	N/A	18:05, 30th Aug 2013	plugin.php			198.203.28.247
102096	N/A	18:05, 30th Aug 2013	plugin.php	doimport		198.203.28.247
102095	N/A	18:04, 30th Aug 2013	plugin.php	files		198.203.28.247
What they're doing is creating a backdoor to come back in later.

When I saw this I deleted the install folder as advised and restored my database to the 29th of August; as this had been done on the 30th, I figured that it would undo any database or template alterations.

Wrong. The next day the same user was back with admin access. I removed him again, checked the admin logs and nothing had been done, so I left it at that and just observed the site. The next day my templates had all been reverted to the originals, so someone had accessed the admin CP again......

So then I figured it must be a file uploaded on the server, because from what I've seen, the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day as the plugin above was installed, so I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.

I've changed admin, cPanel & FTP passwords, so I'll see where it goes from here; just removing the install folder is not enough.

Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt. I guess there must be more files as well, but this is all I could find on Google.
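The Control Panel log excerpt above is the kind of record a forum owner has to read by hand. As an added example (not from this thread and not vBulletin code), the Python script below parses an export in that tab-separated layout and flags two things the post describes: an object imported and then killed by the same source IP within minutes (the install-use-delete pattern), and entries whose acting admin account no longer exists. The sample lines are constructed, using documentation-range IP addresses; which action names count as "install" is an assumption, while "kill" is the final delete step as the excerpt itself shows.

```python
"""Triage of a vBulletin Control Panel log (AdminCP > Statistics & Logs > Control Panel Log).

Added example for this thread, not vBulletin code. Input is the tab-separated layout quoted
above: log id, admin username (N/A = the account no longer exists), timestamp, script,
action, extra info, source IP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the excerpt's sequence with a documentation-range IP (198.51.100.7),
# plus one routine entry by a surviving admin from another address for contrast.
SAMPLE_LOG = """\
102106\tN/A\t18:13, 30th Aug 2013\tuser.php\tkill\tuser id = 333162\t198.51.100.7
102105\tN/A\t18:13, 30th Aug 2013\tuser.php\tremove\tuser id = 333162\t198.51.100.7
102104\tN/A\t18:13, 30th Aug 2013\tuser.php\tedit\tuser id = 333162\t198.51.100.7
102103\tN/A\t18:13, 30th Aug 2013\tuser.php\tfind\t\t198.51.100.7
102102\tN/A\t18:13, 30th Aug 2013\tuser.php\tmodify\t\t198.51.100.7
102101\tN/A\t18:13, 30th Aug 2013\tplugin.php\t\t\t198.51.100.7
102100\tN/A\t18:13, 30th Aug 2013\tplugin.php\tkill\tplugin id = 8305\t198.51.100.7
102099\tN/A\t18:13, 30th Aug 2013\tplugin.php\tdelete\tplugin id = 8305\t198.51.100.7
102098\tN/A\t18:13, 30th Aug 2013\tplugin.php\tmodify\t\t198.51.100.7
102097\tN/A\t18:05, 30th Aug 2013\tplugin.php\t\t\t198.51.100.7
102096\tN/A\t18:05, 30th Aug 2013\tplugin.php\tdoimport\t\t198.51.100.7
102095\tN/A\t18:04, 30th Aug 2013\tplugin.php\tfiles\t\t198.51.100.7
102090\tadmin\t09:30, 29th Aug 2013\tplugin.php\tmodify\t\t203.0.113.5
"""

INSTALL_ACTIONS = {"doimport", "insert", "update"}  # assumption: actions that create or change an object
DESTROY_ACTIONS = {"kill"}                           # final delete after the delete/remove confirmation page

_TS = re.compile(r"(\d{1,2}:\d{2}), (\d{1,2})(?:st|nd|rd|th) ([A-Za-z]{3}) (\d{4})")


def parse_timestamp(text):
    """'18:13, 30th Aug 2013' -> datetime(2013, 8, 30, 18, 13)."""
    m = _TS.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    return datetime.strptime(" ".join(m.groups()), "%H:%M %d %b %Y")


def parse_log(text):
    """Parse the export into dicts, oldest event first (the export itself is newest-first)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError("expected 7 tab-separated fields: %r" % line)
        log_id, admin, ts, script, action, extra, ip = fields
        events.append({"id": int(log_id), "admin": admin, "time": parse_timestamp(ts),
                       "script": script, "action": action, "extra": extra, "ip": ip})
    events.sort(key=lambda e: (e["time"], e["id"]))
    return events


def short_lived_objects(events, window=timedelta(minutes=30)):
    """Install followed by a kill on the same script from the same IP inside `window`.
    Returns (ip, script, install_action, destroy_action, minutes_between) per hit."""
    findings = []
    installs = defaultdict(list)            # (ip, script) -> earlier install events
    for e in events:
        key = (e["ip"], e["script"])
        if e["action"] in INSTALL_ACTIONS:
            installs[key].append(e)
        elif e["action"] in DESTROY_ACTIONS:
            for inst in installs[key]:
                gap = e["time"] - inst["time"]
                if timedelta(0) <= gap <= window:
                    findings.append((e["ip"], e["script"], inst["action"], e["action"],
                                     int(gap.total_seconds() // 60)))
                    break
    return findings


def orphaned_admin_events(events):
    """Entries whose acting admin is N/A: the account has since been deleted, which is what
    remains in the log after a rogue admin account is removed (by the intruder or by you)."""
    return [e for e in events if e["admin"] == "N/A"]


def ips_by_admin(events):
    """Source IPs per admin username, to compare against the addresses your staff use."""
    seen = defaultdict(set)
    for e in events:
        seen[e["admin"]].add(e["ip"])
    return {admin: sorted(ips) for admin, ips in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in short_lived_objects(evs):
        print("short-lived object: %s %s %s->%s in %d min" % f)
    print("entries by deleted admin accounts: %d" % len(orphaned_admin_events(evs)))
    for admin, ips in ips_by_admin(evs).items():
        print("admin %-6s from %s" % (admin, ", ".join(ips)))
```

On the sample the script reports one short-lived plugin (imported at 18:05, killed at 18:13) and twelve entries by an admin account that no longer exists; the surviving `admin` account's IP list is what you would compare against your own staff's addresses. Widen `window` if the log shows the intruder leaving the plugin in place for longer between visits.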
#37
09-08-2013, 12:54 PM
ozzy47

Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanked: 0 times
Was thanked: 0 times in 0 posts

Did you try the following?

Run Suspect File Versions: AdminCP > Maintenance > Diagnostics > Suspect File Versions > Click Submit > Review the files listed, research and delete all files you suspect are malicious. Also check your .htaccess file and config.php file for modified code; the Suspect File Versions script does not check config.php or .htaccess.
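The two posts above leave a gap between what Suspect File Versions covers and what the intruder actually left behind: KissOfDeath found a PHP file in the avatars folder by comparing file dates, and ozzy47 notes that config.php and .htaccess are not checked. As an added example (not vBulletin code and not the Suspect File Versions tool), the Python checker below records sha256 hashes of a clean copy as a baseline and then flags hash mismatches, files absent from the baseline, PHP files under upload directories, files missing entirely, and files modified after a cut-off date. The upload directory names, the baseline format, the demo tree and the `clock.php` placeholder (named after the file reported above, with no payload) are all constructed assumptions.

```python
"""Post-compromise file checks for a vBulletin web root.

Added example for this thread, not vBulletin code and not its Suspect File Versions tool.
Assumptions: the upload directory names below, the baseline format (relative path -> sha256)
and the constructed demo tree.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

UPLOAD_DIRS = {"customavatars", "customprofilepics", "customgroupicons", "attachments"}  # assumption
EXEC_SUFFIXES = (".php", ".phtml", ".php5", ".phar")   # nothing under an upload dir should be executable


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative_posix_path, absolute_path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Hash every file under a known-clean copy (fresh download or pre-incident backup)."""
    return {rel: sha256_of(full) for rel, full in _walk(root)}


def scan(root, baseline, modified_after=None):
    """Return sorted (finding, relative_path) pairs for the live web root."""
    findings = []
    seen = set()
    for rel, full in _walk(root):
        seen.add(rel)
        parts = rel.split("/")
        dirs, name = parts[:-1], parts[-1]
        if any(d in UPLOAD_DIRS for d in dirs) and name.lower().endswith(EXEC_SUFFIXES):
            findings.append(("php_in_upload_dir", rel))
        if rel not in baseline:
            findings.append(("not_in_baseline", rel))      # config.php and .htaccess are covered too
        elif baseline[rel] != sha256_of(full):
            findings.append(("hash_mismatch", rel))
        if modified_after is not None:
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime > modified_after:
                findings.append(("modified_after_cutoff", rel))
    for rel in baseline:
        if rel not in seen:
            findings.append(("missing", rel))              # deleted file, e.g. a removed script
    return sorted(findings)


def _write(root, rel, body):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(body)


def demo():
    """Constructed tree: baseline a clean copy, plant the two changes the thread describes
    (a PHP file in the avatars folder, an edited .htaccess), then rescan."""
    root = tempfile.mkdtemp(prefix="vb_root_")
    try:
        clean = {
            "includes/config.php": "<?php $config['Database']['dbname'] = 'forum';\n",
            ".htaccess": "RewriteEngine On\n",
            "images/customavatars/avatar1.gif": "GIF89a",
        }
        for rel, body in clean.items():
            _write(root, rel, body)
        baseline = build_baseline(root)
        _write(root, "images/customavatars/clock.php",
               "<?php /* constructed placeholder, no payload */\n")
        _write(root, ".htaccess", "RewriteEngine On\n# edited after the baseline was taken\n")
        return scan(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, path in demo():
        print("%-22s %s" % (kind, path))
```

In practice you would run `build_baseline` against a fresh copy of the same vBulletin version plus your own known-good config.php and .htaccess, keep that manifest off the server, and run `scan` against the live tree after each clean-up; passing `modified_after` set to the day before the suspicious account registered reproduces the file-date check from the post above without relying on the intruder having left timestamps untouched.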
#38
09-08-2013, 01:02 PM
KissOfDeath

Join Date: Dec 2008
Posts: 158
Thanked: 0 times
Was thanked: 0 times in 0 posts

Quote:
Originally Posted by ozzy47
Did you try the following?

Run Suspect File Versions: AdminCP > Maintenance > Diagnostics > Suspect File Versions > Click Submit > Review the files listed, research and delete all files you suspect are malicious. Also check your .htaccess file and config.php file for modified code; the Suspect File Versions script does not check config.php or .htaccess.
Yes, did both the first time round; also, if it had been modified the file dates would be different.
#39
09-08-2013, 01:04 PM
ozzy47

Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanked: 0 times
Was thanked: 0 times in 0 posts

OK cool, here is an interesting article TheLastSuperman wrote; it may help: http://www.vbulletin.com/forum/blogs...vbulletin-site
Thanks from:
Toorak Times
#40
09-08-2013, 01:09 PM
KissOfDeath

Join Date: Dec 2008
Posts: 158
Thanked: 0 times
Was thanked: 0 times in 0 posts

If you look at the options they have once they have installed the plugin, you can see how much they can do.
