Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
Reload this Page my vB forums have been hacked - help
FAQ Community Calendar Today's Posts Search

Reply
Page 1 of 2 1 2
 
Thread Tools Display Modes
  #1  
Old 03-19-2007, 08:01 PM
blakespot blakespot is offline
 
Join Date: Jan 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default my vB forums have been hacked - help
I am running vB 3.5.2 on Linux (with a patch from 3.5.3 I believe). Yes, I need to upgrade.

Was hacked: -removed-

Can you make suggestions to start? Thanks. No new users listed in the administrator with admin rights, but there is a suspicious high-ID entry in table VBADMINISTRATOR.




blakespot

Look at source for page now - last line:

Code:
			<table cellpadding="0" cellspacing="0" border="0">
			<tr valign="bottom">
				<td><a href="#" onclick="history.back(1); return false;"><img src="iSkin/misc/navbits_start.gif" alt="Go Back" border="0" /></a></td>
				<td>&nbsp;</td>
				<td width="100%"><span class="navbar"><a href="index.php?" accesskey="1">iPod Hacks Forums</a></span> 
	<span class="navbar">&gt; <a href="forumdisplay.php?f=1"><meta http-equiv='refresh' content='0; url=http://www.enyenimix.com/hacked.html'></a></span>
Where is that loaded from?



blakespot
Reply With Quote
  #2  
Old 03-19-2007, 08:11 PM
nexialys
Guest
  
Posts: n/a
Default
someone edited your forum title and replaced the text with a redirect...

that's the one thing you have to edit.. the forumid #10.. change its title.
Reply With Quote
  #3  
Old 03-19-2007, 08:32 PM
blakespot blakespot is offline
 
Join Date: Jan 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by nexialys View Post
someone edited your forum title and replaced the text with a redirect...

that's the one thing you have to edit.. the forumid #10.. change its title.
Ya I found that a few mins ago. But how did they do it? Did someone feed a URL to the system that exploited a hole? I have 2 moderators but I don't think they have forum name change rights. No other admins. No way someone just guessed my password.

Thoughts? Thanks.




blakespot
Reply With Quote
  #4  
Old 03-19-2007, 08:42 PM
nexialys
Guest
  
Posts: n/a
Default
this is what we call an exploit...
Reply With Quote
  #5  
Old 03-19-2007, 08:42 PM
blakespot blakespot is offline
 
Join Date: Jan 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Also, I changed them back in the VBFORUM table, but the page still renders with the redirrects as the forum titles?! Is there some cache mechanism I must flush? Thanks.

blakespot
Reply With Quote
  #6  
Old 03-19-2007, 08:50 PM
nexialys
Guest
  
Posts: n/a
Default
you have to edit it from the admincp, not the database... and to be sure, post a new thread in that forum so the cache is updated there too..
Reply With Quote
  #7  
Old 03-19-2007, 08:59 PM
blakespot blakespot is offline
 
Join Date: Jan 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I can't edit it from the adminCP - the frame redirects to the hack site, as it renders the title as HTML, forcing a redirect... Can I not flush the cache another way? I've changed the names in the DB. Thanks.

Will but and upgrade to latest tonight... If I can get this clean first.

blakespot
Reply With Quote
  #8  
Old 03-19-2007, 09:08 PM
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
Posts: 2,528
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I would be more worried about how they edited the forum title in the first place...

Go into your database and remove the redirect, and then go into ACP > Maintenance > Update Counters > Rebuild Forum Information.
Reply With Quote
  #9  
Old 03-19-2007, 09:22 PM
blakespot blakespot is offline
 
Join Date: Jan 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Thanks - I'll update tonight.

blakespot
Reply With Quote
  #10  
Old 03-21-2007, 01:57 PM
blakespot blakespot is offline
 
Join Date: Jan 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Upgraded to 3.6.5. Hopefully that exploit was addressed. I see reports of a Calendar vulnerability of that sort, but can't find reference to a forum-title vulnerability...

blakespot
Reply With Quote
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 04:56 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04525 seconds
  • Memory Usage 2,238KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (7)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete