vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions

#1  12-24-2008, 04:26 PM
Joe Hinkle (Join Date: May 2007; Posts: 3; Thanked: 0 times; Thanked 0 times in 0 posts)
Possible Security Issue

I purchased vBulletin several years ago.

Currently using Version 3.6.7.

I have not upgraded because I use it for a Tech Support BB and thought all would be well.

I just upgraded to Kaspersky 9.0 and it reports that access to my vBulletin contains a link to 78.110.75.21, which has been identified as a site that steals passwords, credit card numbers, etc.

I ran some software that captures all network traffic and monitored communication with my site and vBulletin. In the middle of the page load there was a lot of data transferred to THAT IP address.

I called the people who host my site and asked if THEY were injecting this detour or communication. Their reply was NO. They said that they have seen hackers inject java scripts into BB to accomplish things like this.

So ... Now I am asking the folks at VBulletin if this is YOUR communication or is it a real security issue?

Will an upgrade to the latest release address this?

Thanks in advance for your reply.
#2  12-24-2008, 04:35 PM
pein87 (Join Date: Sep 2008; Posts: 352; Thanked: 0 times; Thanked 0 times in 0 posts)

Not a pro vB coder, but in my opinion you need to actually visit that IP to check if it's a site or just someone's server IP. vBulletin doesn't streamline things from your site; they only have a callback function that lets them verify whether there's a real licence there and who it's registered to. I would upgrade, but most of your mods won't work if you upgrade to 3.7.4, seeing it's the most secure stable release out right now. Have you checked the IP? You can paste it in the browser and view it that way, if that helps.
#3  12-24-2008, 04:38 PM
Joe Hinkle (Join Date: May 2007; Posts: 3; Thanked: 0 times; Thanked 0 times in 0 posts)

You get a "Fail to Connect".

My question is Why/How is this redirect taking place and can it be terminated?
#4  12-24-2008, 04:40 PM
Medtech (Join Date: Oct 2007; Posts: 310; Thanked: 0 times; Thanked 0 times in 0 posts)

You can always ban that IP from your server. I would run Suspect File Versions and see if anything strange shows up.
#5  12-24-2008, 04:44 PM
pein87 (Join Date: Sep 2008; Posts: 352; Thanked: 0 times; Thanked 0 times in 0 posts)

You can, but you'll have to find where the leak is. It's probably someone using some JavaScript to access the site and then having that info stored by PHP or Perl into a database. My suggestion is to upgrade to a version that's CSRF and XSS protected. I would say 3.7.4 SP1, since the newest 3.6 doesn't have the hole fixed.

--------------- Added at [timestamp 1230144309] ---------------

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 78.0.0.0 - 78.255.255.255
CIDR: 78.0.0.0/8
NetName: 78-RIPE
NetHandle: NET-78-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2006-08-29
Updated: 2006-09-07

# ARIN WHOIS database, last updated 2008-12-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

There's the IP's info.

--------------- Added at [timestamp 1230144367] ---------------

Might be a proxy or shell account; it could be hard to know if that's the only IP being used.

--------------- Added at [timestamp 1230144505] ---------------

Here's a link to more IP info.

http://www.geoiptool.com/en/?IP=78.110.75.21
#6  12-26-2008, 01:06 AM
Joe Hinkle (Join Date: May 2007; Posts: 3; Thanked: 0 times; Thanked 0 times in 0 posts)

I have upgraded to 3.7.4.

Issue still exists.

It occurs AFTER users or Admin have logged on - so logon name and password may be compromised.

Any suggestions on debugging and killing this thing?
#7  12-26-2008, 04:57 AM
Dismounted (Join Date: Jun 2005; Location: Melbourne, Australia; Posts: 15,047; Thanked: 0 times; Thanked 0 times in 0 posts)

Admin CP > Maintenance > Diagnostics > Suspect File Versions

See if anything comes up there.
#8  12-26-2008, 09:04 AM
Marco van Herwaarden (Join Date: Jul 2004; Posts: 25,415; Thanked: 0 times; Thanked 0 times in 0 posts)

Also:
- Search your post table for this IP
- Search your files for this IP
- Search templates for this IP
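The three searches Marco lists (post table, files, templates), carried out as an added example that is not code from the thread or from vBulletin: a small POSIX shell script that greps the web root for the reported IP, reports which tables of a database dump contain it, and prints the queries for the live post, template and plugin tables. The table and column names (post.pagetext, template.template, plugin.phpcode) are assumed from the vBulletin 3 schema, and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: run the three searches Marco suggests
# (post table, files, templates) for the reported IP on a vBulletin 3 site.
# Table/column names are assumed from the vB3 schema; sample data is constructed.

IOC="78.110.75.21"   # the address Kaspersky flagged in the thread

# Files under $1 that contain $2. -F matches the IP literally, so the dots
# are not regex wildcards and "78x110x75x21" cannot match by accident.
find_ioc_files() {
    grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

# Tables in a mysqldump-style file ($1) whose INSERT rows contain $2, so the
# post and template tables can be searched offline from a backup.
find_ioc_tables() {
    grep -F -- "$2" "$1" | sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p' | sort -u
}

# Queries for the live database: the two tables Marco names, plus plugin,
# whose phpcode column vB 3.5+ executes on every request (assumed schema).
ioc_sql() {
    cat <<EOF
SELECT postid, threadid FROM post WHERE pagetext LIKE '%$1%';
SELECT templateid, title, styleid FROM template WHERE template LIKE '%$1%';
SELECT pluginid, title, hookname FROM plugin WHERE phpcode LIKE '%$1%';
EOF
}

# Demo on a constructed web root: one clean file and one carrying an injected
# script tag pointing at the IOC, the pattern the hoster described.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/includes"
    printf '<?php $clean = 1; ?>\n' > "$root/includes/functions.php"
    printf '<?php echo "<script src=\\"http://%s/a.js\\"></script>"; ?>\n' "$IOC" \
        > "$root/includes/class_core.php"
    echo "files referencing $IOC:"
    find_ioc_files "$root" "$IOC"
    ioc_sql "$IOC"
    rm -rf "$root"
}
demo
```

Run it from the web root's parent with the real directory and a fresh mysqldump; every hit is a place to inspect and clean, and a hit in plugin or template explains why the traffic only starts after login (those render on every authenticated page).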