Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 04-14-2011, 07:34 PM
Erika Erika is offline
 
Join Date: Jan 2007
Location: Maryland
Posts: 46
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Spammers using Moderators/Administrator accounts to Edit Old Posts

Hi -

I was wondering if anyone else has ever had this problem. Today I logged onto my site to find that one of my moderator and one of administrators accounts had been hacked. Over 2,000 older posts on my site made by these 2 staff members had been edited to insert spam links that appear under their original post like this:

________
Body Science

Does anyone know where I can begin to correct this problem? I've told everyone on staff they should change their passwords immediately, but other than that, I've got no idea where to begin??? I'm running VB 3.7.4

In addition, it looks as though some of these edits do appear in the moderator logs, but only a very few of them. I've banned all the IP addresses that made the changes from the few mod log entries that I can see. All of the IP's look like proxies.

Any suggestions?
Reply With Quote
  #2  
Old 04-14-2011, 07:54 PM
borbole's Avatar
borbole borbole is offline
 
Join Date: Jan 2010
Posts: 2,559
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Erika View Post
Hi -

I was wondering if anyone else has ever had this problem. Today I logged onto my site to find that one of my moderator and one of administrators accounts had been hacked. Over 2,000 older posts on my site made by these 2 staff members had been edited to insert spam links that appear under their original post like this:

________
Body Science

Does anyone know where I can begin to correct this problem? I've told everyone on staff they should change their passwords immediately, but other than that, I've got no idea where to begin??? I'm running VB 3.7.4

In addition, it looks as though some of these edits do appear in the moderator logs, but only a very few of them. I've banned all the IP addresses that made the changes from the few mod log entries that I can see. All of the IP's look like proxies.

Any suggestions?
Contact your host to check their logs and see how they were able to hack into the admin accounts. Check your server space for any suspicious file/s. Then upgrade your forum to the latest version of your branch.
Reply With Quote
  #3  
Old 04-14-2011, 08:32 PM
Alfa1's Avatar
Alfa1 Alfa1 is offline
 
Join Date: Dec 2005
Location: Netherlands
Posts: 3,537
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Likely its the security issue that was discovered in 3.8.5 and below. Upgrade to the latest version.
The issue allowed people to registered duplicate staff accounts.
Reply With Quote
  #4  
Old 05-17-2011, 01:56 PM
Wreck713 Wreck713 is offline
 
Join Date: Feb 2009
Posts: 43
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I got this issue too. total suckage. Is there anyway to see all external links coming from your site ....... as its hard to clean this up properly ?
Reply With Quote
  #5  
Old 06-02-2011, 04:42 AM
RyanC RyanC is offline
 
Join Date: Jan 2005
Posts: 77
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I got it as well...
Reply With Quote
  #6  
Old 08-07-2011, 06:02 PM
Wreck713 Wreck713 is offline
 
Join Date: Feb 2009
Posts: 43
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What measures did you all take to fix?

I was told this ... To fix the exploit you go into "Vbulletin Options > Registration Options > Username Regular Expression > input "^[A-Z0-9 ]+$"

and then added this in illegal usernames

@ ~ ` # $ % ^ ( ) + = { [ ] } | \ / ? < > , ; : " '

I'm hoping that fixes the exploit.
Reply With Quote
  #7  
Old 08-08-2011, 05:19 PM
Alfa1's Avatar
Alfa1 Alfa1 is offline
 
Join Date: Dec 2005
Location: Netherlands
Posts: 3,537
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Also add the usernames of all your staff members to the illegal usernames.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:02 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04004 seconds
  • Memory Usage 2,213KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete