Security concerns

[VBall]

Hi All,

I'm running a 3.8.1 forum and recently we've had a couple of intrusions where .js files were modified in the clientscript folder. I was able to remove those but some users have reported that they still getting virus warnings occasionally.

Can anyone help me understand how someone may be able to modify the files in the clientscript folder? I don't believe they've gain access to the server directly. Could there be malicious code in our database? if so, which tables/fields should I know? Is there a query I can use to find them?

Thanks.

[borbole]

Ask your host to check the access/ftp logs for around the time of the hack to see what exactly went down. You are running a very old version which has several known security issue. I think it would help to upgrade your forum to the latest version of the 3.8x series.

[vijayninel]

Quote:

Originally Posted by borbole

I think it would help to upgrade your forum to the latest version of the 3.8x series.

I agree with this. There have been a lot of security patches since 3.8.1. Not having them will leave your forum vulnerable.

[Eric]

Ineed, if you are able to, upgrade to vB 3.8.7 - other than that, check the permissions on your clientscript folder - do you allow files to be written in /clientscript/vbulletin_css/ ?

[TheLastSuperman]

I know on one occasion, a client of mine was hacked... come to find out a plugin was created w/o them knowing so check your files for any changes via timestamps and also check your plugins, ensure that there are no spare "iffy" plugins active .

[VBall]

Quote:

Originally Posted by borbole

Ask your host to check the access/ftp logs for around the time of the hack to see what exactly went down. You are running a very old version which has several known security issue. I think it would help to upgrade your forum to the latest version of the 3.8x series.

We've checked the logs and didn't see anything related to the files. We have plans to upgrade to the latest version this weekend... hopefully that will help

--------------- Added [DATE]1314984001[/DATE] at [TIME]1314984001[/TIME] ---------------

Quote:

Originally Posted by Eric

Ineed, if you are able to, upgrade to vB 3.8.7 - other than that, check the permissions on your clientscript folder - do you allow files to be written in /clientscript/vbulletin_css/ ?

It is indeed open with 777 access. what should the vbulletin_css folder permissions be?

--------------- Added [DATE]1314984225[/DATE] at [TIME]1314984225[/TIME] ---------------

Quote:

Originally Posted by TheLastSuperman

I know on one occasion, a client of mine was hacked... come to find out a plugin was created w/o them knowing so check your files for any changes via timestamps and also check your plugins, ensure that there are no spare "iffy" plugins active .

The other admin handles the plugins and we may have a few that may be suspect... I'll have to check them out. Thanks

[TheLastSuperman]

Quote:

Originally Posted by VBall

It is indeed open with 777 access. what should the vbulletin_css folder permissions be?

755

[VBall]

Quote:

Originally Posted by TheLastSuperman

755

Thank you! I've changed it to 755 now. Do you guys think this could of allowed access into the clientscript folder for modification? I thought permissions can not go up the tree.

[nhawk]

Umm.. this might be a dumb question but..

If you've changed the CSS to be stored on disk, doesn't that folder need to be 777? I think 755 will give a write access error.