#1
vB 3.8.7 PL 3 XSS Leak in Email Link to Friend?
I'm not sure if this is really the right forum for this. Please move if it's not "best fit".
This is on a fully patched 3.8.7 Patch Level 3 install. It IS an old forum which is highly modified - too many mods to list here. Someone has figured out how to use a phrase in one of my sites and cause spam emails to be sent. It uses the "Email Link to Friend" phrase and some of its variables. I *assume* it is a cross site XSS issue but I am not sure. I know this is happening because of Bounce messages I am getting.

1. I never did have the email to friend feature enabled for any user group and my tests show the people do get the error message if they try.
2. I "emptied" the sendtofriend template so now all a person gets is a message "'Send Link To Friend' DISABLED due to potential spam issues."
3. It is (now was) obviously using some of the "$vbphrase[sendtofriend]" phrase variables, so I emptied that out and put in my own message (without any variables) with an apology. Prior to doing that it gave a link to a web site using the "$vbphrase[sendtofriend]" phrase somehow, and used a couple "real" variables in that phrase. Now that I have completely eliminated the variables in the phrase and put in my own text (an apology and brief explanation of what I *think* is happening) the spam content they were sending doesn't show - only the text I put in shows in the emails which are sent.
4. No emails are going to forum members. They are somehow using a mailing list.
5. Somehow they are getting the email address set in the vB adminCP > Options > Site Name / URL / Contact Details as the "Sent By" - if I change that the spam email "From" address changes with it.
6. They are able to put in their own "Subject" in the spam emails being sent.
7. I have vBulletin set up to use php to send outgoing emails.

Has anyone heard of anything like this? And/or any ideas on how it is being done, not to mention how to stop it? What is surprising is that now that I can control the spam email contents, it seems to me they would stop, which they haven't.
#2
If they were able to change your phrases, then they have access to the server and were then using a script to do what they wanted (modified vbulletin file?). I would suggest checking your server access logs and contacting your host about this.
#3
They cannot change any phrases. I changed the "$vbphrase[sendtofriend]" phrase which changed their spam emails, or at least the body of the emails. See 3 above. They don't have access to the box (it's a dedicated server). I can tell by looking at the ssh and sftp logs. I haven't slogged through the access logs yet to see what's happening with http.
#4
As a follow-up, this turned out to be an XSS exploit from another site (a phishing site) which I fixed. I also got the site taken offline. There were some files in my includes directory with the wrong permissions set. I recently did a migration to a new server and some of the file permissions I had set didn't carry over.
#5
I'm glad you got the issue resolved!
#6
Actually it ended up being sort of fun once I realized what they were doing and how to stop it. It took them about 36 hours before they realized that I changed their spam email message body. That gave me time to watch the http log file and gather info on them before I changed permissions on the files which stopped them dead in their tracks. I also got their web site taken offline by submitting my info to the hosting company whose server they were on. The hosting company was using Amazonaws, but I won't mention the host company here for obvious reasons.
The spammers were rather upset (to say the least). I had gotten the Amazonaws people involved as well as the us-cert.gov people, and they were monitoring things when whoever it was tried to DoS the site. They failed to even slow the site down for more than 10 to 20 seconds at a time. They gave up after about an hour. Getting their site taken offline gave me a good feeling, so all ended well.
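The two things the poster describes doing in #4 and #6 (checking file permissions under includes/ after the migration, and watching the http log to see who was driving the Email-to-Friend feature) can be scripted. This is an added example, not code from the thread or from vBulletin; it assumes the vB3 endpoint is sendmessage.php?do=sendtofriend (check your own install) and builds a constructed fixture directory and access log so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not the poster's or vBulletin's code). Two defender-side checks:
#  1. audit a vBulletin includes/ tree for files that are group- or world-writable
#  2. rank clients in a combined-format access log by Email-to-Friend requests
# Assumption: the vB3 endpoint is sendmessage.php?do=sendtofriend.

# Print the number of regular files under DIR whose mode has a group-write or
# other-write bit set; each offender is listed on stderr with its octal mode.
count_loose_perms() {
    find "$1" -type f -perm /022 -printf 'LOOSE %m %p\n' >&2
    find "$1" -type f -perm /022 | wc -l | tr -d ' '
}

# Print the client IP (first field of each log line) with the most requests
# to the Email-to-Friend endpoint in the access log FILE.
top_sendtofriend_client() {
    grep -F 'sendmessage.php?do=sendtofriend' "$1" \
        | awk '{print $1}' | sort | uniq -c | sort -rn | head -n 1 \
        | awk '{print $2}'
}

# Build a constructed fixture: a fake includes/ tree (one file left 0666, as
# might happen after a migration) and a short constructed access log.
# Prints the fixture directory so the caller can clean it up.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/includes"
    printf '<?php\n' > "$d/includes/config.php";    chmod 644 "$d/includes/config.php"
    printf '<?php\n' > "$d/includes/functions.php"; chmod 666 "$d/includes/functions.php"
    cat > "$d/access.log" <<'EOF'
203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "POST /forum/sendmessage.php?do=sendtofriend HTTP/1.1" 200 512 "http://phish.example/" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2011:13:55:40 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:41 +0000] "POST /forum/sendmessage.php?do=sendtofriend HTTP/1.1" 200 512 "http://phish.example/" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2011:13:56:02 +0000] "POST /forum/sendmessage.php?do=sendtofriend HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    echo "$d"
}

# Stand-alone run against the fixture, then clean up.
fx=$(make_fixture)
echo "loose files under includes/: $(count_loose_perms "$fx/includes")"
echo "busiest Email-to-Friend client: $(top_sendtofriend_client "$fx/access.log")"
rm -rf "$fx"
```

Point the two functions at the real includes/ directory and access log to reproduce the poster's checks; the referer column in the log is where an off-site origin like the phishing page would show up.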
#7
Umm, is there a way to fix the problem? I am having the second XSS attack through the showthread.php page on my VB3.8 forum in 3 months. I am not sure if it's the same problem as this one but it may have some connection. The problem is, my webhost will suspend my account even if this is not my fault in any way (unless it's a crime to use VB software?).
#8
I can't remember exactly what I did now other than what I described herein. I do remember it had something to do with file permissions which had changed when the site was migrated to another server. I wish I could tell you more.
#9
That's too bad... I just received another XSS attack on showthread.php, it's getting serious. *sigh*
#10
showthread.php?
Exactly what is happening? Screen shot?