Forum hacked because of /install/upgrade.php delete it

[NeDra]

v4.21 forum got hacked 3 times from raw forum no modification, no addon, fresh, clean DB...

I than look at the log it and pointed toward
/install/upgrade.php

I got curious and went to check how they could manage such a thing...
and to my surprise...

The page ask for the customer number... that fine...
View source code on that page

Code:

            <!--
                var IMGDIR_MISC = "../cpstyles/vBulletin_3_Silver";
                var CLEARGIFURL = "./clear.gif";
                var CUSTNUMBER = "XXXXXXXXXXXXXXXXXXXXX";
                var VERSION = "";
                var SCRIPTINFO = {
                    version: "",
                    startat: "",
                    step   : "",
                    only   : ""
                };
                var ADMINDIR = "../cp_admin";

The CUSTNUMBER is the MD5(customerNumber)
And guess what, It can be reversed in 5 minutes from what I've seen.
Customer number are what, 12 symbols A-Z0-9
I guess there even DB that contain all possible MD5 with those values.

So they get my customer number and execute the upgrade script and create a new account from the upgrade script...

Why did you even bothered giving them the MD5 of the answer and the link to the admin control pannel?

So yes, delete your install folder entirely or move it outside of your forum asap.

[ozzy47]

That was announced on the 27th of August.

Please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

[NeDra]

Why weren't we contacted by mail for such thing...

The only thing I've received was v4.22 recently which claim some exploit related to forumrunner xss or something which I've ignored and deleted forumrunner entirely.

The only one reading the exploit announcement are those after they get hacked or those that want to hack forum... Guess it only those that upgraded to v5 that got the email and everyone else was left in the dark.

[ozzy47]

It was in your ACP in the News section. I would also subscribe to this forum, http://www.vbulletin.com/forum/forum...nouncements_aa

That way you will get a email every time there is a announcement.

You could also install this mod, AdminCP News as Posts or PMs by BOP5 (Get your Admin CP News PMed to you!)

--------------- Added [DATE]1381969364[/DATE] at [TIME]1381969364[/TIME] ---------------

Also there was a email sent, September third:

Code:

vBulletin Security eBulletin
http://www.vbulletin.com/
September 3rd, 2013

* vBulletin 4.1.x & 5.0.x Security Issue
* Your License Information
* Contact Us

------ vBulletin 4.1.x & 5.0.x Security Issue ------

A potential exploit vector has been found in the vBulletin 4.1+ and 5.0+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, you should delete the install directory for your installation. This folder is not required for normal operation of vBulletin.

The directories that should be deleted are:

4.x - /install/

5.x - /core/install

On vB5, make sure you delete only the install folder, not the core folder.
After deleting these directories your sites can not be affected by the issues we?re currently investigating.

vBulletin 3.x would not be affected by these issues. However if you want the best security precautions, you should delete your install directory as well.

The Support forum thread on this topic can be found here - http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5


---------------- YOUR LICENSE INFORMATION ----------------

You can use this information to log into the customers area to download vBulletin, ImpEx and other vBulletin-related support materials:

Your Customer Email: XXXXXX@.com

Your Customer Number: XXXXXXXXXXXXXX

If you have misplaced your customer password, you can request that it be re-sent to your registered email address using the following form:
http://www.vbulletin.com/go/lostpw

The customers area is located here:
http://members.vbulletin.com/


-------------------- CONTACT US --------------------------

Please do not respond to this email directly. We will not receive your response. Please use the links below.

Got a vBulletin technical query? Contact support:
http://www.vbulletin.com/go/techsupport

For all other queries, please visit this page:
http://www.vbulletin.com/contact.php

----------------------------------------------------------

Security bulletins and periodic email newsletters are delivered to all current vBulletin customers, and contain information about new software versions and vBulletin.com web site features and content. If you have any questions or comments about this mailing, please contact us via the links above. You can unsubscribe from newsletters in the customer area at the bottom of the page: http://members.vbulletin.com 

This email was sent to: User, XXXXX@.com

Copyright ?2000-2013, vBulletin Solutions Inc.

[joeychgo]

Quote:

Originally Posted by NeDra

Why weren't we contacted by mail for such thing...

The only thing I've received was v4.22 recently which claim some exploit related to forumrunner xss or something which I've ignored and deleted forumrunner entirely.

The only one reading the exploit announcement are those after they get hacked or those that want to hack forum... Guess it only those that upgraded to v5 that got the email and everyone else was left in the dark.

It was emailed... It was also in your ACP as a notice. Its also been all over the web on various forums and blogs.

Guess only people that paid attention noticed it.

[XGC Paravain]

Just looking back I got that email on Sep. 4th, also remember the notice in the admincp but really red flags come up for me when I had all kinds of Guests login into the admin panel I also had some random account named admin2 registered and in the administrator usergroup!!

[NeDra]

Quote:

Originally Posted by XGC Paravain

Just looking back I got that email on Sep. 4th, also remember the notice in the admincp but really red flags come up for me when I had all kinds of Guests login into the admin panel I also had some random account named admin2 registered and in the administrator usergroup!!

Hum... amazing... I also received the e-mail on Sept 3rd...
vBulletin Security eBulletin: Potential Exploit of vB4.1.x & 5.0.x

Guess they meant vB4.1.x and higher... because vB4.2 was also affected...
They should of simply claimed vB4.x

I figured if you keep your version to the last version you're safe, I didn't bothered reading the news...

Well they did contacted me... so it's partially my fault...

[ozzy47]

Yeah this stuff happens, it is best to read through their emails completely, and even if it is not for your version number, it is sometimes best to follow it anyway.