The Arcive of Official vBulletin Modifications Site.

JacquiiDesigns · #1 02-03-2014, 10:32 PM

While investigating an issue with my mail server, I've found something quite curious and a bit upsetting in the Mail Queue Manager in WHM ... It looks like there's some spam being generated from the ******** account via the vBulletin PHP mail form:

Here's the Extended Header code:

Quote:

Date:
Tue, 21 Jan 2014 11:26:23 -0500
From:
********
Subject:
Spend $12 and earn up to $4000 a week... GUARANTEED!!
Auto-Submitted:
auto-generated
Content-Transfer-Encoding:
8bit
Content-Type:
text/plain; charset="ISO-8859-1"
Message-ID:
<20140121162553.c0c0dea600f4@www.********.com>
MIME-Version:
1.0
Received:
from nobody by vps.********.com with local (Exim 4.80)
(envelope-from <nobody@vps.********.com>)
id 1W5e9f-0008Ju-0p; Tue, 21 Jan 2014 11:26:23 -0500
Return-Path:
********
T To:
sord1992@gmail.com, sordinska@gmail.com, sorinsas60@gmail.com, sornpong24@gmail.com, sorokamail@mail.ru, sorrell116@bellsouth.net, sorrell116@yahoo.com, sory_mal@yahoo.com, soshanya@gmail.com, sosna345@gmail.com, soso09@ediffmail.com, sosumi02@gmail.com, soswalker@gmail.com, soubanpk@hotmail.com, sougatadas56@gmail.com, souhail40@gmail.com, souissihoucine12@yahoo.fr, soul_lich10@yahoo.com, SOUL010683@HOTMAIL.COM, soul100@hotmail.co.uk, soule990@aol.com, soulhealer12@hotmail.com, soulplayca@gmail.com, soulsanogo2007@yahoo.fr, soulsearch3r@gmail.com, ----SNIP - there are what appears to be hundreds more email address listed here...
X-Mailer:
vBulletin Mail via PHP
X-Priority:
3

-------------------
-------------------
vBulletin does not automatically generate such code. This seems malicious and should NOT be happening.

My server admin has told me the following:

Quote:

This indicates that there may have been a vBulletin webmaster account compromise. The last occurrence appears to be from Jan. 21. Unfortunately, the DSO PHP handler do not have logs so we cannot determine what component of vBulletin is at fault.

Any additional ideas on what could cause this and how to fix the issue so it never occurs again will be very much appreciated!

J.

ozzy47 · #2 02-03-2014, 10:39 PM

1) Don't allow guestst to email users.

2) ACP--> Settings --> Options --> Site Name / URL / Contact Details, find the setting, Allow Unregistered Users to use 'Contact Us' ans set it to "No"

3) Your forum might have been compromised. Run the Suspect File Versions tool and look for anything suspicious, most notably, anything that says File does not contain expected contents. If there's anything that says File not recognized as part of vBulletin, that's normal, as it's from modifications you have. Just make sure all those modifications are modifications you installed yourself.

Max Taxable · #3 02-03-2014, 10:42 PM

Excuse me for asking also but, didn't you just publish the email addresses of some of your users in a open forum?

ozzy47 · #4 02-03-2014, 10:45 PM

Ohhh, and you may want to run this query to get rid of any more emails:

Code:

TRUNCATE TABLE mailqueue;

If you are using a table prefix, be sure to add it before mailqueue.

ForceHSS · #5 02-03-2014, 10:50 PM

If you think you have been hacked then follow this. But you would be best to follow post 2 as it looks like that is your problem

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

JacquiiDesigns · #6 02-04-2014, 07:47 PM

Thanks so much for the tips Chris and ForceHSS. Much appreciation!

Quote:

Originally Posted by Max Taxable

Excuse me for asking also but, didn't you just publish the email addresses of some of your users in a open forum?

No I didn't. I would never do such a thing.

For clarification: The spam email had NOT been sent to forum members, but rather to email addresses that appear to be compiled from a generic mail list. The email address listed in the op is part of that generic mail list.

Thanks again guys. Off to do more troubleshooting.

J.

ozzy47 · #7 02-04-2014, 07:50 PM

Please report back any findings, so we can see what's going on.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04444 seconds Memory Usage 2,252KB Queries Executed 12 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (7)post_thanks_box (1)post_thanks_box_bit (7)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit (7)post_thanks_postbit_info (7)postbit (1)postbit_attachment (7)postbit_onlinestatus (7)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_attachment postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

Благодарность от:
Max Taxable

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!