Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > Premium Archives > ibProArcade Archive
Reload this Page ibProArcade 2.7.2Hacked
FAQ Community Calendar Today's Posts Search

Reply
Page 1 of 2 1 2
 
Thread Tools
ibProArcade 2.7.2Hacked Details »»
ibProArcade 2.7.2Hacked
MOD Information
The Developer
 
Version: , by XGC Viper XI XGC Viper XI is offline
Developer Last Online: Jan 2020 Show Printable Version Email this Page
Version: Unknown Rating:
Released: 11-16-2014 Last Update: Never Installs: 0
 
No support by the author.

Recently ibProArcade 2.7.2+ was hacked where the hacker was able to insert the root file into the arcade/tar folder. This was confirmed with the webmaster once this was identified based on the file that was inserted. The only file that should be in that folder is the index.html.

As it has been a while since ibProArcade was updated, has there been any updates or fixes that addresses this issue?

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #2  
Old 11-16-2014, 06:28 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Then you need to report the modification from the modifications thread, so it will be handled correctly.
Reply With Quote
  #3  
Old 11-16-2014, 06:32 PM
blind-eddie's Avatar
blind-eddie blind-eddie is offline
 
Join Date: Apr 2006
Location: Michigan
Posts: 2,310
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
What was done to your site from being hacked and how was it confirmed the hacker entered through ibProArcade?
Reply With Quote
Благодарность от:
ozzy47
  #4  
Old 11-16-2014, 07:06 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
As far as I can see, the only place where the tar module is being used which uses the arcade/tar/ folder, is in the adminCP.

Either someone accessed your ACP through an other vulnerability or the hacker just uploaded a malicious file to that folder because it has public read/write access on it. (0777 chmodded)
Reply With Quote
Благодарность от:
ozzy47
  #5  
Old 11-16-2014, 07:09 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
That's what I kinda figured Dave, and I know you would be able to spot a vulnerability pretty quick.
Reply With Quote
  #6  
Old 11-17-2014, 06:00 AM
XGC Viper XI XGC Viper XI is offline
 
Join Date: Sep 2007
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
No, the arcade/tar folder is in the root based on the installation files and the folder has 755 permission to include the arcade folder. This was pin pointed by the webmaster who had been troubleshooting this issue before I made him aware of it where a file was inserted that began the root of the problem. The only part of our site that uses that folder structure is the ibProArcade.

After the site was hit with the root file, it pathed to change all the main files of vBulletin and almost all index.html page to insert code in to the files.
Reply With Quote
  #7  
Old 11-17-2014, 09:13 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
But that still does not prove it was the arcade mod that allowed them to do this.
Reply With Quote
  #8  
Old 11-19-2014, 10:13 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
  
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I was working on someones site last night, who had DB Tech's arcade installed... I only mention that mod because of what I'm about to tell you to check.

- Check the game folders, anywhere it stores the game itself, either the specific folder OR any /temp folders.

Why? Sometimes the games you install/import can have malware and malicious files.

How do I know? This is one of the few games I've ran into where the files would not transfer to my pc when running a backup so I knew something was up.

Is the game Bobsled GC installed?
I found this in a sub-folder:

/forums/dbtech/vbarcade/import/temp/bobsledGC/gamedata/

Now in any arcade if a game has a folder /gamedata/ it can be legit. However these are the files I noticed that seemed odd in that gamedata folder:

loader.swf
game.swf
game_7.swf
game_66.swf
comm.swf
shell.xml

Now normally a game.swf would be ok but as I noticed my pc did not even allow that one to come through - couple that with the fact there's variants and one that stood out more than others was shell and comm files. Needless to say these had to be removed using the root user as nothing we did from normal accounts allowed us to delete the files basically permission denied every time.

So like I said above, I only mention DB Tech arcade because of what I recently ran into last night with those iffy game files. The owner of the site logged in as root, delete those files and uninstalled the game from the arcade. What I'm trying to convey is that, the arcade COULD have an unknown exploit OR one of your games does - Be Careful where you download games from.
Reply With Quote
2 благодарности(ей) от:
blind-eddie, ozzy47
  #9  
Old 11-25-2014, 02:11 AM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
  
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by XGC Viper XI View Post
After the site was hit with the root file, it pathed to change all the main files of vBulletin and almost all index.html page to insert code in to the files.
I imagine this was base64_decode? If you found out anything else regarding this since time of the above post please let us know.
Reply With Quote
  #10  
Old 03-15-2015, 06:36 PM
XGC Viper XI XGC Viper XI is offline
 
Join Date: Sep 2007
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Sorry it took so long to answer. The file name was hb2ymtdn.php and it had the base64_decode inside it.

What does that mean?
Reply With Quote
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 01:21 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04795 seconds
  • Memory Usage 2,302KB
  • Queries Executed 23 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (4)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (3)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (9)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete