vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=301904

Th3H4ck hacked hundreds of VB forums over the last two days.
by lapiervb
05 Sep 2013 12:37

Th3H4ck has hacked hundreds of VB forums over the last few days. What is the exploit, and are we working on a fix???

Just google Th3H4ck

BlkBullitt 05 Sep 2013 13:08

Yeah I saw he joined today and used my Spam-O-Matic features to get rid of him but I would really like to know how he signed up as an Admin?

lapiervb 05 Sep 2013 13:13

Quote:

Originally Posted by BlkBullitt (Post 2443430)
Yeah I saw he joined today and used my Spam-O-Matic features to get rid of him but I would really like to know how he signed up as an Admin?

Did you get an IP or any information as to what he is doing once he's in?

kinkdink 05 Sep 2013 13:42

Looks like a bot attack to me.

It relates to this article
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

Apache Log below:
178.33.229.22 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:38 +0100] "GET /forum/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:40 +0100] "GET /core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
66.96.183.79 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
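The pattern in the log above (404s on guessed paths, then a 200 on install/upgrade.php, then a POST to the same path) can be searched for in your own access log. The Python below is an added example, not part of the original thread; the `scan` function and the sample lines, which use documentation-range IP addresses, are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any path ending in install/upgrade.php, with or without /core or a forum prefix.
UPGRADE_RE = re.compile(r'(?:^|/)install/upgrade\.php(?:\?.*)?$', re.IGNORECASE)

def scan(lines):
    """Classify requests to install/upgrade.php.

    probes:  {ip: [paths answered 404]}    -> path guessing
    exposed: sorted paths answered 2xx     -> installer is reachable
    posts:   [(ts, ip, path)] POSTs, 2xx   -> investigate as possible compromise
    """
    probes, exposed, posts = defaultdict(list), set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not UPGRADE_RE.search(m["path"]):
            continue  # unparseable line or unrelated request
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        if status == 404:
            probes[m["ip"]].append(path)
        elif 200 <= status < 300:
            exposed.add(path)
            if m["method"] == "POST":
                posts.append((m["ts"], m["ip"], path))
    return dict(probes), sorted(exposed), posts

# Constructed sample lines, shaped like the log posted above.
SAMPLE = """\
203.0.113.10 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
203.0.113.10 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
203.0.113.10 - - [05/Sep/2013:10:10:40 +0100] "GET /core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
203.0.113.10 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
198.51.100.7 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
192.0.2.44 - - [05/Sep/2013:10:11:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
""".splitlines()

if __name__ == "__main__":
    probes, exposed, posts = scan(SAMPLE)
    print("probing clients:", probes)
    print("reachable installer paths:", exposed)
    print("successful POSTs:", posts)
```

Matching is done on the path rather than the client address because, as in the log above, the POST can arrive from a different IP than the one that did the probing.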

lapiervb 05 Sep 2013 14:05

Do we just delete the entire install folder?

nhawk 05 Sep 2013 14:07

Quote:

Originally Posted by lapiervb (Post 2443440)
Do we just delete the entire install folder?

That's what it says.

CareyG 05 Sep 2013 15:14

Quote:

Originally Posted by BlkBullitt (Post 2443430)
Yeah I saw he joined today and used my Spam-O-Matic features to get rid of him but I would really like to know how he signed up as an Admin?

He signed up twice on my forum as admin. I have deleted the install folder. I don't know what else to do or what if anything he did to my forum.

Lynne 05 Sep 2013 16:53

If you want to see what he did on your site, go to Admincp > Statistics & Logs > Control Panel Log. You will see if he added a plugin or accessed the templates, etc.

DELETE YOUR INSTALL DIRECTORY!!!

dawges 05 Sep 2013 17:18

I was a victim of this also. Check my thread. If you guys haven't already you need to check the database and your templates. On my forum they put iframes in the footer of all my templates.

I had 8 Administrators in the admin group with the same name. However, one admin account was just a "."

BlkBullitt 05 Sep 2013 19:06

Quote:

Originally Posted by lapiervb (Post 2443431)
Did you get an IP or any information as to what he is doing once he's in?

IP addy 180.216.122.253 and I checked my Control Panel and I don't see anything logged for the user so it looks like he just signed up and that was it. I am almost 100% certain I deleted my install folder after the initial install a year ago.

ozzy47 06 Sep 2013 00:12

Yeah we went through this with another member yesterday, http://www.vbulletin.org/forum/showthread.php?t=301892

owning_y0u 06 Sep 2013 07:26

A lot of vB clients don't even know he is on their forum as administrator. It's kinda sad that people, despite the warnings to remove their install directory, still have that on their server(s).

cellarius 06 Sep 2013 08:47

Well, it's kind of sad it took IB a week to send out security bulletins by mail. Not everyone checks their admincp or the announcement forum on vb.com every day (the latter can't even be subscribed, since that - surprise - does not work in vB5). It's probably not the fault of the support staff, but I imagine they need to get approval from the IB high command to send out such things.

RickyH 06 Sep 2013 11:19

Despite who reads things on the announcements, it shouldn't matter. People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked. It does state that leaving precious files and folders on the server can cause people to "hack" or "attack" the forum.

cellarius 06 Sep 2013 12:22

Quote:

Originally Posted by RickyH (Post 2443668)
People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked.

No, this is wrong. People were told to remove install.php from the server, not the install folder. Just the opposite: People who asked have explicitly been told to leave the install folder on the server, because it contains files like the style or language xml files that can be useful when troubleshooting. This is why you can't access AdminCP after install/upgrade when install.php is present, but you can access AdminCP perfectly when the install folder is present.

You should at least get your facts straight before you tell people it's their own fault.

