#31
13 May 2011, 23:18
madshark
Join Date: Oct 2009
Ugh! Again? I just got the email as well. Wonder what's wrong now? >< Poor Valter.

#32
13 May 2011, 23:32
CK
Join Date: Dec 2007
Real name: http://xenforo.com/
I keep reading "hacked by team Anus".

#33
13 May 2011, 23:37
kh99
Join Date: Aug 2009
Real name: Kevin
Originally Posted by borbole:
> I think in such cases you can contact the admins here.
For future reference, don't PM. I'm told the correct thing to do would have been to click on "Report this Post" in the mod thread.

Last edited by kh99; 14 May 2011 at 00:26.

#34
14 May 2011, 01:36
Suiram
Join Date: Jan 2009
Originally Posted by Bulldog Stang:
> I have now been hacked twice. I followed the stated guidelines and updated my CYB - Advanced Forum Rules as well. I have checked all files in FTP and removed any new ones. Also checked the db and deleted the new user.
>
> I do not know what else to do here.
you, me and many others.
uninstall this rotten back door to hell. it is now without a doubt that it has not been fixed, no matter the claims. it's getting to the point where you have to wonder if it's some kind of conspiracy or something.
it is not a case where they breached before and were "waiting". i was only hacked after i upgraded to v4.0.4 and not before.

UNINSTALL ANY AND ALL MODS - PERIOD!!

#35
14 May 2011, 01:42
Boofo
Join Date: Mar 2002
Real name: Rob
Removing all mods is a little extreme, don't you think?

#36
14 May 2011, 01:52
g0dfather1984
Join Date: May 2008
Originally Posted by Boofo:
> Removing all mods is a little extreme, don't you think?
While I do understand your frustration about everything, I kind of agree with Boofo here. Uninstalling every mod is a little extreme.

#37
14 May 2011, 02:29
Suiram
Join Date: Jan 2009
yeah, sure. i suppose you could change that to all cyb mods.
but in my case i only ever used one mod. the cyb afr one. i uninstalled it and also decided to keep my vb forum vanilla. apart from changing colors and stuff from within it, that is it for me. lesson learned. i'm too much a control freak to allow myself to be "violated" again. :P (one rape is enough)

#38
14 May 2011, 02:29
aquariumpros
Join Date: Jul 2002
Real name: AJ
Originally Posted by Suiram:
> you, me and many others.
> uninstall this rotten back door to hell. ...
>
> UNINSTALL ANY AND ALL MODS - PERIOD!!
Might want to try to understand that ANY AND ALL code is susceptible to exploits - hence the reason there are always updates and patches offered (even for operating systems, and vBulletin core software, etc.).


If you were hacked again - you didn't completely purge the server of the exploitable code.

Ensure that all copies of vba.php have been removed:
/forum/includes/vba.php
/forum/includes/xml/vba.php


Also - check (or get your host to check) your server logs for access.

Also - do a full scan of the database; as we had base64 data encoded into the database in the rtable field within the guest table.


Entries I removed:

| guestid | hostip | useragent | lastactive | spider | script | rdata |

...cont'd in next post due to character limits
__________________
*~AJ~*
AquariumPros.ca

#39
14 May 2011, 02:30
aquariumpros
Join Date: Jul 2002
Real name: AJ
One way people make mass changes of that nature is to use a mass defacer script. In part the code I removed from the database did allow for php or shell commands to be executed without placing files into the account.

One occurrence was at: Tue May 10 07:58:35 CDT 2011 by this IP: 183.99.33.109

__________________
*~AJ~*
AquariumPros.ca
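
The database check described in the two posts above, as an added example that is not part of the thread: it parses each PHP-serialized `rdata` value from the guest table and flags string fields that hold a long base64 run, exceed a length cap, or do not parse cleanly. The function names, both thresholds and the sample rows are assumptions constructed for illustration, and rows are assumed to be already exported as (guestid, rdata) pairs.

```python
import base64
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}")  # assumed: 40+ base64 characters in a row
MAX_LEN = 200                                  # assumed: upper bound for a form field

def parse_php(data, pos=0):
    """Parse one PHP serialize() value (types a, s, i, b only); return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag in (b"i", b"b"):
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag not in (b"s", b"a"):
        raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")
    colon = data.index(b":", pos + 2)
    size, pos = int(data[pos + 2:colon]), colon + 2      # step past :" or :{
    if tag == b"s":
        if data[pos + size:pos + size + 2] != b'";':
            raise ValueError("declared string length does not match content")
        return data[pos:pos + size], pos + size + 2
    out = {}
    for _ in range(size):
        key, pos = parse_php(data, pos)
        out[key], pos = parse_php(data, pos)
    if data[pos:pos + 1] != b"}":
        raise ValueError("array is not closed")
    return out, pos + 1

def suspicious_fields(rdata):
    """Return [(field, length, reason)] for string values that look injected."""
    try:
        fields, _ = parse_php(rdata)
    except (ValueError, TypeError):
        return [("<rdata>", len(rdata), "unparseable")]
    hits = []
    for key, value in (fields.items() if isinstance(fields, dict) else []):
        if not isinstance(value, bytes):
            continue
        name = key.decode(errors="replace") if isinstance(key, bytes) else str(key)
        reason = "base64" if B64_RUN.search(value) else "oversized" if len(value) > MAX_LEN else None
        if reason:
            hits.append((name, len(value), reason))
    return hits

def scan(rows):
    return {gid: hits for gid, rdata in rows if (hits := suspicious_fields(rdata))}  # flagged rows only

# Constructed sample rows (not from the thread); php_str serializes one string for them.
php_str = lambda b: b's:%d:"%s";' % (len(b), b)
BLOB = base64.b64encode(b"constructed placeholder, not a real payload " * 3)
SAMPLE_ROWS = [
    ("guest-1", b"a:2:{" + php_str(b"author_name") + php_str(b"Alice") + php_str(b"postid") + b"i:0;}"),
    ("guest-2", b"a:2:{" + php_str(b"send-contactus") + php_str(b"1") + php_str(b"author_name") + php_str(BLOB) + b"}"),
]
```

Rows reported as "unparseable" include values truncated by the column length and values using serialize() types this parser does not cover, so they need a manual look rather than automatic deletion.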

#40
14 May 2011, 02:44
A Dead Puppie
Join Date: Oct 2009
Anyone who was using the old version of the Advanced Forum Rules mod, any version, could/was suspect to hackers. There is a fixed update somewhere. Best thing to do is uninstall the mod, remove all files from the server, and re-upload the updated version.

#41
14 May 2011, 02:57
Boofo
Join Date: Mar 2002
Real name: Rob
Originally Posted by aquariumpros:
> Might want to try to understand that ANY AND ALL code is susceptible to exploits - hence the reason there are always updates and patches offered (even for operating systems, and vBulletin core software, etc.).
I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.

#42
14 May 2011, 03:11
aquariumpros
Join Date: Jul 2002
Real name: AJ
Originally Posted by Boofo:
> I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.
Sorry for the misinterpretation. What I intended to convey was that it's NOT just hacks and mods that are susceptible to being hacked...so removing all mods won't unilaterally make a site safe. This exploit could just as easily have been found in the base vBulletin code; or even an exploit in coding within the server OS, etc.

Vigilance in keeping up to date on ALL software patches & updates is still needed to have any real security; and even then - there's ALWAYS a risk.

Daily back-ups are your only real security.
__________________
*~AJ~*
AquariumPros.ca

#43
14 May 2011, 03:59
madshark
Join Date: Oct 2009
Originally Posted by ChemicalKicks:
> I keep reading "hacked by team Anus".
Haha that would be appropriate wouldn't it? lol At least some of us still see a lighter side.

Just let's not jump at the developer's throat; like aquariumpros said, the issue could've come from anywhere. It's unfortunate that it was Valter who was the one in the primary line of fire this time. Fundamentally the web is worse than reality as far as safety is concerned so what more do we argue from there?

Boofo is right. Not everything is evil but there is always someone trying to better something that causes an addition that is slightly overlooked. But if we said ok Windows 98 is the shit we don't need to go anywhere from here or worse if Apple said ok iMac that's it we've done perfect let's not screw it up where would we be today?

In that same light no add-ons at all would be similar to saying ok I'm born. I'm vanilla there are viruses and germs out there so I'm going to build a sanitized glass orb and live in it the rest of my life. But in a funny kind of way VB allows backups that make risks a little manageable. Life doesn't really give us that option in the ideal form does it? Something to ponder. Make use of it I'm sure it's been said a gazillion times before.

#44
14 May 2011, 04:18
Boofo
Join Date: Mar 2002
Real name: Rob
You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.

#45
14 May 2011, 05:47
AusPhotography
Join Date: Nov 2007
Real name: Rick-owner, Kym-admin
Originally Posted by Boofo:
> You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.
+100
__________________
www.AusPhotography.net.au a.k.a. AP is a photography forum where members share their photography, photo editing skills and techniques. We run regular photographic competitions; Rick (site owner) and Kym (site tech) using this account
*** Home of the AP fully comprehensive vb4 photographic competition management solution ***

All times are GMT.