
Closed Thread
 
  #76  
Old 17 Sep 2013, 20:06
Steve-Hoog Steve-Hoog is offline
 
Join Date: Sep 2010
loua oz

Please advise on what happens next.

Did you check the Control Panel log for this user?
  #77  
Old 17 Sep 2013, 20:12
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Deleted him.

There was no IP address, just

[email protected]

and he belonged to group Administrators.
No other users were created.

Now looks OK, see my previous post, it was edited while you typed yours.
  #78  
Old 17 Sep 2013, 20:18
Steve-Hoog Steve-Hoog is offline
 
Join Date: Sep 2010
Searched the email and this hacker isn't going out of the way to hide himself, just like the one that got me.

--------------- Added 17 Sep 2013 at 20:27 ---------------

On vb.com one user is suggesting our MySQL database is compromised because of a lack of security on our config.php file. This is the most sensible explanation I have heard so far. But I don't know how to monitor MySQL access; I'll be trying to figure that out next.
  #79  
Old 18 Sep 2013, 07:00
xenite xenite is offline
 
Join Date: Oct 2005
Originally Posted by loua_oz View Post
Deleted him.

There was no IP address, just

[email protected]

and he belonged to group Administrators.
No other users were created.

Now looks OK, see my previous post, it was edited while you typed yours.
Look at VBulletin's admin log. That should tell you the IP address.
  #80  
Old 18 Sep 2013, 10:05
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
Originally Posted by loua_oz View Post
Yes, there was no email.
Yes there was.

Originally Posted by loua_oz View Post
Can't believe VB staff watched all the hacks and did nothing.
Maybe you should get facts right before making silly statements.

There was an e-mail, an ACP news item, and an announcement. Plus it's been discussed in all vB related admin forums.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
  #81  
Old 18 Sep 2013, 11:00
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Originally Posted by Paul M View Post
Yes there was.


Maybe you should get facts right before making silly statements.

There was an e-mail, an ACP news item, and an announcement. Plus it's been discussed in all vB related admin forums.
While I came and said exactly what was done to recover, you came to tell that hundreds of customers got devastated while you did all needed?

I run Windows but never go to Win forums.
Why would I frequent this one? Should I be on a lookout to see if any minute another hacker has trashed your product that I have paid for, not free download?

Red alert in AdminCP was not there, as is when a new version or patch are available. That is where I go 2-3 times a day and could not miss it.

Yahoo is banned as junk site from where I work, checked Inbox at home, other than 1000s "vBulletin Database Error!" no others or summarily deleted with them.
  #82  
Old 18 Sep 2013, 11:38
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
Originally Posted by loua_oz View Post
Red alert in AdminCP was not there, as is when a new version or patch are available. That is where I go 2-3 times a day and could not miss it.
There is no such thing as a "red alert". The ACP news item is there, so clearly you did miss it, and unless you dismissed it, it will still be there. If you dismissed it without reading it then that's your issue.

Originally Posted by loua_oz View Post
Yahoo is banned as junk site from where I work, checked Inbox at home, other than 1000s "vBulletin Database Error!" no others or summarily deleted with them.
Whether you can find it does not change the fact an e-mail was sent. It is your responsibility to make sure your e-mail address is up to date, and doesn't filter out vb e-mails.
  #83  
Old 18 Sep 2013, 11:44
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Transaction logs shows (2 screens, too big for 1). Does not look like legit thing, see bottom of pic 2:
Attached Images
File Type: jpg transactionlog01.jpg (91.1 KB, 19 views)
File Type: jpg transactionlog02.jpg (110.9 KB, 18 views)
  #84  
Old 18 Sep 2013, 13:13
tnedator tnedator is offline
 
Join Date: Aug 2007
Originally Posted by Paul M View Post
There is no such thing as a "red alert". The ACP news item is there, so clearly you did miss it, and unless you dismissed it, it will still be there. If you dismissed it without reading it then that's your issue.


Whether you can find it does not change the fact an e-mail was sent. It is your responsibility to make sure your e-mail address is up to date, and doesn't filter out vb e-mails.
It is true that an email was sent out, but only AFTER it was too late for so many sites. There was a forum announcement posted on vb.com on 8/27, but no email was sent until 9/3, presumably once it moved from a "potential exploit" that vB was investigating to a case of hundreds or thousands of sites being hacked.

For most of us, we have followed VB installation instructions for many years. This is from the 4.2 read me/install instructions:

8. When the installation wizard is complete, it will ask if you want to go to the Admin Control Panel. Before proceeding to the Admin Control Panel, you must delete the 'install/install.php' file from your webserver. You may then enter the control panel and start working on your new vBulletin!
Nothing about deleting the entire directory. Now, if there was enough of a potential exploit to post a vBulletin announcement about deleting the /install directory, there should have been an email on 8/27. Instead, myself, like so many others, got the email AFTER the site was hacked, rather than a week before.
  #85  
Old 18 Sep 2013, 14:35
loua_oz loua_oz is offline
 
Join Date: Dec 2010
yes, exactly. that version was asking for that, 4.2.1 does not.
let alone deleting the whole /install directory.

vB staff are in damage control, bshitting and pointing at customers as their guilt. this blunder may spell the end of them, as a company and their jobs.

next morning, someone may wake up and say: let's hack another 100 of vB sites.
  #86  
Old 18 Sep 2013, 17:35
pityocamptes pityocamptes is offline
 
Join Date: May 2010
Originally Posted by loua_oz View Post
Transaction logs shows (2 screens, too big for 1). Does not look like legit thing, see bottom of pic 2:
Personally, since you have expended so much time, only to find things are slightly off, I would take a known CLEAN backup of your site BEFORE you had issues. I would then take a current version of your site (the one that is "dirty"), and use a program like WinMerge to compare files and folders, to see what may have been changed.

From looking at that pic they are NOT legit!!!!!! I would also use a DB comparison tool, and see what, if anything may have been added to your db prior to the hack, and after... HTH
  #87  
Old 18 Sep 2013, 18:07
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by loua_oz View Post
yes, exactly. that version was asking for that, 4.2.1 does not.
let alone deleting the whole /install directory.

vB staff are in damage control, bshitting and pointing at customers as their guilt. this blunder may spell the end of them, as a company and their jobs.

next morning, someone may wake up and say: let's hack another 100 of vB sites.
I see staff over there busting their arse to help, I bet they are handling an abundance of tickets the best they can honestly.

Now let's think about this for a minute...
- This is a 100% new exploit that was just brought to their attention, they immediately went about investigating and offering a potential fix before knowing the full extent of the issue and it was on par i.e. delete the /install/ directory. My point is they took immediate action, it's not like they are vBSEO where a KNOWN exploit was left included across countless versions over the course of a year, that was horrid and unforgivable, this was just another case of someone having too much time on their hands and just enough brainpower to pull it off half proper.
- While I agree with you on the delayed "eBulletin" email being a "fail" per se as it was several days late, the fact of the matter is this was announced, on a site that is RSS feed into more sites than there are Chevrolet cars on the road so how you missed it ENTIRELY is beyond me I'm literally baffled. Please bookmark the site and check it daily, as a vBulletin forum owner you need to check the site once daily the same as you do the mail, reading the paper, or watching the news those are daily habits and maintaining your forum is now one, make note of that!
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
  #88  
Old 18 Sep 2013, 18:37
cellarius cellarius is offline
 
Join Date: Aug 2005
Real name: Sven
Originally Posted by TheLastSuperman View Post
While I agree with you on the delayed "eBulletin" email being a "fail" per se as it was several days late
Thanks for acknowledging that. When I asked why it was sent out so late that was not a question well received at vbulletin.com.

, the fact of the matter is this was announced, on a site that is RSS feed into more sites than there are Chevrolet cars on the road
Since when does vB5 support RSS feeds? How do I subscribe to it - genuine question, I wanted to subscribe to it since subscription to a forum does not work either, as far as I know.

so how you missed it ENTIRELY is beyond me I'm literally baffled.
Given that the messaging functions of vB5 do not work, it's not so astonishing, really.
Please bookmark the site and check it daily, as a vBulletin forum owner you need to check the site once daily
Sorry, but you can't be serious about that. People have lives! IB twiddles their thumbs for seven days before sending out an email about a crucial security issue, and you're really of the opinion that customers have to check out the company website daily (which is, once again, running a software that lacks even the most basic subscription features)?
__________________
Please note that there will be no further updates to my addons, especially they will not be upgraded for vB5. I'm leaving vB, since IB choose to go the banana-way yet again.

http://www.roma-antiqua.de
  #89  
Old 18 Sep 2013, 18:52
xenite xenite is offline
 
Join Date: Oct 2005
Originally Posted by loua_oz View Post
Transaction logs shows (2 screens, too big for 1). Does not look like legit thing, see bottom of pic 2:
Sorry. It's the CONTROL PANEL LOG that will tell you anything useful. (ON EDIT: About the IP address they used.)
  #90  
Old 18 Sep 2013, 23:07
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Cool

Originally Posted by cellarius View Post
Thanks for acknowledging that. When I asked why it was sent out so late that was not a question well received at vbulletin.com.


Since when does vB5 support RSS feeds? How do I subscribe to it - genuine question, I wanted to subscribe to it since subscription to a forum does not work either, as far as I know.


Given that the messaging functions of vB5 do not work, it's not so astonishing, really.

Sorry, but you can't be serious about that. People have lives! IB twiddles their thumbs for seven days before sending out an email about a crucial security issue, and you're really of the opinion that customers have to check out the company website daily (which is, once again, running a software that lacks even the most basic subscription features)?
Ohh I didn't acknowledge I simply made a logical observation that it was later than a lost teen on prom night - I'm not on staff there anymore so (get ready for this runonramblinglol) no one cares if I acknowledged it or not unless it's for the sake of arguments sake that it was just late lol.

As for the rss feeds... you got me there and the messages you say? Is it obvious I'm not up to par on vB5 Cellarius - Can you imagine why? All I know is if it looks like a Beta Product, Smells like a Beta product, and Acts like a Beta product it surely must be a Beta product... still feels like a Beta product to me as of 9/18/2013.

So of course my arguments are invalid now that I know.