  #1  
Old 05 Sep 2013, 12:37
lapiervb lapiervb is offline
 
Join Date: Mar 2010
Th3H4ck hacked hundreds of VB forums over the last two days.

Th3H4ck has hacked hundreds of VB forums over the last few days. What is the exploit, and are we working on a fix???

Just google Th3H4ck
  #2  
Old 05 Sep 2013, 13:08
BlkBullitt BlkBullitt is offline
 
Join Date: Jun 2012
Yeah I saw he joined today and used my Spam-O-Matic features to get rid of him but I would really like to know how he signed up as an Admin?
  #3  
Old 05 Sep 2013, 13:13
lapiervb lapiervb is offline
 
Join Date: Mar 2010
Originally Posted by BlkBullitt View Post
Yeah I saw he joined today and used my Spam-O-Matic features to get rid of him but I would really like to know how he signed up as an Admin?
Did you get an IP or any information as to what he is doing once he's in?
  #4  
Old 05 Sep 2013, 13:42
kinkdink kinkdink is offline
 
Join Date: Mar 2002
Looks like a bot attack to me.

It relates to this article
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

Apache Log below:
178.33.229.22 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:38 +0100] "GET /forum/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:40 +0100] "GET /core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
66.96.183.79 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
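
An added example, not part of the original post: a Python sketch of detection logic for access-log lines like those quoted above. It flags installer paths that answered 200 and any POST to them, matching on path rather than client IP because the probe and the POST in the quoted log come from different addresses. The regexes, the function name and the final benign log line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the seven lines quoted in the post, plus one constructed benign request.
SAMPLE_LOG = """\
178.33.229.22 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:38 +0100] "GET /forum/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:40 +0100] "GET /core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
66.96.183.79 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
203.0.113.5 - - [05/Sep/2013:10:11:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Leading fields of an Apache combined-format line (assumed log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Installer scripts under any parent directory (assumed pattern).
INSTALLER_RE = re.compile(r'(?:^|/)install/(?:upgrade|install)\.php(?:\?|$)', re.I)

def scan(log_text):
    """Return (probes, exposed, posts) for requests to installer scripts.

    probes:  client IP -> list of (path, status) for every installer request
    exposed: installer paths that answered 200, i.e. still present on the server
    posts:   (ip, timestamp, path) for POSTs to an installer path that answered 200
    """
    probes, exposed, posts = defaultdict(list), set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not INSTALLER_RE.search(m["path"]):
            continue
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        probes[m["ip"]].append((path, status))
        if status == 200:
            exposed.add(path)
            if m["method"] == "POST":
                posts.append((m["ip"], m["ts"], path))
    return dict(probes), exposed, posts

if __name__ == "__main__":
    probes, exposed, posts = scan(SAMPLE_LOG)
    print("installer paths answering 200:", sorted(exposed))
    print("POSTs to installer:", posts)
    print("clients probing installer paths:", {ip: len(v) for ip, v in probes.items()})
```

Any entry in `posts` means the Control Panel Log, administrator list and templates should be reviewed, as later replies in this thread describe.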
  #5  
Old 05 Sep 2013, 14:05
lapiervb lapiervb is offline
 
Join Date: Mar 2010
Do we just delete the entire install folder?
  #6  
Old 05 Sep 2013, 14:07
nhawk nhawk is offline
 
Join Date: Jan 2011
Originally Posted by lapiervb View Post
Do we just delete the entire install folder?
That's what it says.
__________________

vB 4 Modification System
  #7  
Old 05 Sep 2013, 15:14
CareyG CareyG is offline
 
Join Date: Jan 2008
Originally Posted by BlkBullitt View Post
Yeah I saw he joined today and used my Spam-O-Matic features to get rid of him but I would really like to know how he signed up as an Admin?
He signed up twice on my forum as admin. I have deleted the install folder. I don't know what else to do or what if anything he did to my forum.

Last edited by CareyG : 05 Sep 2013 at 15:24.
  #8  
Old 05 Sep 2013, 16:53
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
If you want to see what he did on your site, go to Admincp > Statistics & Logs > Control Panel Log. You will see if he added a plugin or accessed the templates, etc.

DELETE YOUR INSTALL DIRECTORY!!!
__________________
Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
  #9  
Old 05 Sep 2013, 17:18
dawges dawges is offline
 
Join Date: May 2007
I was a victim of this also. Check my thread. If you guys haven't already you need to check the database and your templates. On my forum they put iframes in the footer of all my templates.

I had 8 Administrators in the admin group with the same name. However, one admin account was just a "."
  #10  
Old 05 Sep 2013, 19:06
BlkBullitt BlkBullitt is offline
 
Join Date: Jun 2012
Originally Posted by lapiervb View Post
Did you get an IP or any information as to what he is doing once he's in?
IP addy 180.216.122.253 and I checked my Control Panel and I don't see anything logged for the user so it looks like he just signed up and that was it. I am almost 100% certain I deleted my install folder after the initial install a year ago.
  #11  
Old 06 Sep 2013, 00:12
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Yeah we went through this with another member yesterday, http://www.vbulletin.org/forum/showthread.php?t=301892
  #12  
Old 06 Sep 2013, 07:26
owning_y0u owning_y0u is offline
 
Join Date: Dec 2008
A lot of vb clients don't even know he is on their forum as administrator. It's kinda sad that people, despite the warnings to remove their install directory, still have that on their server(s).
  #13  
Old 06 Sep 2013, 08:47
cellarius cellarius is online now
 
Join Date: Aug 2005
Real name: Sven
Well, it's kind of sad it took IB a week to send out security bulletins by mail. Not everyone checks their admincp or the announcement forum on vb.com every day (the latter can't even be subscribed, since that - surprise - does not work in vB5). It's probably not the fault of the support staff, but I imagine they need to get approval from the IB high command to send out such things.
__________________
Please note that there will be no further updates to my addons, especially they will not be upgraded for vB5. I'm leaving vB, since IB choose to go the banana-way yet again.

http://www.roma-antiqua.de
  #14  
Old 06 Sep 2013, 11:19
RickyH RickyH is offline
 
Join Date: Dec 2011
Despite who reads things on the announcements, it shouldn't matter. People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked. It does state that leaving precious files and folders on the server can cause people to "hack" or "attack" the forum.
  #15  
Old 06 Sep 2013, 12:22
cellarius cellarius is online now
 
Join Date: Aug 2005
Real name: Sven
Originally Posted by RickyH View Post
People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked.
No, this is wrong. People were told to remove install.php from the server, not the install folder. Just the opposite: People who asked have explicitly been told to leave the install folder on the server, because it contains files like the style or language xml files that can be useful when troubleshooting. This is why you can't access AdminCP after install/upgrade when install.php is present, but you can access AdminCP perfectly when the install folder is present.

You should at least get your facts straight before you tell people it's their own fault.