vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=325824

Hacker Gave himself Admin privs
by CarolSEL
30 Nov 2017 14:19

A new member registered at our forum, then somehow made himself an Admin. (Obviously, we banned him and his IP.)

How can that happen? What precautions do we need to take?

Dave 30 Nov 2017 14:29

There's a lot of ways this can happen, it's impossible for us to tell you what exactly caused it.
Here's a few guesses:
- Outdated vBulletin forum
- Vulnerable plugins
- Other vulnerable software on your server

You need to find the cause first before you can implement something to prevent it from happening again in the future.

CarolSEL 30 Nov 2017 16:37

Thanks Dave,
We're running on 4.2.4, and since the problem we previously had, have not reinstalled any but necessary (vB) plugins.
Host sent me back this reply (pretty much the same answer, but with specifics):
After reviewing the server and logs it appears that the compromise occurred completely within the VBulletin software and not through any form of malware on the site. This compromise was due to vulnerabilities of the End Of Life version of your software. I determined this by reviewing all access logs from that IP address as well as scanning the account for malware (finding 0 hits). I also scanned for standard CMS versions and this was the result.

==== End-Of-Life CMS Packages ====

vBulletin 4.2.1 /home/mydb
vBulletin 4.2.0.3 /home/mydb/forums
vBulletin 4.2.4 /home/mydb/public_html/forums
vBulletin 4.2.0.3 /home/mydb/public_html/moved pb html



The recommended course of action at this point it to fully update your live software while removing accessibility to any that are not being used at this time. Once updated I would also recommend searching for any sort of security based addon for that software that can help mitigate any future threats.
Aren't the older versions automatically overwritten with upgrades? :confused:

Dave 30 Nov 2017 17:01

Your older forums weren't even in the public_html folder so the statement by your host is crap.
The only thing I can think of is that you had forumrunner enabled whilst not updating it to the latest version, it was vulnerable to something that allowed people to take over your forum.

I recommend upgrading your forum to the latest version and change the password of all administrator accounts.
Of course, it's still entirely possible that the hacker left a backdoor somewhere in your files, plugins or datastore cache.

TheLastSuperman 30 Nov 2017 23:49

Quote:

Originally Posted by CarolSEL (Post 2591323)
A new member registered at our forum, then somehow made himself an Admin. (Obviously, we banned him and his IP.)

How can that happen? What precautions do we need to take?

If the hacker gains access to the database they can alter their membergroup id #, if they have access to ftp (files) they can also assign themselves as a Super-Administrator per the config file - it's easy IF they have access but basically simply FTP access would allow you to also upload a file and interact with the database directly w/o the need for phpmyadmin or similar.

TheLastSuperman 30 Nov 2017 23:52

Quote:

Originally Posted by CarolSEL (Post 2591327)
Aren't the older versions automatically overwritten with upgrades? :confused:

Yes and no.

Forums are typically installed in a folder i.e. on many sites you see /forum/ or /forums/. So with that being said when you upgrade then of course the files are overwritten BUT that does not include older outdated files, so if an older vBulletin file still existed and is no longer used in the newer verison then you would still have an old file present. Furthermore any "extra/spare/old/outdated/backup" copies of the software are never updated unless you do two manual upgrades.

CarolSEL 01 Dec 2017 11:33

Quote:

Originally Posted by TheLastSuperman (Post 2591355)
If the hacker gains access to the database they can alter their membergroup id #, if they have access to ftp (files) they can also assign themselves as a Super-Administrator per the config file - it's easy IF they have access but basically simply FTP access would allow you to also upload a file and interact with the database directly w/o the need for phpmyadmin or similar.

That makes sense, since host notified us about a month back that someone was attempting to access the FTP ports, so they changed the ports.

I did review the config file (and others) and didn't see signs of any changes to them. How would I find a file they uploaded?

--------------- Added 01 Dec 2017 at 11:38 ---------------

Quote:

Originally Posted by Dave (Post 2591330)
Your older forums weren't even in the public_html folder so the statement by your host is crap.
The only thing I can think of is that you had forumrunner enabled whilst not updating it to the latest version, it was vulnerable to something that allowed people to take over your forum.

I recommend upgrading your forum to the latest version and change the password of all administrator accounts.
Of course, it's still entirely possible that the hacker left a backdoor somewhere in your files, plugins or datastore cache.

Thanks. What does forumrunner actually do? I saw that the site owner had reactivated it, so I just turned it off. Will that stop members who use mobile devices from logging in?

Dave 01 Dec 2017 14:58

Quote:

Originally Posted by CarolSEL (Post 2591360)
That makes sense, since host notified us about a month back that someone was attempting to access the FTP ports, so they changed the ports.

I did review the config file (and others) and didn't see signs of any changes to them. How would I find a file they uploaded?

--------------- Added 01 Dec 2017 at 11:38 ---------------



Thanks. What does forumrunner actually do? I saw that the site owner had reactivated it, so I just turned it off. Will that stop members who use mobile devices from logging in?

Forumrunner is an app, so if people actually used that app then they can't use it.
However, you should remove the entire forumrunner folder from your forum if it's outdated, disabling it is not enough.


All times are GMT. The time now is 08:20.

Powered by vBulletin® Version 3.8.14
Copyright © 2022, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.