  #1  
16 Nov 2014, 20:24
XGC Viper XI
 
Join Date: Sep 2007
ibProArcade 2.7.2 Hacked

Recently ibProArcade 2.7.2+ was hacked where the hacker was able to insert the root file into the arcade/tar folder. This was confirmed with the webmaster once this was identified based on the file that was inserted. The only file that should be in that folder is the index.html.

As it has been a while since ibProArcade was updated, has there been any updates or fixes that addresses this issue?
  #2  
16 Nov 2014, 20:28
ozzy47
 
Join Date: Aug 2009
Real name: Chris
Then you need to report the modification from the modifications thread, so it will be handled correctly.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
  #3  
16 Nov 2014, 20:32
blind-eddie
 
Join Date: Apr 2006
Real name: Tim McGraw
What was done to your site from being hacked and how was it confirmed the hacker entered through ibProArcade?
__________________
LONG LIVE 3.8 SERIES
National Arcade Competition Club- NACC
Check out my heavily modified ibproarcade with over 45,000 games for you, free of charge!
Exclusive arcade addons, edits and skins were made by stangger5 owner of Next Level Arcade
  #4  
16 Nov 2014, 21:06
Dave
 
Join Date: Jun 2010
Real name: Dave
As far as I can see, the only place where the tar module is being used which uses the arcade/tar/ folder, is in the adminCP.

Either someone accessed your ACP through another vulnerability, or the hacker just uploaded a malicious file to that folder because it has public read/write access on it (chmodded 0777).
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
  #5  
16 Nov 2014, 21:09
ozzy47
 
Join Date: Aug 2009
Real name: Chris
That's what I kinda figured Dave, and I know you would be able to spot a vulnerability pretty quick.
  #6  
17 Nov 2014, 08:00
XGC Viper XI
 
Join Date: Sep 2007
No, the arcade/tar folder is in the root based on the installation files, and the folder has 755 permission, as does the arcade folder. This was pinpointed by the webmaster, who had been troubleshooting this issue before I made him aware of it, where a file was inserted that began the root of the problem. The only part of our site that uses that folder structure is the ibProArcade.

After the site was hit with the root file, it went on to change all the main files of vBulletin and almost all index.html pages to insert code into the files.
  #7  
17 Nov 2014, 11:13
ozzy47
 
Join Date: Aug 2009
Real name: Chris
But that still does not prove it was the arcade mod that allowed them to do this.
  #8  
20 Nov 2014, 00:13
TheLastSuperman
 
Join Date: Sep 2008
Real name: Michael Miller Jr
I was working on someone's site last night, who had DB Tech's arcade installed... I only mention that mod because of what I'm about to tell you to check.

- Check the game folders, anywhere it stores the game itself, either the specific folder OR any /temp folders.

Why? Sometimes the games you install/import can have malware and malicious files.

How do I know? This is one of the few games I've run into where the files would not transfer to my PC when running a backup, so I knew something was up.

Is the game Bobsled GC installed?
I found this in a sub-folder:

/forums/dbtech/vbarcade/import/temp/bobsledGC/gamedata/

Now in any arcade if a game has a folder /gamedata/ it can be legit. However these are the files I noticed that seemed odd in that gamedata folder:

loader.swf
game.swf
game_7.swf
game_66.swf
comm.swf
shell.xml


Now normally a game.swf would be OK, but as I noticed, my PC did not even allow that one to come through. Couple that with the fact that there are variants, and the ones that stood out more than the others were the shell and comm files. Needless to say, these had to be removed using the root user, as nothing we did from normal accounts allowed us to delete the files; it was basically permission denied every time.

So like I said above, I only mention DB Tech arcade because of what I recently ran into last night with those iffy game files. The owner of the site logged in as root, deleted those files and uninstalled the game from the arcade. What I'm trying to convey is that the arcade COULD have an unknown exploit, OR one of your games does. Be careful where you download games from.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman - Custom vBulletin Modifications, Styles, and Services.
Need a Host? I recommend URLJet.

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 20 Nov 2014 at 00:15. Reason: omgawd the spelling mistakes - I try lol!
  #9  
25 Nov 2014, 04:11
TheLastSuperman
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by XGC Viper XI:
"After the site was hit with the root file, it pathed to change all the main files of vBulletin and almost all index.html page to insert code in to the files."
I imagine this was base64_decode? If you found out anything else regarding this since time of the above post please let us know.
  #10  
15 Mar 2015, 20:36
XGC Viper XI
 
Join Date: Sep 2007
Sorry it took so long to answer. The file name was hb2ymtdn.php and it had the base64_decode inside it.

What does that mean?
  #11  
16 Mar 2015, 14:49
Dave
 
Join Date: Jun 2010
Real name: Dave
When there's base64 encoded stuff in it, it's usually like that to hide a backdoor. Most PHP backdoors have scripts to execute system commands on the server.
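A defender-side check for the indicators discussed in this thread (a file other than index.html in arcade/tar, a PHP file that wraps its payload in base64_decode/eval, and a world-writable directory), added here as an example and not code from the thread, from ibProArcade or from vBulletin. The sample tree it scans is constructed; the file name hb2ymtdn.php is the one reported above, and the encoded payload inside it is a harmless placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# Functions commonly used to hide or run a payload in a dropped PHP backdoor.
SUSPICIOUS_PHP = re.compile(
    r"\b(base64_decode|eval|system|shell_exec|passthru)\s*\(", re.IGNORECASE)


def scan_site(root):
    """Walk a forum docroot and return (relative_path, reason) pairs."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.stat().st_mode & 0o002:  # other-writable, e.g. chmod 777
                findings.append((rel, "world-writable directory"))
            continue
        # arcade/tar is only supposed to hold index.html
        if rel.startswith("arcade/tar/") and path.name != "index.html":
            findings.append((rel, "unexpected file in arcade/tar"))
        if path.suffix.lower() == ".php":
            m = SUSPICIOUS_PHP.search(path.read_text(errors="replace"))
            if m:
                findings.append((rel, f"calls {m.group(1)}()"))
    return findings


def build_sample_site():
    """Constructed sample tree (not real forum files) mirroring the thread."""
    root = Path(tempfile.mkdtemp())
    (root / "arcade" / "tar").mkdir(parents=True)
    (root / "arcade" / "tar" / "index.html").write_text("<html></html>\n")
    # Stand-in for the dropped file; the base64 decodes to 'placeholder'.
    (root / "arcade" / "tar" / "hb2ymtdn.php").write_text(
        "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>\n")
    (root / "index.php").write_text("<?php require('./global.php'); ?>\n")
    os.chmod(root / "arcade", 0o755)       # the expected permission
    os.chmod(root / "arcade" / "tar", 0o777)  # the misconfiguration Dave describes
    return root


if __name__ == "__main__":
    for rel, why in scan_site(build_sample_site()):
        print(f"{rel}: {why}")
```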
  #12  
20 May 2015, 10:23
ChiNa
 
Join Date: Jul 2012
Real name: CM
It's a late reply, but since I have been using IBPro Arcade for almost 4 years, I wanted to give my feedback.

We have been using IBProArcade for 3-4 years. And yes, to this day we are still using IBProArcade 2.7.2+. Since we started there have been more than 25 hacking attempts weekly on our forum for the past 3-4 years. But they never succeed.

Just because the files were discovered within its folder, it doesn't mean IBProArcade was the cause of why the forum was hacked. As Ozzy47 replied, that doesn't prove it was the IBProArcade. I just want others to know that this is definitely not an IBProArcade issue.
__________________
I am having a little break from vB developing. I am trying to finish my PHP and MySQL courses for now. I will answer all my PMs if anyone needs help with my products, but only when I can be online on vB.org. It's great to see new and old developers keeping vB.org alive! Thank you all for your support! CM

Last edited by ChiNa; 20 May 2015 at 10:31. Reason: Typos
  #13  
15 Nov 2015, 14:11
MrZeropage
 
Join Date: Nov 2003
Real name: Marcel
Thanks for this final statement.

ibProArcade v2.7.3+ (10 years anniversary release) is on track, but there were still no security issues to be fixed, just internal improvements etc.
__________________
Get the most installed modification for your vBulletin (more than 8400 installations and 144.000 downloads!):
ibProArcade 2.7.3+ download here | Click here to enter the ibProArcade-Support-Section