Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 30 Nov 2017, 15:19
CarolSEL CarolSEL is offline
 
Join Date: Aug 2010
Hacker Gave himself Admin privs

A new member registered at our forum, then somehow made himself an Admin. (Obviously, we banned him and his IP.)

How can that happen? What precautions do we need to take?
Reply With Quote
  #2  
Old 30 Nov 2017, 15:29
Dave Dave is offline
 
Join Date: Jun 2010
There's a lot of ways this can happen, it's impossible for us to tell you what exactly caused it.
Here's a few guesses:
- Outdated vBulletin forum
- Vulnerable plugins
- Other vulnerable software on your server

You need to find the cause first before you can implement something to prevent it from happening again in the future.
Reply With Quote
  #3  
Old 30 Nov 2017, 17:37
CarolSEL CarolSEL is offline
 
Join Date: Aug 2010
Thanks Dave,
We're running on 4.2.4, and since the problem we previously had, have not reinstalled any but necessary (vB) plugins.
Host sent me back this reply (pretty much the same answer, but with specifics):
After reviewing the server and logs it appears that the compromise occurred completely within the VBulletin software and not through any form of malware on the site. This compromise was due to vulnerabilities of the End Of Life version of your software. I determined this by reviewing all access logs from that IP address as well as scanning the account for malware (finding 0 hits). I also scanned for standard CMS versions and this was the result.

==== End-Of-Life CMS Packages ====

vBulletin 4.2.1 /home/mydb
vBulletin 4.2.0.3 /home/mydb/forums
vBulletin 4.2.4 /home/mydb/public_html/forums
vBulletin 4.2.0.3 /home/mydb/public_html/moved pb html



The recommended course of action at this point it to fully update your live software while removing accessibility to any that are not being used at this time. Once updated I would also recommend searching for any sort of security based addon for that software that can help mitigate any future threats.
Aren't the older versions automatically overwritten with upgrades?
Reply With Quote
  #4  
Old 30 Nov 2017, 18:01
Dave Dave is offline
 
Join Date: Jun 2010
Your older forums weren't even in the public_html folder so the statement by your host is crap.
The only thing I can think of is that you had forumrunner enabled whilst not updating it to the latest version, it was vulnerable to something that allowed people to take over your forum.

I recommend upgrading your forum to the latest version and change the password of all administrator accounts.
Of course, it's still entirely possible that the hacker left a backdoor somewhere in your files, plugins or datastore cache.
Reply With Quote
  #5  
Old 01 Dec 2017, 00:49
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by CarolSEL View Post
A new member registered at our forum, then somehow made himself an Admin. (Obviously, we banned him and his IP.)

How can that happen? What precautions do we need to take?
If the hacker gains access to the database they can alter their membergroup id #, if they have access to ftp (files) they can also assign themselves as a Super-Administrator per the config file - it's easy IF they have access but basically simply FTP access would allow you to also upload a file and interact with the database directly w/o the need for phpmyadmin or similar.
__________________
Daddy Does Dios and Figs!

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
Reply With Quote
  #6  
Old 01 Dec 2017, 00:52
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by CarolSEL View Post
Aren't the older versions automatically overwritten with upgrades?
Yes and no.

Forums are typically installed in a folder i.e. on many sites you see /forum/ or /forums/. So with that being said when you upgrade then of course the files are overwritten BUT that does not include older outdated files, so if an older vBulletin file still existed and is no longer used in the newer verison then you would still have an old file present. Furthermore any "extra/spare/old/outdated/backup" copies of the software are never updated unless you do two manual upgrades.
__________________
Daddy Does Dios and Figs!

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
Reply With Quote
  #7  
Old 01 Dec 2017, 12:33
CarolSEL CarolSEL is offline
 
Join Date: Aug 2010
Originally Posted by TheLastSuperman View Post
If the hacker gains access to the database they can alter their membergroup id #, if they have access to ftp (files) they can also assign themselves as a Super-Administrator per the config file - it's easy IF they have access but basically simply FTP access would allow you to also upload a file and interact with the database directly w/o the need for phpmyadmin or similar.
That makes sense, since host notified us about a month back that someone was attempting to access the FTP ports, so they changed the ports.

I did review the config file (and others) and didn't see signs of any changes to them. How would I find a file they uploaded?

--------------- Added 01 Dec 2017 at 12:38 ---------------

Originally Posted by Dave View Post
Your older forums weren't even in the public_html folder so the statement by your host is crap.
The only thing I can think of is that you had forumrunner enabled whilst not updating it to the latest version, it was vulnerable to something that allowed people to take over your forum.

I recommend upgrading your forum to the latest version and change the password of all administrator accounts.
Of course, it's still entirely possible that the hacker left a backdoor somewhere in your files, plugins or datastore cache.
Thanks. What does forumrunner actually do? I saw that the site owner had reactivated it, so I just turned it off. Will that stop members who use mobile devices from logging in?
Reply With Quote
  #8  
Old 01 Dec 2017, 15:58
Dave Dave is offline
 
Join Date: Jun 2010
Originally Posted by CarolSEL View Post
That makes sense, since host notified us about a month back that someone was attempting to access the FTP ports, so they changed the ports.

I did review the config file (and others) and didn't see signs of any changes to them. How would I find a file they uploaded?

--------------- Added 01 Dec 2017 at 12:38 ---------------



Thanks. What does forumrunner actually do? I saw that the site owner had reactivated it, so I just turned it off. Will that stop members who use mobile devices from logging in?
Forumrunner is an app, so if people actually used that app then they can't use it.
However, you should remove the entire forumrunner folder from your forum if it's outdated, disabling it is not enough.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 21:18.

Layout Options | Width: Wide Color: