Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 10 Aug 2014, 17:44
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
4.2.1 PL1 hacked, what to look for in logs

Recently I started finding new admin users that appear to be injected into my database. They don't have any associated IP addresses. So far they have not been able to do anything in admincp, presumably because I have the directory password protected. I did an extensive file check and nothing seems to be out of the ordinary.

What can I search for in raw access logs to determine how this is happening?
Reply With Quote
  #2  
Old 10 Aug 2014, 17:48
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #3  
Old 10 Aug 2014, 18:03
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
Thanks ozzy. I'm familiar with those (and also this) but didn't find (or maybe I missed) what to search for in the access logs.

I have already taken all steps in the guide "Fixing your site after you have been hacked" several times, but continue to get admin users injected in my database.

Any help with searching raw access logs to determine how it's being done would be appreciated.
Reply With Quote
  #4  
Old 10 Aug 2014, 18:23
tpearl5's Avatar
tpearl5 tpearl5 is offline
 
Join Date: Nov 2001
Real name: John
It sounds like there is still a backdoor somewhere. Remember that they probably can't access the admincp, but they can still insert data via whatever method they are using to get in. It could be something appended to a plugin or template. I would install the plugin search mod and search plugins and templates for things like base64 and display:none (which is actually used in some templates)

Make sure you look carefully at Maintenance > Diagnostics > Suspect file versions for unexpected contents.

You should update to 4.2.2 pl1.

Also, if you have wordpress installed - I recently restored a hacked vbulletin and found that their WP install even had things inserted into the files/templates. Make sure to take a close look at WP or any other software packages if you have them.

I'm assuming you already removed the install directory...
__________________
John
Reply With Quote
  #5  
Old 10 Aug 2014, 18:40
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit.

I thoroughly checked all files identified in Maintenance > Diagnostics > Suspect file versions. I found and removed a number of files that were left over from previous versions of VB and old/uninstalled mods. All the files left (current mods I am using) seem to be ok, I didn't see anything unusual in them. I replaced all VB core files with freshly downloaded copies.

VB 4.2.1 PL1 is not known to have security vulnerabilities as far as I am aware. I'll probably upgrade to 4.2.2 anyway, but I'm not sure it will fix this.
Reply With Quote
  #6  
Old 10 Aug 2014, 18:43
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
If you have a backdoor somewhere, upgrading will not fix it.

Did you happen to check for any unknown plugins?
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #7  
Old 10 Aug 2014, 18:47
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
I've been keeping an eye on plugins and don't see anything unusual.
Reply With Quote
  #8  
Old 10 Aug 2014, 18:54
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Then it has to be a file in the folders, a vulnerability in a mod, or a security issue on the server.

Do you happen to have vBSEO installed?
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #9  
Old 10 Aug 2014, 18:57
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
I did have VBSEO installed the first time this happened. I suspected it might be the culprit so I switched to DBSEO and removed VBSEO and all it's files. Unfortunately it continued after removing VBSEO.
Reply With Quote
  #10  
Old 10 Aug 2014, 19:00
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Then there might be something lurking around from when you had vBSEO installed.

What other modifications have you got installed?
And are all the modifications from official vB sites?
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #11  
Old 10 Aug 2014, 19:02
ForceHSS's Avatar
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Check admincp/Plugins & Products/Plugin Manager many people don't look in there so its always over loooked
Reply With Quote
  #13  
Old 10 Aug 2014, 19:15
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Hmmm, none of those mods have any issues that I have ever heard of.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #14  
Old 10 Aug 2014, 19:17
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Try installing this mod, and see if it turns up anything, http://www.vbulletin.org/forum/showthread.php?t=304190
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
Reply With Quote
  #15  
Old 10 Aug 2014, 19:25
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
Originally Posted by ozzy47 View Post
Try installing this mod, and see if it turns up anything, http://www.vbulletin.org/forum/showthread.php?t=304190
That does turn up a number of warnings, but they are not specific as to why.

It seems to check for anything modified within the past 3 months, which happens to be a lot because I have been doing updates recently.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 18:30.

Layout Options | Width: Wide Color: