  #1  
Old 04 Apr 2009, 05:38
StructuralNet
 
Join Date: Mar 2009
HACKED - Make sure you are secure

Okay guys, I was out to dinner before and came back and loaded my site, http://www.theangryforum.com, to see a PHP syntax error on line 1...

I open up my index file and find this:


[code block not shown: viewable by licensed members only]


This was dumped on a crap load of my files. The file structure was not 777 for these files either, and I do not know how this was injected. My database was not touched, but I had to delete the installation of VB, install a fresh copy and connect it to the database.

I did some research on this, and results are slim, but it's attacking other programs as well. osCommerce, for example:

http://forums.oscommerce.com/lofiver...p?t321418.html

Anyone see this before?

I was more in a panic to get my site up; now that I DO have a copy of all of my files and backups, if this hits again I will investigate the source further, possibly copy the whole structure and send it to VB or whatever can be done.
  #2  
Old 04 Apr 2009, 06:33
Dismounted
 
Join Date: Jun 2005
Real name: Hanson
Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.
__________________
Former vBulletin.org Staff Member

View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.
  #3  
Old 04 Apr 2009, 15:41
StructuralNet
 
Join Date: Mar 2009
Originally Posted by Dismounted:
Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.
I am contacting my host right now. I am on a VPS and I have been checking the server logs for anything weird, but I think my admin is better at finding something if there is something.

I would have thought, though, that if they got into the server through a backdoor or something, they would have affected my other accounts. I have VB running on another account for another site, and a few other accounts with various programs that were not touched (and have been on there for a very long time).

Here is the list of my mods,

I have ibProArcade v2.6.8, whose file structure I noticed was changed.

Here is a list of my other mods:

Admin Log In As User

Cyb - Advanced Permissions Based on Post Account

Fake User (adds a couple guests)

GTSmilieBox

Panic Button

Plus Mood

vB Ad Management

vBadvanced CMPS

vbSEO Site Map

Welcome Headers

--------------- Added 05 Apr 2009 at 07:05 ---------------

Maybe someone can chime in?

This guy is getting FTP access. I have formatted all my PCs to make sure I don't have a virus, and my host is looking through everything as well.

Things that caught my interest:


Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c


Why the arcade first? Compromised maybe? I deleted the folder when I did a backup; I also disabled my FTP server...

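The four log lines pasted above are in the standard xferlog format (wu-ftpd/proftpd/pure-ftpd): date, transfer time, remote host, byte count, path, transfer type, special-action flag, direction ("o" = download, "i" = upload), access mode, user name, service, authentication method, authenticated uid, completion status. Read that way, the pairs tell the story: each file is downloaded and then re-uploaded one second later by the same host under the same account, a couple of hundred or a couple of thousand bytes larger, which is exactly what a script appending code to existing files over stolen FTP credentials looks like. The following is an added example, not code from the thread or from vBulletin: a small parser that finds such download-then-re-upload pairs. The sample log is constructed to mirror the pasted lines (IP kept as in the thread) plus one unrelated transfer; the names `parse_xferlog_line` and `find_modified_uploads` are this example's own.

```python
"""Find FTP download-then-re-upload pairs in an xferlog (added example)."""
from collections import namedtuple
from datetime import datetime

Xfer = namedtuple("Xfer", "when host size path direction user status")
Suspicious = namedtuple(
    "Suspicious", "path host user size_before size_after grew_by seconds")

# Constructed sample: the four lines quoted in the thread plus one benign download.
SAMPLE_LOG = """\
Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c
Sat Apr 04 18:02:10 2009 2 198.51.100.7 913 /home/theangry/public_html/images/logo.png b _ o r theangry ftp 1 * c
"""


def parse_xferlog_line(line):
    """Parse one xferlog record. Assumes the file name contains no spaces
    (xferlog writes spaces in names as underscores)."""
    f = line.split()
    if len(f) < 18:
        raise ValueError("not an xferlog record: %r" % line)
    # Fields 0-4 are the timestamp, e.g. "Sat Apr 04 17:14:52 2009"
    when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
    return Xfer(when=when, host=f[6], size=int(f[7]), path=f[8],
                direction=f[11], user=f[13], status=f[17])


def find_modified_uploads(log_text, window_seconds=30):
    """Return uploads that overwrite a file the same host downloaded within
    `window_seconds` before. Size delta and gap are reported so an analyst
    can see how much was appended and how automated the sequence was."""
    records = [parse_xferlog_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r.when)
    last_download = {}  # (host, path) -> most recent completed download
    hits = []
    for r in records:
        if r.status != "c":
            continue  # incomplete transfers ("i" status) are ignored here
        key = (r.host, r.path)
        if r.direction == "o":
            last_download[key] = r
        elif r.direction == "i" and key in last_download:
            prev = last_download[key]
            gap = (r.when - prev.when).total_seconds()
            if 0 <= gap <= window_seconds:
                hits.append(Suspicious(r.path, r.host, r.user, prev.size,
                                       r.size, r.size - prev.size, gap))
    return hits


if __name__ == "__main__":
    for h in find_modified_uploads(SAMPLE_LOG):
        print("%s re-uploaded by %s@%s %+d bytes after %.0fs"
              % (h.path, h.user, h.host, h.grew_by, h.seconds))
```

Run against a real xferlog, every hit is a file to diff against a clean backup; the "r" access mode and the account name also show these were authenticated transfers with the real FTP password, which is why changing the FTP/cPanel passwords (and treating any machine that had them as suspect) was the right first step.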
  #4  
Old 05 Apr 2009, 12:28
TECK
 
Join Date: Dec 2001
Real name: Floren Munteanu
It is related to your server administration; neither you nor your products did anything wrong...
In short, it is a base64-encoded fake Yahoo counter script that is injected into HTML code. The script looks for files in the server's temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell into your insecure server.
Personally, I would change host. It is obvious they don't care about security.
__________________
Floren Munteanu
Axivo Inc.
Axivo Community - Visit the forums to find out more about us
Why Queued - My personal blog
  #5  
Old 05 Apr 2009, 20:42
StructuralNet
 
Join Date: Mar 2009
Originally Posted by TECK:
It is related to your server administration; neither you nor your products did anything wrong...
In short, it is a base64-encoded fake Yahoo counter script that is injected into HTML code. The script looks for files in the server's temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell into your insecure server.
Personally, I would change host. It is obvious they don't care about security.
Yea, I agree with you, because I have been going crazy formatting my machines to make sure I had no key loggers on them, etc.

The host has been working around the clock to find the security hole and try to fix it, so I am going to give him a few days to see if he can close up the hole, if not I am off. I can't have this jeopardize not only my websites on the server, but my clients that I host as well.

Considering it is a VPS, I have multiple accounts on there including another site for VB... why is this guy going after this site?
  #6  
Old 06 Apr 2009, 09:11
TECK
 
Join Date: Dec 2001
Real name: Floren Munteanu
The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non-root access to the server. For example, I could set up a file with the extension .gif that is in fact this script:

[code block not shown: viewable by licensed members only]

They are widely used as smilies that look like broken images when viewed (the PHP script is executing).

Then, all I have to do is post the link on your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault or the vBulletin developers' if your host runs unsecured boxes.
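TECK's two posts describe the same family of artefact from two sides: a PHP script parked behind an image extension so it survives in an uploads directory, and an `eval(base64_decode('...'))` wrapper dropped into HTML/PHP files so the injected "counter" is not readable at a glance. Both are easy to find on disk once you know to look. The following is an added example, not code from the thread, from TECK or from vBulletin: a read-only scanner that flags files with an image extension but no image header or a `<?php` tag inside them, `eval()`/`assert()` wrapped around a decoder call, and base64 string arguments that decode to something that looks like PHP. The sample files, the rule names and the function names `scan_bytes` and `scan_tree` are constructed for this example; the "payloads" inside the samples are harmless placeholder strings.

```python
"""Scan a web root for PHP hidden in image files and base64-wrapped eval() (added example)."""
import base64
import binascii
import os
import re

IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg"}
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# eval()/assert() whose argument is the output of a decoder: a classic obfuscation wrapper.
WRAPPED_EVAL = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE)
B64_ARG = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\r\n]{32,})['\"]")
CODE_HINTS = (b"<?php", b"eval(", b"system(", b"fwrite(", b"/tmp/")


def scan_bytes(name, data):
    """Return a list of (rule, detail) findings for one file's content."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in IMAGE_EXTS:
        if not data.startswith(IMAGE_MAGIC):
            findings.append(("image-without-magic", "no GIF/PNG/JPEG header"))
        m = PHP_OPEN.search(data)
        if m:
            findings.append(("php-in-image", "PHP open tag at offset %d" % m.start()))
    if WRAPPED_EVAL.search(data):
        findings.append(("wrapped-eval", "eval()/assert() around a decoder call"))
    for m in B64_ARG.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1))
        except (ValueError, binascii.Error):
            continue
        if any(h in decoded for h in CODE_HINTS):
            findings.append(("base64-decodes-to-code", decoded[:60].decode("latin-1")))
    return findings


def scan_tree(root):
    """Walk a directory tree; return {relative path: findings} for flagged files."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            found = scan_bytes(fn, data)
            if found:
                flagged[os.path.relpath(full, root)] = found
    return flagged


def _fake_counter_payload():
    # Harmless stand-in for the injected "counter" script the thread describes.
    return base64.b64encode(b'<?php echo "fake counter placeholder"; ?>')


# Constructed sample web root: one fake smilie, one real-looking PNG,
# one page with the wrapper injected at the top, one clean PHP file.
SAMPLES = {
    "images/smilie.gif": b"GIF89a" + b"\x00" * 16
        + b'<?php echo "constructed stand-in for a script"; ?>',
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "index.php": b"<?php\n/* constructed: injected at top of page */\n"
        + b"eval(base64_decode('" + _fake_counter_payload() + b"'));\n?>\n<html></html>\n",
    "functions/dbclass.php": b"<?php\nclass DB { function q($s) { return mysql_query($s); } }\n",
}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        for rel, found in sorted(scan_tree(root).items()):
            for rule, detail in found:
                print("%-24s %-24s %s" % (rel, rule, detail))
```

Note the smilie case: the file starts with a valid GIF header, so an upload filter that only checks the magic bytes passes it, and the PHP tag only matters if the server is configured to run `.gif` files through the PHP handler (or the attacker can include the file from elsewhere). A scanner like this is a detection aid for the clean-up TECK is describing, not a substitute for fixing the host: a clean scan after the fact says nothing about the /tmp weakness that let the files in.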
  #7  
Old 06 Apr 2009, 19:28
StructuralNet
 
Join Date: Mar 2009
Originally Posted by TECK:
The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non-root access to the server. For example, I could set up a file with the extension .gif that is in fact this script:

[code block not shown: viewable by licensed members only]

They are widely used as smilies that look like broken images when viewed (the PHP script is executing).

Then, all I have to do is post the link on your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault or the vBulletin developers' if your host runs unsecured boxes.
Yea,

I agree. I took your advice and moved; I can't let this sit over my head.
  #8  
Old 06 Apr 2009, 20:35
BSMedia
 
Join Date: Feb 2009
If you're on a VPS, chances are good that security and management rely on you or your server admin.

Your server security is only as secure as your least secure admin/server manager.
  #9  
Old 08 Apr 2009, 12:31
mykes
 
Join Date: Feb 2005
Unfortunately, I don't see how a vb3 site (or many others) can be truly secure at this point.

All a hacker really needs to do is post something like "hey, look at this really awesome thing" with a link to his own server where he controls the HTML and javascripts.

In his HTML there, all he needs is an img tag with src= any URL at your vb3 site, and he accesses that URL logged in as the unsuspecting user. Stupid browsers send cookies to your site on an img request.

img isn't the only tag, either; script tags work too, as do CSS (link) tags, and a few others.
  #10  
Old 09 Apr 2009, 05:06
Dismounted
 
Join Date: Jun 2005
Real name: Hanson
That's why vBulletin introduced CSRF protection.
  #11  
Old 09 Apr 2009, 12:17
mykes
 
Join Date: Feb 2005
Originally Posted by Dismounted:
That's why vBulletin introduced CSRF protection.
Indeed. It's a good reason to always keep your vb3 up to date, version-wise (to get these kinds of fixes), though installed hacks and mods that don't have CSRF protection built in are giant security holes.

Two mods I'd love to see, but haven't found here are:

1) Allow trusted users (e.g. by user group) to post HTML in forums. Right now, you can turn on HTML in one or more forums, but globally for all users.
2) Fix the HTML posting so it strips out script tags and other potentially malicious things (img with src=something.php?args - get rid of ?args)
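What mykes describes in #9 and Dismounted answers in #10 is cross-site request forgery: the browser attaches the forum's cookies to any request for the forum, including the GET it makes for an img tag on a hostile page, so a handler that trusts the cookie alone acts as the logged-in user. The fix vBulletin shipped is a per-session token that the site embeds in its own forms and checks on every state-changing request; a hostile page can neither read the victim's cookie nor know the server secret, so it cannot supply the token. The following is an added example, not vBulletin's code: an unprotected handler beside a token-checked one, and a small model of what a browser sends for `<img src=...>`. The parameter name `securitytoken` is reused from vBulletin; the HMAC construction, the function names (`issue_token`, `handle_post_reply`, `browser_fetch_img`, `demo`) and all sample values are this example's own.

```python
"""CSRF token check beside the unprotected handler it replaces (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

# Constructed for the example; a real deployment keeps this in server config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id, secret=SERVER_SECRET):
    """Token the site embeds in its own forms: HMAC(secret, session id).
    A hostile page cannot compute it: it knows neither the secret nor the
    victim's session cookie."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post_reply_unprotected(request):
    """Pre-CSRF-protection pattern: the session cookie alone authorises the action."""
    session_id = request["cookies"].get("sessionid")
    if not session_id:
        return (403, "not logged in")
    return (200, "reply posted as session %s" % session_id)


def handle_post_reply(request, secret=SERVER_SECRET):
    """Hardened handler: the cookie identifies the session, the token proves
    the request came from a page this site rendered for that session."""
    session_id = request["cookies"].get("sessionid")
    if not session_id:
        return (403, "not logged in")
    supplied = request["params"].get("securitytoken", "")
    expected = issue_token(session_id, secret)
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return (403, "missing or invalid security token")
    return (200, "reply posted as session %s" % session_id)


def browser_fetch_img(src, cookie_jar):
    """Model what a browser does for <img src=SRC>: a GET carrying whatever
    cookies it holds for that host, with the query string as the only
    parameters. cookie_jar maps hostname -> {cookie name: value}."""
    u = urlsplit(src)
    return {"method": "GET",
            "cookies": dict(cookie_jar.get(u.netloc, {})),
            "params": dict(parse_qsl(u.query))}


def demo():
    victim_jar = {"forum.example": {"sessionid": "s3ss10n"}}  # constructed
    # A page elsewhere embeds the forum's reply URL in an image tag; the
    # browser fetches it with the victim's forum cookie but no token.
    forged = browser_fetch_img(
        "http://forum.example/newreply.php?t=1&message=spam", victim_jar)
    # The forum's own form carries the token it issued for this session.
    legit = {"method": "POST", "cookies": victim_jar["forum.example"],
             "params": {"t": "1", "message": "hi",
                        "securitytoken": issue_token("s3ss10n")}}
    return {
        "unprotected_forged": handle_post_reply_unprotected(forged)[0],
        "protected_forged": handle_post_reply(forged)[0],
        "protected_legit": handle_post_reply(legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the model. Requiring POST for state changes is not a defence on its own, since a hidden auto-submitting form on the hostile page can POST just as easily as an img tag can GET; the token is what matters, and it has to be checked on every mod and hack that changes state, which is exactly the gap mykes points at in #11. Later browsers added the `SameSite` cookie attribute, which stops the cookie being attached to such cross-site requests at all, but that did not exist when this thread was written and does not remove the need for the token on older clients.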
  #12  
Old 09 Apr 2009, 12:52
Dismounted
 
Join Date: Jun 2005
Real name: Hanson
Originally Posted by mykes:
img with src=something.php?args - get rid of ?args
vBulletin already allows for this, inside vBulletin Options.
  #13  
Old 09 Apr 2009, 19:56
StructuralNet
 
Join Date: Mar 2009
I guess the same would go with this code then? Looks like an

[code block not shown: viewable by licensed members only]


I found that in a PNG file on one of my clients' accounts, along with a .zip file and a full directory of helpdesk software, along with a new database for that program.
  #14  
Old 10 Apr 2009, 04:44
Dismounted
 
Join Date: Jun 2005
Real name: Hanson
Anything that looks like that generally isn't good.
  #15  
Old 10 Apr 2009, 11:42
StructuralNet
 
Join Date: Mar 2009
Originally Posted by Dismounted:
Anything that looks like that generally isn't good.
Yuppp... I found that in a PNG file on two of my clients' sites. Their sites have been running well over a year now with no problem, but as soon as I changed hosts it hit the fan. One of the programs installed a helpdesk on their account and even had access to MySQL.

What does that code do, pretty much the same as above? Access a file in tmp to get unrooted access?

Dumped that host like it's hot.