Bomber website down?


grock5

Well of course unless you actually close the hole, it's obviously still there. Whoever runs the systems needs to get onto that. I'm not a PHP expert but it'll be something pretty obvious or you'd not have been broken by people who are polite enough to let you know. File permissions or easy passwords, or old versions of PHP or packages on it would be likely targets. You could alternatively chase down the people who did it, as no doubt there are lots of other victims and some of them will tell you what was done.

I'd test it for you from here, but I don't want your police knocking on my door.

The forum runs on vBulletin 4.1.10.

There were known vulnerabilities in vBulletin 4.1.10 and 4.1.x and recently 4.2:

https://www.google.ca/search?q=vbulletin+4.1.10+exploit

The current version is vBulletin 5 with 4.2 still officially supported.

The major mistake appears to be not deleting the /install directory after installing or upgrading.

http://www.vbulletin.org/forum/showthread.php?t=301904

This has happened to thousands of sites and was being done by a "bot". It is now being done by multiple "bots" which is why you are seeing a different splash screen as the already "hacked" BoL site gets hacked by another bot. The danger is that it may appear to be only changing the index page but could be adding hidden root/admin level accounts or leaving other backdoors.

You may see some activity here:

Admin CP -> Statistics & Logs

As "philw" mentioned... I'd be happy to poke at it too but travel regularly to the US on biz and cannot afford to risk possible legal issues :nono:.

It's not Bomber specific or targeted and does not appear to be malicious... yet.

My 2 cents.....

//Paul

Hi Paul

I'm desperate for help. What am I looking for in the Stats & Logs?

Hi Michelle,

Check if there are any new accounts that have administrator privileges and have been recently added; if they have control of the server they can create accounts without you getting an email notifying you.

In the stats and logs you would be looking for entries similar to this:

15389 N/A 04:08, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15388 N/A 04:08, 19th Sep 2013 admincalendar.php update 36.74.252.52
15387 N/A 04:07, 19th Sep 2013 admincalendar.php add 36.74.252.52
15386 N/A 04:07, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15385 N/A 04:07, 19th Sep 2013 plugin.php doimport 36.74.252.52
15384 N/A 04:07, 19th Sep 2013 plugin.php files 36.74.252.52
15383 N/A 03:18, 19th Sep 2013 plugin.php 65.49.14.143
15382 N/A 03:18, 19th Sep 2013 plugin.php doimport 65.49.14.143
15381 N/A 03:18, 19th Sep 2013 plugin.php files 65.49.14.143
15392 N/A 04:08, 19th Sep 2013 faq.php insert 36.74.252.52
15391 N/A 04:08, 19th Sep 2013 faq.php add 36.74.252.52
15390 N/A 04:08, 19th Sep 2013 admincalendar.php edit calendar id = 2

This log file snippet is showing that the hacker is adding/modifying PHP plugins. What they are basically doing is adding backdoors to the system so they can reinfect it.

Look for entries that contain "modify/add/insert/doimport".

In the picture below, the user "polter" is the new admin account created by the hacker. You can see that he has used this account to modify the "template.php" file to include his backdoor.

http://i.imgur.com/pJRBdfi.png

The admin CP has a tool to detect if any of the system files have been modified:

AdminCP > Maintenance > Diagnostics > Suspect File Versions, then click Submit.

In a nutshell:

-change your admin passwords

-look for any new admin users

-look in logs for any mods to templates or master style sheets

-look for any new plugins or plugins that you do not recognize. If I remember correctly, vBulletin by default has no plugins installed

-the /install folder MUST be deleted. In previous versions it was only required to delete the install.php file after installing or upgrading. This is what got them in originally.

-if your provider uses a shared vBulletin install among multiple clients then ensure that you are not getting hacked via another customer's vBulletin installation.

Hope this helps!

//Paul
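The log triage Paul describes above (scan the Admin CP log for "modify/add/insert/doimport" entries and for plugin/template edits, then group the hits by source address) can be done mechanically once the log is exported. The following is an added example, not Paul's code and not part of vBulletin; it assumes the field layout shown in his snippet (entry id, username, time, script, optional action, optional IPv4 address) and uses the lines from his post as constructed sample input. Treating plugin.php and template.php as high-risk scripts is taken from his description of the attacker adding plugin and template backdoors.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Actions Paul says to look for in the Admin CP log.
SUSPICIOUS_ACTIONS = {"modify", "add", "insert", "doimport"}
# Scripts the post associates with backdoor installation (assumption based on the post).
HIGH_RISK_SCRIPTS = {"plugin.php", "template.php"}

# Assumed layout: "<id> <user> <HH:MM, 19th Sep 2013> <script.php> [action words] [ip]"
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+"
    r"(?P<time>\d{2}:\d{2}, \d{1,2}(?:st|nd|rd|th) \w+ \d{4})\s+"
    r"(?P<script>\S+\.php)\s*(?P<rest>.*)$"
)
IP_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


@dataclass
class LogEntry:
    entry_id: int
    user: str
    time: str
    script: str
    action: str          # free text between the script and the IP, may be empty
    ip: Optional[str]    # None when the line carries no address


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one exported log line; returns None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    ip = None
    ip_match = IP_RE.search(rest)
    if ip_match:
        ip = ip_match["ip"]
        rest = rest[:ip_match.start()].strip()
    return LogEntry(int(m["id"]), m["user"], m["time"], m["script"], rest, ip)


def is_suspicious(entry: LogEntry) -> bool:
    """Flag entries whose action is in the watch list or whose script is high-risk."""
    first_word = entry.action.split()[0] if entry.action else ""
    return first_word in SUSPICIOUS_ACTIONS or entry.script in HIGH_RISK_SCRIPTS


def triage(lines: List[str]) -> Tuple[List[LogEntry], List[LogEntry], Dict[str, List[LogEntry]]]:
    """Return (all parsed entries, flagged entries, flagged entries grouped by IP)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    flagged = [e for e in entries if is_suspicious(e)]
    by_ip: Dict[str, List[LogEntry]] = defaultdict(list)
    for e in flagged:
        by_ip[e.ip or "unknown"].append(e)
    return entries, flagged, dict(by_ip)


def summarize_by_ip(lines: List[str]) -> List[Tuple[str, int]]:
    """Source addresses ordered by number of flagged actions, most active first."""
    _, _, by_ip = triage(lines)
    return sorted(((ip, len(es)) for ip, es in by_ip.items()), key=lambda t: (-t[1], t[0]))


# Constructed sample input: the lines quoted in the post above.
SAMPLE_LOG = [
    "15389 N/A 04:08, 19th Sep 2013 admincalendar.php modify 36.74.252.52",
    "15388 N/A 04:08, 19th Sep 2013 admincalendar.php update 36.74.252.52",
    "15387 N/A 04:07, 19th Sep 2013 admincalendar.php add 36.74.252.52",
    "15386 N/A 04:07, 19th Sep 2013 admincalendar.php modify 36.74.252.52",
    "15385 N/A 04:07, 19th Sep 2013 plugin.php doimport 36.74.252.52",
    "15384 N/A 04:07, 19th Sep 2013 plugin.php files 36.74.252.52",
    "15383 N/A 03:18, 19th Sep 2013 plugin.php 65.49.14.143",
    "15382 N/A 03:18, 19th Sep 2013 plugin.php doimport 65.49.14.143",
    "15381 N/A 03:18, 19th Sep 2013 plugin.php files 65.49.14.143",
    "15392 N/A 04:08, 19th Sep 2013 faq.php insert 36.74.252.52",
    "15391 N/A 04:08, 19th Sep 2013 faq.php add 36.74.252.52",
    "15390 N/A 04:08, 19th Sep 2013 admincalendar.php edit calendar id = 2",
]

if __name__ == "__main__":
    all_entries, hits, grouped = triage(SAMPLE_LOG)
    print(f"{len(hits)} of {len(all_entries)} entries flagged")
    for ip, count in summarize_by_ip(SAMPLE_LOG):
        print(f"  {ip}: {count} flagged action(s)")
    for e in hits:
        print(f"    {e.entry_id} {e.script} {e.action or '(no action)'} from {e.ip or 'unknown'}")
```

Run against the sample, it flags ten of the twelve lines (the "update" and "edit calendar" entries are not in the watch list) and attributes seven to 36.74.252.52 and three to 65.49.14.143, which is the two-bot picture Paul describes. The grouping by address is what makes a "modify" by an unfamiliar IP stand out from routine admin activity; anything flagged should be cross-checked against the Suspect File Versions diagnostic and the admin user list.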

Hey guys, good feedback and yes, we are thinking we need to go to VB5 to at least fix the security issues we currently seem to have.

But then I hear the stories of issues with going to VB5. Can you guys give more details on the issues and problems we might expect?
