grock5 Posted September 30, 2013
Is it just me, or is the Bomber store website down/hacked?

lowrider Posted September 30, 2013
Some Indonesian hacker claims to have shut it down. Black background red lettering? Is that the same one you encountered?

piusthedrcarve Posted September 30, 2013
> Some Indonesian hacker claims to have shut it down. Black background red lettering? Is that the same one you encountered?
This?

Jack M Posted September 30, 2013
Yep. I've emailed Fin and Michelle, I'm sure they will fix it as soon as the sun rises in Colorado. A quick google suggests the hackers politely just rename your index.php to index2.php.

fin Posted September 30, 2013
Fixed! Yea, weird, all they did was change the index file. Left the original there. Back in business but need to find out how to make it more secure.

TLN Posted September 30, 2013
I've seen a previous version of a deface. Here's both of them. Looks like some vulnerability in a forum, or something else. Noticed this at 2pm @GMT+6 and this @4pm @GMT+6

BlueB Posted September 30, 2013
It's D-sub! :D

Michelle Posted September 30, 2013
I also had a message posted on our FB page - working to get everything more secure. Who would want to hack us? We're so nice..... LOL

Jack M Posted October 1, 2013
> I've seen a previous version of a deface. Here's both of them. Looks like some vulnerability in a forum, or something else.
The forum and the rest of the site were fine, it was just the main index page.

jacopodotti Posted October 1, 2013
> Back in business but need to find out how to make it more secure.
It depends how the website was made.

fin Posted October 1, 2013
Made with sugar and spice. Then bring to a boil..... :p

jacopodotti Posted October 1, 2013
:) I mean using which platform.

Jack M Posted October 4, 2013
Jacopodotti, if you would actually like to help, I suggest you contact Bomber directly.

www.oldsnowboards.com Posted October 6, 2013
Hacked index page again tonight. 2:20am Sunday

philw Posted October 6, 2013
Well of course unless you actually close the hole, it's obviously still there. Whoever runs the systems needs to get onto that. I'm not a php expert but it'll be something pretty obvious or you'd not have been broken by people who are polite enough to let you know. File permissions or easy passwords, or old versions of php or packages on it would be likely targets. You could alternatively chase down the people who did it, as no doubt there's lots of other victims and some of them will tell you what was done. I'd test it for you from here, but I don't want your police knocking on my door.

tex1230 Posted October 7, 2013
I blame the government shutdown.

loopback Posted October 7, 2013
The forum runs on vBulletin 4.1.10. There were known vulnerabilities in vBulletin 4.1.10 and 4.1.x and recently 4.2
https://www.google.ca/search?q=vbulletin+4.1.10+exploit
The current version is vBulletin 5 with 4.2 still officially supported.
The major mistake appears to be not deleting the /install directory after installing or upgrading.
http://www.vbulletin.org/forum/showthread.php?t=301904
This has happened to thousands of sites and was being done by a "bot". It is now being done by multiple "bots" which is why you are seeing a different splash screen as the already "hacked" BoL site gets hacked by another bot.
The danger is that it may appear to be only changing the index page but could be adding hidden root/admin level accounts or leaving other backdoors.
You may see some activity here: Admin CP -> Statistics & Logs
As "philw" mentioned......I'd be happy to poke at it too but travel regularly to the US on biz and cannot afford to risk possible legal issues.
It's not Bomber specific or targeted and does not appear to be malicious.....yet
My 2 cents.....
//Paul

pokkis Posted October 7, 2013
By clicking on forum pages Forum link you will get error messages, at least I get.

Michelle Posted October 7, 2013
> You may see some activity here: Admin CP -> Statistics & Logs
> As "philw" mentioned......I'd be happy to poke at it too but travel regularly to the US on biz and cannot afford to risk possible legal issues.
> It's not Bomber specific or targeted and does not appear to be malicious.....yet
> My 2 cents.....
> //Paul
Hi Paul
I'm desperate for help. What am I looking for in the Stats & Logs?

b.free Posted October 7, 2013
Yep, me too!

loopback Posted October 7, 2013
Hi Michelle,
Check if there are any new accounts that have administrator privileges and have been recently added. If they have control of the server they can create accounts without you getting an email notifying you.
In the stats and logs you would be looking for entries similar to this:
    15389 N/A 04:08, 19th Sep 2013 admincalendar.php modify 36.74.252.52
    15388 N/A 04:08, 19th Sep 2013 admincalendar.php update 36.74.252.52
    15387 N/A 04:07, 19th Sep 2013 admincalendar.php add 36.74.252.52
    15386 N/A 04:07, 19th Sep 2013 admincalendar.php modify 36.74.252.52
    15385 N/A 04:07, 19th Sep 2013 plugin.php doimport 36.74.252.52
    15384 N/A 04:07, 19th Sep 2013 plugin.php files 36.74.252.52
    15383 N/A 03:18, 19th Sep 2013 plugin.php 65.49.14.143
    15382 N/A 03:18, 19th Sep 2013 plugin.php doimport 65.49.14.143
    15381 N/A 03:18, 19th Sep 2013 plugin.php files 65.49.14.143
    15392 N/A 04:08, 19th Sep 2013 faq.php insert 36.74.252.52
    15391 N/A 04:08, 19th Sep 2013 faq.php add 36.74.252.52
    15390 N/A 04:08, 19th Sep 2013 admincalendar.php edit calendar id = 2
This log file snippet is showing that the hacker is adding/modifying php plugins. What they are basically doing is adding backdoors to the system so they can reinfect it. Look for entries that contain "modify/add/insert/doimport".
In the picture below, the user "polter" is the new admin account created by the hacker. You can see that he has used this account to modify the "template.php" file to include his backdoor
http://i.imgur.com/pJRBdfi.png
The admin CP has a tool to detect if any of the system files have been modified:
    AdminCP > Maintenance > Diagnostics > Suspect File Versions - click submit
In a nutshell
- change your admin passwords
- look for any new admin users
- look in logs for any mods to templates or master style sheets
- look for any new plugins or plugins that you do not recognize. If I remember correctly, vbulletin by default has no plugins installed
- the /install folder MUST be deleted. In previous versions it was only required to delete the install.php file after installing or upgrading. This is what got them in originally.
- if your provider uses a shared vbulletin install among multiple clients then ensure that you are not getting hacked via another customer's vbulletin installation.
Hope this helps!
//Paul

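The log check described in the post above, as an added example that is not part of the original post and is not vBulletin code: it parses the control panel log lines quoted there and groups the entries whose action is one of modify/add/insert/doimport by source IP. The field layout (id, user, time, date, script, action, IP) is inferred from those lines and is an assumption, and the names `parse_line` and `suspicious_by_ip` are hypothetical.

```python
import re

# Control panel log lines copied from the post above (Admin CP -> Statistics & Logs).
SAMPLE_LOG = """\
15389 N/A 04:08, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15388 N/A 04:08, 19th Sep 2013 admincalendar.php update 36.74.252.52
15387 N/A 04:07, 19th Sep 2013 admincalendar.php add 36.74.252.52
15386 N/A 04:07, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15385 N/A 04:07, 19th Sep 2013 plugin.php doimport 36.74.252.52
15384 N/A 04:07, 19th Sep 2013 plugin.php files 36.74.252.52
15383 N/A 03:18, 19th Sep 2013 plugin.php 65.49.14.143
15382 N/A 03:18, 19th Sep 2013 plugin.php doimport 65.49.14.143
15381 N/A 03:18, 19th Sep 2013 plugin.php files 65.49.14.143
15392 N/A 04:08, 19th Sep 2013 faq.php insert 36.74.252.52
15391 N/A 04:08, 19th Sep 2013 faq.php add 36.74.252.52
15390 N/A 04:08, 19th Sep 2013 admincalendar.php edit calendar id = 2
"""

SUSPECT_ACTIONS = {"modify", "add", "insert", "doimport"}  # from the post
# Assumed layout: id, user, "HH:MM,", date, script, then optional action and IP.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+(?P<time>\d{2}:\d{2}),\s+"
    r"(?P<date>\d{1,2}\w{2} \w{3} \d{4})\s+(?P<script>\S+\.php)\s*(?P<rest>.*)$")
IP_RE = re.compile(r"\s*(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_line(line):
    """Split one log line into fields; the action or the IP may be missing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest")
    ip = IP_RE.search(rest)  # a trailing dotted quad, if the line has one
    entry["ip"] = ip.group(1) if ip else None
    words = (rest[:ip.start()] if ip else rest).split()
    entry["action"] = words[0] if words else ""
    return entry

def suspicious_by_ip(log_text):
    """Group entries with a suspect action by source IP, lowest log id first."""
    hits = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["action"] in SUSPECT_ACTIONS:
            hits.setdefault(e["ip"] or "unknown", []).append((int(e["id"]), e["script"], e["action"]))
    return {ip: sorted(events) for ip, events in hits.items()}

if __name__ == "__main__":
    for ip, events in suspicious_by_ip(SAMPLE_LOG).items():
        print(ip, [f"#{i} {s} {a}" for i, s, a in events])
```
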
www.oldsnowboards.com Posted October 7, 2013
Nice summary Loopback. Time for upgrade sounds like?
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
Edited October 7, 2013 by www.oldsnowboards.com

Neil Gendzwill Posted October 7, 2013
We upgraded to 5 over at a forum I moderate on and still having many teething issues. I wasn't involved with the upgrade, but it sure seems like it's a struggle.

Bobby Buggs Posted October 7, 2013
VB 5 is awful

fin Posted October 8, 2013
Hey guys, good feedback and yes, we are thinking we need to go to VB5 to at least fix the security issues we currently seem to have. But then I hear the stories of issues with going to VB5. Can you guys give more details on the issues and problems we might expect?