
Thread: Sorry about that

  1. #76
    Join Date: Sep 2010
    Posts: 11,530
    Quote Quoting Irish
    Just out of curiosity, why are there a bunch of trash accounts with admin privileges?

    - qaz001
    - rizky
    - Th3H4ck
    ^ It's this.

    See:

    Imperva said the compromised sites appear to have been hacked by one of two sets of exploit tools that have been released publicly online. The first was apparently used in a mass Website defacement campaign. A Google search for forums with the rather conspicuously-named administrator account added in that attack (“Th3H4ck”) shows that many of the hacked sites also are hosting malware. Among the sites apparently compromised is a support forum for the National Runaway Safeline and a site selling vBulletin add-ons.
    http://krebsonsecurity.com/2013/10/t...bulletin-hole/

    You got caught in a zero day exploit. Most likely because you left /install or /core/install scripts running on the live web server. Because this is a default install & completely unmodified, this site easily shows up in Google searches as a target.

    The only thing you can do now is assume your entire system is compromised (this includes the blog at artboiled.com). Check your log files. See if any new files were added in public facing directories. Check to see if any of vBulletin's .php files were modified in the last month; it's likely that code was appended to a public facing file that is part of the system.

    Roll back the database to a point before November 13th [scratch that -- make it October 13th, before this exploit became known]. Wipe everything. Reinstall the server from the ground up. Notify your webhost. Make sure you're only using SSH to access the server, and that account does not have root access. Move SSH so it runs off a different port than 22. Turn on FTP only when you need it. Shut off everything else.

    Once vBulletin is back up and running, modify all the templates & remove any mention in the HTML output of Jelsoft, vBulletin, and software version numbers.

    If you skip any of these steps, you will be dealing with this problem for a long time to come. It won't go away on its own. (You will also eventually get flagged by Google as a malware infected site; this includes your blog, Ary).

    Users should assume bad people have all their private data. They should change their passwords and email addresses, especially if they use the same address, or password/address combo, anywhere else.

    Edit: The shorter solution is to say fuck it, grab a copy of the database from a local store you trust & move this entire site (including artboiled.com) to a different webhost & server entirely, update vBulletin & change the URL in the process.
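The file-system checks in the post above (new files in public directories, PHP files modified since the exploit became known, code appended to legitimate files) can be scripted. The block below is an added example, not code from the thread or from vBulletin. It assumes you still have a pristine unpack of the same vBulletin release to compare the live web root against; the paths, file contents and the list of webshell markers are constructed for the demo, and a marker hit means "inspect this file", not proof of compromise.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Markers typical of code appended to legitimate PHP files by mass-defacement
# and backdoor kits (constructed list; a hit is a reason to inspect, not proof).
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)",
    re.IGNORECASE,
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each file under root (as a /-separated relative path) to (sha256, mtime)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (sha256_of(full), os.path.getmtime(full))
    return out


def triage(webroot, pristine, since):
    """Compare the live web root against a pristine unpack of the same release.

    Returns sorted lists: files added to the web root, files whose content
    differs from the pristine copy, pristine files that are missing, files
    touched after `since`, and files matching the webshell markers.
    """
    live, clean = manifest(webroot), manifest(pristine)
    cutoff = since.timestamp()
    result = {
        "added": [p for p in live if p not in clean],
        "modified": [p for p in live if p in clean and live[p][0] != clean[p][0]],
        "missing": [p for p in clean if p not in live],
        "recent": [p for p, (_, mtime) in live.items() if mtime > cutoff],
        "suspicious": [],
    }
    for rel in live:
        with open(os.path.join(webroot, rel), "rb") as f:
            if SUSPICIOUS.search(f.read()):
                result["suspicious"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def demo():
    """Run triage on a constructed sample tree (not real vBulletin files)."""
    old = datetime(2013, 8, 1, tzinfo=timezone.utc).timestamp()
    since = datetime(2013, 10, 13, tzinfo=timezone.utc)  # the cutoff date used in the post
    files = {
        "index.php": b"<?php // front controller ?>\n",
        "includes/functions.php": b"<?php function fetch_user($id) { return $id; } ?>\n",
        "admincp/index.php": b"<?php // admin control panel ?>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "pristine"), os.path.join(tmp, "webroot")
        for root in (clean, live):
            for rel, body in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(body)
                os.utime(path, (old, old))  # pretend it was installed long ago
        # What the thread describes: code appended to a legitimate file, plus a
        # dropped one-line shell in a directory the web server can write to.
        with open(os.path.join(live, "includes/functions.php"), "ab") as f:
            f.write(b"\n<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
        dropped = os.path.join(live, "images/misc/x.php")
        os.makedirs(os.path.dirname(dropped))
        with open(dropped, "wb") as f:
            f.write(b"<?php @eval($_POST['c']); ?>\n")
        return triage(live, clean, since)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Run it against the real web root with `triage("/var/www/forum", "/tmp/vbulletin-clean", since)`; the "added" and "modified" lists are the files to read, and anything in "missing" is a file the attacker removed (often a rotated log or a renamed install script). Mtimes are only a hint, since a dropped file can have its timestamp reset; the content comparison against the pristine copy is what you should trust.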

  2. #77
    number8 (Piss off, ghost!)
    Join Date: Nov 2007
    Location: Brooklyn
    Posts: 30,529
    I didn't. I deleted the install folder right after installing vb, and I checked the admin accounts when you posted that first post.

    There was exploit code written into the php files. That's why I've been rewriting every vb file with a fresh copy from the installer, and deleted files that weren't supposed to be there.
    Quote Quoting Donald Glover
    I was actually just reading about Matt Damon and he’s like, ‘There’s a culture of outrage.’ I’m like, ‘Well, they have a reason to be outraged.’ I think it’s a lot of dudes just being scared. They’re like, ‘What if I did something and I didn’t realize it?’ I’m like, ‘Deal with it.’
    Movie Theater Diary

  3. #78
    Join Date: Sep 2010
    Posts: 11,530
    Those accounts existed for at least a week before I drew attention to them, and when I did that was a full month after this exploit became known. That's plenty of time for the bad guys to do what they need to do.

    You need to assume your entire system is compromised, because usually these guys will try and get shell access as soon as they can. If what Raiders reported is at all accurate, your problem extends way beyond vBulletin.

    Edit: Do you still have a copy of that injected code? Any ideas what they were trying to do?

    Edit2: From what I've read, this exploit goes back as far as late August, early September. There's a chance they modified a table in the database. I'd poke around & see if there's anything funny (like a lone table with a single stored procedure in it) & check your MySQL logs.

  4. #79
    number8 (Piss off, ghost!)
    Join Date: Nov 2007
    Location: Brooklyn
    Posts: 30,529
    Yea, I'm doing that now.

    Aha, found something I didn't before: they installed some startup plugins that insert the code that gives backdoor access to the root folder. Yikes.
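The database side of the cleanup, the rogue admin accounts from post #76 and the "startup plugins" found in the post above, comes down to two queries. The block below is an added example and not from the thread or from vBulletin. The column names (`user.userid`, `username`, `email`, `joindate`, `usergroupid`, `membergroupids`; `plugin.pluginid`, `hookname`, `title`, `phpcode`, `active`), the Administrators group id of 6 and the `init_startup` / `global_start` hook names are the stock vBulletin 3.x/4.x schema as the editor understands it; confirm them against your own install. For an offline demo the queries run against an in-memory SQLite copy of the two tables with constructed rows; on the real server the same SQL goes to MySQL.

```python
import re
import sqlite3
from datetime import datetime, timezone

ADMIN_GROUP = 6  # usergroupid of "Administrators" in a stock vBulletin install (assumption)
STARTUP_HOOKS = {"init_startup", "global_start"}  # run on every page load, before any output

# Plugin bodies that decode-and-eval, or hand request parameters to eval/system,
# are the usual shape of a "startup plugin" backdoor; legitimate plugins rarely do either.
BACKDOOR = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)",
    re.IGNORECASE,
)


def rogue_admins(conn, known_admins, since):
    """Admin accounts (primary or additional group) that the owner does not
    recognise, or that were created after `since`. Group membership is
    resolved in Python so the SELECT is identical on MySQL and SQLite."""
    rows = conn.execute(
        "SELECT userid, username, email, joindate, usergroupid, membergroupids "
        "FROM user ORDER BY userid"
    ).fetchall()
    cutoff = since.timestamp()
    flagged = []
    for userid, username, email, joindate, gid, extra in rows:
        extra_groups = {g.strip() for g in (extra or "").split(",") if g.strip()}
        is_admin = gid == ADMIN_GROUP or str(ADMIN_GROUP) in extra_groups
        if is_admin and (username not in known_admins or joindate > cutoff):
            joined = datetime.fromtimestamp(joindate, timezone.utc).date().isoformat()
            flagged.append((userid, username, email, joined))
    return flagged


def suspect_plugins(conn):
    """Plugins whose PHP matches the backdoor markers, plus every active plugin
    on an early hook, which is where a persistence plugin would be placed."""
    rows = conn.execute(
        "SELECT pluginid, hookname, title, phpcode, active FROM plugin ORDER BY pluginid"
    ).fetchall()
    return {
        "backdoor": [(pid, hook, title) for pid, hook, title, code, _ in rows
                     if BACKDOOR.search(code or "")],
        "startup": [(pid, hook, title) for pid, hook, title, _, active in rows
                    if active and hook in STARTUP_HOOKS],
    }


def demo():
    """Constructed rows in an in-memory SQLite copy of the two tables."""
    def ts(y, m, d):
        return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (userid INTEGER, username TEXT, email TEXT, joindate INTEGER,
                           usergroupid INTEGER, membergroupids TEXT);
        CREATE TABLE plugin (pluginid INTEGER, hookname TEXT, title TEXT,
                             phpcode TEXT, active INTEGER);
    """)
    conn.executemany("INSERT INTO user VALUES (?,?,?,?,?,?)", [
        (1, "number8", "owner@example.invalid", ts(2007, 11, 1), ADMIN_GROUP, ""),
        (2, "Irish", "irish@example.invalid", ts(2008, 3, 9), 2, ""),
        (3, "qaz001", "a@example.invalid", ts(2013, 10, 20), ADMIN_GROUP, ""),
        (4, "Th3H4ck", "b@example.invalid", ts(2013, 10, 21), 2, "6"),  # admin via extra group
    ])
    conn.executemany("INSERT INTO plugin VALUES (?,?,?,?,?)", [
        (1, "global_start", "Hit counter", "$vbulletin->hits++;", 1),
        (2, "init_startup", "Cache warmup", "eval(base64_decode('ZWNobyAxOw=='));", 1),
        (3, "postbit_display_complete", "Stats", "@system($_GET['cmd']);", 0),
    ])
    admins = rogue_admins(conn, known_admins={"number8"},
                          since=datetime(2013, 10, 13, tzinfo=timezone.utc))
    return admins, suspect_plugins(conn)


if __name__ == "__main__":
    admins, plugins = demo()
    print("rogue admins:", admins)
    print("plugins:", plugins)
```

Note that an account can be an administrator through `membergroupids` while its primary `usergroupid` looks harmless, so checking only the primary group misses it. The "startup" list is deliberately broad: a disabled plugin (`active = 0`) with eval in it still belongs in the report, because the attacker only needs to flip the flag, or re-add the row through a second backdoor, to get it back.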

  5. #80
    number8 (Piss off, ghost!)
    Join Date: Nov 2007
    Location: Brooklyn
    Posts: 30,529
    Never run your own website, kids.

  6. #81
    Skitch (collecting tapes)
    Join Date: Jan 2008
    Location: Neo-Ohio
    Posts: 16,583
    Quote Quoting number8
    Never run your own website, kids.
    And murder any person you meet who claims to be a hacker.
