Recently, a message was posted on vBulletin.com about the probable exposure of files in the installation folder to exploits.
Since the forum's security requirement was to delete the install/install.php file, and not the entire install/ folder, all forums of the specified versions (in fact, the most recent ones) in which this folder was not deleted are at risk of being hacked. In the end, the exploit was released. And it fell into playful children's hands.
Yesterday, one of my vBulletin forums was hacked. About 16 hours after the hack, a user with administrator rights was found. The user was immediately banned, and I had to answer two questions:
1. What did he manage to do?
2. Who is he and what did he need?
In search of an answer to the first question, I looked at the action logs in the admin panel and (lo and behold, the first alarm bell) found traces:
02:10 plug-in installation (no name)
02:17 plugin removal (id = 1030)
In this 7-minute interval, apparently, some manipulations with the forum were carried out. However, diffing the files and comparing the database (superficially, since there were many changes in 16 hours) did not produce any results. Perhaps the attacker could not do what he came for, or I just did not find anything.
The search for the answer to the second question led me to Algeria and gave me all the information about the "cool hacker", including his real IP, email, accounts on YouTube and Facebook, and the history of his "exploits" (see www.hack-db.com).
The only things I don't have are his home address and phone number. But even if I did, I cannot imagine what action could be taken against him.
The main conclusion: owners of vBulletin forums, delete the entire install folder! Maybe I was lucky (or I do not yet know that I was not lucky), but vbulletin.com is just teeming with posts about hacks with consequences of widely varying severity.
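An audit sketch for the conclusion above, added here as an example and not part of the original post or vBulletin's own tooling: it walks a web root and reports every forum whose install/ directory still exists, including the case where only install.php was deleted. It assumes a forum root can be recognised by includes/config.php; the sample tree and its file names are constructed.

```python
import tempfile
from pathlib import Path

# Assumption: a vBulletin root is recognised by includes/config.php sitting
# next to the install/ directory. Adjust the marker for your layout.
MARKER = Path("includes") / "config.php"


def audit_install_dirs(webroot):
    """Return one finding per forum root whose install/ directory still exists."""
    findings = []
    for install_dir in sorted(Path(webroot).rglob("install")):
        root = install_dir.parent
        if not install_dir.is_dir() or not (root / MARKER).is_file():
            continue
        leftovers = sorted(
            p.relative_to(install_dir).as_posix()
            for p in install_dir.rglob("*") if p.is_file()
        )
        findings.append({
            "root": str(root),
            # The old guidance only asked for this one file to be removed.
            "install_php_removed": "install.php" not in leftovers,
            "leftover_files": leftovers,
        })
    return findings


def build_sample_tree(base):
    """Constructed sample: three forums in different clean-up states."""
    layout = {
        "forum_a": ["includes/config.php", "install/leftover.php"],  # only install.php deleted
        "forum_b": ["includes/config.php", "install/install.php", "install/leftover.php"],
        "forum_c": ["includes/config.php", "index.php"],  # whole folder deleted
    }
    for forum, files in layout.items():
        for rel in files:
            f = Path(base) / forum / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("<?php // placeholder\n")
    return Path(base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item in audit_install_dirs(build_sample_tree(tmp)):
            note = "removed" if item["install_php_removed"] else "still present"
            print(f"{item['root']}: install.php {note}, "
                  f"{len(item['leftover_files'])} file(s) left in install/")
```

A forum that satisfied the old "delete install.php" rule still shows up here as a finding, which is the gap the post describes; only a root with no install/ directory at all produces no finding.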
P.S. I apologize in advance if I wrote something banal or well known. It's just that when I got caught in the wave of exploits, my first desire was to find out what happened, and the second was to tell about it.