Someone hacked my VBulletin


Post by hackindave »

What they did was go into my database, change my name and password to a "regular user", and replace the admin slot with theirs. I am sure this is a SQL injection. Does anyone know how this is done? I would like to put a safeguard in place so it doesn't happen again.

Post by ayu »

Well, it depends on what version of vBulletin you have, and if you paid for it there is most likely a patch out already that you can apply.

Post by CommonStray »

What version??

vbulletin exploits

Post by DNR »

vBulletin forumdisplay.php Command Execution Vulnerability
http://www.securiteam.com/unixfocus/5GP0C20EUK.html
Bugtraq: vbulletin Exploit Tool Box
http://seclists.org/bugtraq/2006/Oct/0242.html
vBulletin 3.5.4 (install_path) Exploit
Details:
Dump SQL DB named user then u have access at all md5 users passwords...

It looks like you want to be sure that you have the latest versions. Tech support for vBulletin also says they'll view your code and help fix it.


Post by rhysh »

well, if you're on shared hosting they may have "jumped on to your domain with a shell"

this can be done by finding the /etc/passwd file

they then look for things like this in it

/home/user/public_html/

they then use a shell like c99, or a shell that has an open or change directory function on it, and put in /home/user/public_html/

idk how to explain it but here goes
I like doing this on shared hosting to find sql dumps and config files etc

they will only have read access to your files and directories
also they can only go through files and directories in the public_html
they can't go any higher than public_html
they can't deface anything or upload anything
they can only read
but yeah there you are
I doubt they gained root on the server though cus then they would probably mass deface domains
anyway this is just an alternative to sql injections

Post by CommonStray »

It's likely it happened because of a previous version of vBulletin, a plugin, or by alternative means as rhysh described... as far as I can tell vBulletin's current version (3.6.8?) hasn't been exploited, or the exploit released publicly, so I'm not totally ruling out the possibility that the newest version has been exploited...

There is a localized exploit for the new version that only works in a localized installation, from what I have been able to find.

Post by bad_brain »

Is the site on webspace or on your own server? If it's on webspace, is mod_rewrite available? If you don't know the latter, check it by uploading a phpinfo(); file or ask your host.

If you have your own server and the site runs on Apache, the mod_security module is the thing to get; you can filter requests with it... you could filter the =http:// string for example, which is used for remote file inclusions (RFI); strings used for XSS and MySQL injections can be filtered too.

If you just have webspace you could use mod_rewrite to redirect requests that contain malicious strings; for phpnuke/phpbb sites phpbb_root_path is such a string.

But of course keeping your site up to date and getting the newest patches as soon as possible is inevitable... but this may not be enough when using 3rd party plugins, for example.


Post by rhysh »

well, did they deface it or hack the forum?

if it was the forum, most likely sql inject or domain jumping
perhaps xss for cookie stealing (unlikely)
or they may have upped a shell
look in avatars for things like
avartar44.php.gif
also they may have used rfi and uploaded a shell

read this

http://forums.digitalpoint.com/showthread.php?t=575793
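
An added example, not part of any post in this thread: a Python check a forum owner can run over the avatar/upload directory to flag files like the `avartar44.php.gif` mentioned above, by filename, by image magic bytes, and by a PHP open tag in the body. The extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a PHP-enabled server may execute (assumed list; match it to your handler config).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pht", "phar"}
# Magic bytes for the image types a forum normally accepts as avatars.
IMAGE_MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",),
               "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",)}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def scan_uploads(root):
    """Return {relative_path: [reasons]} for suspicious files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parts = name.lower().split(".")[1:]   # every extension, not just the last
            reasons = []
            if SCRIPT_EXTS.intersection(parts):
                reasons.append("script extension in filename")
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)       # first 1 MiB is plenty for an avatar
            magic = IMAGE_MAGIC.get(parts[-1]) if parts else None
            if magic and not data.startswith(magic):
                reasons.append("content does not match image extension")
            if PHP_TAG.search(data):
                reasons.append("PHP open tag in file body")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Build a constructed avatar directory and scan it."""
    samples = {
        "avatar1.gif": b"GIF89a" + b"\x00" * 32,                      # clean image header
        "avartar44.php.gif": b"GIF89a<?php echo 'constructed'; ?>",   # name from the thread
        "avatar7.png": b"<?php /* constructed */ ?>",                 # script renamed to .png
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_uploads(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Any hit is a reason to take the file offline and check the web server logs for requests to it.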
