Help. About IPB v3.0 Forum Upload [Solved]


Post by bnbn1382 »

Yeah, recently people have hacked my site, and I would want to know how.
They uploaded this PHP virus, but the thing was... it's pretty impossible to locate the location of the files.

Example:
http://forums.u-no.info/index.php?app=c ... ach_id=174
Is actually
http://forums.u-no.info/uploads/monthly ... 122874.jpg


How did they crack it, and what program? How do you find it out? Please help me.

I want to backtrace and find where the PHP is located.

It's IPB 3.0.x

Post by bad_brain »

how did you notice the site was compromised?

do you have access to the site logs? like access.log and error.log?

what exact IPB version is it?

are file uploads possible, like user avatars, or links to offsite avatars?

Post by bnbn1382 »

It was a PHP upload from a reply or thread start, easy.

I just wanted to know how they traced to a specific link, so they can execute the PHP AKA shell I think it is called.

They used Mulcyber or Mulci or something.

IPB 3.0.3

Post by ayu »

Do you know where the PHP-script is located? (Might give us some clue as to what was used to upload it).

You say it was uploaded with a reply, or what? Can you be more specific?
"The best place to hide a tree, is in a forest"

Post by Gogeta70 »

You won't find the php file if it was uploaded by a reply. IPB stores uploaded files in a database.
¯\_(ツ)_/¯ It works on my machine...

Post by bad_brain »

hmmm.....when it's stored in the database: I am not sure if an RFI can be done with a SQL query as target URL... :-k
but if it is possible it points more to a severe MySQL server misconfiguration than to a flaw in the IPB platform itself, because usually the escape sequences added by MySQL make it impossible to use the "script".

but well, as I said in my 1st post: do you have access to the logs? without them it will be very hard (if not impossible) to find out what happened.

Post by bad_brain »

well, yeah....but without the logs it's all just speculation.... :wink:

Post by IceDane »

Mulciber you say? I would really like some more information on this, if possible. I might know who's behind it, if we're talking about the same person (Likely... Lame script kiddies with Google queries for vulnerable forums. Pretty pathetic.)

Post by bnbn1382 »

His name was "Trick AKA say what?" -> TRICK AKA SAYWHAT?

I got my site back, but was just wondering how they did it.

Post by DNR »

L
O
G
S




No logs? I guess this thread is solved then.
:roll:
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
