
Keep Your Eyes Open ... We Were Hacked This Morning!

normuser

Regular Member
Joined
Nov 9, 2010
Messages
22
Location
texas
...
5) The user did not have an IP address nor did they appear in the logs.
...
Assuming it was just vBulletin that was compromised and they never had root, look in /var/log/httpd/access_log and maybe /var/log/messages depending on what all was tried.

With vBulletin compromised its logs were most likely edited, but he still would not be able to change the access_log.
Unfortunately these attacks are usually from zombies, so if you do go through the trouble of finding him he won't even know he was doing it.
In any case he has an IP, and your machine knew it; otherwise he couldn't have done anything.
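The advice above is to go to the web server's access_log, which the attacker could not edit from inside vBulletin, and look for the requests that created the account. The script below is an added example of that review, not something posted in this thread or shipped with vBulletin: it parses Apache "combined" format lines, pulls out requests to the paths an admin-account creation would have to touch, and groups them by client IP, so the "no IP address" problem from the forum's own user table is answered from the web server's side. The log lines are constructed, and the admincp/register.php paths and the list of known administrator IPs are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Apache/httpd "combined" log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Sep/2013:08:41:02 -0500] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Sep/2013:08:42:15 -0500] "POST /forum/register.php?do=addmember HTTP/1.1" 200 512 "-" "python-requests/1.2"
198.51.100.23 - - [12/Sep/2013:08:42:19 -0500] "POST /forum/admincp/user.php?do=update HTTP/1.1" 302 0 "-" "python-requests/1.2"
203.0.113.7 - - [12/Sep/2013:08:43:40 -0500] "GET /forum/admincp/index.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# One regex for the combined format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths an account creation / privilege change must touch (assumed vBulletin layout, for illustration).
SENSITIVE_PREFIXES = ("/forum/admincp/", "/forum/register.php")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def sensitive_hits(entries, known_admin_ips=()):
    """Requests to sensitive paths grouped by client IP, ignoring the real administrators' addresses."""
    hits = defaultdict(list)
    for e in entries:
        if e["path"].startswith(SENSITIVE_PREFIXES) and e["ip"] not in known_admin_ips:
            hits[e["ip"]].append((e["ts"], e["method"], e["path"], e["status"], e["ua"]))
    return dict(hits)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_ACCESS_LOG)
    # Assumed: 203.0.113.7 is the legitimate administrator's address.
    for ip, reqs in sensitive_hits(entries, known_admin_ips={"203.0.113.7"}).items():
        print(ip)
        for ts, method, path, status, ua in reqs:
            print(f"  {ts} {method} {path} -> {status} ({ua})")
```

Run it against the real file with `parse_log(open("/var/log/httpd/access_log").read())`; anything that shows up from an address the administrators never use, in the minutes around the account creation, is where to start, and a non-browser user agent on the admin panel is a strong hint on its own.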
 

Grapeshot

Legendary Warrior
Joined
May 21, 2006
Messages
35,336
Location
Valhalla
The server seems bogged down tonight, too. I don't know if we're under attack, or if John bumped up some settings.
Have had multiple reports of quite slow speed on OCDO including my computer and DoubleTaps too. The other sites that I visit are not so affected, so it isn't just an increase in traffic i.e. holiday and back-to-school.
 

stealthyeliminator

Regular Member
Joined
Dec 29, 2008
Messages
3,100
Location
Texas
Lol. I do not believe that any agent of the government is going to make themselves an administrator account and use the username of H4ck3r and the email address of hack.er. :)

I suspect this was a script kiddie who found a zero-day vBulletin exploit and wanted to show off to his friends that he cracked a vBulletin site. If you google for vBulletin exploits, the YouTube videos and sites are numerous. :(

I do not believe that any information was compromised based upon the fact that, thanks to Grapeshot's quick response, the user was deleted and the server rebooted within minutes of the account being created. The logs showed no further activity by this user. It may have even been a script rather than an individual.

The security consultant I hired is already sweeping the server but so far, it appears that there was no other damage. We have also installed a monitor to let us know of any access to the Admin tool on the forum. The real question is whether or not there is a vBulletin exploit they need to patch. I am waiting on them to respond.


John
Sounds like an inside job to me, nobody's that fast. :) Just kidding. Nice catch. Seriously though, do you just sit on the member list page all day?
 

Grapeshot

Legendary Warrior
Joined
May 21, 2006
Messages
35,336
Location
Valhalla
Sounds like an inside job to me, nobody's that fast. :) Just kidding. Nice catch. Seriously though, do you just sit on the member list page all day?
Doesn't everybody? :cool:

Most of the Bad Guys (spammers) I edit/delete have already been reported by someone else, so my pen isn't the quickest. The integrity of this forum is an effective team effort. You guys do a terrific job!
 

Kromwell

Regular Member
Joined
Jun 30, 2012
Messages
43
Location
Dubuque, Iowa
Help if needed

If you're running a Windows based server, and need any assistance, feel free to let me know. I'm a senior Windows SA (Server Administrator) for a rather large and well known computer giant, and I'm willing to offer my assistance if you need any.
 

Logan 5

Regular Member
Joined
Apr 16, 2012
Messages
677
Location
Utah
See what happens when you push the envelope too far with Starbucks?
Next they're gonna dump half a bottle of No Doz in your caffeine-free espresso.
 

Freedom1Man

Regular Member
Joined
Jan 14, 2012
Messages
4,463
Location
Greater Eastside Washington
Troubling indeed.

Was members' personal information -- e-mails, names, etc. -- compromised?



Rhetorical questions:

Who would have the expertise to break John's password? And, have no IP address? And, not leave traces in the logs?

Why would someone do it?

Who would finance them?
A pro hacker will hack a backdoor in such a way that he/she accesses security logs first. Depending on the NOS/OS + FS used there is often a way to gain access to the password file. In the case of a double service then the top level will get hacked first, generally by creating an account with the main host.

Most modern password files use what's called one-way encryption. So once you have that file you set up a brute force cracking program that keeps running "the numbers" until a password pops. There are some NOSs that can tell the difference between a complex character and a keyboard character even though to the naked eye in text they look the same. Example would be ---> ( <---- ↕that one is a complex character while ----> ( <---- this one was a simple character.

Make sure you have a one-way encrypted password file that recognizes complex characters as being different from simple characters ╩█£δ☻
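The post above describes a one-way password file, offline brute forcing of it, and passwords whose characters look alike but are not the same. As an added example (not from this thread or from vBulletin), the code below shows the defensive side of all three: a salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library), constant-time verification, and a check that two visually similar characters such as ASCII "(" and the fullwidth "（" (U+FF08) really do hash differently. The iteration count, the fixed salt used for the comparison, and the NFC normalization step are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # assumed work factor; it is what makes "running the numbers" slow


def hash_password(password, salt=None):
    """Salted one-way hash. Returns (salt, digest); the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    # NFC keeps distinct code points distinct (it does NOT fold "（" into "("), so
    # look-alike characters stay different passwords while canonically-equal input matches.
    pw_bytes = unicodedata.normalize("NFC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_hash(a, b, salt=b"constructed-fixed-salt"):
    """True only if two strings hash identically under the same salt (constructed salt for the demo)."""
    return hash_password(a, salt)[1] == hash_password(b, salt)[1]


if __name__ == "__main__":
    salt, digest = hash_password("correct horse (battery)")
    print("stored:", salt.hex(), digest.hex())
    print("right password verifies:", verify_password("correct horse (battery)", salt, digest))
    print("fullwidth parens verify:", verify_password("correct horse （battery）", salt, digest))
    print("'(' and '（' hash the same:", same_hash("(", "\uff08"))
```

The point for a forum operator is that a stolen hash file only helps an attacker to the extent that each guess is cheap; a per-user salt plus a high iteration count turns "keeps running the numbers until a password pops" into a job measured in years for a strong password.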
 

Adam Cook

Regular Member
Joined
Apr 10, 2013
Messages
38
Location
Connecticut, USA
This morning, a new user managed to somehow make themselves an administrator. Thanks to Grapeshot who called me immediately after it happened, I was able to delete the user before (hopefully) he was able to do anything. But I would like for you to keep your eyes open.

I have opened a support ticket with vBulletin about the incident which is troubling for several reasons.

1) We always stay up to date on the latest vBulletin updates.
2) We always stay up to date on the latest server updates.
3) I am the only administrator so theoretically, I am the only one who could add another administrator.
4) My password was long, complex, and used nowhere else on the internet. (It has since been changed to something even more complex)
5) The user did not have an IP address nor did they appear in the logs.

I will let you know what I find out from vBulletin. I am also going to hire a security consultant to review the server as well.

So ... If you see ANYTHING that looks strange. Let me know. I think we dodged a bullet on this one (pun intended) but only by the grace of God and the vigilance of Grapeshot.

Thanks!

PS. By strange I mean more than just spam. If Mike or I start proclaiming our undying love for Janet Reno then that would be a clue as well. :)


John
http://thehackerspost.com/2013/09/vbulletin-4-1-x-5-x-x-0day-exploit-released-1337-hacker.html
 