18-09-2013, 12:04 PM
Summary
Administrator access was gained through a documented vulnerability in the vBulletin-Facebook/Ajax connect facility. vBulletin had issued a patch but it hadn't been applied. The site is now running on the latest stable release of v4.2 incorporating all security patches applied to date.
What they did
Privileged access facilitated the creation of 3 new administrator accounts - each using a different IP address. Following a clearly fraudulent application for legitimate membership, one of these accounts was quickly spotted and deleted because of its odd name. The other two were named respectively 'Admin' and 'Administrator' and were active long enough to run at least 2 rogue php scripts. Among other things, the result was the installation of a powerful php pseudo-shell with the same file system privileges as the dedicated Apache web-server user. This enabled the hackers to delete the previous day's backup, but fortunately not before a copy had been saved off-site (the one eventually used to restore the site). They also uploaded their 'trophy' page which confirmed the hack to those who make it their business to monitor the web for such things - for both good and bad reasons.
Also uploaded was a doctored and slightly-renamed vB php script and a whole raft of legitimately named - but illegitimate in content - .gz files replacing the regular ones. It is not clear what the precise capabilities of all these files and scripts are (yet), but it's safe to say they are extensive - let your imagination loose on the possibilities.
In any event, the hack became obvious fairly quickly and a global htaccess block was put on the site immediately.
Extensive checking of the latest possible backup database was carried out; it was eventually restored to a newly-created and differently named database with different credentials; the old vBulletin system was deleted in its entirety and a brand new u-t-d one installed.
All this means that there are bound to be glitches in previously taken-for-granted facilities (for example the Facebook connect facility is currently disabled and may remain so as a matter of policy).
Please advise of anything that appears odd or different from what you are used to.
Whilst there can be no guarantees in such matters - other than the inevitability of further hacking attempts - the site seems to be OK again and lessons have been learned.
Peter Presland
".....there is something far worse than Nazism, and that is the hubris of the Anglo-American fraternities, whose routine is to incite indigenous monsters to war, and steer the pandemonium to further their imperial aims"
Guido Preparata. Preface to 'Conjuring Hitler'
"Never believe anything until it has been officially denied"
Claud Cockburn
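The file tampering described in the post above (a renamed and doctored vB php script, legitimately named .gz files replaced with other content, a deleted backup) is exactly the drift a file-integrity baseline catches. As an added example, not code from the original post or from vBulletin, here is a Python script that builds a SHA-256 manifest of a web root, diffs it against the current tree, and scans any new or changed PHP files for common pseudo-shell patterns. The directory layout, file names and attacker edits inside `demo()` are constructed stand-ins, not the site's real files, and the indicator list is illustrative rather than exhaustive.

```python
import hashlib
import os
import re
import tempfile

# Patterns that commonly appear in PHP pseudo-shells (illustrative list).
# A hit means "inspect this file", not proof of compromise.
SHELL_INDICATORS = [
    ("eval-decoder", re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)),
    ("exec-from-request", re.compile(
        rb"\b(system|passthru|shell_exec|popen|proc_open|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("dynamic-call-from-request", re.compile(rb"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(", re.I)),
    ("assert-from-request", re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def scan_for_shell_indicators(path):
    """Names of SHELL_INDICATORS patterns that match the file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, rx in SHELL_INDICATORS if rx.search(data)]


def audit(root, baseline):
    """Diff the tree against the baseline and scan new/changed PHP for shell patterns."""
    result = diff_manifests(baseline, build_manifest(root))
    suspicious = {}
    for rel in result["added"] + result["modified"]:
        if rel.lower().endswith(".php"):
            hits = scan_for_shell_indicators(os.path.join(root, rel))
            if hits:
                suspicious[rel] = hits
    result["suspicious"] = suspicious
    return result


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed web root and attacker edits modelled on the post; returns the audit."""
    with tempfile.TemporaryDirectory() as root:
        clean = {  # constructed stand-ins, not real vBulletin file contents
            "index.php": b"<?php require_once('./global.php'); ?>\n",
            "includes/class_core.php": b"<?php class vB_Core { }\n",
            "clientscript/app.js.gz": b"\x1f\x8b\x08\x00clean\n",
            "backups/yesterday.sql.gz": b"\x1f\x8b\x08\x00dump\n",
        }
        for rel, data in clean.items():
            _write(root, rel, data)
        baseline = build_manifest(root)  # snapshot taken while the install is known-good

        # Simulated intrusion: doctored copy under a near-identical name, a .gz
        # swapped for other content, a dropped pseudo-shell, a deleted backup.
        _write(root, "includes/class_core_.php",
               clean["includes/class_core.php"] + b"eval(base64_decode($_POST['c']));\n")
        _write(root, "clientscript/app.js.gz", b"\x1f\x8b\x08\x00tampered\n")
        _write(root, "shell.php", b"<?php @system($_GET['cmd']); ?>\n")
        os.remove(os.path.join(root, "backups", "yesterday.sql.gz"))
        return audit(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Take the baseline from a freshly installed, patched tree and keep the manifest outside the web root (off-site, as with the backup that saved this site), since a shell running as the Apache user can rewrite anything that user can write. Re-run the audit on a schedule and treat every added, modified or suspicious entry as something to inspect by hand; the pattern list will miss obfuscated shells and will occasionally flag legitimate code.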