CF was hacked this morning



WA
11-29-2007, 01:44 PM
Early this morning CodingForums was hacked, specifically, the vBulletin software. The hacker added himself as an admin user, and carried out a few tasks such as emailing all forum members letting them know about it. The user gained entry through a vulnerability in vBulletin, as we weren't using the latest version.

I've been working with our host and believe everything should be back to normal now. The way member passwords are stored, the hacker should not have access to them. FYI having access to an account is different than knowing its password, due to the way vBulletin stores the passwords. Better safe than sorry however, so I urge everyone to go into the USER CP (http://www.codingforums.com/usercp.php) and change their password.
Usually I'm very cautious when it comes to security, but this time laziness got the best of me as I left the vBulletin software unpatched for a while. Sorry about the downtime, and let me know if you experience any problems.

bazz
11-29-2007, 02:02 PM
There's a word for people like that!!

It's working better now but I find that the main index isn't presenting correctly in FF. It's as though the tables of forums needs the clear : all attribute added as the grey adverts immediately above it, push it to the right - off the screen.

XP(1024x768)FF 2.0.0.10

bazz

WA
11-29-2007, 02:08 PM
It's as though the tables of forums needs the clear

That was it exactly, thanks. Yep, real pain in the ***, having to stay awake the entire night to take care of this.

bazz
11-29-2007, 02:28 PM
if you're still awake, can you find out why I can't edit a post in the MYSQL forum. maybe a mod can delete it. it's called 5th attempt to post - test.

Whilst i was able to post, I haven't been able to edit it with a real message.

no rush - sleep is necessary lol.

bazz

WA
11-29-2007, 02:37 PM
Hmm what happens when you try to edit your thread, by clicking on the "Edit" icon? I tried logging in using a test account, and was able to post then edit a test thread.

bazz
11-29-2007, 02:41 PM
I tried again to post a new thread and got this.

[big letters] Not Acceptable [/big letters]

An appropriate representation of the requested resource /newthread.php could not be found on this server.

Apache/1.3.37 Server at www.codingforums.com Port 80

I tried to edit the message and got this:

[Big Letters]Not Acceptable[/Big Letters]
An appropriate representation of the requested resource /editpost.php could not be found on this server.

Apache/1.3.37 Server at www.codingforums.com Port 80



So I can't edit the last 'test' message I wrote.

bazz

Strangely, I can edit this message OK.

Inigoesdr
11-29-2007, 02:50 PM
That explains the login box I got when I tried to load the site this morning. I didn't get the e-mail though. Looks like the mod/admin images are gone.

WA
11-29-2007, 02:50 PM
An appropriate representation of the requested resource /newthread.php could not be found on this server.

Apache/1.3.37 Server at www.codingforums.com Port 80

Ok, that issue should be solved now. :)

_Aerospace_Eng_
11-29-2007, 03:17 PM
The thank user for post buttons appear twice on each post.

real30
11-29-2007, 03:31 PM
hello dear

our group has found a bug on Vbulletin 3.6.x Serries

with this Bug you easily in less than 2 minutes get the Admin Access to a Registered User.

Not even updating Patches will solve this Priv8 exploit. (admin please dont make urself tired ; )

you can easily hack 97 % of Vbulletin forums.

of you want ? send me Email for deal.

Email John.hendrich [at] yahoo [dot] com
Y!M : john.hendrich


- regards

matak
11-29-2007, 03:34 PM
damn hackers.

i will just remind that i also have two "thank you for post" buttons on posts

anyway, sometimes it's good that forum is off limits, 'cause i saw sun today, after a long period of time :D (j/k i didn't see sun, 'cause other forums were online :) )

@aerospace i think someone edited your sig 'cause it's big :confused:

real30
11-29-2007, 03:44 PM
damn hackers.

i will just remind that i also have two "thank you for post" buttons on posts

anyway, sometimes it's good that forum is off limits, 'cause i saw sun today, after a long period of time :D (j/k i didn't see sun, 'cause other forums were online :) )

@aerospace i think someone edited your sig 'cause it's big :confused:

please be polite

bazz
11-29-2007, 04:02 PM
I agree totally. There is no point in getting annoyed with such inconsequential pieces of pond life who are of absolutely no benefit to anyone.

bazz

funnymoney
11-29-2007, 04:07 PM
you are really a lousy forum admin, you can't even ban people like you are supposed to... ROFL

Inigoesdr
11-29-2007, 04:31 PM
Who was supposed to be banned?

funnymoney
11-29-2007, 04:36 PM
i'm having some serious problems. dunno if it's forums, or is my computer hacked. my original nickname matak is banned.

damn hackers!!! :D

i'm wondering 'cause this nickname was banned too, but now i can post again...

Philip M
11-29-2007, 04:57 PM
If these guys have got all our email addresses, does this mean that we can expect a torrent of spam?

funnymoney
11-29-2007, 04:58 PM
i have no idea. but i think WM is going to go crazy when he wakes up

Aradon
11-29-2007, 05:26 PM
If these guys have got all our email addresses, does this mean that we can expect a torrent of spam?

They probably didn't harvest the emails, but instead just sent a message to everyone through the administrator controls (which admins can do)

real30
11-29-2007, 07:41 PM
They probably didn't harvest the emails, but instead just sent a message to everyone through the administrator controls (which admins can do)

i think there is a misundrestanding here
becasue i dont need your information and email addresses
email addresses can be find in many websites with a simple sql injection

my point is some thing else that it sound u didnt get it.

i think many people like to have admin access in many forums which is on Vbulletin boards

so those people can cantact me to make a deal with them and i teach them how to do this.

VIPStephan
11-29-2007, 08:30 PM
Who is real30 anyway? Never seen him/her before… :confused:

Inigoesdr
11-29-2007, 08:44 PM
The "hacker".

VIPStephan
11-29-2007, 08:53 PM
And why isn’t he burning in hell already? :D
There must be something to ban him forever, no?

Alex Vincent
11-29-2007, 09:01 PM
This particular hacker is probably unaware of the fact that George has used lawyers in the past to protect his forum...

Spookster
11-29-2007, 10:37 PM
The "hacker".

I wouldn't give them that much credit. Most likely a script kiddie who found a script that someone else wrote.

Spookster
11-29-2007, 10:38 PM
This particular hacker is probably unaware of the fact that George has used lawyers in the past to protect his forum...

Yeah he better hope he was hiding behind some serious proxies.

Aradon
11-29-2007, 10:43 PM
Yeah he better hope he was hiding behind some serious proxies.

I'm sure he isn't (This warrants a special smilie) http://www.bucktoof.net/forums/images/smilies/lol.gif

WA
11-30-2007, 02:55 AM
Ok, CF is back. I'm still working with my host to patch whatever caused the 2nd successful intrusion, so this might not be over yet.

masterofollies
11-30-2007, 03:16 AM
Every time I went to this site, it brought up a login screen. I typed in my info and it said I was not authorized to view the website.

felgall
11-30-2007, 04:04 AM
Every time I went to this site, it brought up a login screen. I typed in my info and it said I was not authorized to view the website.

That's what this thread is about. They locked the whole thing completely while they patched to get rid of the script kiddie.


As long as the forum is patched to remove that vulnerability no other script kiddies will be able to use that script for getting in. Probably no way to find whoever discovered that way in to start with as they probably just released the information and left it for idiots to get caught actually using it.

Inigoesdr
11-30-2007, 04:48 AM
I wouldn't give them that much credit. Most likely a script kiddie who found a script that someone else wrote.

Exactly; hence the quotes. ;)

abduraooft
11-30-2007, 06:23 AM
i'm having some serious problems. dunno if it's forums, or is my computer hacked. my original nickname matak is banned.

damn hackers!!! :D

i'm wondering 'cause this nickname was banned too, but now i can post again...

matak has got one more life :thumbsup: (It was a real shock to see the hack in CF, since all that I know is learned from here and life without this seems too miserable!)

Philip M
11-30-2007, 07:38 AM
This particular hacker is probably unaware of the fact that George has used lawyers in the past to protect his forum...

You can tell that English is not his native language. Russian perhaps?

liorean
11-30-2007, 08:20 AM
You can tell that English is not his native language. Russian perhaps?

hack3r was according to IPTOOLS from Guatemala, according to IP2Location from Jordan.

real30 was according to IPTOOLS from Guatemala, according to IP2Location from Iran.

Of course, those IPs may just be proxies.

matak
11-30-2007, 09:01 AM
matak has got one more life :thumbsup:

i'm back! :D yeah!

abduraooft
11-30-2007, 09:25 AM
hack3r was according to IPTOOLS from Guatemala, according to IP2Location from Jordan.

real30 was according to IPTOOLS from Guatemala, according to IP2Location from Iran.

Of course, those IPs may just be proxies.
Then what next ??

Kor
11-30-2007, 03:07 PM
I saw. But for me something else happened. When trying to click my User CP, a javascript prompt opened and asked me to confirm my user/password.

Fortunately for me, I recognized immediately the attack type, so that I have not sent my data through that silly prompt, closed the window and cleaned my cookies afterwards. I guess that the hacker managed somehow to insert a malicious javascript attack injection as well, in order to corrupt the users' cookies.

nikos101
11-30-2007, 03:21 PM
So would you recommend that coders learn hacking skills to become better at fighting them off?

Know your enemy

:mad::mad::mad::mad::mad::mad::mad::mad::mad:

Kor
11-30-2007, 03:26 PM
So would you recommend that coders learn hacking skills to become better at fighting them off?

Know your enemy

:mad::mad::mad::mad::mad::mad::mad::mad::mad:
Of course. After all, the Force and the Dark Force use the same weapons, thus any side you will choose to be, you must learn all the tricks... :D

matak
11-30-2007, 03:31 PM
I guess that the hacker managed somehow to insert a malicious javascript attack injection as well, in order to corrupt the users' cookies.

yes he did. i saw some strange cookies on my ffox, that's why i thought i was somehow infected with something.

also i saw in ffox stats bar request for another website (www.webfree--something...) i didn't catch that. i think it was XSS attack, but i'm noob, and i might be talking nonsense :D

Kor
11-30-2007, 03:38 PM
So that probably it would be a wise movement to announce everybody that, if they followed that javascript prompt, they should immediately change their passwords (if the hacker did not exactly this, so far:rolleyes:)... I guess all the moderators should be warned, though I imagine no moderator has fallen in that cheap trap...:D

bazz
11-30-2007, 07:39 PM
Hi,

Are we sure to have been rid of Real30 and funnymoney who seem to me to be the same person and who 'hacked' this brilliant forum site?

I base that assumption on posts in this thread (which if he/she isn't gone, may change them) but am prepared to stand corrected.

The reason why I ask is that, with my limited knowledge of MySQL, if we have removed those who would try to wreck the whole thing (ie a community of people willing to help each other) would it be an idea to re-code the forum so that outsiders can't know the architecture to be able to inject malicious code to cause the problems you (and to a smaller extent, we), have experienced lately?

Not a fully competent coder, I would however, like to offer free server hosting on my own dedicated server with probably the best server provider so that security is maintained.

Perhaps my naivety shows in this suggestion but server space backed up with what I think to be a marvellous SLA might be of help?

bazz

oracleguy
11-30-2007, 07:52 PM
The reason why I ask is that, with my limited knowledge of MySQL, if we have removed those who would try to wreck the whole thing (ie a community of people willing to help each other) would it be an idea to re-code the forum so that outsiders can't know the architecture to be able to inject malicious code to cause the problems you (and to a smaller extent, we), have experienced lately?

That is the caveat when you use an off the shelf solution instead of coding your own. The problem with changing the db schema would be that it would make it much harder or impossible to apply new versions when they come out.

bazz
11-30-2007, 07:56 PM
But if it were written for example, with the apparent attitude of those who write FF, but by those here who know what they are doing (I guess WA knows who they are), then updates would be possible and relatively simple, as in making a MySQL Db scalable?

if worth considering I shall ask my server company to confirm that WA can have server access to his 'space' without my seeing the code (in case someone worries I might nick it) and so that any future issues don't impact on the 'rest' of the server.

I am merely making an offer which I hope is seen as well intended. I will not steal such code and want only to help ensure that WA has safer space. What is in it for me? satisfied ego perhaps and of course the ability to get help with what I need through this brilliant forum without (or with less likelihood of) negative/selfish individuals wrecking it all.

bazz

Kor
11-30-2007, 08:20 PM
I don't know the range of that hacker's penetration, as I am not a member of the Admin staff. And really, I am far from being a specialist in the matter (well, I know some small things, from here, from there :rolleyes: ). I know very well mainly what malicious javascript can do, that is all.

Yet I don't think that hacker (or those hackers) managed to enter everywhere, otherwise he/they would not have tried to put up such a cheap play as a javascript injection, a prompt, in order to find out our user/password data....

Kor
11-30-2007, 08:24 PM
... but I am sure he managed to steal some user/password data and now reads what we are talking about, and he, probably, laughs...:D

WA
11-30-2007, 08:53 PM
Funnymoney=matak. He signed up again using the former name because the latter was banned by the hacker. Anyhow, I've gone ahead and deleted the Funnymoney account, considering matak has been unbanned.

Thanks for the hosting offer bazz. I've pmed you on this.

Kor
11-30-2007, 09:15 PM
Funnymoney=matak. He signed up again using the former name because the latter was banned by the hacker. Anyhow, I've gone ahead and deleted the Funnymoney account, considering matak has been unbanned.

Thanks for the hosting offer bazz. I've pmed you on this.
Good job. I guess that hack did it by using that javascript method I was telling you about. I would be worried about the fact that he might have captured some moderators' data as well, even, as I said, it was a cheap trick, and I don't think he managed to do that. :) I know you do monitoring all these, good luck :thumbsup:

Kor
12-01-2007, 10:49 AM
is this:
http://www.codingforums.com/showpost.php?p=635371&postcount=26
the real matak?

WA
12-01-2007, 11:43 AM
is this:
http://www.codingforums.com/showpost.php?p=635371&postcount=26
the real matak?

Yep. Is there another matak? I must say I'm a little perplexed why there is all this confusion over matak. lol All that happened with him was that he got banned by the hacker admin, so he re-registered as funnymoney until I could sort things out for him.

abduraooft
12-01-2007, 03:17 PM
Oh.. I thought funnymoney was another account created by the hacker to make fun of matak.(a conclusion by reading the two posts by him :D). Anyway matak is more popular now!.

CFMaBiSmAd
12-01-2007, 04:15 PM
I would say the confusion people are expressing over the funnymoney account is that the statements in most of his posts in this thread were hardly clear and could have easily been interpreted as being from a user that previously got banned and he was the hacker and it was him who had un-banned the funnymoney account (since it previously existed) so that he could post in this thread.

The funnymoney account existed prior to the hack (and after the matak account was started) and was not just a re-signup to post that another account had been banned.

rmedek
12-01-2007, 08:01 PM
I think we should ban both funnymoney and matak just in case either one of them is the hacker. :D

TheShaner
12-03-2007, 01:56 PM
hack3r was according to IPTOOLS from Guatemala, according to IP2Location from Jordan.

real30 was according to IPTOOLS from Guatemala, according to IP2Location from Iran.

Of course, those IPs may just be proxies.
He posted his email as John.hendrich [at] yahoo [dot] com to contact him on "making a deal" to possibly buy his script and have that same ability on vbulletin boards.

Googling his email address, you will find this link: http://johnhendrich.cgsociety.org/about/. Notice that he did spell out the email address exactly with the same capitalization and spacing as on that page and it says he's from Berlin, which would also explain his lack of English grammar. So it is very possible that is him.

-Shane

matak
12-03-2007, 03:00 PM
I think we should ban both funnymoney and matak just in case either one of them is the hacker. :D

hey, i'm not a hacker, darn i'm not even a power user :(

i just wish that spookster doesn't see what you wrote, or both of my nicknames are gonna end up on his list for The Ban Dungeon :eek:

(take a peek)

http://www.bhalu.com/naveen/london-99/images/torture.jpg

edit: i registered as funnymoney long time ago. it was hard for me to accept the fact that i'm stuck with this nickname, and i didn't know that WA allows username changes on demand. now i'm at peace with this crazy nickname (there are some drunk posts all over the net by me :lol: ).

edit: darn that 'acker left me 20 points infraction on this profile http://forum.psihonaut.org/images/smilies/icon_mad.gif

Kor
12-03-2007, 03:30 PM
matak, I've sent you a PM. It could have been a polite gesture of you to give it a reply, whichever... It was a very friendly PM, I bet...:)

matak
12-03-2007, 03:37 PM
i read it 10 times. i will get back to you on that! i didn't know you were in such a hurry, sorry if it was being impolite :o

Kor
12-03-2007, 04:21 PM
i read it 10 times. i will get back to you on that! i didn't know you were in such a hurry, sorry if it was being impolite :o
I am not in any hurry at all. I was just thinking... :)


