Hacked 11/13/2012

#1 | 11-17-2012, 10:43 PM | steven (Senior Member; Join Date: Jun 2003; Location: Greenville, SC; Posts: 9,356)

The database was hacked on 11/13/2012. So far the only thing I noticed was that a plugin was installed adding 3 banner ads in the header using their pub id. And one file was edited. I haven't noticed anything else odd. Doubt they were looking to do anything else other than to generate some revenue. If anyone notices anything odd, please let me know.

__________________
...steven
BMW CCA #146825
1996 BMW 328ti • 2003 MINI Cooper S • 2016 M235i
www.bmwcca.org

#2 | 11-18-2012, 02:32 AM | NOBODY F's with the Jesus (Join Date: Oct 2006; Location: Ventura California; Posts: 7,824)

uh oh...

#3 | 11-18-2012, 03:34 AM | wolferj (Senior Member; Join Date: Jul 2007; Location: norcal - 94590; Posts: 3,186)

That's a bummer, hope it all works out. I'm not seeing anything out of the ordinary. Should we change our access passwords or something like that as a precaution?

__________________
James
95 active w/leather interior and sport interior conversion, Vaders, full M-Tech exterior conversion. Now m50 swapped* Eibach sway bars, D2 Coilovers, Depo's w/AE's, blacked-out sides and grills, LeatherZ console and door armrests, 1 series starter button mod, and custom finished Style 5's <--- in this color! Named "Roddy": *M50 6 cyl. swap with fan delete, S50 cams and chip, AFE stage 2 intake, M3 clutch and 11.5 lb Fidanza flywheel, 3.15LSD, battery relocated to rear and complete custom exhaust. Sweet!
97 318ti sport, Alaska Blue, Contours, coilovers, Dove Vaders and custom black/grey interior named "Max"
95 318ti Active in Cosmos, S50 swap in progress... named "Pit"
SUPPORT 318ti.org! CLICK THE LINK ABOVE! Hosting a forum like this is not free. 318ti.org is one of the best BMW forums on the web because it is member supported, not vendor supported. The cost to become a Supporter is a nominal $10.00... A YEAR! DO IT! NOW!

#4 | 11-18-2012, 03:48 AM | steven

Quote: Originally Posted by wolferj
> That's a bummer, hope it all works out. I'm not seeing anything out of the ordinary. Should we change our access passwords or something like that as a precaution?

I wouldn't worry about passwords. They are encrypted. The hacker inserted his own AdSense publisher code for the banner ads. Even if I'd edit the template, a cron job would change it back every 5 minutes. I've managed to extract 1 row of a table from a backup earlier in the week. It's a table that keeps track of plugins. I haven't added anything so it shouldn't have changed in several months. The banner hasn't changed yet. There is a dot to the right of the banners to tell me that nothing has changed. There is just one more thing I need to hunt down. When I revert a template it reinserts the hacker's code in the template.

#5 | 11-18-2012, 04:04 AM | steven

The site may be down for a little while while PHP is updated. Hopefully it doesn't break anything.

#6 | 11-18-2012, 06:19 AM | bmvw (Senior Member; Join Date: Apr 2006; Location: San Diego; Posts: 231)

It is very important to look for the backdoor! Look thru the logs for a POST to an odd-named file. The datestamp on the altered PHP files will help you find it in the raw logfile. Also, htaccess ban the offending IP ranges.

#7 | 11-18-2012, 12:16 PM | steven

Quote: Originally Posted by bmvw
> It is very important to look for the backdoor! Look thru the logs for a POST to an odd-named file. The datestamp on the altered PHP files will help you find it in the raw logfile. Also, htaccess ban the offending IP ranges.

My logs are only for 24 hrs.

#8 | 11-19-2012, 03:01 AM | bmvw

Monitor your site with changedetection.com. Make a 0-byte PHP file in your main directory and monitor it. You'll get the alert within 24 hours and track them down.

#9 | 11-19-2012, 07:20 PM | steven

Quote: Originally Posted by bmvw
> Monitor your site with changedetection.com. Make a 0-byte PHP file in your main directory and monitor it. You'll get the alert within 24 hours and track them down.

Don't see how that will help. The hacker may have used the garage to gain access to the database. It's still troubling that one of the vBulletin files was edited.

#10 | 11-19-2012, 09:05 PM | bmvw

The hack originally came thru SQL injection. The attacker got complete shell control of the account and altered all the PHP files with a script. The revised PHP files deliver ads, enhance the attacker's site's pagerank, etc. The hacker also leaves a backdoor because the half-life of the hack is not usually that long and he may want to come back. You probably uploaded replacement files by now.

The backdoor provides him shell access to your site, without having to look for another SQL injection vulnerability in vBulletin. By creating a dummy PHP file and monitoring it, you can detect if he tries it again. The first thing he will do is run a script that alters all the PHP scripts on the site with his code. Most hackers are inept "script kiddies" who Google for sites displaying markers to scripts with known vulnerabilities and run attacks that someone else discovered. They are looking to 1) deface your site for underground fame and glory (pretty rare actually) or, more commonly, 2) subtly undermine your site while leaving main functionality for personal gain. Unlikely he is going after cash or passwords as there is no advantage to taking them on a non-ecommerce site. Google automatically monitors sites, and the search results for compromised pages will display the link "this site may harm your computer". A lot of webmasters find out about the hack that way.

#11 | 11-19-2012, 10:51 PM | steven

If he had replaced the single banner ad I never would have noticed until next month. There don't seem to be any other files that changed.

#13 | 11-20-2012, 01:06 PM | steven

Quote: Originally Posted by bmvw

I already did but I used the feedback form. I'll use this one too. Thanks! I've been going through all my files to see if any have been added or changed on 11/13.

#14 | 11-20-2012, 04:44 PM | anthony318ti (Senior Member; Join Date: Dec 2010; Location: Fiji; Posts: 169)

Sounds like a standard database inject. Find the exploit and lock it up for future attacks. But I would say site admins are doing a wonderful job at keeping this forum alive this long with all the bad people out there with itchy fingers.

#15 | 11-20-2012, 05:27 PM | steven

Quote: Originally Posted by anthony318ti
> Sounds like a standard database inject. Find the exploit and lock it up for future attacks. But I would say site admins are doing a wonderful job at keeping this forum alive this long with all the bad people out there with itchy fingers.

Admins. It's just me. I have one mod that restricts registrations from spammers. There are attempts every minute of the day. Literally.
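The log-and-mtime hunt that bmvw describes in posts #6 and #10 (find the PHP files whose modification time falls in the incident window, look in the raw access log for a POST to an odd-named PHP file in that same window, then ban the source address in .htaccess), written out as an added example that is not code from the thread or from vBulletin. It runs against constructed data: a scratch directory standing in for the docroot, a few made-up Apache combined-format log lines, and an assumed one-hour window on 11/13. The file names, IP addresses, the short allowlist of legitimate vBulletin POST targets, and the window are all assumptions, not values taken from the thread.

```python
"""Added example, not from the thread: hunt for the POST that planted a backdoor.

Steps (bmvw, posts #6 and #10): narrow the window using the mtime of altered
PHP files, find POSTs to non-standard .php paths in the raw access log inside
that window, and emit .htaccess deny rules for the source addresses.
Everything below is constructed sample data; names and IPs are assumptions.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Legitimate vBulletin scripts that receive POSTs in normal use (short,
# assumed allowlist); a POST to any other .php path deserves a look.
KNOWN_ENTRYPOINTS = {"/login.php", "/newreply.php", "/newthread.php",
                     "/editpost.php", "/private.php", "/search.php"}

# Apache combined log: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

def parse_apache_ts(ts):
    """'13/Nov/2012:21:15:31 +0000' -> timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def modified_php_files(docroot, start, end):
    """PHP files under docroot whose mtime falls inside [start, end]."""
    hits = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if start <= mtime <= end:
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)

def suspicious_posts(log_lines, start, end):
    """(ip, path, timestamp) for POSTs to non-allowlisted .php paths in the window."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]          # drop any query string
        if not path.endswith(".php") or path in KNOWN_ENTRYPOINTS:
            continue
        if start <= parse_apache_ts(m["ts"]) <= end:
            findings.append((m["ip"], path, m["ts"]))
    return findings

def htaccess_deny_block(ips):
    """Apache 2.2-style (mod_access_compat on 2.4) deny rules for the given IPs."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(set(ips))]
    return "\n".join(lines)

# --- constructed sample data (not from the thread) ---------------------------
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Nov/2012:21:08:44 +0000] "GET /forumdisplay.php?f=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Nov/2012:21:09:02 +0000] "POST /login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [13/Nov/2012:21:15:31 +0000] "POST /images/misc/x7q.php HTTP/1.1" 200 88',
    '203.0.113.9 - - [13/Nov/2012:21:15:40 +0000] "POST /images/misc/x7q.php HTTP/1.1" 200 12',
    '203.0.113.9 - - [14/Nov/2012:09:00:00 +0000] "POST /images/misc/x7q.php HTTP/1.1" 200 12',
]
# Relative path -> pretend mtime (UTC). Only two PHP files fall in the window.
SAMPLE_FILES = {
    "index.php": "2012-10-01T00:00:00",
    "includes/functions.php": "2012-11-13T21:16:00",
    "images/misc/x7q.php": "2012-11-13T21:15:35",
    "images/logo.gif": "2012-11-13T21:15:35",
}

def build_scratch_docroot():
    """Create a throwaway docroot whose files carry the mtimes above."""
    root = tempfile.mkdtemp()
    for rel, iso in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        t = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()
        os.utime(full, (t, t))
    return root

def investigate(docroot, log_lines):
    """Assumed one-hour incident window; returns (changed files, POSTs, deny rules)."""
    start = datetime(2012, 11, 13, 21, 0, tzinfo=timezone.utc)
    end = datetime(2012, 11, 13, 22, 0, tzinfo=timezone.utc)
    changed = modified_php_files(docroot, start, end)
    posts = suspicious_posts(log_lines, start, end)
    return changed, posts, htaccess_deny_block(ip for ip, _, _ in posts)

if __name__ == "__main__":
    changed, posts, deny = investigate(build_scratch_docroot(), SAMPLE_LOG)
    print("PHP files modified in window:", changed)
    print("Suspicious POSTs:", posts)
    print(deny)
```

On a real host the same logic runs over the retained access log and the live docroot; steven's point that his logs only cover 24 hours is exactly why the mtime of the altered files matters, since it tells you which day's log to pull before rotation discards it. Note that an attacker with shell access can reset mtimes, so an empty result from the mtime scan does not prove nothing changed.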
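bmvw's canary idea from post #8 (a 0-byte PHP file that a returning attacker's mass-rewrite script will touch, per post #10) can be done locally rather than through an external page monitor, which only sees what the web server serves. The added example below, not code from the thread or from vBulletin, keeps a SHA-256 manifest of every PHP and .htaccess file outside the docroot and reports files that were added, modified or removed, which answers steven's "don't see how that will help": the canary changing is the signal, and the manifest also names every other file that changed with it. The docroot is a scratch directory with constructed contents; the canary file name and the sample paths are assumptions.

```python
"""Added example, not from the thread: a local file-integrity baseline with a canary.

Builds a hash manifest of a docroot, stores it off the docroot, and diffs the
live tree against it. The demo simulates the mass rewrite described in post
#10 (every PHP file altered, one new file dropped) on constructed content.
"""
import hashlib
import json
import os
import tempfile

CANARY = "canary_do_not_edit.php"   # assumed name: never linked, never edited
SHA256_OF_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(docroot, suffixes=(".php", ".htaccess")):
    """Relative path -> sha256 for every file of interest under docroot."""
    manifest = {}
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, docroot)] = sha256_of(full)
    return manifest

def save_manifest(manifest, path):
    """Write the baseline OUTSIDE the docroot: anyone who can rewrite the PHP
    files could otherwise rewrite the manifest to match."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)

def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)

def diff_manifest(baseline, current):
    """(added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, modified, removed

def check(docroot, baseline_path):
    """Compare the live tree against the saved baseline."""
    return diff_manifest(load_manifest(baseline_path), build_manifest(docroot))

# --- constructed demonstration (not from the thread) -------------------------
def write(docroot, rel, content):
    full = os.path.join(docroot, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)

def demo():
    """Baseline a tiny docroot, then simulate the mass rewrite plus one dropped file."""
    docroot = tempfile.mkdtemp()
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")  # off the docroot
    write(docroot, "index.php", "<?php echo 'forum'; ?>\n")
    write(docroot, "includes/functions.php", "<?php function f() {} ?>\n")
    write(docroot, CANARY, "")                     # the 0-byte canary
    baseline = build_manifest(docroot)
    save_manifest(baseline, baseline_path)

    # Simulate the event post #10 describes: every PHP file gets a line
    # prepended, and a new file appears in an image directory.
    for rel in ("index.php", "includes/functions.php", CANARY):
        with open(os.path.join(docroot, rel)) as fh:
            body = fh.read()
        write(docroot, rel, "<?php /* marker */ ?>\n" + body)
    write(docroot, "images/misc/x7q.php", "<?php /* new file */ ?>\n")

    added, modified, removed = check(docroot, baseline_path)
    return baseline, added, modified, removed

if __name__ == "__main__":
    baseline, added, modified, removed = demo()
    print("canary baseline hash:", baseline[CANARY])
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Run `check()` from cron and mail yourself any non-empty result; rebuild the baseline only after a deliberate upgrade, and keep it (and the script) somewhere the web server's account cannot write.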