vBulletin hacked by Bangladeshi hackers

Anton

One vBulletin forum was hacked by Bangladeshi hackers, and after they ruined the forum I have been getting bombarded with this. What would you guys do in this situation?

Code:
13803204610011	199.192.159.93	abc	1	pure-ftpd1	Sep 27 22:20:58 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [abc]
13803204610010	199.192.159.93	2014	1	pure-ftpd1	Sep 27 22:20:50 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2014]
13803204610009	199.192.159.93	2014cobro	1	pure-ftpd1	Sep 27 22:20:45 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2014cobro]
13803204610008	199.192.159.93	2013	1	pure-ftpd1	Sep 27 22:20:39 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2013]
13803204610007	199.192.159.93	2013cobro	1	pure-ftpd1	Sep 27 22:20:34 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2013cobro]
13803204610006	199.192.159.93	2012cobro	1	pure-ftpd1	Sep 27 22:20:29 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2012cobro]
13803204610005	199.192.159.93	2011cobro	1	pure-ftpd1	Sep 27 22:20:25 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2011cobro]
13803204610004	199.192.159.93	abc	1	pure-ftpd1	Sep 27 22:20:21 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [abc]
13803204610003	199.192.159.93	2014	1	pure-ftpd1	Sep 27 22:20:17 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2014]
13803204610002	199.192.159.93	2013	1	pure-ftpd1	Sep 27 22:20:12 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2013]
13803204610001	199.192.159.93	2012	1	pure-ftpd1	Sep 27 22:20:08 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2012]
13803204610000	199.192.159.93	2011	1	pure-ftpd1	Sep 27 22:20:02 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2011]
13803204010009	199.192.159.93	2010	1	pure-ftpd1	Sep 27 22:19:54 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [2010]
13803204010008	199.192.159.93	111	1	pure-ftpd1	Sep 27 22:19:47 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [111]
13803204010007	199.192.159.93	ws	1	pure-ftpd1	Sep 27 22:19:42 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [ws]
13803204010006	199.192.159.93	cobrows	1	pure-ftpd1	Sep 27 22:19:36 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobrows]
13803204010005	199.192.159.93	cobro	1	pure-ftpd1	Sep 27 22:19:30 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro]
13803204010004	199.192.159.93	cobroadmin	1	pure-ftpd1	Sep 27 22:19:24 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobroadmin]
13803204010003	199.192.159.93	cobro2014	1	pure-ftpd1	Sep 27 22:19:19 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro2014]
13803204010002	199.192.159.93	cobro2013	1	pure-ftpd1	Sep 27 22:19:13 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro2013]
13803204010001	199.192.159.93	cobro2012	1	pure-ftpd1	Sep 27 22:19:07 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro2012]
13803204010000	199.192.159.93	cobro2011	1	pure-ftpd1	Sep 27 22:19:02 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro2011]
13803203410009	199.192.159.93	cobro2010	1	pure-ftpd1	Sep 27 22:18:57 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro2010]
13803203410008	199.192.159.93	cobro123	1	pure-ftpd1	Sep 27 22:18:50 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro123]
13803203410007	199.192.159.93	cobrows	1	pure-ftpd1	Sep 27 22:18:44 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobrows]
13803203410006	199.192.159.93	cobro	1	pure-ftpd1	Sep 27 22:18:39 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [cobro]
13803203410005	199.192.159.93	password1	1	pure-ftpd1	Sep 27 22:18:34 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [password1]
13803203410004	199.192.159.93	mustang	1	pure-ftpd1	Sep 27 22:18:29 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [mustang]
13803203410003	199.192.159.93	ninja	1	pure-ftpd1	Sep 27 22:18:23 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [ninja]
13803203410002	199.192.159.93	michael	1	pure-ftpd1	Sep 27 22:18:13 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [michael]
13803203410001	199.192.159.93	jesus	1	pure-ftpd1	Sep 27 22:18:09 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [jesus]
13803203410000	199.192.159.93	football	1	pure-ftpd1	Sep 27 22:18:04 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [football]
13803202810009	199.192.159.93	shley	1	pure-ftpd1	Sep 27 22:17:56 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [shley]
13803202810008	199.192.159.93	shadow	1	pure-ftpd1	Sep 27 22:17:47 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [shadow]
13803202810007	199.192.159.93	welcome	1	pure-ftpd1	Sep 27 22:17:42 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [welcome]
13803202810006	199.192.159.93	123123	1	pure-ftpd1	Sep 27 22:17:38 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [123123]
13803202810005	199.192.159.93	master	1	pure-ftpd1	Sep 27 22:17:33 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [master]
13803202810004	199.192.159.93	sunshine	1	pure-ftpd1	Sep 27 22:17:28 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [sunshine]
13803202810003	199.192.159.93	1234567	1	pure-ftpd1	Sep 27 22:17:20 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [1234567]
13803202810002	199.192.159.93	trustno1	1	pure-ftpd1	Sep 27 22:17:15 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [trustno1]
13803202810001	199.192.159.93	iloveyou	1	pure-ftpd1	Sep 27 22:17:10 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [iloveyou]
13803202810000	199.192.159.93	baseball	1	pure-ftpd1	Sep 27 22:17:04 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [baseball]
13803202210005	199.192.159.93	111111	1	pure-ftpd1	Sep 27 22:16:58 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [111111]
13803202210004	199.192.159.93	dragon	1	pure-ftpd1	Sep 27 22:16:52 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [dragon]
13803202210003	199.192.159.93	letmein	1	pure-ftpd1	Sep 27 22:16:45 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [letmein]
13803202210002	199.192.159.93	monkey	1	pure-ftpd1	Sep 27 22:16:40 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [monkey]
13803202210001	199.192.159.93	qwerty	1	pure-ftpd1	Sep 27 22:16:20 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [qwerty]
13803202210000	199.192.159.93	bc123	1	pure-ftpd1	Sep 27 22:16:04 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [bc123]
13803201610002	199.192.159.93	12345678	1	pure-ftpd1	Sep 27 22:15:58 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [12345678]
13803201610001	199.192.159.93	password	1	pure-ftpd1	Sep 27 22:15:51 www pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [password]
 
Is the IP# 199.192.159.93 your IP#? If so, then save the vBulletin database somewhere safe, remove and reinstall vBulletin, and restore the backup (warning, this could cost you a lot of customizations; do so at your own risk).

If not, block that IP# in your firewall (and I'd still probably recommend the above).

Jeff
 
No, this is not my IP.

IP info

Code:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> -x 199.192.159.93 +noshort
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42757
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;93.159.192.199.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
199.in-addr.arpa.	7682	IN	SOA	z.arin.net. dns-ops.arin.net. 2013093017 1800 900 691200 10800

;; Query time: 16 msec
;; SERVER: 212.30.200.200#53(212.30.200.200)
;; WHEN: Mon Sep 30 22:20:54 2013
;; MSG SIZE  rcvd: 99
 
In that case I advise the same as Nobaloney.

Next to that, install CSF/LFD as a firewall and put a trigger on FTP so IPs will get blocked automatically when somebody tries a wrong FTP password x times. For x you can use a value to your liking, like 5, 7 or 10 or something.

Edit: Next to that, try to investigate how the hack was done. Could be a leak in vBulletin (upgrade to the latest version, there was a leak in the previous one), and check your installed modifications.
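
The threshold trigger suggested above, as an added example that is not part of the original thread and is not CSF/LFD's own code: it counts pure-ftpd authentication failures per source IP inside a time window and reports the IPs that reach the limit. The sample log lines, the 5-failure / 300-second values and the name `find_offenders` are constructed for illustration; the `(?@IP)` client tag and the log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style pure-ftpd failure line. The "(?@IP)" client tag is an assumption
# about the raw log format; any "(something@IP)" tag is accepted.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spure-ftpd:\s\(\S*@(?P<ip>[0-9A-Fa-f.:]+)\)\s"
    r"\[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)

# Constructed sample (documentation IPs), newest first like the paste in this thread.
SAMPLE = """\
Sep 27 22:17:25 www pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [letmein]
Sep 27 22:17:20 www pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Sep 27 22:17:14 www pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [password]
Sep 27 22:17:09 www pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Sep 27 22:17:04 www pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [test]
Sep 27 22:10:00 www pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [webmaster]
Sep 27 21:40:00 www pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [webmaster]
Sep 27 21:39:00 www pure-ftpd: (webmaster@198.51.100.20) [INFO] webmaster is now logged in
""".splitlines()


def find_offenders(lines, threshold=5, window=timedelta(seconds=300), year=2013):
    """Return {ip: (time the threshold was reached, usernames tried)}; syslog has no year."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)      # ip -> every username it tried
    reached = {}                  # ip -> when it first hit the threshold
    for ts, ip, user in sorted(events):   # sort so newest-first input also works
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        users[ip].add(user)
        if len(q) >= threshold:
            reached.setdefault(ip, ts)
    return {ip: (when, sorted(users[ip])) for ip, when in reached.items()}


if __name__ == "__main__":
    for ip, (when, tried) in find_offenders(SAMPLE).items():
        print(f"{ip} reached the limit at {when}; users tried: {', '.join(tried)}")
```

An address that mistypes a password twice half an hour apart stays under the limit, while a dictionary run like the one pasted at the top of the thread reaches it within seconds.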
 
If I recall correctly, vBulletin has recently issued an update.

Note that I simplified the thread title so it'll show up better in the index and search commands.

Jeff
 
Thank you very much guys. I have changed the trigger settings in CSF/LFD and I hope this will keep them away. And yes, they have been talking on another forum that this could have been from a faulty plugin, or something in vBulletin; I will have to find out first. Thank you all for the help, hope no one else will be a victim of Bangladeshi hackers.
 
Just to be sure, remove your /install/ directory from your vBulletin installation. It's a known security flaw for 4.x and 5.x versions of vBulletin.
Next to that, it would be wise to only download mods from vbulletin.org and check the option to update mail automatically (under Modinformation, use Edit settings and check "automatic" on the mods you installed).
If there is a known problem detected, you will be emailed automatically and can choose to either update, temporarily disable or remove the mod.
What I always do is protect the admin and modcp directories with .htaccess.
Good luck!
 