Site Hacked !
majorj0nny1
07-03-2005, 10:54 AM
my website www.50klicks.com/index.php.old has been hacked by some naughty people :(
this seems to be associated with websites using the older vBadvanced CMPS v1.0.1 (version 1 )... though it could be coincidental ?
these are the toe-rags that did it - http://www.mavrahane.com/
there are a number of sites there that they boast to have hacked....
anyway - what can I do now? where would this re-direct have been placed? any suggestions before I update to vbadvanced version 2? and would/should that stop this particular exploit ?
I have been hacked by the very same bunch this morning.
I was running CMPS v1.0.1 as well
Have you fixed it?
If so how did you do it?
Can anyone help please
Brian
07-03-2005, 11:09 AM
What exactly was done to the site, and what leads you to believe that they used the exploited CMPS?
I have no idea!
The homepage no longer opens instead it redirects to their site, that is it did until I redirected it to my forums.
I am not blaming CMPS but asking the question everywhere in the hope that someone can shed some light on the problem.
majorj0nny1
07-03-2005, 11:14 AM
OK - Tracked this down to the shoutbox module I was using - disabling that module seemed to stop the problem.
could there be some kind of post in the shoutbox that would automatically forward to a website ?
I doubt this is a vbadvanced issue really - more a crappy shoutbox exploit ?
majorj0nny1
07-03-2005, 11:17 AM
What exactly was done to the site, and what leads you to believe that they used the exploited CMPS?
no - I now don't think it's a vbadvanced issue - it's the shoutbox I'm using - and suspect the same for all involved - it seems there's an entry in it that must force a redirect to their website.
majorj0nny1
07-03-2005, 11:21 AM
ps - affected sites will find that they have a new user signed up - called MavraHaNe or similar - on my site they used this to enable them to post a shout.
list of affected sites (from their webpage)
if you are quick enough with the STOP button on ya browsers you will see the last thing that is posted on the shoutboxes is a MavraHaNe shout - soon as it tries to display that shout it re-directs.
mholtum
07-03-2005, 11:30 AM
Well if it is / was a shout that causes the re-direct, I would hardly call that "hacked"
Brian
07-03-2005, 11:33 AM
Is this from a shoutbox module that's posted on here? If so, could somebody please link me to it?
majorj0nny1
07-03-2005, 11:35 AM
Well if it is / was a shout that causes the re-direct, I would hardly call that "hacked"
no - me neither... an 'exploit' would be more apt.
but on first discovering this I (and I'm sure others affected) thought the same - the site loads as normal, then suddenly redirects to a large graphic and a message saying "this site has been hacked" then forwards onto their website with a list of all the victims.
quite sad really - but effective and trouble causing all the same.
does anyone know if something in version 2 of vbadvanced would protect against this? all those in the list seem to be using version 1.
majorj0nny1
07-03-2005, 11:40 AM
Is this from a shoutbox module that's posted on here? If so, could somebody please link me to it?
I must have got this module from this site .... I remember there were a few to choose from at the time...
i have a shoutbox.php that starts with
<?php
###########################################################################
## MAJESTIC FORUM SHOUTBOX
###########################################################################
might be this one ? http://www.vbadvanced.com/forum/showthread.php?t=5107&highlight=shoutbox
noticed someone with a 'majestic forums' sig ?
hope this helps?
EDIT - yes it was that one actually - i remember the guy offering the mod to remove the scroll bars etc.
Firstly I have found the culprit. It is a script that's entered into the shoutbox. I searched the database for the name mavrahane and it showed up so I have deleted it.
Sorry if it appeared that I was accusing CMPS of being at fault, I wasn't, but hoped that someone here would know the answer.
Thank you.
Brian
07-03-2005, 11:45 AM
does anyone know if something in version 2 of vbadvanced would protect against this? all those in the list seem to be using version 1.
I highly doubt it. The exploit is somewhere in the shoutbox.php file, which is included in an iframe in the CMPS module. Looks like they're inserting some javascript when they post the shout, and that's what's redirecting people to their site. My guess would be that HTML characters are not being stripped properly before the shout is inserted into the database, but I haven't really looked at the script so I may be wrong about that.
Lizard King
07-03-2005, 11:53 AM
http://www.vbadvanced.com/forum/showthread.php?goto=lastpost&t=5107
it is not an exploit it is just a simple script.
vbusers11
07-03-2005, 12:04 PM
yup.. they're using something like this
<script>header.location="hackersite"</script>
I'm on that hacked sites list above :mad:
Sanjiyan
07-03-2005, 12:12 PM
Spot the illegal 3.0 beta 4 forum they are using tho, anyone with a licence would be using 3.0.6 or .7 due to the security flaws in the older versions.
Pay back I think, report em, or use the known exploits and do the same to them.
majorj0nny1
07-03-2005, 12:32 PM
I highly doubt it. The exploit is somewhere in the shoutbox.php file, which is included in an iframe in the CMPS module. Looks like they're inserting some javascript when they post the shout, and that's what's redirecting people to their site. My guess would be that HTML characters are not being stripped properly before the shout is inserted into the database, but I haven't really looked at the script so I may be wrong about that.
could i (in theory) say use the swearword feature in the script to stop anything like <script>header. being used? (as in what vbusers11 said) ?
would that work ?
majorj0nny1
07-03-2005, 12:33 PM
Firstly I have found the culprit. It is a script that's entered into the shoutbox. I searched the database for the name mavrahane and it showed up so I have deleted it.
Sorry if it appeared that I was accusing CMPS of being at fault, I wasn't, but hoped that someone here would know the answer.
Thank you.
cool Izza - would you mind giving instructions on 'searching the database' please? I'd like to do the same.
ta.
vbusers11
07-03-2005, 12:39 PM
somebody give the exact code if you would... ;) that they used in your DB
vbusers11
07-03-2005, 12:44 PM
wow, they're a user on this forum. no wonder.
Lizard King
07-03-2005, 12:48 PM
could i (in theory) say use the swearword feature in the script to stop anything like <script>header. being used? (as in what vbusers11 said) ?
would that work ?
I don't think it will work. We must find a way to disable html in shoutbox. that is the only way i think.
vbusers11
07-03-2005, 12:53 PM
tried the same trick they used in their own shoutbox.. they have <script> disabled, hmm
majorj0nny1
07-03-2005, 12:59 PM
tried the same trick they used in their own shoutbox.. they have <script> disabled, hmm
ahh so perhaps it just might work ?
yeah - that fixed it .... adding <script> to the shoutbox.php's swearword filter allowed the shoutbox to show up its contents
this is what was left...
mavrahane
http://www.mavrahane.com/
mavrahane
http://www.mavrahane.com/
mavrahane
http://www.mavrahane.com/
mavrahane
http://www.mavrahane.com/
mavrahane
http://www.mavrahane.com/
mavrahane
http://www.mavrahane.com/
mavrahane
http://www.mavrahane.com/
mavrahane
http://www.mavrahane.com/
mavrahane
b***hparent.frames['top'].location.href="http://www.mavrahane.com/hacked";
---------------
the b***h being the swearword replacement for <script> just to test.
mg1973
07-03-2005, 01:01 PM
http://www.mavrahane.com/ seems to be down now.
majorj0nny1
07-03-2005, 01:07 PM
http://www.mavrahane.com/ seems to be down now.
lol - I shall not be shedding any tears. :D
Lizard King
07-03-2005, 01:11 PM
Bir Süreliğine Kapalıyız. Forumlar Yenileniyor...
This means they are upgrading the board. I think they found a nulled version of 3.0.7 so they are upgrading in order not to get hacked with the security holes in the beta version.
DrOwn
07-03-2005, 01:17 PM
I had it done to my site today, the first suspect was the shoutbox. Anyway, the file has been removed from the thread.
mg1973
07-03-2005, 01:22 PM
he's just tried to sign up again to our site this time as "asdasd" so keep an eye out for him.
cool Izza - would you mind giving instructions on 'searching the database' please? I'd like to do the same.
ta.
Go into your phpMyAdmin, select your forums database, click the search button at the top of the page and enter mavrahane. That will tell you where it is. Go there and delete the offending message.
Hope that helps
majorj0nny1
07-03-2005, 01:41 PM
does anyone have a 'proper' fix to disallow script stuff in this shoutbox?
thanks for the tips Izza. :)
psychedelic
07-03-2005, 02:14 PM
http://www.vbadvanced.com/forum/showthread.php?goto=lastpost&t=5107
vbusers11
07-03-2005, 03:02 PM
basically the same thing as the smiley version.. but disables ALL HTML.
in shoutbox.php
find:
function replace_text_smiley()
above put:
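function replace_html_stuff() {
    // works on the shoutbox's global $comment, like replace_text_smiley()
    global $comment;
    // replace both angle brackets with a space so no HTML tag can be formed
    $tags = array("<" => " ", ">" => " ");
    // foreach instead of each(), which was removed in PHP 8
    foreach ($tags as $text => $replacement) {
        $comment = str_replace($text, $replacement, $comment);
    }
    return $comment;
}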
find:
replace_text_smiley()
above put:
replace_html_stuff();
SomeName
07-03-2005, 04:29 PM
I have the same thing going on here or something similar but I don't have the shoutbox installed.
I searched my database for mavrahane but did not find anything related. What table did you find it in? Perhaps I can just restore that table... :mad:
Brian
07-03-2005, 05:56 PM
It's not the same thing then if you don't have the shout box installed. Can you elaborate a little on what's happening and post a link to your site?
majorj0nny1
07-03-2005, 08:34 PM
yeah ... all the same sites I've seen affected with this were using a shoutbox...
do you have something else on your frontpage that allows users to enter text ?
SomeName
07-03-2005, 08:39 PM
I understand that, that's why I said "or something similar."
Forgive me, I was being rushed as I searched the forum for the errors that I was getting and had several threads open as my family literally stood behind me tapping their feet waiting to leave. :rolleyes: I thought that I read the same error messages in this thread, but it appears to have been another; that's what I get for rushing.
The first error that I was getting was on the home page (index.php) and it was something like: fatal error: call to undefined function is_browser() in the global.php
then when attempting to view the forum, it attempts to direct me to the install.php
and when attempting to view the admincp, I get exec_nocache_headers() in.../admincp/global.php
I literally threw up a new global.php before I left and now the index.php just shows a bizarre adaptation of what looks to be the login screen...
It doesn't make sense to me that overwriting the files would be the fix because it worked last night before I went to bed and then didn't when I woke up today.?
Sorry for posting this in the wrong thread, you can move it or delete it if you like. I'd be happy to pm you my site, but for what I think are obvious reasons, I'm hesitant to post it.
I'm going to compare the files and reup them one at a time and see if I can find what got corrupted while I was asleep.
sorry to be a problem.
BradE
07-03-2005, 08:41 PM
yeah ... all the same sites I've seen affected with this were using a shoutbox...
do you have something else on your frontpage that allows users to enter text ?
The problem has been fixed.
http://www.vbadvanced.com/forum/showpost.php?p=52485&postcount=130
trancemaster
07-03-2005, 09:33 PM
why are u guys making things difficult?
its so simple..
all you need is notepad.
open shoutbox.php with a notepad(or whatever u want 2 use)
and look at the line 139(it changes by file. it may be 140 ..150 it doesn't matter)
find out such a code
$comments = strip_tags($comments);
replace it by
$comment = strip_tags($comment);
and u don't need any thing to the more.
no need for changes in
if(!mysql_query("INSERT INTO adv_shoutbox (name,comment,postuserid) VALUES ('$name','$comment','$user')")) {
have a nice day!!
Brian
07-04-2005, 12:11 PM
why are u guys making things difficult?
What's so difficult about it? And why not do things the right way and strip the tags before the info is inserted into the database instead of afterwards?
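Added example (not part of the original thread and not the shoutbox's own code): the fixes tried in this thread, the `<script>` swearword entry, the angle-bracket replacement and strip_tags(), next to output encoding with htmlspecialchars(), run over constructed sample shouts. The function names, the sample shouts and the example.invalid host are assumptions made for the illustration.

```php
<?php
// Added illustration; function names and sample shouts are constructed.

// 1. Swearword-filter approach: censor the literal string "<script>".
function filter_swearword($comment) {
    return str_replace('<script>', 'b***h', $comment);
}

// 2. Replace angle brackets with spaces (what replace_html_stuff() does).
function filter_brackets($comment) {
    return str_replace(array('<', '>'), ' ', $comment);
}

// 3. Remove anything that parses as a tag.
function filter_strip_tags($comment) {
    return strip_tags($comment);
}

// 4. Output encoding: < > & and quotes become entities, so the browser
//    shows the shout as text and none of it is discarded.
function filter_encode($comment) {
    return htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

// True if the filtered text could still open or close a tag in HTML.
function has_tag($text) {
    return preg_match('/<[a-z\/!?]/i', $text) === 1;
}

// Constructed sample shouts; example.invalid is a placeholder host.
$shouts = array(
    'plain'    => 'hello all :)',
    'redirect' => '<script>parent.frames["top"].location.href="http://example.invalid/";</script>',
    'case'     => '<SCRIPT>/* constructed */</SCRIPT>',
    'maths'    => 'is 3 < 5 and 7 > 2?',
);
$filters = array('filter_swearword', 'filter_brackets', 'filter_strip_tags', 'filter_encode');

foreach ($shouts as $label => $shout) {
    echo "== $label: $shout\n";
    foreach ($filters as $fn) {
        $out = $fn($shout);
        printf("  %-18s %-9s %s\n", $fn, has_tag($out) ? 'TAG LEFT' : 'no tag', $out);
    }
}
```

Run it with the PHP command-line interpreter to compare what each filter leaves behind for the same input, including what happens to ordinary text that merely contains `<` or `>`.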
trancemaster
07-04-2005, 12:12 PM
Brian, using your code makes things different.. by using your code image codes will also be stripped..
thats why i prefer to use mine.
thanks for post
http://www.b3playground.com had the same thing happen...
mholtum
07-04-2005, 10:01 PM
thanks for post
http://www.b3playground.com had the same thing happen...
Your site is still being forwarded.
working on it as we speak... can't find the post to delete from the database shoutbox
m0nde
07-04-2005, 10:39 PM
I had the following log in and try to post a test URL using HTML in my shoutbox:
name: mavrahane
email: hacked@mavrahane.com
IP: 85.97.145.95
Luckily all HTML was turned off in my shoutbox.
- Sid
ok fixed and done :D
thanks for tips all
http://www.b3playground.com
majorj0nny1
07-17-2005, 07:21 PM
hi all - is anyone else experiencing weird problems with sql on their forums? I've posted here cause this problem seems to have appeared around the time I initially fixed the 'hacking' i had on my site.
I have the problem where my forums get slower and slower to the point where trying to view threads or post replies just times-out... contacting the hosting company they just say they have restarted the sql services and that seems to fix the issues. but so far these problems keep coming back!?
I'm unsure whether this is an issue with the hosting servers - or something we are doing ourselves.
this is what the hosting company said the problem was :
"Thanks for your updates. We found that there were many mysql connections in hanged stage, this occurs when users do not make proper exit after their connection end. We restarted the service and everything was up again."
is it conceivable that a vbadvanced module is causing this issue?
Brian
07-17-2005, 09:54 PM
Doubtfully... Can you post a link to your site?