Site Hacked !

[majorj0nny1]

my website www.50klicks.com/index.php.old has been hacked by some naughty people

this seems to be associated with websites using the older vBadvanced CMPS v1.0.1 (version 1 )... though it could be coincidential ?

these are the toe-rags that did it - http://www.mavrahane.com/

there are a number of sites there that they boast to have hacked....

anyway - what can I do now? where would this re-direct have been placed? any suggestions before I update to vbadvanced version 2? and would/should that stop this particular exploit ?

[Izza]

I have been hacked by the very same bunch this morning.

I was running CMPS v1.0.1 as awell

Have you fixed it?

If so how did you do it?

Can anyone help please

[Brian]

What exactly was done to the site, and what leads you to believe that they used the exploited CMPS?

[Izza]

I have no idea!

The homepage no longer opens instead it redirects to their site, that is it did until I redirected it to my forums.

I am not blaming CMPS but asking the question everywhere in the hope that someone can shed some light on the problem.

[majorj0nny1]

OK - Tracked this down to the shoutbox module I was using - disabling that module and seemed to stop the problem.

could there be some kind of post in the shoutbox that would automatically forward to a website ?

I doubt this is a vbadvanced issues really - more a crappy shoutbox exploit ?

[majorj0nny1]

Quote:

Originally Posted by Brian

What exactly was done to the site, and what leads you to believe that they used the exploited CMPS?

no - i now dont think itsa a vbadvanced issue - its the shoutbox Im using - and suspect the same for all involved - it seems theres an entry in it that must force a redirect to their website.

[majorj0nny1]

ps - effected sites will find that they have a new user signed up - called MavraHaNe or similar - on my site they used this to enable them to post a shout.

list of effected sites (from their webpage)

1. http://www.arcadecrazy.com/

2. http://rochvibe.com/

3. http://www.b3playground.com/

4. http://www.c-o-e.de/hopezcom/cmps_index.php

5. http://www.thebig7.com/

6. http://www.assimx.net/

7. http://forums.clan-tlb.com/

8. http://www.vvt-i.net/

9. http://www.trackshare.com/forum/

10. http://www.trackshare.com/

11. http://www.iz-grafix.co.uk/

12. http://www.beginnerbikers.org/

13. http://www.ctd-hq.com/

14. http://www.50klicks.com/

15. http://www.illefx.com/

16. http://www.clansoe.it/

17. http://www.noodlum.com/

18. http://www.hardcoreplayhouse.nl/

19. http://www.530riders.net/

20. http://www.naijaworld.com/

if you are quick enough with the STOP button on ya browsers you will see the last thing that is posted on the shoutboxes is a MavraHaNe shout - soon as it tries to display that shout is re-directs.

[mholtum]

Well if it is / was a shout that causes the re-deirect, I would hardly call that "hacked"

[Brian]

Is this from a shoutbox module that's posted on here? If so, could somebody please link me to it?

[majorj0nny1]

Quote:

Originally Posted by mholtum

Well if it is / was a shout that causes the re-deirect, I would hardly call that "hacked"

no - me neither... an 'exploit' would be more apt.

but on first discovering this I (and im sure others effected) thought the same - the site loads as normal, then suddenly redirects to a large graphic and a message saying "this site has been hacked" then forwards onto their website with a list of all the victims.

quite sad really - but effective and trouble causing all the same.

does anyone know if something in version 2 of vbadvanced would protect agaisnt this? all those in the list seem to be using version 1.

[majorj0nny1]

Quote:

Originally Posted by Brian

Is this from a shoutbox module that's posted on here? If so, could somebody please link me to it?

I muist have got this module from this site .... I remember there was a few to choose from at the time...

i have a shoutbox.php thats starts with

<?php

###########################################################################
## MAJESTIC FORUM SHOUTBOX
###########################################################################

might be this one ? http://www.vbadvanced.com/forum/show...light=shoutbox

noticed someone with a 'majestic forums' sig ?

hope this helps?


EDIT - yes it was that one actually - i remember the guy offering the mod to remove the scoll bars etc.

[Izza]

Firstly I have found the culprit. It is a script thats entered into the shoutbox. I searched the database for the name mavrahane and it showed up so I have deleted it.

Sorry if it appeared that I was accusing CMPS of being at fault, I wasn't, but hoped that someone here would know the answer.

Thankyou.

[Brian]

Quote:

Originally Posted by majorj0nny1

does anyone know if something in version 2 of vbadvanced would protect agaisnt this? all those in the list seem to be using version 1.

I highly doubt it. The exploit is somewhere in the shoutbox.php file, which is included in an iframe in the CMPS module. Looks like they're inserting some javascript when they post the shout, and that's what's redirecting people to their site. My guess would be that HTML characters are not being stripped properly before the shout is inserted into the database, but I haven't really looked at the script so I may be wrong about that.

[Lizard King]

http://www.vbadvanced.com/forum/show...astpost&t=5107
it is not an exploit it is just a simple script.

[vbusers11]

yup.. they're using something like this

PHP Code:

<script>header.location="hackersite"</script> 


I'm on that hacked sites list above

[Sanjiyan]

Spot the illegal 3.0 beta 4 forum they are using tho, anyone with a licence would be using 3.0.6 or .7 due to the security flaws in the older verisons.

Pay back I think, report em, or use the known exploits and do the same to them.

[majorj0nny1]

Quote:

Originally Posted by Brian

I highly doubt it. The exploit is somewhere in the shoutbox.php file, which is included in an iframe in the CMPS module. Looks like they're inserting some javascript when they post the shout, and that's what's redirecting people to their site. My guess would be that HTML characters are not being stripped properly before the shout is inserted into the database, but I haven't really looked at the script so I may be wrong about that.

could i (in theory) say use the swearword feature in the script to stop anything like <script>header. being used? (as in what vbusers11 said) ?

would that work ?

[majorj0nny1]

Quote:

Originally Posted by Izza

Firstly I have found the culprit. It is a script thats entered into the shoutbox. I searched the database for the name mavrahane and it showed up so I have deleted it.

Sorry if it appeared that I was accusing CMPS of being at fault, I wasn't, but hoped that someone here would know the answer.

Thankyou.

cool Izza - would you mind giving instructions on 'searching the database' please? Id like to do the same.

ta.

[vbusers11]

somebody give the exact code if you would... that they used in your DB

[vbusers11]

wow, they're a user on this forum. no wonder.