MyBroadband admin security issue, code injection in footer

rpm (Admin, Staff member)
Hi folks

MyBroadband’s forum recently experienced a security breach. The person accessed the Admin CP and according to our log files did the following:

  • Inserted an iFrame into the footer by changing the copyright text (done easily through the VB options section)
  • Uploaded a plugin for potential later use through admin section
  • Created two admin accounts
Thanks to HavocXphere, who alerted us to the issue, we removed the iFrame soon afterwards, and removed the plugin and admin accounts.

From the web and VB log files there is no evidence of any other actions by the person, and there is also no evidence that any user accounts were accessed or compromised.

We are currently uncertain how the person accessed the Admin CP, but initial indications point to a weak admin password. We strengthened this system by making a few changes (for security reasons we do not want to give specifics here).

Despite the fact that the problems have been solved and that there is no evidence of accounts being compromised, we would still urge you to monitor the forum and your account for anything strange.

If you see anything strange, please let us know immediately.

We see this is a serious problem, and will continue to look for ways to improve our security.

BTW: We could not find any evidence that this issue is linked to the editing or Tapatalk problem. We continue to monitor that as well.
 
All I found lately is that when you want to "edit" or "reply with quote" the display (Chrome) would be very slow, not updating the page as if it is doing something else with the cursor flashing, yet if I open the edit or quote links in a new page it would work most of the time immediately and I could post the reply or edited changes still before the other original page updated. I then rather closed that page as it seems lost, but sometimes if left open after quite a while it would recover. Sometimes I will get a Chrome window saying the server is not available when posting. Maybe not related, but maybe it gives you a clue what is happening on our side.
 
You guys probably know best what you are doing, and am not entirely sure how the back end logging occurs on the forum, especially for the creation of admin users but is it possible to track this by the IP address that the changes were made from, and see if anyone posted to the forums at the same time with the same IP address?

I do hope passwords are not stored in clear text though.

Good luck with your fixes
 
Also experiencing the same issue as @Seriously: you cannot "Reply with Quote". This problem occurred about 3 - 5 days ago if not mistaken, or even last week sometime, on Firefox. Also noticed that sometimes my browser keeps on freezing while on this website (not sure if it is the Flash content).

Should we also monitor our email for anything suspicious?
 
@RPM - some years ago we experienced a similar issue on vBulletin. The issue was related to the VBSEO plugin which I believe still until recently had the vulnerability. It allowed via SQL injection to modify as you described the footer/theme to inject as you said an IFRAME. The IFRAME was used for ad-click-jacking (the content of the iframe was invisible, but it click-jacked ads what we believe was an attempt to generate ad-revenue). If it was the VBSEO plugin it would have also poisoned rewrite rules and in some instances when clicking via a SEO link result in advertising displayed - this was however not widely experienced.

We did have to clean up the VBulletin DB as this intrusion via the plugin resulted also in code modification and the placement of local php-files. If you do a Google search for "VBSEO iframe" or "VBSEO XSS" you will come across a number of reported incidents. VBulletin was at the time we experienced the issue of no great help either. Hope this helps, otherwise you have my contact details and I can get one of our tech ppl to give you more details.
 
@RPM So If you read something about me taking your car for a spin last night, it wasn't me, it was the hacker :D

Is it possible that the "intruder" could have gained access to the forums database?

There's only two ways to gain access to the database: a) via Hetzner's KonsoleH and b) via remote if you manage to get the username and password from the site's config file. I don't know if vBulletin hashes or salts the password, but none of the bulletin boards or WP/Joomla installs I've seen do that. But there's no way you're going to get access to either of those.
 
There is no sign that there was any DB access in the logs.

No - passwords are hashed.

I changed my password. Edit function works (coincidence?).

Reply with quote still requires a double click to go to the Advanced panel. It also tries to generate a duplicate post.
 
Were user contact emails compromised?
We found no evidence of that. The user section in the Admin CP was not accessed - looks like he may have focused on injecting the iFrame and creating a system for later use.

We will continue to investigate today, and if we uncover anything else we will let you know.
 
Passwords are probably md5 hashed, which is not really a good layer of security :D Anyways, hectic someone got in. Let's hope it was just a weak password.
 

vBulletin says they use a double md5 with a salt.
 