Blog Documentation Book a Demo
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 1.1.4 Hacked [RESOLVED - NON-VANILLA ISSUE]

leolaporteleolaporte
edited May 2008 in Vanilla 1.0 Help
My TWiT forums (http://twit.tv/forums) were hacked this evening. Every post and discussion has been replaced by the string "Hacked by Z4i0n - Zer0Day Group" I'm guessing this is a MySQL injection, but I don't know.

Comments

  • WallPhoneWallPhone
    Hello Leo! (A big fan...) If I knew your forums were on Vanilla, I would have signed up long ago... Anyway, from what you describe it does sound like injection and would probably have been an update command, I would try grepping the access logs for 'update' and see what that returns. If it is indeed a Vanilla or extension vulnerability, email myself and Mark so that we can work on getting it patched. Another thing that may help would be to look at the LUM_Comment table, and check the access logs for the time period between the latest replaced comment and any that may have occurred after the injection. Best wishes ::whispers email addresses::
  • MarkMark Vanilla Staff
    edited May 2008
    This is extremely frustrating to hear. Ninety nine times out of a hundred, vulnerabilities are reported to us before they are seen in the wild. I've never heard of this guy or his group before. I found some information about him on a Brazilian "security" forum, but there was no mention of a Vanilla exploit anywhere.

    I've checked your forum for known exploits in previous versions of Vanilla (there are no known exploits in Vanilla 1.1.4 - until now, maybe) and found that you were all patched up as you should be.

    It is possible that the user got in through some method other than a Vanilla exploit - but it would be very strange for them to choose to only manipulate Vanilla's tables and not any other tables if this were the case.

    It would really help us if you could get access to your web logs so we could see what requests were being made around the time of the exploit.
  • MarkMark Vanilla Staff
    After thinking about this for a while, another question that needs to be answered is: What addons / versions do you have installed? It's possible that the exploit was reached through one of these. You might want to whisper the addons list to myself or wallphone instead of making it public.
  • MarkMark Vanilla Staff
    Okay, I did a lot more digging around and I ended up getting in touch with the person who performed the exploit (Z4i0n) and speaking with him personally through the Brazilian security site I mentioned above.

    Here is our entire dialogue:

    Me
    My apologies for writing this in English, I do not speak Portuguese. I'll try a Yahoo Babelfish translation below.

    My name is Mark O'Sullivan (http://markosullivan.ca) and I am the creator of Lussumo Vanilla (http://getvanilla.com). I recently had a report of an installation of Vanilla that was hacked. The hacker somehow managed to replace all discussion topics and messages with: "Hacked by Z4i0n - Zer0Day Group"

    After some googling, I found your profile on this forum. I am wondering if you are the person who hacked my software? If so, I am hoping you can tell me how you did it so I can patch the vulnerability and release a new version. The open-source community around my software would greatly appreciate any assistance you can provide.

    Regards,
    Mark O'Sullivan
    Z4i0n
    Hello,
    I am the Z4i0n and I do not know which website refers that I send me the link so you can see what a failure and you talk if you need something to speak.
    Z4i0n
    Zer0Day Group
    Me
    Hello,

    The site that was originally exploited was: http://twit.tv/forums. The website owner has since erased all affected records from his database, so there is nothing to see anymore. As I said, the exploit replaced all discussions and messages with the text "Hacked by Z4i0n - Zer0Day Group".

    Can you tell me how this exploit worked so I can fix it?

    Regards,
    Mark O'Sullivan
    Z4i0n
    Hello,
    Well the invasion was actually made in (http://www.ultravioletsound.com/) that the same server (http://twit.tv/forums) that was made with a Back-Connect and by poor configuration of the server I had access to the folders that looked Twit.tv and with the Host, User, Password and Database of Twit.tv then realize the connection to the database and realize the changes in the tables.
    To have a greater security would be better when any user create a topic and write up this topic in the database the whole topic was encrypted with the server so badly taking shape and even with server access the database would make it more difficult the invasion.
    Z4i0n - Zer0day Group
    === End of Discussion ===
  • MarkMark Vanilla Staff
    His English is a little difficult to understand, but here's what I think he means:

    He actually got into Leo's site through the website www.ultravioletsound.com, which is on the same server as twit.tv. He then used a backconnect (apparently this is some kind of exploiting technique that I've never heard of) to get access to the twit.tv site. From there he must have stumbled across the database configuration file for Vanilla, where he was able to get the database name, username, and password for the db.

    From there it was a simple matter of connecting to the db directly and running an update script on the discussion and comment tables.

    So, from a Vanilla standpoint, there is really only one thing that could be done. That is to move the database configuration file to some place other than the web root (there is a configuration option available for this type of thing). But that kind of tactic is just obfuscation. If the hacker already has access to your server through avenues other than Vanilla, he can pretty much do whatever he wants to you. I'd say it's time to speak to the server admins and see if they have any answers about vulnerabilities in the ultravioletsound site.
  • fysicsluvrfysicsluvr New
    edited May 2008
    "backconnect" might be a mistranslation of "backdoor"
  • leolaporteleolaporte
    Mark - Thanks so much for taking so much time on this. I truly appreciate you going to so much trouble - I'm amazed you could track the guy down! Your committment to ferreting out the cause is another reason Vanilla is the BEST! I noticed much later that he hacked another web site on my server, http://munchcast.com, so I agree it's a server vulnerability, not a problem with Vanilla. Ultravioletsound.com is not on my server - I have a dedicated server - but it's possible that he is confusing it with another exploit of his. Munchcast runs on Wordpress. It's current now, but I was slow to update it and there was a known WP exploit he might have used. Hmm. I wish he had given us more clues about how he did it. Thanks again! sorry for the false alarm!
This discussion has been closed.