Houston, we have a problem.

While checking to see why some of the scheduled cleanup functions hadn't been occurring, I found that one of the admincp files had been replaced, like so.

Meaning someone found a backdoor.

 

First off, thank you. You've always been aces in the tech department!

Secondly, is it possible to identify who has been using this backdoor?

 

Negative, it appears to have been there for a while, and I'm not even sure it has been used, so it's likely the logs have been purged since then.

 

Unbelievable!

 

How do these things get there?

 

I'm not quite sure on how it got there, but I would suggest to Lanzman and Order2Chaos that we need to change the server passwords, and if possible start using different passwords for different board functions (ie, a different password for mysql, root access, cpanel, etc.).

On another note, I've changed the default address that e-mails get sent to when there's a database error, previously it was set to send to Kyle, now it will be sent to exceptions.wordforge@gmail.com.

 

Will you be staying on staff again?

 

Yes, so long as my duties to this board do not encroach majorly on my work life, I will do so.

 

Nick, thanks for shouldering all this. Especially since it had the bad grace to happen while I had to be in New York.

That said, where do we stand? What do you need from me aside from changing root passwords?

 

I need the vBulletin 3.8.1 files. I need to reupload one of them which had been replaced by a hacked file..

 

So after some digging, none of the files had been replaced, instead it looks like code that the IRC /me command plugin executes had been hijacked. So far this is the only incidence I've found of it on the server, but I'm going to do a little more digging.

http://pastebin.com/JaP583uw

 

What does it mean? What was the hacking supposed to accomplish?

 

Mostly to fuck with people's stuff. Mass deface, etc.

 

There do not appear to be any other infected files. Good news.

 

Excellent work, Nick. Thank you.

 

[action=The Exception]test[/action]

 

Excellent, the function works after removing the offending code, WOO!

 

[action=Lanzman]approves.[/action]

 

Test

 

Yeah, but under the hood the board is based on PHP, so . . .