Two Sites Hacked on March 5


#1

I was hacked through CB somehow on two different websites. Happened on the same day. I noticed it because I was looking in my error and visitor files in cPanel. It would be nice to know exactly how they got in, but I did lock up the photo upload scripts and directories as some logs indicated there was use of that.

A new directory had been created in the actions directory with a php file called karihanpolicija, and before that a temporary numbered php file had existed and then been deleted or maybe renamed after uploading.

Origins show an IP number beginning with 77.28 that had direct write access to my actions directory, and the other hack from 141.101 which was using the photo uploader php file.

I just noticed that my site is unable to do uploads right now. I do not know if that is related or not. The mass uploader works but not user uploads. I guess I will try to replace some complete directories from the backups.

Keep an eye on your log files, friends, and block IPs that annoy you.


#2

Guess all CB installations were hacked. They are supposed to be fixed with the latest v4 files. Guess they get access by viewchannel files.


#3

I just checked again today. No uploading available. Grrrr.
I am going to do a reinstall from my backup. I hope I did not make too many visual changes since then. I do not want to upgrade to v4 because I purchased the upgrade package a few years ago and now that package is much more expensive. Oh well, life is too short to waste time doing this forever.


#4

Were the sites on the latest source?

There were a lot of security fixes applied in V 4.0 Stable release:


#5

There is still a security hole in CB.
We do not use the photos part, we have even removed the photo uploading PHP files.
Vulnerability type: XSS (Cross Site Scripting)
Must configure the server to use CSP (Content Security Policy)


#6

No, I do not have php 7.0 on my server.
HOWEVER, I DO NOT have uploading enabled for visitors and I have removed much of the code. I DO NOT have users except for myself. I DO NOT use photos. I am the only uploader and visitors can only view the videos and leave comments.


#7

Anyone have any clue what to fix so this isn't happening on 2.8.3? Except just update to the new version?


#8

2.8.3 Does that version still use PHP 5.4? Anyone know where I can download a copy of v3?


#9

You can download V 2.8.3 from here:


#10

OK now I downloaded the one labeled as 2.8.3 and is build 4829 which I will try again. I will let you know.


#11

Hej,

To only install 2.8.3 won't work for you. Please read the post here: https://discourse.clipbucket.com/t/clipbucket-4-0-0-release-4902-command-injection-file-upload-sql-injection/2817


#12

The vulnerabilities are public and the sites can be infiltrated very easily. Any version below V 4.0 is vulnerable, so we don’t recommend using V 2.8.3.


#13

Not only did they attack us via CB.
They have taken control of the site and saturated the server with massive emails.

To Whom It May Concern:

I am writing from the MarkMonitor Anti-Fraud Operations Center
contacting you on behalf of PayPal. It has come to our
attention that your website has been compromised (hacked) and is
hosting a fraudulent Phish Redirector that is attempting to steal
account information from customers of PayPal.

The URL(s) of the fraudulent site:

hxxp://videosxxxxx.org/actions/CB_BEATS_UPLOAD_DIR/pp.php

At this moment there are 67,000 emails queued

Hosting IP address: X.XXX.XXX.56

Please remove these files from your site in order to disable the Phish Redirector.
If possible, we request that you send us a copy of any files you remove for analysis.

We also suggest that you follow up and work with your web hosting
provider to prevent future compromises of this kind.

Should you have any questions, please call us at +1-240-618-1300.

Thank you,

Security Operations Center
MarkMonitor
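
Posts #1 and #13 both describe PHP files appearing under `actions/` that were never part of the install. The following is an added example, not code from the thread or from ClipBucket: it compares a live web root against a known-good backup and lists PHP files that were added or changed. The extension list and the file names in the demo tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Extensions that common Apache/PHP setups may hand to the PHP interpreter (assumed list).
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _php_files(root):
    """Map relative path -> SHA-256 for every PHP-executable file under root."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_EXTS):
                full = os.path.join(dirpath, name)
                found[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return found

def compare_to_backup(live_root, backup_root):
    """Return (added, modified): PHP files absent from, or different to, the backup."""
    live, base = _php_files(live_root), _php_files(backup_root)
    added = sorted(p for p in live if p not in base)
    modified = sorted(p for p in live if p in base and live[p] != base[p])
    return added, modified

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed trees: a clean backup and a live copy with one dropped and one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        for root in (backup, live):
            _write(root, "actions/photo_uploader.php", "<?php // original ?>")
            _write(root, "index.php", "<?php // home ?>")
        _write(live, "actions/newdir/dropped.php", "<?php // not in backup ?>")
        _write(live, "index.php", "<?php // home, altered ?>")
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    added, modified = demo()
    print("added:", added)
    print("modified:", modified)
```

Run `compare_to_backup` with the real web root and an extracted backup before restoring, so that files listed as added can be kept aside for analysis, as the notice in post #13 requests.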


#14

Same on my site, too. I got an email from someone at Lufthansa.
My site was used for Amazon.co.jp phishing.

I ended up setting up the server from scratch. After so many vulnerabilities in the last years I’m sick of CB.
I’m switching to youPHPTube. The developer updates the script every day!


#15

I have read the detailed bug descriptions from Exploit Database about command injection and can see that is where the culprits entered. However, saying that you don’t recommend anything below CB 4 is a poor fix. The Exploit people describe that even CB 4 has not been fixed.

Then all promotion is still promoting CB 2.8.3 at best. It is very confusing to anyone wanting to run a video website. The CB site, github, the top message on this page and likely more internet locations are all promoting 2.8.3. The ones I listed could be changed quickly by the CB people and are not some unavailable links on web.

I would be willing to upgrade to CB4 but I saw somewhere it said that it requires a huge jump in PHP requirements for my server. It seems it will also require a new purchase of my paid add-on package which includes website branding.


#16

Sorry for your exp. We too have had issues. If I may kindly suggest: https://www.fiverr.com/king_of_kings

Has fixed our site and corrected such issues.

Best,
K


#17

I am on V 4.0 and my site just got hacked again.


#18

Do you have the security updates? 4.0 stable?


#19

I am using the 4.0 stable. Downloaded it last week. My site was hacked. Got a mail from RBC about phishing attacks. Secondly, my site now shows as Chinese/Japanese in Google search results.


#20

It's not only ClipBucket!!!

You must protect your site if you do not wanna be hacked!!!

I use BitNinja,

bitninja, HTTPS, MySQL, PHP, protection, serversecurity, SQL injection, vulnerability, WAF, and much more :slight_smile: