Running vBAdvanced?



dakar
04-25-2006, 02:33 PM
Looks like there may be some sort of exploitable code somewhere in part of vBAdvanced. Just had my portal defaced; had to come through the web server, no record in a remote ftp log and no obvious tampering with any other files... just the index.php was defaced... Whoever the hell "Bradon" is I'll wring his scrawny little neck...but according to google he's been busy defacing boards.

Just throwing this up as a warning as no response from the vBA team to validate/invalidate my suspicions. But plowing through the log files now trying to sort out what and when, at least I only have a 3-4 hour window to look through, great members.... think I was called within minutes of the page being trashed.

Joeychgo
04-25-2006, 02:51 PM
This is the first I have heard of such a possible exploit.

dakar
04-25-2006, 05:06 PM
Same here... tired of digging through log files so I tossed the same vBA index.php back up just as it was and now working on a perl script to run via cron every 10 mins or so that will run a diff against the index.php and a known file and page me if it changes, if the script kiddie comes back I'll have a much narrower timeframe to look at more closely.

I kinda gave up digging through apache's log... didn't see anything glaring at me.
Once I was able to verify that neither the SFTP nor shell access had been compromised I felt a lot better.

dakar
04-26-2006, 10:22 AM
Just for grins if anyone wants the perl I cobbled together to run the checksums, page me, and repair the index should it be defaced again I wrote it up on one of my blogs @ http://blog.captivereefing.com/2006/04/26/protect-your-web-pages-automagically-with-perl/.

Now if you want to clean up my code, please do! (Note: I've never claimed to be a coder of any ranks, sometimes I just screw up and get things to work.) For now it works, until I can find the hole to plug it up.
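The check described in the posts above (checksum the live index.php against a known-good copy, raise an alert, put the good file back), sketched in shell as an added example; it is not dakar's Perl script and nothing here is taken from the linked blog post. The function names, the four path arguments and the alert log are assumptions.

```shell
#!/bin/sh
# Added example: integrity check for one web file, meant to be run from cron.
# Every path passed in is a placeholder; keep the baseline outside the web root.

hash_of() {
    # Print only the SHA-256 hex digest of the file given as $1.
    sha256sum <"$1" | cut -d' ' -f1
}

# check_and_restore LIVE KNOWN_GOOD EVIDENCE_DIR ALERT_LOG
# Returns 0 = unchanged, 1 = changed and restored, 2 = could not check/restore.
check_and_restore() {
    live=$1 good=$2 evidence=$3 alert_log=$4

    # Without a readable baseline nothing can be verified, so say so loudly.
    if [ ! -r "$good" ]; then
        echo "$(date -u +%Y%m%dT%H%M%SZ) ERROR baseline missing: $good" >>"$alert_log"
        return 2
    fi

    good_hash=$(hash_of "$good")
    live_hash=missing                      # a deleted page also counts as a change
    [ -f "$live" ] && live_hash=$(hash_of "$live")
    [ "$live_hash" = "$good_hash" ] && return 0

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$evidence" || return 2
    # Keep the tampered file instead of overwriting it. cp -p preserves its
    # mtime, which narrows the window to search in the web server logs.
    if [ -f "$live" ]; then
        cp -p "$live" "$evidence/$(basename "$live").$stamp" || return 2
    fi
    # Restore through a temp file and rename so no partial page is ever served.
    cp "$good" "$live.tmp.$$" && mv "$live.tmp.$$" "$live" || return 2
    # One line per event; a pager or mail hook (assumption) can watch this log.
    echo "$stamp CHANGED $live was=$live_hash expected=$good_hash" >>"$alert_log"
    return 1
}

# Called with four arguments (e.g. from a cron entry every 10 minutes), run once.
if [ "$#" -eq 4 ]; then check_and_restore "$@"; fi
```

Restoring the file only removes the symptom; the quarantined copy and its timestamp are what make the log search tractable.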

Noppid
04-26-2006, 10:43 AM
Without seeing the "bad" index.php and the output from it, I'd be hard pressed to explain the problem or track it down.

I would be interested in anything you can provide me to help ascertain what happened in the interest of all vBa users.

Joeychgo
04-26-2006, 10:47 AM
Also, what modules were you running? One of them could have been the source.

dakar
04-26-2006, 11:26 AM
The index.php is the same now as it was before being exploited...the stock vBa one. The one that was put in its place is now named crackedindex.php (all from the root of captivereefing.com)

Modules: Site Nav, Buddy List, Recent Threads, News, and Current Poll. The only custom is the Welcome module, but that is just a link to an image.

It's now just a wait and see game, if the donkey makes another pass at trying to break it, or until I can more thoroughly analyze the log file and hopefully find something useful in it to pass along.

Joeychgo
04-26-2006, 01:57 PM
My first thought, and I'm not as informed about these things as I would like to be, is that he had to get into your server to alter a PHP file.

Noppid
04-26-2006, 07:47 PM
Yeah, but to stop there is weird. But lucky if that was the case.