Forum exploit? forcefully resetting password issue.

محروم.كوم · #1 01-21-2013, 10:40 PM

Hi

I cannot 100% pinpoint the location or the method but I had an email saying I requested to reset my password then i had another saying it was successfully changed despite not clicking it. I checked my mail history and its not been accessed since it requires mobile access to login. Now, I checked the logs for the IP and found the following;

Code:
root@dmca [/home/domain/access-logs]# cat forum.domain.com | grep 91.236.116.142

91.236.116.142 - - [21/Jan/201313:46 +0000] "GET / HTTP/1.1" 200 11488 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:22 +0000] "GET /register.php HTTP/1.1" 200 10000 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:28 +0000] "GET /clientscript/vbulletin_css/style00115l/register.css?d=1358021545 HTTP/1.1" 200 338 "http://forum.domain.com/register.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:34 +0000] "GET /login.php HTTP/1.1" 303 26 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:39 +0000] "GET /index.php HTTP/1.1" 200 11494 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:45 +0000] "GET /f71/ HTTP/1.1" 200 13247 "http://forum.domain.com/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:50 +0000] "GET /f71/forum-rules-101410/ HTTP/1.1" 200 12843 "http://forum.domain.com/f71/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/loginButton.gif HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:50 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style_blue/footerLogo.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:51 +0000] "GET /f71/forum-rules-101410/images/styles/AnimatedArena/style/logo_blue.png HTTP/1.1" 404 40 "http://forum.domain.com/f71/forum-rules-101410/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201314:59 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201315:07 +0000] "POST /login.php?do=login HTTP/1.1" 200 6594 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201315:12 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6619 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201330:02 +0000] "GET /usercp.php HTTP/1.1" 200 6782 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201330:04 +0000] "GET /cron.php?rand=1358789402 HTTP/1.1" 200 43 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201330:37 +0000] "POST /login.php?do=login HTTP/1.1" 200 2365 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201330:41 +0000] "GET /usercp.php HTTP/1.1" 200 6868 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201331:01 +0000] "GET / HTTP/1.1" 200 6398 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201332:39 +0000] "GET / HTTP/1.1" 200 11489 "http://forum.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/201332:49 +0000] "GET /usercp.php HTTP/1.1" 200 6749 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201333:06 +0000] "POST /login.php?do=login HTTP/1.1" 200 6244 "http://forum.domain.com/usercp.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201333:14 +0000] "GET / HTTP/1.1" 200 11488 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201333:08 +0000] "GET /login.php?do=lostpw HTTP/1.1" 200 6618 "http://forum.domain.com/login.php?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201334:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 666 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/201334:17 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 623 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/201334:24 +0000] "POST /login.php?do=emailpassword HTTP/1.1" 200 2403 "http://forum.domain.com/login.php?do=lostpw" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

91.236.116.142 - - [21/Jan/201334:27 +0000] "GET /login.php?do=login HTTP/1.1" 303 26 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201334:27 +0000] "GET /index.php HTTP/1.1" 200 11494 "http://forum.domain.com/login.php?do=emailpassword" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201336:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 665 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/201336:13 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 659 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/201336:18 +0000] "GET /login.php?do=resetpassword&u=1&i=8e3849c72ee420c42 6fea00f50947f226aabf1f6 HTTP/1.1" 200 6381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
91.236.116.142 - - [21/Jan/201336:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 667 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
91.236.116.142 - - [21/Jan/201336:46 +0000] "GET /arcade.php?do=pnFStoreScore HTTP/1.1" 200 648 "http://forum.domain.com/arcade.php?do=pnFStoreScore" "Mozilla/5.0"
What I find interesting is the browser identity string. Most are normal but some contain no valid header so it appears to be some sort of script coming from arcade.php? But no injection code is actually being displayed. What do you suggest?

Regards. __DEFINE_LIKE_SHARE__

المواضيع المتشابهه
الموضوع	كاتب الموضوع	المنتدى	مشاركات	آخر مشاركة
Forum admincp password protection issue	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	01-09-2013 12:10 AM
Forum resetting the PM Count	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	09-24-2010 08:11 PM
Forum Resetting User Count	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	09-15-2010 11:49 AM
Forum Login issue password is shown	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	07-21-2010 12:00 PM
Forum Password issue	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	04-13-2009 03:20 AM