Possible Exploit

  • The Rocketeer
    replied
    Unfortunately I have some updates regarding this issue. I was just contacted by someone from AVG, and according to them the infection caused by this exploit goes further down and infects some other vbseo files such as the script files, perhaps as a back door. That is the reason I offered earlier to have a look through my site / server / files.

    Hi,

    The detection is correct.

    If you are affiliated with this site, you need to check all pages and
    script files for script injections similar to the one seen:

    http://tomorrowsgaming.com/vbseo/resources/scripts/vbseo_ui.js?v=a4

    at the very end of the file, that starts:

    var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B[...]

    Further, you should perform a full and thorough security audit of the
    site and the server(s) hosting it to ascertain how these (presumably)
    illicit code injections were achieved. Rectifying all issues that such
    an audit uncovers will be necessary to prevent the site being similarly
    compromised again in the future.
    Earlier I applied the fix simply by replacing the file, but for this I am not sure what I need to do; I have never done any vBulletin / vBSEO work. Should I just upload and overwrite the files and run something, or do I have to completely uninstall and reinstall vBSEO and lose all my settings?

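    The AVG reply quoted above tells the site operator to check every page and script file for an injection appended at the very end of vbseo_ui.js, beginning with a hex-escaped string array named _0x4470. The scanner below is an added example, not code from the thread, from AVG or from vBSEO: it walks a web root, flags files containing such an array, reports how far into the file it sits (close to the end is the pattern AVG described) and decodes the escaped strings so a reviewer can see what the appended code references. The file names and contents are constructed; only the `_0x4470` fragment quoted in the reply is reused.

```python
"""Flag script files that carry a hex-escaped string array (the var _0x4470=[...]
marker AVG quoted) and decode it for triage.
Added example; the sample files below are constructed, not vBSEO's."""
import re
import tempfile
from pathlib import Path

# An identifier of the form _0x<hex> assigned an array whose first element is
# a string built entirely from \xHH escapes. Assumption: this shape, which
# matches the fragment quoted in the thread, is the marker worth surfacing.
OBF_ARRAY_RE = re.compile(
    r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[\s*"((?:\\x[0-9a-fA-F]{2})+)"'
)
# Any fully hex-escaped string literal inside the array body.
ESC_STRING_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')

# Constructed stand-ins for a clean file and an infected one. The escaped
# prefix of the second is the one quoted in the thread (it decodes to
# 9=1.d('5');) followed here by a harmless constructed word.
CONSTRUCTED_CLEAN = (
    "// constructed stand-in for an untouched script\n"
    "function vbseo_ui_init() { return true; }\n"
)
CONSTRUCTED_INJECTED = (
    CONSTRUCTED_CLEAN
    + 'var _0x4470=["\\x39\\x3D\\x31\\x2E\\x64\\x28\\x27\\x35\\x27\\x29\\x3B",'
    + '"\\x68\\x65\\x6C\\x6C\\x6F"];\n'
)


def decode_hex_escapes(literal):
    """Turn a run of \\xHH escapes into the characters it encodes."""
    return bytes.fromhex(literal.replace("\\x", "")).decode("latin-1")


def find_injection(text):
    """Return a triage record for the first suspicious array, or None."""
    m = OBF_ARRAY_RE.search(text)
    if not m:
        return None
    close = text.find("]", m.start())
    body = text[m.start(): close if close != -1 else len(text)]
    decoded = [decode_hex_escapes(s) for s in ESC_STRING_RE.findall(body)]
    return {
        "name": m.group(1),
        "offset": m.start(),
        # Fraction of the file that precedes the array; near 1.0 means
        # "appended at the very end", as AVG described.
        "position": round(m.start() / max(len(text), 1), 2),
        "decoded": decoded,
    }


def scan_tree(root, suffixes=(".js", ".php", ".html")):
    """Walk a web root and collect findings for every matching file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hit = find_injection(path.read_text(encoding="utf-8", errors="replace"))
            if hit:
                hit["file"] = path.relative_to(root).as_posix()
                findings.append(hit)
    return findings


def demo():
    """Build a constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        scripts = root / "vbseo" / "resources" / "scripts"
        scripts.mkdir(parents=True)
        (scripts / "vbseo_ui.js").write_text(CONSTRUCTED_INJECTED, encoding="utf-8")
        (scripts / "other.js").write_text(CONSTRUCTED_CLEAN, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit["file"], hit["name"], "at", hit["position"], "->", hit["decoded"])
```

    A hit is a lead, not a verdict: some legitimate minifiers and obfuscators emit `_0x` string tables too, so review the decoded strings and the file's history before treating a flagged file as injected, and restore any confirmed file from a known-good copy rather than editing the tail out.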


  • The Rocketeer
    replied
    Originally posted by Jafo View Post
    I am not really available for any other side work at this time. Should I see anything else of note on this, I will be sure to update this thread.
    No no, I wasn't asking for side work. I just thought you might want to have a look at my setup and files, since we are having similar issues; maybe that would bring a few more things to light, that's all.



  • Jafo
    replied
    I am not really available for any other side work at this time. Should I see anything else of note on this, I will be sure to update this thread.



  • The Rocketeer
    replied
    Thanks to Wayne for pointing me to this thread. This has also been happening to me, actually. It has happened twice in the past two months (I was running 4.1.8). First my members were telling me that the site has viruses / malware according to Avast, then many of the features stopped working properly; it was some kind of a JavaScript infection. Then I also got this report from AVG that says the site is still compromised.

    Wayne had a look for me earlier and I have upgraded to 4.1.0 since, and will also be updating the functions_vbseocp_abstract.php patch, but I am still not sure if my site is infection free or not.
    Jafo - If you don't mind, I would like to send you some details of my site; maybe that will help you in your investigation to further nail down this issue and whether it is only being caused by vBSEO or if there is something else related, as well as getting rid of any leftover infections from my site.
    Last edited by The Rocketeer; Mon 23 Jan '12, 5:22pm.



  • Jafo
    replied
    Originally posted by Wayne Luke View Post
    At least it is contained now.
    From what I see, they don't even know how vbseo.com was compromised. Contained as in, we know where the problem is, but we have no idea how deep.



  • Jafo
    replied
    Originally posted by Talaturen View Post
    Nope, you are wrong. I've checked backups on the _abstract file from around 5 days ago (and the file hasn't been changed since I updated to 3.6.0). The same patch they are telling us to apply is already applied on that file, and other users on vBSEO forum have confirmed this too.
    We actually may both be right here. You said since you updated to 3.6.0? When was that? I am wondering if the package has been compromised since. Since it appears vbseo.com itself was hacked, it is not a stretch to say the hackers rolled back the abstract PHP file so this very exploit would work. It seems to be too much of a coincidence that this patch, added over a year ago to their repo, is not in the package today, when that very patch is required to have the hack on vbseo.com actually work.



  • Wayne Luke
    replied
    At least it is contained now.



  • Jafo
    replied
    http://www.vbseo.com/f5/vbseo-securi...83/index9.html

    Looks like it is a combination. Apparently the JavaScript was infected on THEIR site, so when you went into vbseocp.php, it called the infected JavaScript, which then ran against the bad function. If you upgraded and you didn't have the updated abstract file, it infected you. Wow, pretty ingenious.



  • Talaturen
    replied
    Originally posted by Wayne Luke View Post
    You're posting in the 3.8X forum.
    My bad; a friend sent me the link to this thread, and I had no idea it was for 3.8.

    Originally posted by Jafo View Post
    I downloaded 3.6.0 TODAY and it was not there. I opened a ticket with vbseo and they stated:



    So check again..
    The one I downloaded when 3.6.0 was released already had the patch applied, and I also downloaded a copy today to diff it against the files I have installed, and there was no difference in that function (it's possible I downloaded after they updated the package, though). Either way, my point is that my forum was running with this patch when the backdoor plugin was added.

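    Two posts in this thread turn on the same check: Jafo's reading that the patched line was rolled back in the package served from vbseo.com, and Talaturen's diff of a freshly downloaded copy against the installed files. The script below is an added example, not code from the thread or from vBSEO, of doing that comparison by SHA-256 over a whole tree: files that differ from the package, files the package ships that the site lacks, and files on the site that the package never contained (where an unexpected plugin or script would show up). The directory layout and file contents are constructed; functions_vbseocp_abstract.php and vbseocp.php are the names the thread mentions, while `includes/config.php` is an assumed name for a site-local file that is expected to differ.

```python
"""Compare an installed web tree against a vendor package by SHA-256.
Added example; the trees built in demo() are constructed, not vBSEO's."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each relative path under root to the SHA-256 of its bytes."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(package_root, installed_root, site_local=()):
    """Report files that differ from, are missing from, or were added to the package.

    site_local lists relative paths (settings files) that legitimately differ
    per site; they are excluded from the modified and added lists."""
    pkg = hash_tree(package_root)
    inst = hash_tree(installed_root)
    return {
        "modified": sorted(f for f in pkg
                           if f in inst and pkg[f] != inst[f] and f not in site_local),
        "missing": sorted(f for f in pkg if f not in inst),
        "added": sorted(f for f in inst if f not in pkg and f not in site_local),
    }


def write_tree(root, files):
    """Materialise a {relative path: text} mapping under root."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")


# Constructed contents: a "package" as the vendor serves it and an "installed"
# tree with an older abstract file, a script with an appended tail, a
# site-local settings file and one file the package never shipped.
PACKAGE = {
    "vbseocp.php": "<?php // constructed stand-in\n",
    "includes/functions_vbseocp_abstract.php": "<?php // constructed: patched revision\n",
    "resources/scripts/vbseo_ui.js": "function vbseo_ui_init() {}\n",
    "resources/styles/vbseo.css": "/* constructed */\n",
}
INSTALLED = {
    "vbseocp.php": "<?php // constructed stand-in\n",
    "includes/functions_vbseocp_abstract.php": "<?php // constructed: older revision\n",
    "resources/scripts/vbseo_ui.js": "function vbseo_ui_init() {}\n// constructed appended tail\n",
    "includes/config.php": "<?php // constructed: site-specific, expected to differ\n",
    "includes/plugins/constructed_extra.php": "<?php // constructed: not in the package\n",
}


def demo():
    """Build both constructed trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "package"
        inst = Path(tmp) / "installed"
        write_tree(pkg, PACKAGE)
        write_tree(inst, INSTALLED)
        return compare_trees(pkg, inst, site_local=("includes/config.php",))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

    A package pulled today only tells you what the vendor's download area serves today; in the situation the thread describes, where that channel itself was tampered with, compare against the vendor's source repository or an archived copy whose hashes you recorded before the incident, and treat anything in the "added" list that you cannot account for as a file to examine, not to ignore.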


  • Jafo
    replied
    Originally posted by Talaturen View Post
    Nope, you are wrong. I've checked backups on the _abstract file from around 5 days ago (and the file hasn't been changed since I updated to 3.6.0). The same patch they are telling us to apply is already applied on that file, and other users on the vBSEO forum have confirmed this too.
    I downloaded 3.6.0 TODAY and it was not there. I opened a ticket with vbseo and they stated:

    Hello,

    Thank you for the details. Indeed, this line was not updated in the vBSEO package for some reason, although it is updated in the code repository. We are investigating why that happened (the package in the downloads area is now updated).
    So check again.



  • punchbowl
    replied
    This being in the 3.8 forum would be the first clue.

    I have 3.8, no vBSEO, and don't have it. I hope!



  • Wayne Luke
    replied
    Originally posted by Talaturen View Post
    I have no idea if it is in 3.8.X; it happened to me around 4.1.8 (I can't know for sure because all I can see is the plugin id, and it's after I installed a plugin sometime in November, and before I updated to vBulletin 4.1.10). I've always been quick with applying security patches too. I don't think this is an exploit in vBulletin itself, because so far affected users are only people who use vBSEO (from what I have seen; I may be wrong). I don't know much more than that. Unless it was a vulnerability that has been fixed between 4.1.8 and 4.1.10 of vBulletin, it is very likely to still be active.
    You're posting in the 3.8X forum.



  • Talaturen
    replied
    Originally posted by Jafo View Post
    You are wrong, the patch was NOT in 3.6.0 until we discovered this TODAY. I know, I checked.
    Nope, you are wrong. I've checked backups on the _abstract file from around 5 days ago (and the file hasn't been changed since I updated to 3.6.0). The same patch they are telling us to apply is already applied on that file, and other users on vBSEO forum have confirmed this too.

    Originally posted by Wayne Luke View Post
    It is a pretty old unknown exploit then, to be in both 3.8.X and 4.X. There was an issue with group searching in both versions, and this was patched before 4.1.4 was released, so it could be related to that if people didn't apply both patches or they were exploited before the patch. I haven't seen anything pointing to a new exploit yet, though. We've had several potential issues submitted to us but they could not be replicated. If you have additional information then you should share it.
    I have no idea if it is in 3.8.X; it happened to me around 4.1.8 (I can't know for sure because all I can see is the plugin id, and it's after I installed a plugin sometime in November, and before I updated to vBulletin 4.1.10). I've always been quick with applying security patches too. I don't think this is an exploit in vBulletin itself, because so far affected users are only people who use vBSEO (from what I have seen; I may be wrong). I don't know much more than that. Unless it was a vulnerability that has been fixed between 4.1.8 and 4.1.10 of vBulletin, it is very likely to still be active.



  • Jafo
    replied
    The problem is, the patch was somehow not included in the latest release, so it was NOT patched until later today.



  • Wayne Luke
    replied
    Originally posted by Talaturen View Post
    It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO has had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today, as it doesn't patch anything) and my forum has been running with it. This exploit plugin was added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!
    It is a pretty old unknown exploit then, to be in both 3.8.X and 4.X. There was an issue with group searching in both versions, and this was patched before 4.1.4 was released, so it could be related to that if people didn't apply both patches or they were exploited before the patch. I haven't seen anything pointing to a new exploit yet, though. We've had several potential issues submitted to us but they could not be replicated. If you have additional information then you should share it.

