Possible Exploit

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Ace
    replied
    Originally posted by jerde
    It won't solve the problem. This is a combination of vBSEO and Server hack. See more here... http://www.vbseo.com/blogs/rafael-be...w-prevent-361/
    Did you miss the bit that mentions it's not just sites with vBSEO installed?

    The exploit employed in the 123filestore attack took advantage of the register_globals feature set to “enabled” on the infected host, and manipulated various script files, in some cases vBulletin + vBSEO, in other cases vBulletin + other third party scripts (note that the attack was not exclusive to vB +vBSEO sites).

    Once injected, the modified scripts took users coming from search engines and redirected them to the 23filestore site, in some cases all the traffic was redirected. Again, this attack was not aimed at a particular site (with say, a combination of scripts such as vB+vBSEO), but directed at vB powered forums in general.


  • jerde
    replied
    It won't solve the problem. This is a combination of vBSEO and Server hack. See more here... http://www.vbseo.com/blogs/rafael-be...w-prevent-361/

    I for one am getting rid of vBSEO as it has not shown to be beneficial anymore and is just taxing on the server.


  • Floezen
    replied
    Originally posted by Jafo
    Here it is folks, in functions_vbseocp_abstract.php

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        // /e modifier: the replacement string is evaluated as PHP code; "$1" is double-quoted inside it
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        // Same call, but $1 is single-quoted inside the evaluated replacement
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    We updated this code in April when we were hacked first.
    Now we have been hacked again around July 5th 2012...
    We are running vBulletin 3.8.7 Patch Level 3 and additionally the admincp is password secured.

    We have now updated vBSEO from version 3.6 to 3.6PL2 - but I don't know if this will solve the problem in future...

    Leave a comment:
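
Added example, not part of any post in this thread and not vBSEO's own code: the `proc_deutf()` quoted above relies on the `e` modifier of `preg_replace()`, which evaluates the replacement string as PHP code and was deprecated in PHP 5.5 and removed in PHP 7.0. The sketch below performs the same key conversion with `preg_replace_callback()`, so matched text is only ever passed around as data; the function name `proc_deutf_callback` and the sample string are assumptions made for illustration.

```php
<?php
// Added example (not vBSEO code): proc_deutf() rewritten without the /e modifier.
// The function name and the sample input below are hypothetical.
function proc_deutf_callback(string $ptxt, string $tocharset): string
{
    $result = preg_replace_callback(
        // Same pattern as the original, minus the "e" flag.
        '#\'([^\']*)(\'\s*=>)#mi',
        static function (array $m) use ($tocharset): string {
            // iconv() returns false on failure; like the original, fall back
            // to the unconverted text when there is no usable result.
            $converted = @iconv('UTF-8', $tocharset, $m[1]);
            $value = ($converted !== false && $converted !== '') ? $converted : $m[1];
            // $m[1] and $m[2] are plain strings here: nothing is compiled or
            // interpolated, so no stripslashes() round trip is needed.
            return "'" . $value . $m[2];
        },
        $ptxt
    );
    // preg_replace_callback() returns null on a PCRE error; keep the input then.
    return $result ?? $ptxt;
}

// Constructed sample: one UTF-8 array key that also contains a "$".
$sample   = "'caf\xC3\xA9 \$price' => 'x',";
$expected = "'caf\xE9 \$price' => 'x',";
var_dump(proc_deutf_callback($sample, 'ISO-8859-1') === $expected);
```

The key is converted to ISO-8859-1 and the `$price` text comes back byte for byte, because the callback never places captured text inside code.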


  • dadoc
    replied
    I did ask is this exploit only happening to vBulletin
    Originally posted by Wayne Luke

    1) doubtful but don't track any other software.
    As if you don't track other forum software! You should.
    What about XenForo? You track them enough to take them to court.

    maybe you should track other forum software, you might stay a step ahead


  • Wayne Luke
    replied
    1) doubtful but don't track any other software.

    2) Have people been exploited? Yes. Is it the same vector? Can't say.

    3) Have to know what the exploit is before we can answer.

    Frankly you're asking the wrong questions and getting ahead of yourself in looking for answers. Need to determine what the problem is first. The redirects are not the problem, they are a symptom of the problem. You need to fix the problem before the symptoms will go away. The only way to do that is to upgrade to modern versions of the software. Even if we find an exploit in 3.7.0 today, we are not going to fix it.


  • dadoc
    replied
    Originally posted by Wayne Luke
    You need to upgrade your software to a supported version. Once that is done, we can look at your site and help you resolve your issues.
    you could have mentioned this before
    and it does affect the latest stable version of 4x

    There are a few questions that I am looking for that I can't get

    1 Has this redirect exploit only affected vBulletin forums?

    2 Has anyone had the same problem?

    3 Has anyone found a tested fix for this?

    I own 2 licenses
    including a version of 4x but have not upgraded because of the amount of problems and bug fixes
    yes I know I can upgrade my version of 3x version but I want to stay with what I have


  • Wayne Luke
    replied
    You need to upgrade your software to a supported version. Once that is done, we can look at your site and help you resolve your issues.


  • dadoc
    replied
    I agree, but the problem is across all versions.

    I was trying to provide information to others with this same problem so that we might be able to provide support to each other
    as I can't seem to see an answer to this problem. vbseo said it was not their problem, then they said yes it is our problem and
    apologized sincerely to all their customers, now they say that it is not them. It is a server security issue,
    I have looked into that and like I said they recommended to not allow remote access to database and to remove 1 suspect file which was class_rss.php

    I have done all this but see no change. I provided the analytics image to show to what extent it has affected my site. Not to help with diagnosis.

    I don't know what I can provide that might help me get support

    There are a few questions that I am looking for that I can't get

    1 Has this redirect exploit only affected vBulletin forums?

    2 Has anyone had the same problem?

    3 Has anyone found a tested fix for this?



    This is my problem going back a month ago

    Over the past few weeks I have gone from 1000 visits a day to 150 per day,

    when I open Google webmaster tools it displays a screenshot of your website, the screenshot that is being displayed is not my site and I have just found out the name of the site

    I found the site when I was looking at my indexed pages on Google, because you can now view a large screenshot of a page when you mouse over that tab.

    The site is filestore123.info
    after looking through many of my pages on Google I found the majority when clicked on started to load my site then redirect to that site

    this is one of the pages that it is displaying as my website
    I am freaking out a bit and losing major traffic,


    this is a screenshot of how it is shown via a Google search


    [Attached image: www.google.com screen capture 2012-2-22-18-14-6.jpg]


    If I can help anyone I will if I need to provide any more info I can
    and any help would be great

    Regards
    Ryan

    One last important thing,
    as you can see in that screenshot it shows a showgroup page which is one that does redirect and also member profile pages do the same.

    I have my site set so that Google will not index
    Groups
    Members
    visitor messages and a few others like this

    and these pages are now indexed and do redirect, but the problem is not limited to these pages
    Last edited by dadoc; Tue 28th Feb '12, 10:35pm.


  • Wayne Luke
    replied
    Where is the redirect coming from? Certainly you have experienced the issue on your site. Sorry we can't diagnose your problem based on a Google Analytics image.

    I would suggest you upgrade your vBulletin though. Looking at your site, it says you're using vBulletin 3.7.0 which is over 5 years old and there have been numerous security issues found in it over the years. Some fixed in the later 3.7 series, some in the 3.8 series. A big part of keeping your site secure is making sure you're up to date on the software.


  • dadoc
    replied
    can anyone confirm that they have fixed this redirect problem? and have had return of good stats
    I have done all the appropriate precautions.
    I have edited vbseo files, and also re updated, vbseo say that it was not their problem, then they release an apology and that they will do and have done everything to address this problem - I submit a ticket to them for support- now they say it is nothing to do with them, it is server security
    so my host said that that is not the case. I am rather not impressed.

    These are the problems I have found

    1 inside includes files class_rss.php removed as was created 29/1/12 and I did not do it

    2 remote server access to database found 2 suspect IP's now removed

    I am waiting for stats to indicate success and will post in 48hrs and update

    anyone working on a fix, I would love to know your position

    this is my stats

    [Attached image: www.google.com screen capture 2012-2-26-8-20-34.jpg]

    adsense reflects the same. If I can't fix this I will look at other forum software,
    I only know of vBulletin with this exploit, is this correct?

    Thanks


  • Wayne Luke
    replied
    This is a support forum. Posting in this forum implies that you want support for the issue. If you want to discuss the general safety of addons or potential exploits of them, the best place for this is vBulletin.org or the addon developer's website. If you want to have a more general discussion on security then the Managing Your Community would be the most appropriate place.


  • The Rocketeer
    replied
    I understand that, my point being is simply that due to this vbseo exploit the exploited code on my site's Javascript was entered or uploaded in the first place. They may seem different, and I am not saying that they are similar or the same, I am saying that they are "related". Because of this exploit my setup kept getting compromised in the first place and even after applying the patch there were compromised files / backdoors left that many users may not be able to detect, you weren't.

    It isn't just 1 exploited file(vbseo/resources/scripts/vbseo_ui.js?v=a4) there are well over 20 infected files that are mostly vbseo related.
    And again, I know this is a vBSEO issue, is the exploit also not a vBSEO Issue? Are we not allowed to discuss possible security issues with out plugins? I am not seeking support here, I will be asking vBSEO for that, but for the sake of the argument, what's wrong if a member were to try and support me? This is vital information that I felt like others should know about since we have brought up the topic about the exploit, why not include some issues that have been caused by it since you missed it easily, chances are many others with less computer skills such as myself might as well.

    They are different, they are not similar or the same, but they are very much related. One happens because of the other one.


  • Wayne Luke
    replied
    The exploit in this thread does not involve code at the bottom of Javascript on your site. It involves code at the bottom of a file on the vBSEO site. If you have exploited code on your site in the Javascript uploaded to your server, it is a different issue. They may seem similar but they are not.

    Regardless, the file you said was exploited is called vbseo/resources/scripts/vbseo_ui.js?v=a4

    Even if it was the same issue, it is a vBSEO issue and you need to visit vBSEO.com for support with vBSEO issues.


  • The Rocketeer
    replied
    Originally posted by Wayne Luke
    You should ask about this over at the vBSEO website. This is a different issue than what is outlined in this thread.
    Not entirely true.
    What is outlined in this thread is the exploit, what I have outlined is one of the many effects that are caused by the exploit.
    It may be slightly different but it is very much related to the matter we are discussing here. This could very well be the case for many users like myself who have just patched the exploit without paying attention to fix the leftover infections / backdoors when they had a look, much like how you didn't notice it when you had a look, Wayne; and I'd rather have other users know about it now than finding out by themselves later.




  • Wayne Luke
    replied
    Originally posted by The Rocketeer
    unfortunately I have some updates regarding this issue. I was just contacted by someone from AVG and according to them the infection caused by this exploit goes further down and infects some other vbseo files such as the script files, perhaps as a back door. reason why I offered earlier to have a look through my site / server / files.



    Earlier I have applied the fix simply by replacing the file, but for this I am not sure what I need to do; I have never done any vbulletin / vbseo work. Should I just upload and overwrite the files and run something or do I have to completely uninstall and re install vBSeo and lose all my settings?
    You should ask about this over at the vBSEO website. This is a different issue than what is outlined in this thread.
