vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.

  • Originally posted by Cbrown
    I'm sure about the PHP-laden gif file. I'm not sure about the getting db info and getting the passwords. But SOMEHOW, a person snagged two of my users' admin passwords. Two people with nothing in common and living in different states. Or there is a major hole somewhere in the code.
    Brute force hacking? Once the intruder has one admin password, he can change other passwords.
    Psychlinks Mental Health Support Forum
    Local Search Forum

    Comment


    • Just as a side note... why does anyone NOT have their AdminCP itself globally password protected???

      http://forums.digitalpoint.com/admincp/
      http://www.vbulletin.com/forum/admincp/
      Sphinx Search for vBulletin 4: https://marketplace.digitalpoint.com...tin-4.870/item
      Someone send me a message on Twitter when this site is usable again. https://twitter.com/digitalpoint

      Comment


      • Indeed. Mine has been for years.
        Baby, I was born this way

        Comment


        • Originally posted by digitalpoint
          Just as a side note... why does anyone NOT have their AdminCP itself globally password protected???

          http://forums.digitalpoint.com/admincp/
          http://www.vbulletin.com/forum/admincp/
          I know we emphasize that admincp should be behind htaccess
          Adrian

          Comment


          • Guys, in light of the 'possibility' of an exploit being possible through the upload of a malicious script embedded in gifs, I have followed advice and uploaded the following htaccess file to directories which allow users to upload images to (vBGallery, vBGarage, Customer avatars etc etc):

            Options +FollowSymLinks
            Options All -Indexes
            <Files ~ "\.(php\d*|cgi|pl|phtml)$">
            order allow,deny
            deny from all
            </Files>
            Now my question is regarding some directories: for instance, vBGallery and vBproGarage point to a particular writeable folder, however it seems like it stores uploads in many many different directories within the /upload/ folder designated for the script. My concern is that the above htaccess file is only protecting /uploads/ and not any subsequent folders the script creates within its writeable directory.

            How can I force the above htaccess on ALL sub-directories of a particular folder?

            Let me know if that made sense, thank you!

            Originally posted by digitalpoint
            Just as a side note... why does anyone NOT have their AdminCP itself globally password protected???

            http://forums.digitalpoint.com/admincp/
            http://www.vbulletin.com/forum/admincp/
            I deny access to ALL IPs except my home static IP.

            Comment


            • I'm curious, is there anyone out there getting hit by the file2store.info exploit that does NOT have vbSEO installed? It looks like this is 100% on vbSEO to fix, but maybe I'm wrong about that...

              Comment


              • Originally posted by Jason Dunn
                I'm curious, is there anyone out there getting hit by the file2store.info exploit that does NOT have vbSEO installed? It looks like this is 100% on vbSEO to fix, but maybe I'm wrong about that...
                From my response to your other post:

                Originally posted by Jason Dunn
                I've been hit by this @#?ing hack five times now and I'm really sick of it. I thought I fixed it last week when I updated vbSEO and vbSEO Sitemap Generator to the latest versions. Today I did a search in Chrome incognito window that would show me my forums, and the damn script is back!

                If I disable vbSEO and the sitemap generator, I don't get the re-direct.

                When I enabled Sitemap Generator, I don't get the re-direct.

                When I enabled vbSEO, I don't get the re-direct.

                So is there some file that is generated when vbSEO and the Sitemap generator are turned on and that file is getting hacked?

                This entire thing baffles me - I've never had such a persistent problem like this before!

                Unfortunately it looks to me like this problem will keep coming back until the guys at vbSEO fix the exploit these hackers are using. The guys at vBulletin can't do anything about that.
                No. It is NOT vBSEO. It's happening to forums without vBSEO as well.

                I thought it was a server issue having to do with permissions but tightened all those up and it returned on one 3.x forum too.

                To remove it temporarily, do this:

                1. Disable one of the plugins (doesn't matter which one) and then re-enable it. This will flush the datastore and get rid of the redirect. The problem is, that seems to be only a temporary fix.

                2. Try this suggestion (this is the next step for me as well):

                Remove any evil .gif files off your server
                To do this, ssh to your server and run this command:

                Code:
                find /home/main -regex '.*\.gif$' -exec grep -l php {} \;
                Change the /home/main to fit your main root directory. Delete the matches in those upload directories!! I usually check them first, but remove them.

                It may be that the redirect came back on the forum I'm associated with because we didn't remove the original exec disguised as a gif? If so, it's not in the regular customavatars or customprofilepics folders because those are protected by .htaccess from running executables.

                The truth is, I don't think anyone yet knows how this exploit is being accomplished and until we do there doesn't seem to be any sure way to eradicate it forever.
                Psychlinks Mental Health Support Forum
                Local Search Forum

                Comment
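The check described in the post above, as an added example that is not part of the original thread: it prints the name of each image-named file that contains a literal `<?php`, lists nested `.htaccess` files that could override the upload directory's rules (the concern raised earlier in the thread), and can move hits to a quarantine directory for inspection. The function names and the quarantine layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# pass your own upload directory (and a quarantine directory outside the web root).

# List image-named files under "$1" that contain a PHP open tag.
# grep -q acts as a find test, so every hit is printed by name. -F matches the
# literal string "<?php" (not any "php"), -i also catches "<?PHP", and LC_ALL=C
# keeps grep byte-oriented on binary data.
scan_php_in_images() {
    LC_ALL=C find "$1" -type f \
        \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \) \
        -exec grep -Fqi '<?php' {} \; -print
}

# List .htaccess files below the upload root "$1", excluding the root's own.
# Apache applies a directory's .htaccess to all of its sub-directories, but a
# deeper .htaccess can override it, so each one listed here needs a review.
nested_htaccess() {
    root=${1%/}
    find "$root" -type f -name '.htaccess' ! -path "$root/.htaccess"
}

# Move every hit under "$1" into "$2" for inspection instead of deleting it,
# flattening the path into the file name. Prints the number of files moved.
# Assumes file names contain no newlines.
quarantine_hits() {
    mkdir -p "$2" || return 1
    list="$2/.hits.$$"
    scan_php_in_images "$1" > "$list"
    n=0
    while IFS= read -r f; do
        mv -- "$f" "$2/$(printf '%s' "$f" | tr '/' '_')" && n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Report only when run with a directory argument: sh scan.sh /path/to/uploads
if [ "$#" -ge 1 ]; then
    echo "Image files containing a PHP open tag:"; scan_php_in_images "$1"
    echo "Nested .htaccess files to review:";      nested_htaccess "$1"
fi
```

Short open tags (`<?`, `<?=`) are not matched, so a clean result is not proof that a file is harmless.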


                • Did anyone that got hit have the vbseo site map running and notice any errors in google webmasters tools?
                  I have just flat lined on traffic for the last two weeks.
                  Followed the steps on editing the class core file.
                  Admin area has been htaccess protected since getting hit with the base 64 divert once last year.

                  In my google webmasters account on the site map, I have several warnings.
                  This is one of them:

                  URLs not followed
                  When we tested a sample of URLs from your Sitemap, we found that some URLs redirect to other locations. We recommend that your Sitemap contain URLs that point to the final destination (the redirect target) instead of redirecting to another URL

                  HTTP Error: 302
                  URL: http://www.thespainforum.com/f188/ba...azette-239374/
                  Problem detected on: May 8, 2011

                  Just wondered if anyone else experienced the same when they got hit
                  .

                  Comment


                  • There was an exploit in the vbseo site map (vb.org) not long ago, but it has been fixed.
                    .......

                    Comment


                    • Originally posted by Ramsesx
                      There was an exploit in the vbseo site map (vb.org) not long ago, but it has been fixed.
                      Make sure you update to the latest versions of vBulletin, vBSEO, and vBSEO Sitemap. But also make sure that you delete any leftover files from old versions, since they may continue to provide entry points for malware or hacks as long as they are on your server.
                      Psychlinks Mental Health Support Forum
                      Local Search Forum

                      Comment


                      • Originally posted by djbaxter
                        Make sure you update to the latest versions of vBulletin, vBSEO, and vBSEO Sitemap. But also make sure that you delete any leftover files from old versions, since they may continue to provide entry points for malware or hacks as long as they are on your server.
                        My post was just for information purposes, I don't have any issue. But thanks.
                        .......

                        Comment


                        • Originally posted by Ramsesx
                          There was an exploit in the vbseo site map (vb.org) not long ago, but it has been fixed.
                          There was ?
                          Baby, I was born this way

                          Comment


                          • I just went on vbseo to check what the latest version of the site map is and I'm up to date on that one.
                            Still shows 3.0 as the current version.
                            I also keep site map access to yahoo, bing, msn and google via htaccess ip allow.
                            Found the odd normal person / website designer looking at it.
                            Plus it locks down another admin area.
                            .

                            Comment


                            • Originally posted by Paul M
                              There was ?
                              Yes, you've participated in this thread.
                              Originally posted by Lee G
                              I just went on vbseo to check what the latest version of the site map is and I'm up to date on that one.
                              There was a vbseo_sitemap-3-0 PL1.zip released on 05 May 2011, in the add-on description it's still showing 11/11/2010 - Version 3.0 as the last released version in revision history, but that's wrong. So, be sure you have the PL1 installed.
                              .......

                              Comment


                              • Originally posted by Ramsesx
                                Yes, you've participated in this thread.
                                By "participated" you mean I made one post, which was a question. That doesn't mean I'm suddenly aware of a sitemap exploit.

                                JFYI, a few posts down, Mert posted "I am sorry but we are talking about vBSEO product not sitemap generator.".
                                Baby, I was born this way

                                Comment
