Please Help - Hacked vBulletin Redirect to filestore72.info


  • stevectaylor
    replied
    Originally posted by donald1234
    Have you run the suspect file check? maintenance-> diagnostics
    Would be easier if all the blog files don't come up!


  • TheLastSuperman
    commented on 's reply
    There is a shell script in place; see my post here for some of the file names, but you'll need to go through and take your time, doing a very very good job of cleaning up any new/extra/modified files, and be sure you overwrite all vBulletin files with 100% fresh files, and that includes modification files AND any other software files using .php etc., as this exploit does not care what the .php file goes to, it modifies all of them. If you don't correct this then it writes to the files later on, and if you missed one then it does the same and writes to all the files later.

  • TheLastSuperman
    commented on 's reply
    That is more than likely very similar to the plugin seen in my post here as it used .gif extension.. if the file is not an actual .gif i.e. a renamed .exe then that could be an issue, I bet you have shell scripts on your server now, the files are being overwritten w/ the new base64 code at the very top.

  • TheLastSuperman
    commented on 's reply
    I've seen this before too, it could have been related to the /install/ folder exploit... have you removed it yet? If yes, well, here's another scenario we've been seeing... seems as if they hacked your site while you still had the /install/ folder present, made spare admin accounts and inserted a plugin, then did not use that until months later. See my post here regarding my line of thinking on that.

  • TheLastSuperman
    commented on 's reply
    vBSEO did release 3.6.2 and one if not two patches. I believe the last safe version before they shut down was 3.6.2, however see Zachery's post below, there are new exploits in it (since it's no longer supported, no one is actively maintaining it or releasing patches), respectfully.

  • donald1234
    replied
    Have you run the suspect file check? maintenance-> diagnostics


  • beansbaxter
    replied
    I went through and did everything Lynne recommended and the problem was still happening.

    Even with vBSEO removed, the problem was still occurring.

    I read the following:

    It is worth checking for any files that contain base64 and one of the following (system / curl / exec / eval).
    What does this mean? And how do I check this?


  • stevectaylor
    replied
    As a point, we noticed that some images hosted externally using img code had base64 codes after the .jpg extension. This made me think, can a hack or site be exploited by externally served images?


  • stevectaylor
    replied
    We've been hit and not on VBSEO.


  • donald1234
    replied
    I agree, plug-ins that deal with redirects are vulnerable to redirect manipulation even if regularly patched and fully supported.


  • Zachery
    replied
    It might, but I've seen continued reports of new security issues with vBSEO. You should find a replacement, or remove it.


  • beansbaxter
    replied
    Thanks for those suggestions. I'll work through them tonight.

    Does this problem only affect vBulletin 4? Generally speaking, is VB version 3 and 5 safe from this?

    And did vBSEO ever release 3.6.2? I thought 3.6.1 was the final release. And if 3.6.2 was released, did this resolve this problem? (assuming this is indeed the problem)

    Thank you.


  • TheLastSuperman
    replied
    Originally posted by beansbaxter
    I did a search on the forums here, and I see there was an issue with this on older versions of vBSEO, however I'm running the latest 3.6.1 version. (assuming this is part of the problem)
    There is no "latest version" since it's now DEAD, however if there was it would have been 3.6.2, not 3.6.1.

    Do as Lynne listed above but also be sure you remove vBSEO completely OR... I only mention DBSEO by DragonByte Tech because not all know how to redo their site using mod friendly rewrites and redirect their old urls, well that and the vbseo site is down and that info is scattered across the net on other sites so it's sort of hard unless you know what you're doing but converting to DBSEO then removing the old vBSEO files should work fine and help you retain whatever SEO search/ranking you currently have.

    Along with Lynne's info above try reviewing some of these links, some have different info and may help:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked
    http://www.vbulletin.com/forum/blogs...vbulletin-site
    http://www.vbulletin.com/forum/blogs...vbulletin-site


  • Lynne
    replied
    I don't think any version of vbseo is safe. I seem to recall talk that this issue was NOT fixed in the latest version.

    There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

    Close the hole...
    This has three subparts in this instance.
    1. Delete your install folder
    2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
    3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

    Fill the Hole...
    There are seven subparts in this instance.
    1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
    2. Delete any Suspect Files.
    3. Replace any files marked as "Does not contain expected contents"
    4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
    5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
    6. Update your Addon Products.
    7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

    Secure the Hole
    Parts of this were done by closing the hole but there are still things to do here.
    1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
    2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
    3. Create a lower permission Administrator for every day use.
    4. Review your permissions in the system.
    5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
    6. Move your attachments outside the forum root directory.
    7. Create a complete backup of your site. Make database backups weekly.

    Vigilance
    You need to keep active on the security of the site.
    1. Give out the fewest permissions necessary for anyone to do their job
    2. Make sure your hosting provider updates the software.
    3. Update to the latest vBulletin when it is released.
    4. Make sure your addons are always up to date.
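
The file check beansbaxter asks about (base64 together with system / curl / exec / eval) and the keyword scan in Lynne's list can be run from a shell on the server. This is an added example, not part of any post and not vBulletin's own tooling; the function names `scan_php` and `scan_fake_images` and the 5-line "top of file" window are assumptions made here, and it scans files on disk only.

```shell
#!/bin/sh
# Added example: triage scan for a forum directory. Constructed for this
# thread; it is not vBulletin's Diagnostics check or any poster's script.

# Execution-type calls named in the thread. pass_thru is matched under its
# real PHP spelling, passthru; "curl" is matched as any curl_*() call.
EXEC_RE='(system|exec|eval|passthru|curl_[a-z]+)[[:space:]]*\('

# List .php files that contain "base64" together with one of the calls above.
# "[top]" marks files where base64 shows up in the first 5 lines (assumed
# window), matching the "code at the very top" pattern described above.
scan_php() {
    find "$1" -type f -name '*.php' -exec grep -li 'base64' {} + 2>/dev/null |
    while IFS= read -r f; do
        grep -qiE "$EXEC_RE" "$f" || continue
        if head -n 5 "$f" | grep -qi 'base64'; then
            printf '%s [top]\n' "$f"
        else
            printf '%s\n' "$f"
        fi
    done
}

# List files with an image extension whose first bytes are not a GIF, JPEG
# or PNG signature (for example a script renamed to .gif).
scan_fake_images() {
    find "$1" -type f \( -iname '*.gif' -o -iname '*.jpg' \
        -o -iname '*.jpeg' -o -iname '*.png' \) -print |
    while IFS= read -r f; do
        sig=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
        case $sig in
            47494638|ffd8ff*|89504e47) ;;      # GIF8, JPEG, PNG
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Usage: sh scan.sh /path/to/forum
if [ "$#" -gt 0 ]; then
    echo "PHP files with base64 + execution call:"; scan_php "$1"
    echo "Image-named files without an image signature:"; scan_fake_images "$1"
fi
```

Legitimate code can match these keywords too, so treat each hit as a file to compare against a fresh download rather than as proof of infection.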


  • Please Help - Hacked vBulletin Redirect to filestore72.info

    I have a vBulletin site that has been hacked and is redirecting people to a malware/virus filestore72.info download.

    Running vBulletin 4.2.1. Aside from upgrading to the latest 4.2.2 version, how can I determine what's causing this and remove it completely?

    I did a search on the forums here, and I see there was an issue with this on older versions of vBSEO, however I'm running the latest 3.6.1 version. (assuming this is part of the problem)

    I have tried disabling and re-enabling a plugin, but that didn't resolve the issue.

    If this is a permissions issue, which files and folders should I be checking their permission levels?

    What steps can I take to remove and resolve this problem for good?

    Thanks in advance, appreciate any help and assistance here!
