Security: Redirection to file2store.info
-
Coming in from Google would redirect offsite to file2store.info:
It'd set a "vpsp" cookie that would make it a one-time action. Running upgrade.php and saving a usergroup (all of which cleared the datastore) resolved the issue, but I'm not sure how the hack started in the first place. Running the latest vB and vBSEO.
FinalGear.com Forums -- Top Gear and general automotive forums
-
I've been hit by this @#?ing hack five times now and I'm really sick of it. I thought I fixed it last week when I updated vbSEO and vbSEO Sitemap Generator to the latest versions. Today I did a search in a Chrome incognito window that would show me my forums, and the damn script is back!
If I disable vbSEO and the sitemap generator, I don't get the re-direct.
When I enabled Sitemap Generator, I don't get the re-direct.
When I enabled vbSEO, I don't get the re-direct.
So is there some file that is generated when vbSEO and the Sitemap generator are turned on and that file is getting hacked?
This entire thing baffles me - I've never had such a persistent problem like this before!
Unfortunately it looks to me like this problem will keep coming back until the guys at vbSEO fix the exploit these hackers are using. The guys at vBulletin can't do anything about that.
-
I thought it was a server issue having to do with permissions but tightened all those up and it returned on one 3.x forum too.
To remove it temporarily, do this:
1. Disable one of the plugins (doesn't matter which one) and then re-enable it. This will flush the datastore and get rid of the redirect. The problem is, that seems to be only a temporary fix.
2. Try this suggestion (this is the next step for me as well):
Remove any evil .gif files off your server
To do this, ssh to your server and run this command:
Code:
find /home/main -regex '.*\.gif$' -exec grep php {} \;
It may be that the redirect came back on the forum I'm associated with because we didn't remove the original exec disguised as a gif? If so, it's not in the regular customavatars or customprofilepics folders because those are protected by .htaccess from running executables.
The truth is, I don't think anyone yet knows how this exploit is being accomplished and until we do there doesn't seem to be any sure way to eradicate it forever.
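A more thorough form of the scan suggested in the post above, as an added example that is not part of the original thread: it lists image-named files that contain a PHP opening tag, prints each path, and notes whether the file still carries a GIF signature. The function name `scan_images_for_php` and the directory passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find image-named files that contain PHP.
# scan_images_for_php is a hypothetical helper name; pass it your own web root.

scan_images_for_php() {
    root=$1
    # -iname also catches .GIF; other image extensions are covered because
    # the same disguise works for any uploaded "image".
    # grep -l prints the file name, -a reads binary data as text,
    # -i -F matches the literal tag in any letter case.
    find "$root" -type f \
        \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \) \
        -exec grep -l -a -i -F '<?php' {} + 2>/dev/null |
    while IFS= read -r f; do
        # A valid GIF signature does not clear the file: PHP can sit behind
        # a genuine header, so the signature is reported, not trusted.
        if head -c 6 "$f" | grep -a -q -E '^GIF8[79]a'; then
            printf 'gif-header\t%s\n' "$f"
        else
            printf 'no-gif-header\t%s\n' "$f"
        fi
    done
    return 0
}

# Run directly as: sh scan.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    scan_images_for_php "$1"
fi
```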
-
I would suggest you go into the AdminCP > Products & Plugins > Plugin Manager, choose any plugin, check its active box, save, and re-check its active box and save again (disable and enable it). This will fix the issue now, but won't prevent it from being defaced again in the future.
-
I actually did this yesterday, so it looks like this is going to be a daily thing until we have a fix.
-
Thanks for the clarification. This is all above my IQ-grade, so I'm like a blind man walking a tightrope. Thankfully my mondo-smart server admin guys are on it and are going to wait and watch for the exploit to come back and hopefully figure out how to stop it once and for all. If they do, I'll certainly share it here.