This is a support forum. Posting in this forum implies that you want support for the issue. If you want to discuss the general safety of addons or potential exploits of them, the best place for this is vBulletin.org or the addon developer's website. If you want to have a more general discussion on security than the Managing Your Community would be the most appropriate place.
Possible Exploit
Collapse
X
-
Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API -
can anyone confirm that they have fixed this redirect problem? and have had return of good stats
I have done all the appropriate precautions.
I have edited vbseo files, and also re updated, vbseo say that it was not their problem, then they release an apology and that they will do and have done everything to address this problem - I submit a ticket to them for support- now they say it is nothing to do with them, it is server security
so my host said that that is not the case. I am rather not impressed.
These are the problems I have found
1 inside includes files class_rss.php removed as was created 29/1/12 and I did not do it
2 remote server access to database found 2 suspect IP's now removed
I am waiting for stats to indicate success and will post in 48hrs and update
anyone working on a fix, I would love to know your possition
this is my stats
adsense reflects the same if I cant fix this I will look at other forum software,
I only know of vBulletin with this exploit, is this correct?
ThanksComment
-
Where is the redirect coming from? Certainly you have experienced the issue on your site. Sorry we can't diagnose your problem based on a Google Analytics image.
I would suggest you upgrade your vBulletin though. Looking at your site, it says you're using vBulletin 3.7.0 which is over 5 years old and there have been numerous security issues found in it over the years. Some fixed in the later 3.7 series, some in the 3.8 series. A big part of keeping your site secure is making sure you're up to date on the software.Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 APIComment
-
I agree, but the problem is across all versions.
I was trying to provide information to others with this same problem so that we might be able to provide support to each other
as I cant seem to see an answer to this problem vbseo, said it was not their problem then they said yes it is our problem and
apologized sincerely to all their customer, now they say that it is not them. It is a server security issue,
I have looked into that and like I said they recommended to not allow remote access to database and to remove 1 suspect file which was class_rss.php
I have done all this but see no change. I provided the analyitics image to show to what extent it has effected my site. Not to help with diagnosis.
I dont know what I can provide that might help me get support
There are a few questions that I am looking for that I cant get
1 Has this redirect exploit only effected vBulletin forums?
2 Has anyone had the same problem
3 Has anyone found a tested fix for this?
This is my problem going back a month ago
Over the past few week I have gone from 1000 visits a day to 150 per day,
when I open Google webmaster tools it displays a screenshot of your website, the screenshot that is being displayed is not my site and I have just found out the name the site
I found the site when I was looking at my indexed pages on Google, because you can now view a large screenshot a page when you mouse over that tab.
The site is filestore123.info
after looking through many of my pages on Google I found the majority when clicked on started to load my site then redirect to that site
this is one of the pages that it is displaying as my website
I am freaking out a bit and loosing major traffic,
this is a screenshot of how it is shown via a Google search
If I can help anyone I will if I need to provide any more info I can
and any help would be great
Regards
Ryan
One last important thing,
as you can see in that screenshot it shows a showgroup page which is one that does redirect and also member profile pages do the same.
I have my site set so that Google will not index
Groups
Members
visitor messages and a few others like this
and these pages are now indexed and do redirect, but the problem is not limited to these pagesLast edited by dadoc; Tue 28 Feb '12, 10:35pm.Comment
-
You need to upgrade your software to a supported version. Once that is done, we can look at your site and help your resolve your issues.Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 APIComment
-
and it does effect the latest stable version of 4x
There are a few questions that I am looking for that I cant get
1 Has this redirect exploit only effected vBulletin forums?
2 Has anyone had the same problem
3 Has anyone found a tested fix for this?
I own 2 licenses
including a version of 4x but have not upgraded because of the amount of problems and bug fixes
yes I know I can upgrade my version of 3x version but I want to stay with what I haveComment
-
1) doubtful but don't track any other software.
2) Have people been exploited yes? Is it the same vector? Can't say.
3) Have to know what the exploit is before we can answer.
Frankly you're asking the wrong questions and getting ahead of yourself in looking for answers. Need to determine what the problem is first. The redirects are not the problem, they are a symptom of the problem. You need to fix the problem before the symptoms will go away. The only way to do that is to upgrade to modern versions of the software. Even if we find an exploit in 3.7.0 today, we are not going to fix it.Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 APIComment
-
I did ask is this exploit only happening to vBulletin
As if you dont track other forum software! you should
what about xenforo you track them enough to take them to court
maybe you should track other forum software, you might stay a step aheadComment
-
Here it is folks, in functions_vbseocp_abstract.php
PHP Code:public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
PHP Code:public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
Now we have been hacked again orotund July 5th 2012...
We are running vBulletin 3.8.7 Patch Level 3 and additionally the admincp is password secured.
We have now updated vBSEO from version 3.6 to 3.6PL2 - but I don't know if this will solve the problem in future...Comment
-
It won't solve the problem. This is a combination of vBSEO and Server hack. See more here... http://www.vbseo.com/blogs/rafael-be...w-prevent-361/
I for one am getting rid of vBSEO as it has not shown to be beneficial anymore and is just taxing on the server.Comment
-
It won't solve the problem. This is a combination of vBSEO and Server hack. See more here... http://www.vbseo.com/blogs/rafael-be...w-prevent-361/
The exploit employed in the 123filestore attack took advantage of the register_globals feature set to “enabled” on the infected host, and manipulated various script files, in some cases vBulletin + vBSEO, in other cases vBulletin + other third party scripts (note that the attack was not exclusive to vB +vBSEO sites).
Once injected, the modified scripts took users coming from search engines and redirected them to the 23filestore site, in some cases all the traffic was redirected. Again, this attack was not aimed at a particular site (with say, a combination of scripts such as vB+vBSEO), but directed at vB powered forums in general.My Live vB5 Site - NZEating.com
vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.Comment
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Comment