Possible Exploit

  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73979

    #46
    This is a support forum. Posting in this forum implies that you want support for the issue. If you want to discuss the general safety of addons or potential exploits of them, the best place for this is vBulletin.org or the addon developer's website. If you want to have a more general discussion on security, then Managing Your Community would be the most appropriate place.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment

    • dadoc
      Member
      • Mar 2008
      • 82

      #47
      Can anyone confirm that they have fixed this redirect problem and have had a return of good stats?
      I have done all the appropriate precautions.
      I have edited vbseo files, and also re-updated. vbseo say that it was not their problem, then they release an apology and that they will do and have done everything to address this problem. I submit a ticket to them for support; now they say it is nothing to do with them, it is server security,
      so my host said that that is not the case. I am rather not impressed.

      These are the problems I have found

      1 inside includes files class_rss.php removed as was created 29/1/12 and I did not do it

      2 remote server access to database found 2 suspect IPs now removed

      I am waiting for stats to indicate success and will post in 48hrs and update

      anyone working on a fix, I would love to know your position

      this is my stats

      [Attached image: www.google.com screen capture 2012-2-26-8-20-34.jpg]

      AdSense reflects the same. If I can't fix this I will look at other forum software.
      I only know of vBulletin with this exploit, is this correct?

      Thanks
      Crime case files

      Comment

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73979

        #48
        Where is the redirect coming from? Certainly you have experienced the issue on your site. Sorry we can't diagnose your problem based on a Google Analytics image.

        I would suggest you upgrade your vBulletin though. Looking at your site, it says you're using vBulletin 3.7.0 which is over 5 years old and there have been numerous security issues found in it over the years. Some fixed in the later 3.7 series, some in the 3.8 series. A big part of keeping your site secure is making sure you're up to date on the software.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

        Comment

        • dadoc
          Member
          • Mar 2008
          • 82

          #49
          I agree, but the problem is across all versions.

          I was trying to provide information to others with this same problem so that we might be able to provide support to each other,
          as I can't seem to see an answer to this problem. vbseo said it was not their problem, then they said yes it is our problem and
          apologized sincerely to all their customers; now they say that it is not them, it is a server security issue.
          I have looked into that and, like I said, they recommended to not allow remote access to the database and to remove 1 suspect file, which was class_rss.php

          I have done all this but see no change. I provided the analytics image to show to what extent it has affected my site, not to help with diagnosis.

          I don't know what I can provide that might help me get support

          There are a few questions that I am looking for that I can't get

          1 Has this redirect exploit only affected vBulletin forums?

          2 Has anyone had the same problem

          3 Has anyone found a tested fix for this?



          This is my problem going back a month ago

          Over the past few weeks I have gone from 1000 visits a day to 150 per day.

          When I open Google Webmaster Tools it displays a screenshot of your website; the screenshot that is being displayed is not my site, and I have just found out the name of the site.

          I found the site when I was looking at my indexed pages on Google, because you can now view a large screenshot of a page when you mouse over that tab.

          The site is filestore123.info
          After looking through many of my pages on Google, I found that the majority, when clicked on, started to load my site and then redirected to that site.

          this is one of the pages that it is displaying as my website
          I am freaking out a bit and losing major traffic,


          this is a screenshot of how it is shown via a Google search


          [Attached image: www.google.com screen capture 2012-2-22-18-14-6.jpg]


          If I can help anyone I will if I need to provide any more info I can
          and any help would be great

          Regards
          Ryan

          One last important thing,
          as you can see in that screenshot it shows a showgroup page which is one that does redirect and also member profile pages do the same.

          I have my site set so that Google will not index
          Groups
          Members
          visitor messages and a few others like this

          and these pages are now indexed and do redirect, but the problem is not limited to these pages
          Last edited by dadoc; Tue 28 Feb '12, 10:35pm.
          Crime case files

          Comment

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73979

            #50
            You need to upgrade your software to a supported version. Once that is done, we can look at your site and help you resolve your issues.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API

            Comment

            • dadoc
              Member
              • Mar 2008
              • 82

              #51
              Originally posted by Wayne Luke
              You need to upgrade your software to a supported version. Once that is done, we can look at your site and help you resolve your issues.
              You could have mentioned this before,
              and it does affect the latest stable version of 4x

              There are a few questions that I am looking for that I can't get

              1 Has this redirect exploit only affected vBulletin forums?

              2 Has anyone had the same problem

              3 Has anyone found a tested fix for this?

              I own 2 licenses
              including a version of 4x but have not upgraded because of the amount of problems and bug fixes
              yes I know I can upgrade my version of 3x version but I want to stay with what I have
              Crime case files

              Comment

              • Wayne Luke
                vBulletin Technical Support Lead
                • Aug 2000
                • 73979

                #52
                1) doubtful but don't track any other software.

                2) Have people been exploited? Yes. Is it the same vector? Can't say.

                3) Have to know what the exploit is before we can answer.

                Frankly you're asking the wrong questions and getting ahead of yourself in looking for answers. Need to determine what the problem is first. The redirects are not the problem, they are a symptom of the problem. You need to fix the problem before the symptoms will go away. The only way to do that is to upgrade to modern versions of the software. Even if we find an exploit in 3.7.0 today, we are not going to fix it.
                Translations provided by Google.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API

                Comment

                • dadoc
                  Member
                  • Mar 2008
                  • 82

                  #53
                  I did ask is this exploit only happening to vBulletin
                  Originally posted by Wayne Luke

                  1) doubtful but don't track any other software.
                  As if you don't track other forum software! You should
                  what about xenforo you track them enough to take them to court

                  maybe you should track other forum software, you might stay a step ahead
                  Crime case files

                  Comment

                  • Floezen
                    New Member
                    • Oct 2002
                    • 8
                    • 3.6.x

                    #54
                    Originally posted by Jafo
                    Here it is folks, in functions_vbseocp_abstract.php

                    PHP Code:
                    public static function proc_deutf($ptxt, $tocharset)
                    {
                        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
                        return $ptxt;
                    }

                    I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

                    PHP Code:
                    public static function proc_deutf($ptxt, $tocharset)
                    {
                        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
                        return $ptxt;
                    }

                    We updated this code in April when we were hacked first.
                    Now we have been hacked again around July 5th 2012...
                    We are running vBulletin 3.8.7 Patch Level 3 and additionally the admincp is password secured.

                    We have now updated vBSEO from version 3.6 to 3.6PL2 - but I don't know if this will solve the problem in future...
                    tektorum.de
                    archinoah.de
                    Visionstudio

                    Comment
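The check below is an added example, not part of the thread and not vBSEO's or vBulletin's code: a small Python scanner that flags `preg_replace` calls carrying the `/e` modifier and separates the form quoted in post #54 as the original (backreference inside a double-quoted string) from the patched form. The function names and verdict labels are this example's own, and the fourth sample line is constructed.

```python
import re

SQ = r"'(?:\\.|[^'\\])*'"   # single-quoted PHP string literal
DQ = r'"(?:\\.|[^"\\])*"'   # double-quoted PHP string literal
LITERAL = re.compile(f"{SQ}|{DQ}", re.S)
CALL = re.compile(rf"\bpreg_replace\s*\(\s*({SQ}|{DQ})\s*,", re.S)
BACKREF = re.compile(r"\$\{?\d|\\\d")   # $1, ${1} or \1
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}

def unquote(lit):
    """Drop the quotes and resolve escaped quotes/backslashes."""
    return re.sub(r"\\([\\" + lit[0] + "])", r"\1", lit[1:-1])

def modifiers(pattern):
    """Flag letters after the closing PCRE delimiter."""
    return pattern[pattern.rfind(CLOSERS.get(pattern[:1], pattern[:1])) + 1:]

def evaluated_code(args):
    """Rebuild the string /e would eval; concatenated variables become VAR."""
    out, pos = [], 0
    for m in LITERAL.finditer(args):
        gap = args[pos:m.start()]
        if "," in gap:              # top-level comma ends the replacement arg
            break
        if gap.strip(" ."):         # a variable spliced in between literals
            out.append("VAR")
        out.append(unquote(m.group()))
        pos = m.end()
    return "".join(out)

def scan(php_source):
    """Return (line, verdict) per /e call. A backreference inside a double-quoted
    string of the eval'd code is parsed with PHP variable interpolation."""
    findings = []
    for call in CALL.finditer(php_source):
        if "e" not in modifiers(unquote(call.group(1)).strip()):
            continue
        code = evaluated_code(php_source[call.end():])
        risky = any(t[0] == '"' and BACKREF.search(t) for t in LITERAL.findall(code))
        line = php_source.count("\n", 0, call.start()) + 1
        findings.append((line, "e+interpolated-backref" if risky else "e-only"))
    return findings

# Lines 2-3: the two statements from post #54. Line 4: constructed, no /e.
SAMPLE = r"""<?php
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
$name = preg_replace('/\s+/', ' ', $name);
"""
print(scan(SAMPLE))
```

Both quoted forms still rely on `/e`, which PHP deprecated in 5.5 and removed in 7.0; `preg_replace_callback` is the replacement, so every hit is worth rewriting rather than only the first verdict.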

                    • jerde
                      Banned
                      • Jun 2010
                      • 193
                      • 4.2.X

                      #55
                      It won't solve the problem. This is a combination of vBSEO and Server hack. See more here... http://www.vbseo.com/blogs/rafael-be...w-prevent-361/

                      I for one am getting rid of vBSEO as it has not shown to be beneficial anymore and is just taxing on the server.

                      Comment

                      • Ace
                        Senior Member
                        • Apr 2004
                        • 4051
                        • 4.2.X

                        #56
                        Originally posted by jerde
                        It won't solve the problem. This is a combination of vBSEO and Server hack. See more here... http://www.vbseo.com/blogs/rafael-be...w-prevent-361/
                        Did you miss the bit that mentions it's not just sites with vBSEO installed?

                        The exploit employed in the 123filestore attack took advantage of the register_globals feature set to “enabled” on the infected host, and manipulated various script files, in some cases vBulletin + vBSEO, in other cases vBulletin + other third party scripts (note that the attack was not exclusive to vB +vBSEO sites).

                        Once injected, the modified scripts took users coming from search engines and redirected them to the 123filestore site, in some cases all the traffic was redirected. Again, this attack was not aimed at a particular site (with say, a combination of scripts such as vB+vBSEO), but directed at vB powered forums in general.
                        My Live vB5 Site - NZEating.com
                        vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

                        Comment
