vBulletin 3.x and 4.x Redirect Security Exploit

  • djbaxter
    Senior Member
    • Aug 2006
    • 1418
    • 4.2.5

    Originally posted by Cbrown
    I'm sure about the php laden gif file. I'm not sure about the getting db info and getting the passwords. But SOMEHOW, a person snagged two of my users' admin passwords. Two people with nothing in common and living in different states. Or there is a major hole somewhere in the code.
    Brute force hacking? Once the intruder has one admin password, he can change other passwords.
    Psychlinks Web Services Affordable Web Design & Site Management
    Specializing in Small Businesses and vBulletin/Xenforo Forums


    • digitalpoint
      Senior Member
      • Mar 2004
      • 2573
      • 4.1.x

      Just as a side note... why does anyone NOT have their AdminCP itself globally password protected???


      Sphinx Search for vBulletin 4: https://marketplace.digitalpoint.com...tin-4.870/item
      Someone send me a message on Twitter when this site is usable again. https://twitter.com/digitalpoint


      • Paul M
        Former Lead Developer
        vB.Com & vB.Org
        • Sep 2004
        • 9886

        Indeed. Mine has been for years.
        Baby, I was born this way


        • IB Adrian
          Former Senior Operations Manager
          • Jul 2008
          • 1688
          • 3.6.x

          Originally posted by digitalpoint
          Just as a side note... why does anyone NOT have their AdminCP itself globally password protected???
          http://forums.digitalpoint.com/admincp/
          http://www.vbulletin.com/forum/admincp/
          I know we emphasize that admincp should be behind htaccess
          Adrian


          • SighK
            Member
            • Apr 2009
            • 79
            • 3.8.x

            Guys, in light of the 'possibility' of an exploit being possible through the upload of a malicious script embedded in gifs, I have followed advice and uploaded the following htaccess file to directories which allow users to upload images (vBGallery, vBGarage, Customer avatars etc etc):

            Options +FollowSymLinks
            Options All -Indexes
            <Files ~ "\.(php\d*|cgi|pl|phtml)$">
            order allow,deny
            deny from all
            </Files>
            Now my question is regarding some directories: for instance, vBGallery and vBproGarage point to a particular writeable folder; however, it seems like it stores uploads in many, many different directories within the /upload/ folder designated for the script. My concern is that the above htaccess file is only protecting /uploads/ and not any subsequent folders the script creates within its writeable directory.

            How can I force the above htaccess on ALL sub-directories of a particular folder?

            Let me know if that made sense, thank you!

            Originally posted by digitalpoint
            Just as a side note... why does anyone NOT have their AdminCP itself globally password protected???


            http://www.vbulletin.com/forum/admincp/
            I deny access to ALL IPs except my home static IP.


            • Jason Dunn
              New Member
              • Jul 2006
              • 29

              I'm curious, is there anyone out there getting hit by the file2store.info exploit that does NOT have vbSEO installed? It looks like this is 100% on vbSEO to fix, but maybe I'm wrong about that...


              • djbaxter
                Senior Member
                • Aug 2006
                • 1418
                • 4.2.5

                Originally posted by Jason Dunn
                I'm curious, is there anyone out there getting hit by the file2store.info exploit that does NOT have vbSEO installed? It looks like this is 100% on vbSEO to fix, but maybe I'm wrong about that...
                From my response to your other post:

                Originally posted by Jason Dunn
                I've been hit by this @#?ing hack five times now and I'm really sick of it. I thought I fixed it last week when I updated vbSEO and vbSEO Sitemap Generator to the latest versions. Today I did a search in Chrome incognito window that would show me my forums, and the damn script is back!

                If I disable vbSEO and the sitemap generator, I don't get the re-direct.

                When I enabled Sitemap Generator, I don't get the re-direct.

                When I enabled vbSEO, I don't get the re-direct.

                So is there some file that is generated when vbSEO and the Sitemap generator are turned on and that file is getting hacked?

                This entire thing baffles me - I've never had such a persistent problem like this before!

                Unfortunately it looks to me like this problem will keep coming back until the guys at vbSEO fix the exploit these hackers are using. The guys at vBulletin can't do anything about that.
                No. It is NOT vBSEO. It's happening to forums without vBSEO as well.

                I thought it was a server issue having to do with permissions but tightened all those up and it returned on one 3.x forum too.

                To remove it temporarily, do this:

                1. Disable one of the plugins (doesn't matter which one) and then re-enable it. This will flush the datastore and get rid of the redirect. The problem is, that seems to be only a temporary fix.

                2. Try this suggestion (this is the next step for me as well):

                Remove any evil .gif files off your server
                To do this, ssh to your server and run this command:

                Code:
                # -l prints the name of each matching file instead of the matching line
                find /home/main -regex '.*\.gif$' -exec grep -l php {} \;
                Change the /home/main to fit your main root directory. Delete the matches in those upload directories!! I usually check them first, but remove them.

                It may be that the redirect came back on the forum I'm associated with because we didn't remove the original exec disguised as a gif? If so, it's not in the regular customavatars or customprofilepics folders because those are protected by .htaccess from running executables.

                The truth is, I don't think anyone yet knows how this exploit is being accomplished and until we do there doesn't seem to be any sure way to eradicate it forever.
                Psychlinks Web Services Affordable Web Design & Site Management
                Specializing in Small Businesses and vBulletin/Xenforo Forums
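
The GIF check described in the post above, as an added example that is not part of the original thread. It goes beyond the one-line `find`: it covers other image extensions, walks every subdirectory of the upload root, and matches narrower patterns than the bare string `php`. The names `scan_uploads`, `is_real_gif` and `SUSPECT_RE` and the pattern list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the pattern
# list are assumptions; point the scan at your own upload directory.

# Strings that should never appear in a genuine image: a PHP open tag
# and two functions commonly found in injected loader code.
SUSPECT_RE='<\?php|eval[[:space:]]*\(|base64_decode[[:space:]]*\('

# Print the path of every image-named file under $1 that matches.
scan_uploads() {
    root=$1
    [ -d "$root" ] || { echo "scan_uploads: not a directory: $root" >&2; return 2; }
    # LC_ALL=C makes grep compare raw bytes; -l prints only file names,
    # so binary content never reaches the terminal.
    # grep exits 1 for a batch without matches and find passes that on,
    # so the status is discarded and callers read the output instead.
    LC_ALL=C find "$root" -type f \
        \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \) \
        -exec grep -l -i -E "$SUSPECT_RE" {} + || true
}

# Succeed only if the file starts with a GIF signature. A .gif that
# fails this is worth inspecting even when no pattern matched.
is_real_gif() {
    LC_ALL=C head -c 6 "$1" 2>/dev/null | LC_ALL=C grep -q -E '^GIF8[79]a'
}
```

A file can pass `is_real_gif` and still be listed by `scan_uploads`, since script text can follow a valid GIF header; review each listed file before deleting it.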


                • Lee G
                  Senior Member
                  • Jun 2006
                  • 290
                  • 3.8.x

                  Did anyone that got hit have the vbseo site map running and notice any errors in google webmasters tools
                  I have just flat lined on traffic for the last two weeks
                  Followed the steps on editing the class core file
                  Admin area has been htaccess protected since getting hit with the base 64 divert once last year

                  In my google webmasters account on the site map, I have several warnings.
                  This is one of them

                  URLs not followed
                  When we tested a sample of URLs from your Sitemap, we found that some URLs redirect to other locations. We recommend that your Sitemap contain URLs that point to the final destination (the redirect target) instead of redirecting to another URL

                  HTTP Error: 302
                  URL: http://www.thespainforum.com/f188/ba...azette-239374/

                  Problem detected on: May 8, 2011

                  Just wondered if anyone else experienced the same when they got hit
                  .


                  • Ramsesx
                    Senior Member
                    • Aug 2005
                    • 3254
                    • 3.8.x

                    There was an exploit in the vbseo site map (vb.org) not long ago, but it has been fixed.
                    .......


                    • djbaxter
                      Senior Member
                      • Aug 2006
                      • 1418
                      • 4.2.5

                      Originally posted by Ramsesx
                      There was an exploit in the vbseo site map (vb.org) not long ago, but it has been fixed.
                      Make sure you update to the latest versions of vBulletin, vBSEO, and vBSEO Sitemap. But also make sure that you delete any leftover files from old versions, since they may continue to provide entry points for malware or hacks as long as they are on your server.
                      Psychlinks Web Services Affordable Web Design & Site Management
                      Specializing in Small Businesses and vBulletin/Xenforo Forums


                      • Ramsesx
                        Senior Member
                        • Aug 2005
                        • 3254
                        • 3.8.x

                        Originally posted by djbaxter
                        Make sure you update to the latest versions of vBulletin, vBSEO, and vBSEO Sitemap. But also make sure that you delete any leftover files from old versions, since they may continue to provide entry points for malware or hacks as long as they are on your server.
                        My post was just for information purposes, I don't have any issue. But thanks.
                        .......


                        • Paul M
                          Former Lead Developer
                          vB.Com & vB.Org
                          • Sep 2004
                          • 9886

                          Originally posted by Ramsesx
                          There was an exploit in the vbseo site map (vb.org) not long ago, but it has been fixed.
                          There was?
                          Baby, I was born this way


                          • Lee G
                            Senior Member
                            • Jun 2006
                            • 290
                            • 3.8.x

                            I just went on vbseo to check what the latest version of the site map is and I'm up to date on that one.
                            Still shows 3.0 as the current version
                            I also keep site map access to yahoo, bing, msn and google via htaccess ip allow
                            Found the odd normal person / website designer looking at it
                            Plus it locks down another admin area
                            .


                            • Ramsesx
                              Senior Member
                              • Aug 2005
                              • 3254
                              • 3.8.x

                              Originally posted by Paul M
                              There was?
                              Yes, you've participated in this thread.
                              Originally posted by Lee G
                              I just went on vbseo to check what the latest version of the site map is and I'm up to date on that one.
                              There was a vbseo_sitemap-3-0 PL1.zip released on 05 May 2011, in the add-on description it's still showing 11/11/2010 - Version 3.0 as the last released version in revision history, but that's wrong. So, be sure you have the PL1 installed.
                              .......


                              • Paul M
                                Former Lead Developer
                                vB.Com & vB.Org
                                • Sep 2004
                                • 9886

                                Originally posted by Ramsesx
                                Yes, you've participated in this thread.
                                By "participated" you mean I made one post, which was a question. That doesn't mean I'm suddenly aware of a sitemap exploit.

                                JFYI, a few posts down, Mert posted "I am sorry but we are talking about vBSEO product not sitemap generator.".
                                Baby, I was born this way
