vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.
  • BirdOPrey5
    Senior Member
    • Jul 2008
    • 9613
    • 5.6.3

    Envolve uses base64 encoding to encode usernames, that's why it set off the check 4 hack mod.

    Comment

    • Lee G
      Senior Member
      • Jun 2006
      • 290
      • 3.8.x

      Posted before checking my hard drive; there was a pol1 release with the file in it.

      Comment

      • Lee G
        Senior Member
        • Jun 2006
        • 290
        • 3.8.x

        I'm going deeper and deeper into the files now.

        Found two HTML files on the server which I can't find any mention of on the net.

        PHP Code:
        Phrase"# when back again awoke it came the sounds i and rainedslowly"
        File"ydnGKPFcq.html"
        Url to Check"http://www.thespainforum.com/ydnGKPFcq.html" 
        That file was called ydnGKPFcq.html

        And

        PHP Code:
        Phrase"# spirits but of troop blest a"
        File"ydnA6MIKw.html"
        Url to Check"http://www.thespainforum.com/ydnA6MIKw.html" 
        File called ydnA6MIKw.html

        Both files have been on the server for over a year:
        12 December 2008, 19:46:24
        07 February 2009, 23:23:20

        Comment

        • djbaxter
          Senior Member
          • Aug 2006
          • 1418
          • 4.2.5

          If this were me, I would:

          1. delete those files immediately; and

          2. change all my server and FTP and database passwords.
          Psychlinks Web Services Affordable Web Design & Site Management
          Specializing in Small Businesses and vBulletin/Xenforo Forums

          Comment

          • Lee G
            Senior Member
            • Jun 2006
            • 290
            • 3.8.x

            It gets better. I have now found a forumdisplay.php file which has April last year as its date.
            April last year I had a definite redirect in place.
            If there had been need to edit it for a mod, there would normally be a note in there.
            Just uploaded the original.
            I ran the file checker on vB and it never picked up that file.
            I don't think any mods from the org have ever required that file to be edited in any way.
            I have a copy of the file if anyone wants to look it over.
            Looks like another password change is on the way.

            Comment
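Lee G's checks above (an HTML file with no known origin, a forumdisplay.php with an unexpected date that the built-in file checker did not flag) amount to comparing a live install against a known-good copy. The Python script below is an added example, not code from the thread or from vBulletin: it hashes a pristine unpack and the live web root, then reports shipped files whose content changed, files that exist only on the live server, and shipped files that are missing. The directory names it skips (user-uploaded content) and the list of expected site-local files are assumptions, and the demo builds two small constructed trees in a temporary directory rather than reading a real install.

```python
import hashlib
import os
import tempfile

# Assumed vBulletin directories that hold user uploads rather than shipped code,
# so they are not compared against the pristine tree.
SKIP_DIRS = {"attachments", "customavatars", "customprofilepics", "signaturepics"}
# Assumed site-local files that a pristine unpack never contains.
KNOWN_LOCAL = {"includes/config.php", ".htaccess", "robots.txt"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, skip_dirs=SKIP_DIRS):
    """Map each relative path under root (forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(pristine, live, known_local=KNOWN_LOCAL):
    """Return (modified, unknown, missing): shipped files whose hash changed, files that
    exist only in the live tree and are not expected site-local files, and shipped
    files that are gone."""
    modified = sorted(p for p in pristine if p in live and live[p] != pristine[p])
    unknown = sorted(p for p in live if p not in pristine and p not in known_local)
    missing = sorted(p for p in pristine if p not in live)
    return modified, unknown, missing


def demo():
    """Build two small constructed trees in a temp dir and compare them."""
    files = {
        "pristine/forumdisplay.php": "<?php // shipped file\n",
        "pristine/includes/functions.php": "<?php // shipped helpers\n",
        "live/forumdisplay.php": "<?php // shipped file\necho 'unexpected addition';\n",
        "live/includes/functions.php": "<?php // shipped helpers\n",
        "live/includes/config.php": "<?php // site settings, expected to differ\n",
        "live/ydnGKPFcq.html": "# unexplained file, named as in the thread\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return compare(build_manifest(os.path.join(tmp, "pristine")),
                       build_manifest(os.path.join(tmp, "live")))


if __name__ == "__main__":
    modified, unknown, missing = demo()
    print("modified:", modified)   # shipped files to restore from the pristine copy
    print("unknown :", unknown)    # files to identify (add-on? verification file? dropped?)
    print("missing :", missing)
```

On a real site, point build_manifest at a freshly downloaded copy of the exact same vBulletin version and at the live web root, and add any add-on files you know about to the expected list before trusting the "unknown" column.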

            • BirdOPrey5
              Senior Member
              • Jul 2008
              • 9613
              • 5.6.3

              Originally posted by Lee G
              I'm going deeper and deeper into the files now.

              Found two HTML files on the server which I can't find any mention of on the net.

              PHP Code:
              Phrase"# when back again awoke it came the sounds i and rainedslowly"
              File"ydnGKPFcq.html"
              Url to Check"http://www.thespainforum.com/ydnGKPFcq.html" 
              That file was called ydnGKPFcq.html

              And

              PHP Code:
              Phrase"# spirits but of troop blest a"
              File"ydnA6MIKw.html"
              Url to Check"http://www.thespainforum.com/ydnA6MIKw.html" 
              File called ydnA6MIKw.html

              Both files have been on the server for over a year:
              12 December 2008, 19:46:24
              07 February 2009, 23:23:20
              It is possible those are files used to confirm you owned your website... sites like Google Webmaster Tools, Alexa, and others require a webmaster to upload files like that to prove ownership. While I haven't seen this specific format of file before, it was the first thing that came to mind when I saw what you posted. Are you sure you didn't upload such files to "prove" ownership in the past? Is there anyone else with FTP access who may have had reason to do so?

              Comment

              • Lee G
                Senior Member
                • Jun 2006
                • 290
                • 3.8.x

                I found that the forum display edit was something to do with me.
                Found that one edited on my hard drive.
                Had a hard drive take a permanent vacation since that happened.

                The strange thing with the other two files: they were only found on the forums and none of the other websites I own.
                Files similar to those would have been in other locations, local websites etc.
                Looking at the wording, they look like some kind of hacker tag.
                Google, Yahoo and Microsoft are all easy to see who they are for.
                I'm watching my error logs to see if any hits do show for those files.

                The good news on the remote database access on localhost: it has not come back in two weeks.
                Last edited by Lee G; Sat 6 Aug '11, 5:49am.

                Comment

                • niteflyer32
                  Member
                  • Nov 2008
                  • 70
                  • 3.7.x

                  We upgraded to 4.1.5 from 4.1.1 and have the Google myfilestore.com redirect. I don't see any funny files on the server. We set the User Remote YUI to Google before the upgrade and that appeared to fix the issue. Now after the upgrade we seem to have the exploit again.

                  We are not running vbSEO

                  Comment

                  • Trevor Hannant
                    vBulletin Support
                    • Aug 2002
                    • 24325
                    • 5.7.X

                    Are you still using the Remote YUI or has it reverted back?
                    Vote for:

                    - Admin Settable Paid Subscription Reminder Timeframe (vB6)
                    - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

                    Comment

                    • niteflyer32
                      Member
                      • Nov 2008
                      • 70
                      • 3.7.x

                      The Remote YUI is set to Google.

                      Comment

                      • FourTwenty
                        Senior Member
                        • Aug 2005
                        • 637
                        • 4.1.x

                        How do we test to see if we are affected?

                        Comment

                        • Trevor Hannant
                          vBulletin Support
                          • Aug 2002
                          • 24325
                          • 5.7.X

                          To check a site for compromises follow these steps:

                          1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

                          2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

                          3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

                          4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

                          5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

                          6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

                          The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
                          SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%pass_thru%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

                          If you have a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

                          7) Using PHPMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%pass_thru%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

                          It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

                          8) Check .htaccess to make sure there are no redirects there.

                          9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
                          Vote for:

                          - Admin Settable Paid Subscription Reminder Timeframe (vB6)
                          - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

                          Comment
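Steps 4 to 8 of the checklist above can also be run outside phpMyAdmin once the plugin and template rows have been exported. The Python script below is an added example, not the thread's or vBulletin's own code. It assumes rows shaped like the two queries' result sets (dicts with title, phpcode or template, and product) and a .htaccess read from disk; the plugin rows, .htaccess lines and hostnames in it are constructed. Compared with the LIKE '%exec%' style patterns it tightens each match to function-call or tag syntax so that words such as "execute" in ordinary code do not trigger, matches both passthru and pass_thru, treats base64 on its own as "review" rather than "high" (BirdOPrey5 notes earlier in the thread that Envolve legitimately base64-encodes usernames), adds include/require of a URL for step 4, and flags .htaccess redirects whose target host is not one of your own.

```python
import re

# Patterns from the checklist, tightened to call/tag syntax. Names in HIGH are
# code execution or content injection; base64 alone only earns a "review".
HIGH = {"eval", "exec", "system", "passthru", "remote_include", "iframe"}
PATTERNS = {
    "base64_decode":  re.compile(r"\bbase64_decode\s*\(", re.I),
    "base64_encode":  re.compile(r"\bbase64_encode\s*\(", re.I),
    "eval":           re.compile(r"\beval\s*\(", re.I),
    "exec":           re.compile(r"\b(?:shell_)?exec\s*\(", re.I),
    "system":         re.compile(r"\bsystem\s*\(", re.I),
    "passthru":       re.compile(r"\bpass_?thru\s*\(", re.I),
    "iframe":         re.compile(r"<\s*iframe\b", re.I),
    # include/require of a URL instead of a local file (step 4 of the checklist)
    "remote_include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:https?|ftp)://", re.I),
}
# Redirect/RewriteRule lines whose target is an absolute URL; group 3 is the host.
REDIRECT_RX = re.compile(r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+.*?(https?://([^/\s]+)\S*)", re.I)


def scan_code(text):
    """Return [(pattern_name, line_number), ...] for every pattern hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def severity(hits):
    """'high' for execution/iframe hits, 'review' for base64-only hits, else 'clean'."""
    names = {name for name, _ in hits}
    if names & HIGH:
        return "high"
    return "review" if names else "clean"


def scan_rows(rows, code_field):
    """Apply scan_code to rows shaped like the plugin (phpcode) or template (template) query results."""
    report = []
    for row in rows:
        hits = scan_code(row[code_field])
        report.append({"title": row["title"], "product": row.get("product", ""),
                       "hits": hits, "severity": severity(hits)})
    return report


def find_offsite_redirects(htaccess_text, own_hosts):
    """Return [(line_number, target_url)] for redirects pointing at a host not in own_hosts."""
    found = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = REDIRECT_RX.search(line)
        if m and m.group(3).lower() not in own_hosts:
            found.append((lineno, m.group(2)))
    return found


# Constructed sample rows, shaped like the plugin query result set.
SAMPLE_PLUGIN_ROWS = [
    {"title": "Thread View Counter (constructed, benign)", "hookname": "showthread_start",
     "product": "vbulletin", "phpcode":
     "// execute the counter update once per view\n"
     "$vbulletin->db->query_write(\"UPDATE \" . TABLE_PREFIX . \"thread SET views = views + 1\");\n"},
    {"title": "Envolve chat bar (constructed, benign base64 use)", "hookname": "global_start",
     "product": "envolve", "phpcode":
     "$env_user = base64_encode($vbulletin->userinfo['username']);\n"},
    {"title": "Cache Helper (constructed, backdoor-shaped)", "hookname": "global_start",
     "product": "vbulletin", "phpcode":
     "eval(base64_decode('cGxhY2Vob2xkZXI='));  // blob is just base64 of 'placeholder'\n"},
    {"title": "Footer (constructed, injected iframe)", "hookname": "global_complete",
     "product": "vbulletin", "phpcode":
     "echo '<iframe src=\"http://redirect.example/\" width=\"1\" height=\"1\"></iframe>';\n"},
]

# Constructed .htaccess: one same-host redirect (fine) and one off-site redirect (flag).
SAMPLE_HTACCESS = """\
RewriteEngine On
# legitimate: old forum path moved on the same host
Redirect 301 /oldforum http://www.example.com/forum
RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]
"""

if __name__ == "__main__":
    for r in scan_rows(SAMPLE_PLUGIN_ROWS, "phpcode"):
        print(f"[{r['severity']:6}] {r['title']} ({r['product']}): {r['hits']}")
    for lineno, url in find_offsite_redirects(SAMPLE_HTACCESS, {"www.example.com"}):
        print(f"[high  ] .htaccess line {lineno} redirects off-site to {url}")
```

For template rows (step 7) call scan_rows(rows, "template"); the same patterns apply. A "review" result still needs a human look, as the checklist says, and a "clean" result only means none of these particular patterns matched.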

                          • MikesSite
                            Senior Member
                            • Jan 2009
                            • 173
                            • 3.8.x

                            For anyone using vBCMS that is having this issue, check this out http://www.vbadvanced.com/forum/showthread.php?t=44720

                            Comment

                            • Zachery
                              Former vBulletin Support
                              • Jul 2002
                              • 59097

                              Mikesite, that is not the vbcms. That is vBadvanced.

                              Comment

                              • Wayne Luke
                                vBulletin Technical Support Lead
                                • Aug 2000
                                • 73979

                                This thread is simply too long and too convoluted to provide individual support at this time. If you have an issue that you feel is caused by this or a similar problem, please open your own thread. It is a lot easier to handle support in individual threads instead of large convoluted threads that are a year old.
                                Translations provided by Google.

                                Wayne Luke
                                The Rabid Badger - a vBulletin Cloud demonstration site.
                                vBulletin 5 API

                                Comment
