Possible Exploit

  • punchbowl
    Senior Member
    • Nov 2006
    • 3903
    • 4.0.x

    #31
    This being in the 3.8 forum would be the first clue.

    I've 3.8, no vbseo and don't have it. I hope!


    • Jafo
      Senior Member
      • Apr 2004
      • 278

      #32
      Originally posted by Talaturen
      Nope, you are wrong. I've checked backups on the _abstract file from around 5 days ago (and the file hasn't been changed since I updated to 3.6.0). The same patch they are telling us to apply is already applied on that file, and other users on vBSEO forum have confirmed this too.
      I downloaded 3.6.0 TODAY and it was not there. I opened a ticket with vbseo and they stated:

      Hello,

      Thank you for details. Indeed, this line was not updated in the vBSEO package for some reason, although it's updated in the code repository. We are investigating why that happened (the package in downloads area is now updated).
      So check again..


      • Talaturen
        New Member
        • Dec 2005
        • 12
        • 3.8.x

        #33
        Originally posted by Wayne Luke
        You're posting in the 3.8X forum.
        My bad, a friend sent me the link to this thread, I had no idea it was for 3.8.

        Originally posted by Jafo
        I downloaded 3.6.0 TODAY and it was not there. I opened a ticket with vbseo and they stated:



        So check again..
        The one I downloaded when 3.6.0 was released already had the patch applied, and I also downloaded a copy today to diff it to the files I have installed and there was no difference in that function (it's possible I downloaded after they updated the package though). Either way, my point is that my forum was running with this patch when the backdoor plugin was added.


        • Jafo
          Senior Member
          • Apr 2004
          • 278

          #34


          Looks like it is a combination.. Apparently the javascript was infected on THEIR site, so when you went into vbseocp.php, it called the infected javascript, which then ran against the bad function. If you upgraded and you didn't have the updated abstract file, it infected you. Wow, pretty ingenious..


          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73981

            #35
            At least it is contained now.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API


            • Jafo
              Senior Member
              • Apr 2004
              • 278

              #36
              Originally posted by Talaturen
              Nope, you are wrong. I've checked backups on the _abstract file from around 5 days ago (and the file hasn't been changed since I updated to 3.6.0). The same patch they are telling us to apply is already applied on that file, and other users on vBSEO forum have confirmed this too.
              We actually may both be right here.. You said since you updated to 3.6.0? When was that? I am wondering if the package has been compromised since.. Since it appears vbseo.com itself was hacked, it is not a stretch to say the hackers rolled back the abstract php file so this very exploit would work... It seems to be too much of a coincidence that this patch, added over a year ago to their repo, is not in the package today, when that very patch is required to have the hack on vbseo.com actually work..


              • Jafo
                Senior Member
                • Apr 2004
                • 278

                #37
                Originally posted by Wayne Luke
                At least it is contained now.
                From what I see, they don't even know how vbseo.com was compromised.. Contained as in, we know where the problem is, but we have no idea how deep.


                • The Rocketeer
                  Senior Member
                  • Jun 2010
                  • 140

                  #38
                  Thanks to Wayne for pointing me to this thread. This has also been happening to me, actually. It has happened twice in the past two months (I was running 4.1.8). First my members were telling me that the site has viruses / malware according to Avast, then many of the features stopped working properly; it was some kind of a JavaScript infection. Then I also got this report from AVG that says the site is still compromised.

                  Wayne had a look for me earlier and I have upgraded to 4.1.0 since and will also be updating the functions_vbseocp_abstract.php patch, but I am still not sure if my site is infection free or not.
                  Jafo - If you don't mind, I would like to send you some details of my site; maybe that will help you in your investigation to further nail down this issue and if it is only being caused by vBSEO or if there is something else related, as well as getting rid of any leftover infections from my site.
                  Last edited by The Rocketeer; Mon 23 Jan '12, 4:22pm.


                  • Jafo
                    Senior Member
                    • Apr 2004
                    • 278

                    #39
                    I am not really available for any other side work at this time. Should I see anything else of note on this, I will be sure to update this thread.


                    • The Rocketeer
                      Senior Member
                      • Jun 2010
                      • 140

                      #40
                      Originally posted by Jafo
                      I am not really available for any other side work at this time. Should I see anything else of note on this, I will be sure to update this thread.
                      No no, I wasn't asking for side work. I just thought you might want to have a look at my setup and files, since we are having similar issues; maybe that would bring a few more things to light, that's all.


                      • The Rocketeer
                        Senior Member
                        • Jun 2010
                        • 140

                        #41
                        Unfortunately I have some updates regarding this issue. I was just contacted by someone from AVG and according to them the infection caused by this exploit goes further down and infects some other vBSEO files such as the script files, perhaps as a back door. Reason why I offered earlier to have a look through my site / server / files.

                        Hi,

                        The detection is correct.

                        If you are affiliated with this site, you need to check all pages and
                        script files for script injections similar to the one seen:

                        http://tomorrowsgaming.com/vbseo/resources/scripts/vbseo_ui.js?v=a4

                        at the very end of the file, that starts:

                        var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B[...]

                        Further, you should perform a full and thorough security audit of the
                        site and the server(s) hosting it to ascertain how these (presumably)
                        illicit code injections were achieved. Rectifying all issues that such
                        an audit uncovers will be necessary to prevent the site being similarly
                        compromised again in the future.
                        Earlier I have applied the fix simply by replacing the file, but for this I am not sure what I need to do; I have never done any vbulletin / vbseo work. Should I just upload and overwrite the files and run something or do I have to completely uninstall and re install vBSeo and lose all my settings?
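The check the AVG mail quoted in post #41 asks for (look in every script file for an appended block that starts like `var _0x4470=["\x39\x3D...`), sketched here as an added example; it is not code from any poster, AVG or vBSEO. The thresholds, file names and sample blob are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Shape quoted in the AVG mail: var _0x<hex>=["\xNN\xNN..."] appended to a script.
DECL = re.compile(r'var\s+_0x[0-9a-fA-F]+\s*=\s*\[')
HEX_ESC = re.compile(r'\\x[0-9a-fA-F]{2}')

# Constructed sample input: a harmless stand-in for a script and an appended blob.
CLEAN = 'function ui_init() { return document.title; }\n'
BLOB = ('var _0xc0de=["'
        + "".join(f"\\x{b:02x}" for b in b"constructed sample")
        + '"];\n')

def find_appended_blob(text, min_escapes=8, min_density=0.5):
    """Return the offset of a _0x array declaration whose tail (declaration to
    end of file) is mostly \\xNN escapes, or None. Thresholds are assumptions."""
    for m in DECL.finditer(text):
        tail = text[m.start():]
        escapes = HEX_ESC.findall(tail)
        # Each escape is 4 characters; density is their share of the tail.
        if len(escapes) >= min_escapes and 4 * len(escapes) / len(tail) >= min_density:
            return m.start()
    return None

def scan_tree(root):
    """Map every flagged .js file under root to the offset where the blob starts."""
    hits = {}
    for path in sorted(Path(root).rglob("*.js")):
        offset = find_appended_blob(path.read_text(errors="replace"))
        if offset is not None:
            hits[path.relative_to(root).as_posix()] = offset
    return hits

def demo():
    """Scan a constructed tree holding one clean and one tampered script."""
    with tempfile.TemporaryDirectory() as d:
        scripts = Path(d, "resources", "scripts")
        scripts.mkdir(parents=True)
        (scripts / "clean.js").write_text(CLEAN)
        (scripts / "tampered.js").write_text(CLEAN + BLOB)
        return scan_tree(d)

if __name__ == "__main__":
    print(demo())
```

The reported offset marks where the original script ends, which helps when comparing a flagged file against a copy from a known-good package.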


                        • Wayne Luke
                          vBulletin Technical Support Lead
                          • Aug 2000
                          • 73981

                          #42
                          Originally posted by The Rocketeer
                          Unfortunately I have some updates regarding this issue. I was just contacted by someone from AVG and according to them the infection caused by this exploit goes further down and infects some other vBSEO files such as the script files, perhaps as a back door. Reason why I offered earlier to have a look through my site / server / files.



                          Earlier I have applied the fix simply by replacing the file, but for this I am not sure what I need to do; I have never done any vbulletin / vbseo work. Should I just upload and overwrite the files and run something or do I have to completely uninstall and re install vBSeo and lose all my settings?
                          You should ask about this over at the vBSEO website. This is a different issue than what is outlined in this thread.

                          • The Rocketeer
                            Senior Member
                            • Jun 2010
                            • 140

                            #43
                            Originally posted by Wayne Luke
                            You should ask about this over at the vBSEO website. This is a different issue than what is outlined in this thread.
                            Not entirely true.
                            What is outlined in this thread is the exploit, what I have outlined is one of the many effects that are caused by the exploit.
                            It may be slightly different but it is very much related to the matter we are discussing here. This could very well be the case for many users like myself who have just patched the exploit without paying attention to fix the leftover infections / backdoors when they had a look, much like how you didn't notice it when you had a look, Wayne; and I'd rather have other users know about it now than finding out by themselves later.


                            • Wayne Luke
                              vBulletin Technical Support Lead
                              • Aug 2000
                              • 73981

                              #44
                              The exploit in this thread does not involve code at the bottom of Javascript on your site. It involves code at the bottom of a file on the vBSEO site. If you have exploited code on your site in the Javascript uploaded to your server, it is a different issue. They may seem similar but they are not.

                              Regardless, the file you said was exploited is called vbseo/resources/scripts/vbseo_ui.js?v=a4

                              Even if it was the same issue, it is a vBSEO issue and you need to visit vBSEO.com for support with vBSEO issues.

                              • The Rocketeer
                                Senior Member
                                • Jun 2010
                                • 140

                                #45
                                I understand that; my point is simply that due to this vBSEO exploit the exploited code on my site's JavaScript was entered or uploaded in the first place. They may seem different, and I am not saying that they are similar or the same, I am saying that they are "related". Because of this exploit my setup kept getting compromised in the first place and even after applying the patch there were compromised files / backdoors left that many users may not be able to detect; you weren't.

                                It isn't just 1 exploited file (vbseo/resources/scripts/vbseo_ui.js?v=a4); there are well over 20 infected files that are mostly vBSEO related.
                                And again, I know this is a vBSEO issue; is the exploit also not a vBSEO issue? Are we not allowed to discuss possible security issues with our plugins? I am not seeking support here, I will be asking vBSEO for that, but for the sake of the argument, what's wrong if a member were to try and support me? This is vital information that I felt like others should know about since we have brought up the topic about the exploit; why not include some issues that have been caused by it? Since you missed it easily, chances are many others with less computer skills such as myself might as well.

                                They are different, they are not similar or the same, but they are very much related. One happens because of the other one.
