No offense, but the support for this has been really sad here. I mean, instead of just pointing to a jumbled mess of a thread where people are trying to figure it out. How about a concise thread with all the fixings? I realize it is not
vbseo's fault, but since it directly effects
vbseo, and all the
vbseo customers could potentially have this problem, having a concise thread would be nice.
Anyhow... Here's what I've gathered as I am also having this issue.
THE BUG...
The fact that people can upload custom avatars, custom signature pics, or custom images into the signature line. What is happening is that a PHP file, disguised as a .gif is uploaded and then run remotely. It throws base64 code into
vbseo which forces a javascript redirect and cookie. The cookie means the redirect only happens once, but it is annoying, and is a drop in traffic. On a side note, more malicious code COULD be uploaded.
WHAT YOU MIGHT READ...
Many of the yahoos here want you to chmod 755 any writable directory. But what they fail to realize is that your signaturepics and customavatars directory must be 777 for people to upload. I read that far too often in that other thread.
WHAT YOU MUST DO...
STEP 1:
Is add an .htaccess file to every writable directory that someone can upload photos into.
Code:
RedirectMatch 404 .*php\.
The other code for .htaccess I've read is this one
Code:
<Files ~ "\.(php\d*|cgi|pl|phtml)$">
order allow,deny
deny from all
</Files>
Not sure which one is more correct at this point, but both should work. Most folks have been going with the second one.
Thankfully .htaccess has a recursive effect, so if you put it in the offending directories, that should solve the issue.
The directories you need to add this file to is:
customavatars
signaturepics
customprofilepics
attachments
STEP 2:
Reupload the crawlability_vbseo.xml file as a product. This will clear out the cache and fix your site immediately... As long as nothing else has been compromised.
Step 3:
I would say disallow uploads to your server. At least break it up. Have a different usergroup for premium members, or however you break it out on your site, and allow them to upload files. But keep the uploads only to them, not to the new folks and spammers.
If you're allowing uploads to the new members, you're keeping yourself open to this type of attack.
Step 4:
Remove any evil .gif files off your server
To do this, ssh to your server and run this command:
Code:
find /home/main -regex '.*\.gif$' -exec grep php {} \;
Change the /home/main to fit your main root directory. Delete the matches in those upload directories!! I usually check them first, but remove them.
Step 5:
Lastly, if you have been hacked, change your passwords. Just in case.
......................
So that's what I've gathered in a nutshell. Hopefully that will help someone out instead of just being pointed to a ton of threads, with half of them having misinformation.
Originally Posted by painthappy
Go to Profile
Mark as Read
