hacked by url123.info

**belcamino** · 07-10-2012 07:44 AM

I am having the 100% exact issues as Bmastro amd Ducati1.

Anxiously awaiting help.

Bmastro/Ducati1- can you list the plugins you are using that may help narrow it down if I am using the same ones (maybe).

**Bmastro** · 07-10-2012 08:15 AM

I use only:
Check 4 Hacking
forum_icons
vbseo
vbseo Sitemap Generator
vBSEO :: Suspicious Activity Tracker

**belcamino** · 07-10-2012 08:35 AM

I actually think this whole issue (after looking at logs from vBSEO :: Suspicious Activity Tracker, that we may be suffering from a mysql injection on PHP pages.

Not sure how to stop these (if that is the case).

**Romchik®** · 07-10-2012 08:36 AM

Same here...

vBSEO was updated (second time even

).
With help of "vbseo_checkplugins4" datastore was cleaned.

In 2 hours again problem with forum style (some pages showed without CSS) and "vbseo_checkplugins4" found another shit.

"vBSEO :: Track suspicious activity" installed, but I haven't recieved mail.
I don't see strange plugins.

**belcamino** · 07-10-2012 08:38 AM

Originally Posted by Romchik®

Same here...

vBSEO was updated (second time even

).
With help of "vbseo_checkplugins4" datastore was cleaned.

In 2 hours again problem with forum style (some pages showed without CSS) and "vbseo_checkplugins4" found another shit.

"vBSEO :: Track suspicious activity" installed, but I haven't recieved mail.
I don't see strange plugins.

Make sure you go to Vbulletin Options -> vBSEO :: Track suspicious activity and enter your email.

**belcamino** · 07-10-2012 08:40 AM

Again... from all three of the reports I have gotten show at the end someone appears to be injecting mysql data into a php page.

From the report:

SERVER: array (
'DOCUMENT_ROOT' => '/home/**********/public_html',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_ACCEPT' => 'image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*',

**Romchik®** · 07-10-2012 08:55 AM

Originally Posted by belcamino

Make sure you go to Vbulletin Options -> vBSEO :: Track suspicious activity and enter your email.

yep, my addrese was there, this is not cause...

**Sparkiller** · 07-10-2012 10:41 AM

Okay, i now collected 4 log entries that correspond with the warning-mail:

hacked by url123.info - vBulletin SEO Forums

Perhaps the search.php (in cooperation with vbseo?) has some kind of security flaw that allows mysql-inserts?

Edit: Make it five. "Busy" day.

**Ducati1** · 07-10-2012 01:10 PM

I have now disabled vbseo, will see what happens next. I checked vbulletin.com and .org forums, maybe this helps you guys:

https://www.vbulletin.com/forum/entr...s-%28Part-2%29
Fix-it: Template Edition - vBulletin.org Forum

**belcamino** · 07-10-2012 01:35 PM

I have had 3 today... sigh.

I have the code output from the reports if someone smarter than me wants to help me figure it out...

**belcamino** · 07-10-2012 01:38 PM

The report shows the injection bas64 right after the Miserable Users plugin code. I removed that and we will see what happens.

I love that plugin... so I hope that is not root-cause.

**Sparkiller** · 07-10-2012 01:44 PM

Originally Posted by belcamino

The report shows the injection bas64 right after the Miserable Users plugin code. I removed that and we will see what happens.

Could mean nothing. For me it's between vbseo and Photoplog:

if(defined('VBSEO_ENABLED')) vbseo_complete_sec('global_start'); eval(CHR(36).CHR(120).CHR(61).CHR(39).@b89f70ebe458b789f84957bdf8348a6d.CHR(39).CHR(59).@base64_decode(blahblahblah)); ";s:15:"cache_templates";s:3859:"// PhotoPlog if (in_array(THIS_SCRIPT, array('index','member','search','adv_index')))

Btw, according to Alexa the hack had nearly vanished up until the beginning of July:

Url123.info Site Info

620% in 7 days! 11,391 in the world ranking. No wonder, no one wants to admit this screw up.

**Bmastro** · 07-10-2012 02:57 PM

Do you remember that vBSEO :: Suspicious Activity Tracker don't send me any mail?

Well, till a few hours ago Check 4 Hacking sent me white mails (so all OK).
Then, when my website was hacked again, Check 4 Hacking stopped to send me notifications.
So I don't know nothing about the hack.

The hacker has got not only the latest version of VBSeo and VBulletin, but also the plug-ins against the hackers.
He is one of us.

**Bmastro** · 07-10-2012 03:00 PM

Originally Posted by Sparkiller

Url123.info Site Info

620% in 7 days! 11,391 in the world ranking. No wonder, no one wants to admit this screw up.

and myfilestore.com +440% in the last 7 days

**control1110** · 07-10-2012 08:16 PM

I am having the same issue. I have yet to find a solution for this. I have my e-mail entered in the settings for the suspicious activity tracker but have not received a single e-mail.

hacked by url123.info

LinkBack

Thread Tools

Display

Similar Threads

vBulletin 3.x Hacked

hacked??

Posting Permissions