
register_globals = Off to prevent url123.info or file2store.info does not work


  1. #1
    Junior Member Array
    Real Name
    Mark
    Join Date
    Jul 2006
    Posts
    14
    Liked
    0 times

    register_globals = Off to prevent url123.info or file2store.info does not work

    In order to reply to the last comment of the closed thread: http://www.vbseo.com/f3/hacked-url123-info-53045/
    The solution is disabling Register Global on your server More on register_globals: PHP: Using Register Globals - Manual

    We strongly advise everyone to contact your host and make sure to disable Register Global within PHP urgently
    I have had the redirection to file2store.info for the last 6 months and have been trying to delete it.
    My register_globals = Off for the last years.

    So this cannot be the resolution.


    But today I deactivated "vBSEO :: Suspicious Activity Tracker" in my ACP plugin list and the base64 entry in datastore / plugin list
    was gone.
    I did not delete it ... !!

  2. #2
    Member Array
    Real Name
    Davide
    Join Date
    Jan 2009
    Posts
    35
    Liked
    2 times
    Quote Originally Posted by Mark.S View Post
    But today I deactivated "vBSEO :: Suspicious Activity Tracker" in my ACP plugin list and the base64 entry in datastore / plugin list
    was gone.
    I did not delete it ... !!
    This is interesting considering the dialog I reported 2 days ago:

    Waraxe: How about plugins, do you have plugin management privileges?

    Forum user: Yes i have plugin management privileges, but I've tried to upload a shell through the plugins option and I get an error, I also tried using the option of styles, templates, language, etc.. and I always get the same result.

    Waraxe: Plugins basically are giving you php level access already.
    If you try to use c99 or some other similar php shell, then there can be interference from IPS (mod_security, etc).
    You don't always need special tools, things can be done manually or with custom written light-weight scripts.


    http://www.vbseo.com/f3/hacked-url12...45/index6.html

    Maybe Waraxe has management privileges of a few plugins

  3. #3
    Senior Member Array
    Real Name
    TopAs
    Join Date
    Jul 2005
    Location
    Isernhagen near Hannover Germany
    Posts
    198
    Liked
    3 times
    Disabling a plugin resets the datastore; it is not related to the tracking plugin.

  4. #4
    Member Array
    Real Name
    Diego
    Join Date
    Oct 2009
    Posts
    54
    Liked
    7 times
    TopAs but the "question" is that he doesn't have register_globals on and had the same problem as us.

  5. #5
    vBSEO.com Webmaster Array Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    23,463
    Liked
    721 times
    Blog Entries
    4
    register_globals is not the only way they attack your site. Register_globals was the case on Topas's instance. It had nothing to do with vBSEO or vBulletin.

    Ways they attack servers :

    Chmod 777 folders
    Wrong permissions
    File injections ( gif's as regular files )
    Register_global

    Securing these and many others are all your responsibilities. Unfortunately there is not much we can do except advising you guys to secure your server.

    If your server blames vBSEO or vBulletin, it means that host has paid its time and you should move on to a serious host that is specialized in security.
    Mert Gökçeimam / Crawlability Inc.

    vBSEO 3.6.0 Alpha Önizlemesi - Including Like Tree
    Unveiling the NEW vBSEO Sitemap Generator 3.0 - available NOW for vBSEO Customers!


    Twitter:@Depkac
    Personal Blog : Mert Gökçeimam
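
An added example, not part of the post above or of any vBSEO/vBulletin code: a small audit that walks a web root and reports the filesystem items from the list in post #5 (chmod 777 folders, wrong permissions, PHP hidden in image files). The function name, the issue labels and the set of image types are assumptions made for this illustration.

```python
import os
import stat

# Leading magic bytes for the image types checked here (assumed set).
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def audit_webroot(root):
    """Return sorted (issue, relative_path) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # World-writable directory, e.g. the result of chmod 777.
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                findings.append(("world-writable-dir", os.path.relpath(path, root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, devices
            if mode & stat.S_IWOTH:
                findings.append(("world-writable-file", rel))
            magic = IMAGE_MAGIC.get(os.path.splitext(name)[1].lower())
            if magic is None:
                continue  # not an image extension we know how to check
            with open(path, "rb") as fh:
                data = fh.read()
            # Extension says image, but the header does not match.
            if not data.startswith(magic):
                findings.append(("image-bad-magic", rel))
            # Valid-looking image that carries a PHP open tag.
            if b"<?php" in data.lower():
                findings.append(("image-contains-php-tag", rel))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for issue, rel in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{issue}\t{rel}")
```

A finding is a lead to review, not proof of compromise; the short `<?` tag is deliberately not matched because it occurs by chance in binary image data.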

  6. #6
    Senior Member Array
    Real Name
    TopAs
    Join Date
    Jul 2005
    Location
    Isernhagen near Hannover Germany
    Posts
    198
    Liked
    3 times
    Quote Originally Posted by Mert Gökçeimam View Post
    It had nothing to do with vBSEO.
    Contact your developers - this is wrong. In my case the exploit code was executed because of a design flaw in vbseo. I did not turn register globals to off but fixed it within the vbseo.php code. Properly designed code has no problems with globals turned on ! (like vbulletin).

  7. #7
    vBSEO.com Webmaster Array Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    23,463
    Liked
    721 times
    Blog Entries
    4
    I am one of the developers and sorry Topas, I have 0 desire to argue with you as it is clear you already set your mind and nothing will change it. Good luck

  8. #8
    Senior Member Array
    Real Name
    TopAs
    Join Date
    Jul 2005
    Location
    Isernhagen near Hannover Germany
    Posts
    198
    Liked
    3 times
    Quote Originally Posted by Mert Gökçeimam View Post
    I am one of the developers and sorry Topas, I have 0 desire to argue with you as it is clear you already set your mind and nothing will change it. Good luck
    Ok - if you were right the exploit would be successful even if vbseo is not installed. Is this the case ?
    No !

    the PHP manual describes :
    "Of course, simply turning off register_globals does not mean your code is secure. For every piece of data that is submitted, it should also be checked in other ways. Always validate your user data and initialize your variables!"

  9. #9
    vBSEO.com Webmaster Array Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    23,463
    Liked
    721 times
    Blog Entries
    4
    Topas, did you ever check around to see how many non-vBSEO websites are affected by this? I bet no. Juan sent a bunch of them to you by PM but you seem not to care about anything. Unfortunately I am seeing the most common thing around the internet. When someone believes in one thing, he defends that with his life even if it is wrong. That's why there is no point in arguing. You may believe whatever you believe, Topas.

  10. #10
    Senior Member Array
    Real Name
    TopAs
    Join Date
    Jul 2005
    Location
    Isernhagen near Hannover Germany
    Posts
    198
    Liked
    3 times
    Juan does not send me these pages - but I am aware that there are many other pages affected. But you did not answer my question ....
    "If you were right the exploit would be successful even if vbseo is not installed. Is this the case ? "

  11. #11
    vBSEO.com Webmaster Array Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    23,463
    Liked
    721 times
    Blog Entries
    4
    They don't need vBSEO installed to handle their attack ToPas

  12. #12
    Senior Member Array
    Real Name
    TopAs
    Join Date
    Jul 2005
    Location
    Isernhagen near Hannover Germany
    Posts
    198
    Liked
    3 times
    After adding some lines of code to the vbseo.php the exploit could not execute php commands anymore.
    I have been hosting my site since 1998 - this was the first critical exploit I had ....

  13. #13
    Junior Member Array
    Real Name
    bforum
    Join Date
    Aug 2010
    Posts
    8
    Liked
    2 times
    Quote Originally Posted by Mert Gökçeimam View Post
    It had nothing to do with vBSEO.
    You mean just like the Rogue Plugins Exploit had nothing to do with vBSEO until one of your customers located the problem on your server?

    You may be right that the attacks are not caused by vBSEO itself. But if vBSEO cannot run securely on servers with a common setting like "register_globals = on" then the problem does have a lot to do with vBSEO!

    Our site was attacked a number of times. At the end we uninstalled vBSEO and removed all traces of the product from our server. Since then we have not had any problems.

  15. #15
    Member Array
    Real Name
    Diego
    Join Date
    Oct 2009
    Posts
    54
    Liked
    7 times
    And why doesn't vbseo investigate the changes that TopAs made on vbseo archives and make it official in a new vbseo version or patch?
