Url123 Redirect. Tried everything, I am at wits end.

I have changed all pws, checked for ftp accounts, made sure I had no external mysql connections, rebuilt the parsed templates to make sure they had no malicious code. Checked for base64 in both templates and plugins.

CHMOD all folders to 644 unless needed for users (like avatars), those that are 777 write-able have .htaccess files protecting them from executing php.

Checked all plugins (all are known to me). Deleted ones that I didn't use or didn't trust.

Had my host scan for viruses.

VBSEO is 3.5.2, not current version.

And yet... every few hours it comes back.

I am not blaming VBSEO, but their staff has helped in the past, so I am posting here.

Can anyone help?

Bill

Update:

Just updated to vbulletin 3.8.7 patch lvl3

But I am mistaken, I am running VBSEO 3.5.2, will upgrading to 3.6 help?

Hello ,

Url redirect issue is a server security issue. It is not related to vBSEO , however you should always run latest released stable vBSEO versions.

I've heard. Where do you suggest I go to get some support for the server security issue?

Bill

Lastly, the Check cB instance for suspicious plugins (v4) shows this when I am being redirected:

vBSEO - Check vB instance for suspicious plugins (v4)
Checking datastore pluginslist: DETECTED: eval(CHR [Click here to reset datastore]
---------------------
Checking plugins code
---------------------
Done.

Does that help in any way?

Also installed the plugin monitoring tool and verified it is working.

I will send the report it gives me.

(Thanks for your help).

Moved my discussion here to a larger thread (feel free to close this one):

http://www.vbseo.com/f3/hacked-url12...45/index5.html

That thread got locked.

The vbseo developers say there's no correlation between the 123url.info hacking and vbseo.

And yet the vbseo board is flooded with reports of being hacked, but there are only a couple on vbulletin.com - from vbseo owners.

Hard not to conclude there's an exploit somewhere related to vbseo.

Well, still no proof it was VBSEO and frankly I am just glad it is fixed so I can resume normal operations.

belcamino fixed temporary (like before) or malware is gone forever? and how did you fixed? removing "register_globals"?

Disabling register_globals is enough? Without reinstalling all?

Hello Brian ,

The thread is locked as many people are posting wrong information. I can quickly find 20-30 link on vBulletin with the exact same issue. Attackers are targetting vBSEO because they know vBSEO users are having good traffic so they will make money with the attacks.

We investigated the report Topas supplied ( who claimed it was a vBSEO issue ) and it is directly related to register_global on his case.

Hello Mert, what about my question?
If we had problems only with register_global, is enough disabling it without reinstalling VBulletin and Vbseo?
Thanks in advance

Hello David ,

The safest thing to do imo :

1. Search your public dir for any suspicious files
2. Disable register_global
3. Make sure your server has correct user - privillege's set
4. Protect chmod 777 directories
5. Make sure your server doesn't allow wildcard remote MySQL connection
6. Replace all passwords on your ftp , admincp , vbseo cp , db etc... with strong informtion
7. Use custom config.php file

Originally Posted by Mert Gökçeimam

I can quickly find 20-30 link on vBulletin with the exact same issue. Attackers are targetting vBSEO because they know vBSEO users are having good traffic so they will make money with the attacks.

We investigated the report Topas supplied ( who claimed it was a vBSEO issue ) and it is directly related to register_global on his case.

The few examples I've seen on vbulletin have vbseo'd forums in their sig links.

By saying that vbseo is specifically attacked, you seem to be admitting that the vulnerability is specific to vbseo. Or are you saying that the way vb handles plugins in general is the vulnerability?

Either way, I've been 24hours without an attack since having register_globals switched to off - sincerely hoping this is the end of it.