
Url123 Redirect. Tried everything, I am at wits end.


  1. #31
    Andrés Durán Hewitt (vBSEO Staff)
    Quote Originally Posted by bforum View Post
    So why would the hackers limit themselves to targeting vBSEO-sites if they could just as easily attack all VB-sites?
    Hello,

    By saying that vBSEO has been targeted due to its popularity, I did not necessarily mean that vBulletin itself has been marked as a non-exploitable resource for hackers. Several patch level versions of vBulletin have rolled out over the last 8 months due to this fact.

    The issue has always been tied to third-party mods, and we've narrowed down that the common vector among the forums that were affected by this is the "register_globals" directive. The mentioned setting does represent a security issue for any PHP-powered website, no matter whether it is running vBulletin or not.

    As a matter of fact, thousands of websites that have never run vBulletin were hacked as well. And many vB customers reported the same issue without having vBSEO installed on their sites:

    https://www.vbulletin.com/forum/show...=1#post2066918
    https://www.vbulletin.com/forum/show...=1#post2168506
    https://www.vbulletin.com/forum/show...=1#post2183384
    https://www.vbulletin.com/forum/show...=1#post2198971
    https://www.vbulletin.com/forum/show...=1#post2164527
    https://www.vbulletin.com/forum/show...=1#post2280347
    https://www.vbulletin.com/forum/show...=1#post2284228 (they disabled vBSEO, and the issue never went away)
    https://www.vbulletin.com/forum/show...=1#post2176042 (they disabled vBSEO, and the issue did not go away)
    https://www.vbulletin.com/forum/show...=1#post2282471 (vBSEO hasn't been mentioned here)
    https://www.vbulletin.com/forum/show...=1#post2312732 (vBSEO hasn't been mentioned here - however the removal of the wildcard "%" [posted by djbaxter here] from remote databases setting in cPanel did the trick for them)
    https://www.vbulletin.com/forum/show...(please-help!)


    The issue can be exploited in many different ways as you can see. Another source: vBulletin Redirect Exploit - Admin Zone Forums


    Quote Originally Posted by bforum View Post
    And if this is a VB problem then why hasn't VB issued a warning urging their customers to turn off register_globals?
    It's been 2-3 days since we performed our investigations and came up with what we've explained so far, so we are currently going through a testing phase prior to sending out any sort of notifications/warnings to vBulletin users (be that vBSEO customers or not). I emphasize the "testing phase", but an eventual notification will roll out as soon as we consider it convenient.

    Thank you for your continued feedback, bforum, it's greatly appreciated. I hope that is clear now.

    If you still have any questions, don't hesitate to let us know!
    Andrés Durán / Crawlability Inc.
    vBSEO 3.6.0 GOLD released!
    Introducing the NEW vBSEO Sitemap Generator 3.0 - NOW available to vBSEO customers!

    Follow us on: Facebook | Follow us on: Twitter


  2. #32
    bforum (Junior Member)
    Andrés,

    Thanks for actually providing useful information instead of just ranting like Mert did. I am, however, still somewhat sceptical.

    As I understand it having register_globals on is not a security problem in itself - it just makes it easier to write insecure code. So you will need insecure code AND register_globals = on in order to carry out an attack like the one many vB/vBSEO-users have seen lately. So the real question is: Where is the insecure code? In vBSEO or in vB itself?

    The links you have provided do not answer that question. Many of them are related to previous issues that have been patched a long time ago. Others seem to point to vBSEO and other 3rd party addons. And your reference to a user saying that he has disabled vBSEO doesn't make much sense as he doesn't seem to have cleaned up his site following the first infection and is also using a very old version (3.8.3) with a lot of other vulnerabilities that could have been used to infect his site.

    As stated by vB staff in many of the threads you are linking to: There are no real indications that sites without addons have been attacked. And that is my point: If the insecure code is in vB then thousands of vB sites would be targeted these days. But while a large number of vBSEO sites have been targeted there is no credible information that an attack (let alone a large scale attack) is being carried out against vB sites that are not using vBSEO or a few other addons. Even in the threads you are linking to there are only a few people claiming not to use any addons and as mentioned above even those few claims seem to be useless.

    As I see it there is very strong circumstantial evidence pointing to vBSEO as the culprit here. Security experts, like Sucuri, also seem to label this as vBSEO related. And to me it simply doesn't make sense that the hackers would show such restraint that they did not use what would be a very easy way to attack vB sites. Why would they limit themselves to vBSEO sites if the insecure code is actually in vB? And as I mentioned in my previous post: If all vB sites with register_globals on are vulnerable then why hasn't vB/vBulletin Solutions issued a warning? To them it would be a disaster if such a large number of sites was attacked.

  3. #33
    Diego (Member)
    It's simple:

    -ONLY vbseo problem and NOT our server security/configuration: incorrect
    (I already said sorry for saying that)
    -NOT vbseo problem and ONLY our server security/configuration: incorrect
    (... no one said anything.... it's ok, it doesn't matter, the problem is gone and I'm happy)

    The problem is with "a lot" of things all TOGETHER, and not ONLY one of them:
    -register_globals
    -directory and archives perms
    -passwords
    -forum software problem (IPB has the problem too)
    -plugins problem (VBSEO is one of them)
    -etc...

  4. #34
    ahmet (Senior Member)
    Thank you very much Andres for the detailed information. Actually I think most of us (vbseo customers) were not convinced because we only heard from the vbseo webmaster that it's not related to us. It was not enough description. This time there is no doubt about it.

  5. #35
    Andrés Durán Hewitt (vBSEO Staff)
    Quote Originally Posted by bforum View Post
    So the real question is: Where is the insecure code? In vBSEO or in vB itself?
    Hello,

    At this point in time, it is hard (at least for me) to point our fingers to a specific script (say vBSEO, vBulletin or any other third-party mod [note that I haven't stated yet that vB itself has an undiscovered security hole, neither have I said the same about vBSEO or any other mods/plugins available out there, I'm not a coder]), as several websites have been compromised and we do not have access to all of them so as to make a public statement. In the same way, reviewing each of the vBulletin files is quite a hard task to perform; if my maths do not fail, vBulletin 4 Publishing Suite itself has over 3000 files. However, with limited access and help from third parties we've found the common vector among most of the websites that were hit by this and it rests on the register_globals' shoulders.

    We are still determining if there's a security issue on our software, and you can be sure that you'll be informed ASAP about the outcome of such investigations. Improving the security levels of our source code is an ongoing task with every new release.

    That said, I do agree with you that in ANY scenario there shouldn't be insecure code, however I do understand that no human being is perfect in any aspect. If it turns out to be a bad coding issue, I'm sure that the fix will come up from whatever the source is.


    Quote Originally Posted by bforum View Post
    The links you have provided do not answer that question.
    I know, but with those links I was not intending to answer that specific question. My intention was to demonstrate that many other non-vBSEO customers were being hit by this.


    Quote Originally Posted by bforum View Post
    As stated by vB staff in many of the threads you are linking to: There are no real indications that sites without addons have been attacked.
    I'm not sure about that, as I'm not related to vBulletin at all. And of course that may be true, no one knows their code better than them.

    What we know is that the issue can come from anywhere, can be exploited in many different ways.


    Quote Originally Posted by bforum View Post
    As I see it there is very strong circumstantial evidence pointing to vBSEO as the culprit here. Security experts, like Sucuri, also seem to label this as vBSEO related. And to me it simply doesn't make sense that the hackers would show such restraint that they did not use what would be a very easy way to attack vB sites. Why would they limit themselves to vBSEO sites if the insecure code is actually in vB? And as I mentioned in my previous post: If all vB sites with register_globals on are vulnerable then why hasn't vB/vBulletin Solutions issued a warning? To them it would be a disaster if such a large number of sites was attacked.
    We cannot trust a statement from a third party (Sucuri, in this case). As a personal point of view, if they are vastly knowledgeable in security aspects, they'd have isolated the issue and would have come up with our same result (yes, I know I'm annoying with this), rather than pointing their fingers directly to vBSEO without performing a formal investigation, or copying/pasting our own asseverations.

    Again, saying that the issue resides on vBulletin code base is something that we can't affirm, nor have we stated it anywhere. We will get in touch with them and will let them know about the feedback we've gathered so far.

    There's commitment from us. And I know you are aware of that fact.
    Andrés Durán / Crawlability Inc.


  6. #36
    tommydamic68 (Junior Member)
    I thought the issue was gone, my host fixed it last time, not sure what they did. Here is my redirect: MyFilestore.com - Your File Hosting. This sucks, it appears it hit my site July 2nd 2012. My Google Analytics dropped significantly the 2nd. I really wish this issue was resolved, this is the second time. I was clean for a few months.

  7. #37
    Andrés Durán Hewitt (vBSEO Staff)
    Andrés Durán / Crawlability Inc.


  8. #38
    tommydamic68 (Junior Member)

    I have not. I will contact my host immediately to have them shut it off. Will this affect my site at all, if so how? Is this anything to do with member registration? By the way it is on, should I do anything afterwards to remove the issue?

    Thanks,

    Tom

  9. #39
    Aman Singh (Senior Member)
    Well, as desired, I upgraded vbulletin to 3.8.7 PL2 and vbseo to 3.6.0 on July 13, 2012 and also shut the register_globals off in my dedicated server and the malware has not shown up since then and my search engine traffic has also returned back.

    However, today is the fifth day... let us see if the malware strikes again to haunt my forums or not.

  10. #40
    bforum (Junior Member)
    Quote Originally Posted by Andrés Durán Hewitt View Post
    We are still determining if there's a security issue on our software, and you can be sure that you'll be informed ASAP about the outcome of such investigations.
    This was actually the statement I was looking for.

    What really scared me was the numerous claims by Mert Gökçeimam that "vBSEO has no security hole". That would indicate that vBSEO had already concluded that this is not a vBSEO problem (in spite of the strong circumstantial evidence saying otherwise) and that vBSEO was not investigating the issue further.

    Setting register_globals to off seems to stop the current attacks, but I think that many of your customers need to know what really caused the attacks. So it is good news that you are actually investigating the issue and not just sticking to one-liners like "vBSEO has no security hole". So thumbs up.

    Quote Originally Posted by Andrés Durán Hewitt View Post
    I know, but with those links I was not intending to answer that specific question. My intention was to demonstrate that many other non-vBSEO customers were being hit by this.
    But as I mentioned in my previous post many of the links have nothing to do with the current attacks. Injecting this redirect code to the datastore table has been used with many previous vulnerabilities in both vBSEO and vB (and other scripts have also had vulnerabilities exploited this way).

    Quote Originally Posted by Andrés Durán Hewitt View Post
    We cannot trust a statement from a third party (Sucuri, in this case). As a personal point of view, if they are vastly knowledgeable in security aspects, they'd have isolated the issue and would have come up with our same result (yes, I know I'm annoying with this), rather than pointing their fingers directly to vBSEO without performing a formal investigation, or copying/pasting our own asseverations.
    That is a bit unfair. Sucuri is just letting their customers know what they are seeing. And they are seeing the same as the rest of us: That the sites being hit are vB/vBSEO sites. I wouldn't expect them to be able to identify the problem faster than the company that actually wrote the code in question (vBSEO...)

  11. #41
    Andrés Durán Hewitt (vBSEO Staff)
    Quote Originally Posted by tommydamic68 View Post
    I have not. I will contact my host immediately to have them shut it off. Will this affect my site at all, if so how? Is this anything to do with member registration? By the way it is on, should I do anything afterwards to remove the issue?

    Thanks,

    Tom
    Hi Tom,

    You need to make sure that your datastore has been cleaned up from any malware once you disable register_globals. You can try our testing utility: http://www.vbseo.com/f5/faqs-rogue-p...62/#post326304
    Andrés Durán / Crawlability Inc.


  12. #42
    Andrés Durán Hewitt (vBSEO Staff)
    Quote Originally Posted by Neutral Singh View Post
    Well, as desired, I upgraded vbulletin to 3.8.7 PL2 and vbseo to 3.6.0 on July 13, 2012 and also shut the register_globals off in my dedicated server and the malware has not shown up since then and my search engine traffic has also returned back.

    However, today is the fifth day... let us see if the malware strikes again to haunt my forums or not.
    The issue shouldn't return.
    Andrés Durán / Crawlability Inc.


  13. #43
    tommydamic68 (Junior Member)
    I have my host turning off the register_globals now and I will run the exploit. I think I have it installed already. Is this the datastore plugin script? With that being said, I did get an exploit on the day that I think I was attacked again, July 2nd my Google Analytics dropped drastically. Here is the plugin mismatch info and Google snapshot, maybe you can make something of this.


    [Attachment: Google analytics]

    [Attachment: Datastore pluginlist mismatch!]



  14. #44
    ehd (Junior Member)
    Check your "Bounce Rate" in Google Analytics. Or please post a screenshot of it, there you can see the effect better.

  15. #45
    tommydamic68 (Junior Member)
    Quote Originally Posted by ehd View Post
    Check your "Bounce Rate" in Google Analytics. Or please post a screenshot of it, there you can see the effect better.

    [Attachment: Bounce rate]



    It looks like the 27th of June it took a dive to the bottom - wow! I checked the emails that day, no plugin mismatch warning. Still unclear what the heck happened. My host has confirmed turning off register_globals though.
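
Added example, not part of any post in this thread and not vBSEO or vBulletin code: several posters above rely on their host to turn register_globals off, but the directive can also be set per directory, so a check has to cover every file where it may appear. The sketch below reads php.ini, .user.ini and Apache .htaccess text and reports the effective value in each; the file paths and contents are constructed samples.

```python
import re

# php.ini / .user.ini form:               register_globals = On
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^\s";]*)', re.I)
# Apache mod_php form (.htaccess, vhost):  php_flag register_globals on
APACHE_RE = re.compile(
    r'^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+"?([^\s"#]+)', re.I)
TRUTHY = {"1", "on", "yes", "true"}  # values PHP treats as boolean true


def effective_setting(text):
    """Return (line_no, raw_value, enabled) for the last register_globals
    line in one config file, or None if the file never sets it.
    Commented-out lines (';' or '#') do not match and are ignored."""
    last = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = INI_RE.match(line) or APACHE_RE.match(line)
        if m:
            value = m.group(1)
            last = (line_no, value, value.lower() in TRUTHY)  # later lines win
    return last


def audit(files):
    """Map each path to its effective setting; list the paths that enable it."""
    report = {path: effective_setting(text) for path, text in files.items()}
    enabled = sorted(p for p, s in report.items() if s and s[2])
    return report, enabled


# Constructed sample: the global php.ini says Off, but two per-directory
# files under a hypothetical forum root switch the directive back on.
SAMPLE_FILES = {
    "/etc/php.ini":
        "; constructed sample\n[PHP]\n;register_globals = On\n"
        "register_globals = Off\n",
    "/var/www/forum/.htaccess":
        "# constructed sample\nRewriteEngine On\n"
        "php_flag register_globals on\n",
    "/var/www/forum/includes/.user.ini":
        "; constructed sample\nregister_globals=1 ; legacy mod\n",
    "/var/www/forum/archive/.htaccess":
        "Options -Indexes\n",
}

if __name__ == "__main__":
    report, enabled = audit(SAMPLE_FILES)
    for path, setting in report.items():
        print(path, "->", setting)
    print("register_globals enabled in:", enabled)
```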
