file2store issue is back?

Security issue

What's the final verdict? I followed all the steps in the thread above (secure pw, changed admin dir, CHMOD), but it seems that the problem keeps coming back.

Running vBSEO 3.5.2 and vBulletin 3.8.4 PL2

You need to make sure your file and folder permissions are correctly set. That issue has nothing to do with vBSEO.

Do you have any pointers on where to look?

644 for files, and 755 for folders -- right?

Yes but you also need to search for suspected files on your server as highlighted in the thread you linked. I advise you to read that thread carefully.

Thanks Mert, I will go through the entire thread today and then report back.

Also, just wanted to update those interested on the current behavior: It first redirects to file2store.info, and then it redirects again to smartphonegalaxy.info...

I found _error.php file in customavatars with malicious code, however this directory already had the relevant .htaccess. Deleted.

I also found one directory where I had forgotten to add the .htaccess. Inside, there were 3 core.xxxx files each 11-14 megabytes. They were encrypted, but I could see some commands calling vbseo, so I'm guessing this is malicious too. Deleted all 3 files and added .htaccess.

Hoping that this problem won't come back.

If you're constantly under attack, it may be a wise decision to move all your rules to httpd.conf and then set AllowOverride to No so that htaccess files can't be renamed or re-coded at all.

The problem is back... I'll check permissions again, but I'm positive everything is set up correctly now. In the meantime, is there anything else I can do?

What I've already done:
- Changed admin dir
- Changed all admin passwords so that they are super secure
- CHMOD 644 for files and 755 for folders
- Added the recommended .htaccess in directories with 777 permission
- Scanned via SSH for base64 code and removed malicious files

Edit: Just searched through my MySQL database for "base64" and "file2store" and found nothing.

check your upload directories (all that are writable) for any rogue scripts. usually its easy to find a php file amongst images/etc.

I found some before. Although they were deleted, this still keeps happening. Do you have any further suggestions? :(

My temporary solution is to disable and enable vBSEO, but every time I check (daily), it's back again.

They must be still be able to get into a writable file or directory or you missed one of their previously uploaded scripts. That's really the only way this can still be happening.

Thanks for the help. Through the steps listed above, it seems that something was fixed. It now no longer redirects to smartphonegalaxy.info. Previously, it would first redirect to file2store, and then smartphonegalaxy.info.

I've checked all directories and used different grep searches, so I don't know what I'll do.

Will upgrading to vBulletin 4 fix this?

There were a lot of people with this problem, how did they go about fixing it? Are there those who've succeeded without vB4?

The issue isn't related to vb or vbseo at all. It's from writable files and directories. Upgrading to vb4 won't fix anything.

Originally Posted by Brian Cummiskey

The issue isn't related to vb or vbseo at all.

Google "file2store vbseo" or "file2store vbulletin". Compare results with "file2store phpbb" "file2store invision" or "file2store drupal". How can you say that this isn't related to vB/vBSEO?

Originally Posted by Brian Cummiskey

It's from writable files and directories.

If this is true, can you please check the steps I've done and tell me what I've missed?

We are sure because boards that don't have vBSEO installed faced this issue. If you read the thread i supplied to you , you can also see this.