Security issue

**GGG** · 06-26-2010 01:23 PM

Still the case?

Originally Posted by Brian Cummiskey

No one (vbseo, vbulletin) is 100% sure where or how this is happening. It might have been through the vb exploit that was patched. If you upgraded to 3.8.5, you also needed to update all your passwords to take advantage for the 3 to 30 character password salt. If you don't update them, you'll still be using the 3-char salt. If you were exploited, and since removed the code, htpasswd protected and renamed your admin/mod directories, changed all your admin accounts for vb, as well as your server root/mysql user/passwords, do not allow zip or php/etc attachments, and also use an htaccess file in all chmod 777 directories that stops execution of files (vBSEO Security Bulletin - vBSEO 3.3.2 Released) then you should be pretty safe. But again, we don't know 100% where or how they are getting in. We've yet to see logs that prove or deny anything.

So far, we've had 0 reports of people getting exploited who have followed the above security measures.

**Brian Cummiskey** · 06-26-2010 04:59 PM

Still true. The exploit seems to have been to those with open writable directories.

**GGG** · 06-26-2010 05:35 PM

Another question, what does this mean?

"update all your passwords to take advantage for the 3 to 30 character password salt"

**Brian Cummiskey** · 06-26-2010 05:41 PM

vb changed the way they salt passwords. But its only going into effect after that version update (i forget which version it is now). So, you need to update your password so it gets encrypted siwth higher security. If you don't change the password, it will still use the 3-character salt.

it's like 32bit vs 128 bit SSL... it's more secure against brute-force.

**GGG** · 06-26-2010 05:53 PM

Also, what is Vbulletins stance on this? They deny any possible expolit in their system?

Wait a minute, here is their reply

vBSEO is a third-party add-on than we do not provide or support. You will have to contact them about this.

Also I have no idea how long it takes Google to change your status. ou should contact them.

**GGG** · 06-26-2010 06:00 PM

Whats a rogue code? Any "stanndards"? So it is only the global ones that are the ones that can screw the site up majorly?

Originally Posted by Brian Cummiskey

in your plugin manager, check the global_start hook plugins for rogue code. go back a few pages and theres a screen shot tutorial.

**Brian Cummiskey** · 06-26-2010 06:00 PM

No logs provided any 'fingers' at a hole in software/code on any core (vb) or plugin (vbseo). It appears by all cases to be a raw server exploit in which they were able to upload a script which gereated them user/passwords of admins, and then they freely went to town with whatever they wanted to do, including covering their tracks.

rogue code is that which is not part of default vb or vbseo codebase, generally encrypted in some fashion using base64 decoders. it can be anything.

Global start hooks on EVERY page. it's the easiest hook location to effect the entire site.

**cionfs** · 06-28-2010 09:08 AM

I've the same problem on my forum.

vBseo 3.3.2 and vBulletin 3.8.5.

Hi! I have the problem on my site. I've a redirect to http://myfilestore.cometc
Is the second time that appears.
If you find my site "cionfs" in google and if you click on "forum" from result of google, you'll be redirect in http://myfilestore.com/download.php/
I've reimported my vbseo plugin and I solve it. Appears to be a boring thing to do every time.
How can I solve this problem permanently?
I set the password on admincp by htaccess and htpassword.

Were infected the posts, not plugins.

**cionfs** · 06-28-2010 11:03 AM

I had to reimport vBSEO again. This time it was infected vb_Datastore -> pluginlist

The problem is solved again re-importing vBSEO.

At this point I would not exclude that this is a bug of vBSEO.

Edit:

It happened again....

**Brian Cummiskey** · 06-28-2010 02:56 PM

Have you locked down all your directories as this thread directs?

**thompson** · 06-28-2010 03:07 PM

Originally Posted by cionfs

I've the same problem on my forum.

vBseo 3.3.2 and vBulletin 3.8.5.

Hi! I have the problem on my site. I've a redirect to http://myfilestore.cometc
Is the second time that appears.
If you find my site "cionfs" in google and if you click on "forum" from result of google, you'll be redirect in http://myfilestore.com/download.php/
I've reimported my vbseo plugin and I solve it. Appears to be a boring thing to do every time.
How can I solve this problem permanently?
I set the password on admincp by htaccess and htpassword.

Were infected the posts, not plugins.

same problem with vbseo 3.5 and vb 3.8.5. deactived vbseo and activate again. solved.

htaccess and htpassword protected admincp.

update to 3.5.1 done.

what do you mean with locked down all directories ? brian ?

**Brian Cummiskey** · 06-28-2010 03:16 PM

lock down your admin and mod cp:
Security issue

lock down all chmod writable directories:
Security issue

**cionfs** · 06-28-2010 04:49 PM

Originally Posted by Brian Cummiskey

Have you locked down all your directories as this thread directs?

Of course

**Brian Cummiskey** · 06-28-2010 06:16 PM

If you have any log files that oultline your attack, please submit them via ticket.

Also, if you didn't change EVERY password to EVERY thing after the first exploit, they likely simply re-used the same login as the first time to do it all over again.

**cionfs** · 06-28-2010 06:48 PM

Originally Posted by Brian Cummiskey

If you have any log files that oultline your attack, please submit them via ticket.

Ok.

Originally Posted by Brian Cummiskey

Also, if you didn't change EVERY password to EVERY thing after the first exploit, they likely simply re-used the same login as the first time to do it all over again.

I changed the password several times.
My password has 18 characters. 10 numbers, special characters and 6 letters.

Security issue

LinkBack

Thread Tools

Display

Similar Threads

Security issue with filevbseo_getsitemap.php

Posting Permissions