Security issue

Again, the hackers probably know that vbseo is one of the most common plugins for vbulletin, and thus, hooks/products are enabled, thus giving them access to the global start position to shove their codebit into it. I'm sure there are some sites out there that don't run vbseo, like the drupal and joomla sites I mentioned earlier. Since these people are using this as a redirect from search engines, their obvious target is the better ranked sites, thus, the ones using vbseo.

HOW it's getting in there is the issue. If you haven't already submitted any logs from your exposure, please do so. We can't fix what we don't know is broken, and so far no one has been able to show us anything conclusive that an exploit exists in vbseo.

Three weeks my traffic has been down and I have found, I have the same problem as you other guys.
Redirect to the same site. Found it when I clicked on a google search tonight and then on Alexa

Whats the cure in easy to understand terms.
Right now Im having kittens because my traffic has been down so much and thought it was a google penalty.

Thanks in advance for any help guys. I'm sat here having kittens at present, as you can understand.

Mega stressed to say the least.

Originally Posted by DieselMinded

Is there any sort of php code that we can put after
that will ignore anything placed after it ?

Like this
because the code is being placed at the end of the global start

or maybe

I don't believe anything like that will work.


/* will start a comment after for everything, but you would need to stop it at the next plugin.... and i don't believe theres any order to what comes next.

Originally Posted by Lee G

Three weeks my traffic has been down and I have found, I have the same problem as you other guys.
Redirect to the same site. Found it when I clicked on a google search tonight and then on Alexa

Whats the cure in easy to understand terms.
Right now Im having kittens because my traffic has been down so much and thought it was a google penalty.

Thanks in advance for any help guys. I'm sat here having kittens at present, as you can understand.

Mega stressed to say the least.

disable vbseo
re-upload product file with overwrite,
re-enabled vbseo.

is the easiest fix.

And if you have any logs of the exploit (look around the day your traffic died off) please submit them via ticket.

From the logs we, gathered the code looks to be injected manually by editing plugin code. But until now only small number of logs have been supplied to us. If you keep your server access_logs please try creating a support ticket and supplying us the logs so we can investigate. Currently our hands are tied , we investigated vBSEO code 's each single line and trust me we are in contact with vBulletin Team from start to now and we have shared every possible bit of info we have gathered with vBulletin team instantly.

All our resources are currently forwarded to identify this issue. Customers even supplied us info that this happened even when vBSEO is deactivated. vBSEO is a product that is used widely on vBulletin forums that target better SE rankings , thats why it is a wise target for attacker to choose sites that has vBSEO on as his aim is directing most possible links to his site for SEO purposes.

As Brian mentioned a quick google search can show you how many different systems are effected from this problem eval(base64_decode( + hack - Google Search

Unfortunately we still don't have enough data to find out what can cause this.

I also advise everyone to check if you have chmod 777 directories on your server and if yes please make sure you create an .htaccess with the following content in chmod 777 directories. Chmod 777 directories can be the culprit of the problem as if you didn't correctly set permissions for chmod 777 directories , your server will always be open for compromises.

Code:

<Files ~ "\.(php\d*|cgi|pl|phtml)$">
order allow,deny
deny from all
</Files>

Originally Posted by Lee G

Three weeks my traffic has been down and I have found, I have the same problem as you other guys.
Redirect to the same site. Found it when I clicked on a google search tonight and then on Alexa

Whats the cure in easy to understand terms.
Right now Im having kittens because my traffic has been down so much and thought it was a google penalty.

Thanks in advance for any help guys. I'm sat here having kittens at present, as you can understand.

Mega stressed to say the least.

Go to admin CP then go to Plugins & Products then go to Plugin Manager the scroll down to vbseo and click on the global start template , and remove the eval(base64_decode........ Code from the bottom of it.

hit save , clear your cookies and cache and then re test your Google search result

As for my log files i have the last 6 days so thats no help , as they keep overwriting them selves . how ever i will be monitoring the global start template and when/if the eval(base64_decode comes back i will supply my logs via the support ticket system here

Thats another unplanned 3am touch here for hitting the pit
Thanks for all the help guys. In all honesty I thought it was a google slapped wrist and chanced there might be something wrong.
My traffic has dropped at an appalling rate.
If you guys need access to my server, let me know and you can poke around, see what you can find.

It might be china at fault. I have a lot of hacking attempts come from there on an hourly basis.

As a side note , if any of your staff or you is using IE , you should definately choose another browser. A new major security hole is detected in IE

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution

I always use Fire Fox but was testing my site with IE to verify this redirection issue , this also will explain why not all the Google results traffic was gone , I thought it was ~50% because people were re clicking the link , but it could of been the % of users using IE browser compared to others.

However i believe i have seen this issue from someone with a MAC and that wouldn't be an IE browser

Originally Posted by DieselMinded

In all cases of this exploit VBSEO was the target.

This is definitly wrong.
We had the exact same malicious code on at least one vBulletin forum that does not have vBSEO installed (it was atached to another global_start hook there).

Sending out an announcement as of now seems pointless as it is not yet known exactly how they got in.

Hello Andreas ,

It is really sad to hear you also get hit by this. Is there any possible logs that you can supply us which can help identify the issue. You can supply the logs for non vBSEO'd forum as well so we can also check those and help everyone identify the issue.

This gives some idea of the hit on my own traffic



The flat line has been like that for more than three weeks now. And gone lower.

I thought I noticed something strange the other day when I googled my place placement on one term I rank high for "Spain forum". Being sad, clicked the link and got diverted to Filestore73.com

I was checking which search engines were hitting my forum last night causing a lot of lag. Googled Alexa and had a look over the traffic stats there. Under clicstream, you get an idea of just how much has been diverted
http://www.alexa.com/siteinfo/thespa...m#trafficstats

And when you look up Filestore73.com
filestore73.com - Site Info from Alexa
You get an idea of just how much traffic they are getting and possible other sites these guys have hit

I cant believe the grief these guys have caused me at present. I was sure I was on a google penalty, going by my sudden traffic drop and I'm sure I'm on one. At one stage I was honestly wondering if I could afford to carry on running the forum

I'm sure these guys also add a lot to the server load as well, since last night, the forum pages load a lot quicker.

So once again, I'm in your debt guys

Any way I can help, let me know, server access etc

Thanks again to everyone who came to my aid at such short notice.

Hello Lee ,

Can you please create a support ticket and supply us your access_logs so we can investigate on them.

Mert, I have no idea if I have access logs or where to even find them.
Would you like access to the server?
I just want this put to bed in all honesty.
Its cost me three weeks of hits etc. And god knows what else I have in the mean time to screw it all up and loose even more.
Let me know how high you want to go in my server.
Going by my nice Little graph, you can see when I must have been hit.
Looking at Alexia, most of the sites which look like they are sending them traffic, have two things in common. VB and VBSEO