FAQ's on the Rogue Plugins Exploit (1/23 vBSEO Patch Release)

If you keep getting multiple email notifications, please open a ticket with admincp access to check this.

Yes, I get still get email notifications. Ticket is opened (

8168-WETZ-2177).

regards

Originally Posted by Juan Muriente

Dear Customers and Friends,

We at Crawlability would like to extend our sincerest apologies for the recent round of exploits that surfaced earlier this week. While we have always put relentless focus on the quality and performance of the vBSEO product, it's clear we missed the mark by overlooking key best practices to properly safeguard our own servers. For testing compatibility and other purposes, we had a plethora of out of date add-ons, plugins, and other popular software that many of our customers use. These were often installed, checked for compatibility, and then left neglected without concern. It is to the best of our knowledge that through one of these old softwares, an exploit was able to target our file system which initiated the JS include problem that led to the datastore issues many of you faced.

Although we have removed all outdated/unused software and verified all our current software for holes, moving forward we hope to minimize any issues of similar nature by completely separating our different services and keeping better tabs on installed software and development environments. Our ticket system, forum, and test beds will all be served from non-connected servers in the very near future. This will ensure that if one system is compromised, others will not. Also, the next vBSEO release *will not* use a JS include approach but rather an API mechanism, which is intrinsically more secure. In fact, an API-type exchange will not allow random patterns of code to be injected at all.

Thank you to all the customers who helped us help the community by reporting issues, supplying code, and helping us narrow down the attack vector in a quick fashion. We value your contributions very highly and appreciate the effort set forth.

Once again, we apologize for the inconvenience caused to our customers. Your success is our success, and we value your opinion of us as a company and hope that you still hold us with high regard and trust.

Thank you for your time and consideration.

-The vBSEO Team

I ask for support via a ticket about this problem and the reply is

We are sorry but that redirect thing has nothing to do with vBSEO.
It is directly related to server security

Users who don't use vBSEO are effected with this. You need to contact your host and increase security on your files especially writable files.


Kind regards,
Mert Gökçeimam / Crawlability Inc.
vBSEO Developer

Did I miss the thread that now says ITS UP TO YOU !
thanks for your support vbseo

Hi Ryan,

The exploit explained in these FAQ posts is a whole different thing from the issue you are having with file2store. Our sincerest apologies if we did not explain to you in a clearly manner what the issue is and how to fix it.

Coming back to topic, it looks like that your site got hit by another security issue that has surfaced on 2010 (which also has affected several vBulletin instances without vBSEO). Details about what it does and how to get rid of it can be found in these threads:

https://www.vbulletin.com/forum/show...ile2store-info
http://www.vbseo.com/f77/google-redi...security+issue
Security issue

We've updated our detection plugin (vbseo_checkplugins4.zip) with a few tools that allow you to scan your database for this specific issue as well, so that it can be easier for you to debug which are the rogue plugins and what to do with your datastore. This may have led to confusions, but the exploit Juan has explained in this thread is not the same that affects your site.

I hope that is clear now. If not and you still have any questions, please don't hesitate to let us know.

Originally Posted by Andrés Durán Hewitt

Hi Ryan,

The exploit explained in these FAQ posts is a whole different thing from the issue you are having with file2store. Our sincerest apologies if we did not explain to you in a clearly manner what the issue is and how to fix it.

Coming back to topic, it looks like that your site got hit by another security issue that has surfaced on 2010 (which also has affected several vBulletin instances without vBSEO). Details about what it does and how to get rid of it can be found in these threads:

https://www.vbulletin.com/forum/show...ile2store-info
http://www.vbseo.com/f77/google-redi...security+issue
Security issue

We've updated our detection plugin (vbseo_checkplugins4.zip) with a few tools that allow you to scan your database for this specific issue as well, so that it can be easier for you to debug which are the rogue plugins and what to do with your datastore. This may have led to confusions, but the exploit Juan has explained in this thread is not the same that affects your site.

I hope that is clear now. If not and you still have any questions, please don't hesitate to let us know.

I'm confused... I'm running vbSEO 3.6.0 on two of my sites with vB 4.1.9 and I got hit with the file2store issue on both sites. How is it possible that this is related to an issue from 2010 and not the current vBseo issue? I used the check plugins tool to clear the datastore and patched vbSEO as well as changed all passwords and everything seems okay now. Do I still need to worry and more importantly do I need to waste my time reading 20+ pages of a thread from 2010...

Originally Posted by 365adventure

I'm confused... I'm running vbSEO 3.6.0 on two of my sites with vB 4.1.9 and I got hit with the file2store issue on both sites. How is it possible that this is related to an issue from 2010 and not the current vBseo issue? I used the check plugins tool to clear the datastore and patched vbSEO as well as changed all passwords and everything seems okay now. Do I still need to worry and more importantly do I need to waste my time reading 20+ pages of a thread from 2010...

One hack was to do with folder permissions, the other is vBSEO

The vBSEO hack was only very recent and didn't include the filestore issue.

If you had the filestore issue then you need to foloow the advice in the threads linked to. As more than likely folder permissions are the culprit and not vBSEO

Also, if you have the file2store issue and it keeps reappearing after you flush the datastore, you need to change all your server, MySQL, and admin passwords immediately... you have a back door open.

And, as has been said, this is entirely unrelated to the vBSEO exploit, occurs on forums with or without vBSEO, and first surfaced in 2010 (hence the 2010 reference above). Do a search at vBulletin.com and you'll find several threads on the topic.

Hi, the link to the testing utility does not seem to work anymore.

Is there an updated version?

Thanks

Originally Posted by matressking

Hi, the link to the testing utility does not seem to work anymore.

Is there an updated version?

Thanks

It is only available for vBSEO license owners

Thanks for the reply. I have just started as webmaster on a vBulletin forum that does have a licence. pardon my ignorance but is there something I need to do with my login (similar to the VBulletin support forums) to let me access the file?

We got an anonymous email saying we were effected, however our Systems Admin is unable to locate the issue.

someone hacked a lot of forums lately with URL123.INFO Making long links shorter injection code somewhere in a php file.
yours is affected too

How can we test our site for this issue?

You can try the testing utility from post #3 in this thread: http://www.vbseo.com/f5/faqs-rogue-p...62/#post326304

Originally Posted by matressking

Thanks for the reply. I have just started as webmaster on a vBulletin forum that does have a licence. pardon my ignorance but is there something I need to do with my login (similar to the VBulletin support forums) to let me access the file?

Hello ,

vBSEO is a paid add-on and it require a license to run on your site. It looks like you are running a nulled version of vBSEO.

I have done all the security updates run the plugin check
changed passwords for everything disabled all plugins that are not being used and the ones that I need to run the site I have checked and tested.
I have rest the datastore.


To reset the datastore can it be done after you have run the plugin exploit checker? or is there another way to do this


So I have done everything and still no good

My forum traffic is still bad

It was about 1000+ per day now it is about 70+

I have been working on this for the last 2 weeks everyday, can't get support from anyone but my hosting provider
and they have been great.

I cant see what to do next!

See https://www.vbulletin.com/forum/show...=1#post2185387

With the help of the security people at RealWebHost.net, we have now positively identified the method for injecting this exploit as well as specific vulnerabilities that permitted it on a 3.83, since updated to 3.87 PL2: As it turns out, it was a server configuration and security issue combined with some specific attributes of vBulletin installations which gave the intruder direct access to the MySQL database.

The key is first to check your settings in cPanel for Remote MySQL: Unless you are using a database on a remote server, i.e., NOT on localhost, this setting should say "There are no additional MySQL access hosts configured". If you have a specific database intentionally enabled, that too is okay. What should NEVER be there is the character % - this is a wildcard which allows ALL other servers to connect to the database. If you see the wildcard enabled, DELETE IT.

Then, make sure you change your passwords to strong passwords for both cPanel and MySQL to ensure that no one can change this setting back without your knowledge.

Then, pick any add-on, disable it, then re-enable it to clear the datastore.

Finally, download the file tool_reparse.php from Fix-it: Template Edition - vBulletin.org Forum and let it find discrepancies in your compiled templates and rebuild them. |