vBSEO Security Bulletin - vBSEO 3.3.2 Released

Thanks for the response. I know patching is not optional. I'll try to patch if we have problems I'll do a full upgrade on that particular site.

One other question. Does patching put branding back on brand free sites? (I have no idea whether branding removal is done in the core PHP or elsewhere such as plugin)

Originally Posted by eksodos

Thanks for the response. I know patching is not optional. I'll try to patch if we have problems I'll do a full upgrade on that particular site.

One other question. Does patching put branding back on brand free sites? (I have no idea whether branding removal is done in the core PHP or elsewhere such as plugin)

Hello,

It will not affect it. The branding free is in your vbseo key.

Sadly my site was compromised; as I was out of town, I didnt see this until today.

They got in on the 19th using vbseo.php; planted a couple php scripts in my customprofilepics, albums and customavatars directories.

I have yet to determine what they may have done in the process - so far nothing seems damaged, although they did manage to do something I am curious just how they managed.

The scripts were also executed on the 20th and 22nd for short bursts.

EDIT: They were able to install a rootkit and get root access. Changed my root password (costing me a service call to reboot and change my root password. Running rkhunter and cleaning up some stuff.

Removed text so I don't freak anyone out.

Hi Danny,

It is more probable that someone planted a backdoor onto your server before you patched and has waited until now to activate it. There are a number of suggestions in this thread in detecting and removing these files but they are normally very well hidden.

Ceri

Hi Ceri - I found a backdoor that had been installed. I edited my post so that I don't cause any hysteria.

Latest to get hit by the centiyo iframe all over the place. I have now upgraded vbseo to 3.2.2 and removed the shell from profile pics directory.

PS: A user registered at my site, uploaded a GIF file that had this executable php code in it and ran it through vbseo.php - If your board was compromised, watch out for a similar GIF/JPEG file in your server's writabe directories.

Thanks vbseo!

I have this problem centiyo ifram 4 tiems already
I just upgrade to 3.2.2
let's see itiwill happen again

Make sure you've cleared the php script in the uploaded directory and have changed all of your admin account and server account passwords.

already upgraded 3.2.2 and changed server password adn all admin password
and removed all .php from upload dir
Infect again today

any way to protect this ?

Please open a ticket with a copy of your access log showing the exploit. It will help us determine what was accessed and how, or if it was already on your server.

Where can i get access log from ?
which access log ?

if it's apache access log i didn't enable it.

Yes, the access_log from apache.

I highly suggest enabling it as it will help you pinpoint intrusions such as this. Without the log file, there's really no way to find out how they got in.

We have had NO reports of people being hacked since the 2nd 3.3.2 patch and a clean(ed) system.

Thank you
I wil enable apache logfile now
if it happen again i will open ticket

I fond some one have pproblem

Originally Posted by ekool

Just happened to a site of ours here, we are running 3.8.4pl1 and vBSEO 3.3.2 -- both the latest versions. Any other ideas?

Iframe MYSQL Injection (http://centiyo.com/in.cgi?default)