
vBSEO Security Bulletin - vBSEO 3.3.2 Released

This is a discussion on vBSEO Security Bulletin - vBSEO 3.3.2 Released within the vBSEO Announcements forums, part of the Announcements & Pre-Sales category.

  1. #151
    vBSEO Staff Brian Cummiskey's Avatar
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,782
    Liked
    648 times
    Blog Entries
    2
    A lot of people thought they had the latest update but did not. There were actually 2 different 3.3.2 releases.
    Release date: October 27, 2009
    Last Updated: November 17, 2009

    The user you mention above last downloaded 3.3.2 on (2009-10-27). 10 days elapsed before he was patched. In those 10 days, the upload/exploit could have happened, just never executed until later. That is usually how they work.


    ALWAYS patch as soon as possible.
    Brian Cummiskey / Crawlability Inc.


  2. #152
    Senior Member
    Real Name
    Michael Biddle
    Join Date
    Jan 2007
    Location
    Southern California
    Posts
    7,097
    Liked
    4 times
    When he says both the latest, he might not have patched the most recent time to 3.3.2.

  3. #153
    Member
    Real Name
    Veerachai
    Join Date
    Feb 2009
    Location
    London, UK
    Posts
    48
    Liked
    0 times
    Infected again today
    i change place before i was in header

    now it infects 2 files:
    vbulletin_global.js
    and yahoo-dom-event.js

    I will submit a ticket to investigate

  4. #154
    Senior Member
    Real Name
    Ceri May
    Join Date
    Jul 2009
    Location
    United Kingdom
    Posts
    1,726
    Liked
    15 times
    Blog Entries
    1
    It sounds like they have left a backdoor behind that you have not found and so have not deleted.

    You said you enabled Apache access logs though and this is a good thing as we should be able to determine from these what the hackers are accessing to alter your site code and in doing so find the backdoor.

    Please do open a ticket with root FTP access.

  5. #155
    Member
    Real Name
    Veerachai
    Join Date
    Feb 2009
    Location
    London, UK
    Posts
    48
    Liked
    0 times
    I opened a ticket
    and I don't enable .htaccess for the forum
    I put it directly in Apache httpd.conf
    to not allow requests for PHP files in upload dirs such as cust*, attachments

  6. #156
    Member
    Real Name
    Veerachai
    Join Date
    Feb 2009
    Location
    London, UK
    Posts
    48
    Liked
    0 times
    Nothing found for vbseoembed or vbseo.php in access_log

  7. #157
    Member
    Real Name
    Veerachai
    Join Date
    Feb 2009
    Location
    London, UK
    Posts
    48
    Liked
    0 times
    Use this on Linux to find the backdoor file
    Code:
     find . -regex '.*\.php$' -exec grep FilesMan {} \;
    
     find . -regex '.*\.php$' -exec grep ZaCo {} \;
    If found, you have to delete it

  8. #158
    Member
    Real Name
    Veerachai
    Join Date
    Feb 2009
    Location
    London, UK
    Posts
    48
    Liked
    0 times
    Better code

    This one will tell where the file is located

    -------------------

    Code:
    # -printf runs only when grep matched, so it prints the path of each matching file
    find . -regex '.*\.php$' -exec grep FilesMan {} \; -printf %p\\n
    find . -regex '.*\.php$' -exec grep ZaCo {} \; -printf %p\\n
    it will print file name
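
Added example, not part of the original posts: a variation on the scan above that prints each matching file once, lists PHP files sitting in upload directories (the restriction described in post #155), and lists scripts changed since a cleanup stamp so the re-infection time can be looked up in the access log. The marker strings are the two quoted in the thread; the directory names and paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a cleaned-up forum root.
# Marker strings are the two quoted in the posts above; all paths are arguments.

MARKERS='FilesMan|ZaCo'

# Print every .php file under $1 that contains a marker string.
# grep -l prints each file name once; piping through sort keeps the exit
# status clean when nothing matches and makes the output stable.
scan_markers() {
    find "$1" -type f -name '*.php' -exec grep -lE "$MARKERS" {} + | sort
}

# Print every PHP-like file inside the named upload directories under $1.
# Upload directories should hold images and attachments only, so any hit
# deserves a look even if it contains no known marker.
php_in_uploads() {
    root=$1; shift
    for dir in "$@"; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -type f \
            \( -name '*.php' -o -name '*.php.*' -o -name '*.phtml' \)
    done | sort
}

# Print .js and .php files under $1 modified after the stamp file $2.
# Touch the stamp right after a cleanup; anything listed later was changed
# since then, and its mtime is the window to search in the access log.
changed_since() {
    find "$1" -type f \( -name '*.js' -o -name '*.php' \) -newer "$2" | sort
}

# Example run (hypothetical paths and directory names):
#   scan_markers /var/www/forum
#   php_in_uploads /var/www/forum customavatars attachments
#   touch /root/forum.clean    # right after cleanup
#   changed_since /var/www/forum /root/forum.clean
```

A file listed by `changed_since` but not by `scan_markers` was still modified after the cleanup, which is the case of the re-infected `.js` files reported in this thread.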

  9. #159
    Junior Member
    Real Name
    Kevin P.
    Join Date
    Nov 2008
    Posts
    15
    Liked
    0 times
    Originally Posted by Brian Cummiskey:
    A lot of people thought they had the latest update but did not. There were actually 2 different 3.3.2 releases.
    Release date: October 27, 2009
    Last Updated: November 17, 2009
    It would be better to have a new version such as 3.3.2 patch 1.

    I upgraded to 3.3.2 immediately after I got the email for the first 3.3.2. Not sure if I got the update email for the 2nd 3.3.2, maybe I neglected it.

  10. #160
    Member
    Real Name
    Veerachai
    Join Date
    Feb 2009
    Location
    London, UK
    Posts
    48
    Liked
    0 times
    My forum is not infected any more after scanning all files and deleting them.

  11. #161
    Senior Member
    Real Name
    Ceri May
    Join Date
    Jul 2009
    Location
    United Kingdom
    Posts
    1,726
    Liked
    15 times
    Blog Entries
    1
    Originally Posted by hurricane_sh:
    It would be better to have a new version such as 3.3.2 patch 1.

    I upgraded to 3.3.2 immediately after I got the email for the first 3.3.2. Not sure if I got the update email for the 2nd 3.3.2, maybe I neglected it.
    As it was the same bug (but used in a slightly different way) that we were fixing, it did not fulfill the requirements for a new version however in future we will work on releasing these sort of updates as patch releases - (PL1 or PL2 etc).

    In 5 years that we have been running this was the first exploit that has ever been discovered. We did send out a second email on the 17th of November advising that the files had been updated and the original announcement on our site was also updated. We believed this would have been sufficient notification.

    As advised though we have learned from this experience and in the unlikely case another exploit is found in vBSEO I can assure you that we will release a new version or at least a Patch Level release.

    Ceri

  12. #162
    Senior Member
    Real Name
    Mike
    Join Date
    Aug 2006
    Posts
    209
    Liked
    3 times
    hello, is this current version (3.3.2) currently functional with 4.0 vbulletin gold ?

    please advise.

    thx.

  13. #163
    Senior Member
    Real Name
    Michael Biddle
    Join Date
    Jan 2007
    Location
    Southern California
    Posts
    7,097
    Liked
    4 times
    Hello Mike,

    No it is not, 3.5 will support vBulletin 4. We are in an early RC stage with 3.5.

  14. #164
    Junior Member
    Real Name
    Ethan
    Join Date
    Nov 2006
    Posts
    15
    Liked
    0 times
    I have done everything I can that's suggested on this thread to get rid of all malicious code and patched my files, however, my vbulletin_global.js keeps getting injected with the same malicious code others have posted on here. I sent a support ticket already but all I was told is that there's no security holes in vbseo and to check my other scripts. The thing is that people are getting the same problem with their vbulletin_global.js here so I thought it first began with vbseo.

    Can anyone at least help me any further?

  15. #165
    Senior Member
    Real Name
    djbaxter
    Join Date
    Mar 2009
    Posts
    176
    Liked
    6 times
    Originally Posted by dai-kun:
    I have done everything I can that's suggested on this thread to get rid of all malicious code and patched my files, however, my vbulletin_global.js keeps getting injected with the same malicious code others have posted on here. I sent a support ticket already but all I was told is that there's no security holes in vbseo and to check my other scripts. The thing is that people are getting the same problem with their vbulletin_global.js here so I thought it first began with vbseo.

    Can anyone at least help me any further?
    Maybe it's not vBSEO... maybe it's an unpatched version of vBulletin itself. You say that it's "vbulletin_global.js" that "keeps getting injected".

    What version of vBulletin are you running?
