This is a discussion on vBSEO Security Bulletin - vBSEO 3.3.2 Released within the vBSEO Announcements forums, part of the Announcements & Pre-Sales category.
What do you mean?
Copy and Paste it over the original (now old?) key?
Thanks!
Yes. Also make sure your config file is chmod 666 or 777 (so it's writable), and put it back to 644 afterwards for security.
Brian Cummiskey / Crawlability Inc.
vBSEO 3.6.0 GOLD Released!
Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!
Thanks.
Worked like a charm.
Glad you got it working.
The Forum Hosting - Forum Hosting from the Forum Experts
A variation of the security vulnerability reported in this announcement was detected (and fixed) today. It affects *only* forums that use the file system to store attachments, avatars or profile pics. An updated Security Bulletin has been emailed to all vBSEO license holders.
In addition, the patches linked from within the first post have been updated to link to the newest patch versions.
Our apologies for the two consecutive updates.
Juan Muriente / Crawlability Inc.
Did you fix it from a support ticket from user maxicep?
We were both infected today, trying to find a solution.
This really bugged me so much I could not sleep the whole night.
The problem is I really think many of your customers are infected, because the hacking process seems completely auto:
- the auto client registers, uploads a certain file
- makes database changes
- makes a PHP backdoor file
You should warn people on how to find and fix their backdoor PHPs.
They are mostly in the attachments, avatars or profile folders.
Plus, database changes will make people's lives hell to fix.
You really should make a tutorial.
How to check if your server is compromised:
- Scan the following folders for any non-image files. There should be a blank index.html in them to block directory browsing, but otherwise should contain all images.
  - customavatars/
  - customavatars/thumbs/
  - customprofilepics/
  - your attachments folder (non-standard name). Note: These are not image extensions, but rather .attach and .thumb extensions. There are likely many folders and subfolders to sort through.
- If you don't see anything rogue in any of these places, you are likely ok.
- If you do see some rogue non-image files in any of these folders, you should contact your host immediately and try to trace error logs and access logs to see what may have been compromised. Unfortunately, there's no way we can tell what was done as anything could have been accessed or changed and only your server logs will tell you what to look at.
If your templates have been defaced, there's a .org script available for 3.8 to help repair: http://www.vbulletin.org/forum/showthread.php?t=220967
Last edited by Brian Cummiskey; 11-18-2009 at 02:19 AM.
Brian Cummiskey / Crawlability Inc.
Just to confirm: I got the new patch email dated Nov 17 and just upgraded from 3.3.1 to 3.3.2, and that 3.3.2 that I just downloaded from the site already has the new November 17 patch incorporated into it, so I don't need to do anything else, correct?
Hi David,
Totally 100% correct.
Ace Shattock / Crawlability Inc.
nm, sending a PM.
Also, if you have a writable folder (attachments, customprofilepic, etc), I would recommend creating an .htaccess file in each of these folders that will block script requests from those folders:
Code:
<Files ~ "\.(php\d*|cgi|pl|phtml)$">
order allow,deny
deny from all
</Files>
Oleg Ignatiuk / Crawlability Inc.
You can search via ssh very easily:
Code:
find /path/to/your/attachmentsfolder -name '*.php'
Mert Gökçeimam / Crawlability Inc.
You must check your entire filesystem for PHP files hidden in gifs, jpgs, etc. if you want to make sure you are secure.
The exploit is not limited to only attachment and/or avatar or profilepic folders. Any folder / directory that can be written to by the web server is vulnerable, especially if the .htaccess file is writable by the web server user id.
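The checks described in this thread (non-image files in the upload folders, stray .php files, and PHP hidden inside images) combined into one scan, as an added example that is not part of any post. The function names, the finding labels and the list of accepted image extensions are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): list files in forum upload folders
# that do not match what the posts above say should be there.
# Heuristic only: it finds the literal "<?php" tag, not every way of hiding code.

# classify_upload FILE: print one finding line, or nothing if FILE looks expected.
classify_upload() {
    f=$1
    base=${f##*/}
    case $base in
        index.html)
            # The post expects a *blank* index.html; a non-empty one needs a look.
            if [ -s "$f" ]; then echo "NONBLANK-INDEX $f"; fi
            return 0 ;;
        .htaccess)
            # Legitimate if you placed it yourself; confirm content and owner.
            echo "REVIEW-HTACCESS $f"
            return 0 ;;
    esac
    ext=$(printf '%s' "${base##*.}" | tr '[:upper:]' '[:lower:]')
    case $ext in
        # Assumed list of image extensions, plus vBulletin's .attach/.thumb.
        gif|jpg|jpeg|png|bmp|attach|thumb)
            # Expected extension: still check for PHP hidden inside the file.
            # (.attach files can be any attachment type, so triage these hits.)
            if LC_ALL=C grep -qaiF '<?php' "$f"; then echo "PHP-TAG $f"; fi ;;
        *)
            echo "UNEXPECTED $f" ;;
    esac
}

# scan_uploads DIR...: run classify_upload over every regular file below each DIR.
# File names containing newlines are not handled.
scan_uploads() {
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "SKIP $dir (not a directory)" >&2
            continue
        fi
        find "$dir" -type f | while IFS= read -r f; do
            classify_upload "$f"
        done
    done
}

# Example: sh scan_uploads.sh customavatars customprofilepics /path/to/attachments
if [ "$#" -gt 0 ]; then scan_uploads "$@"; fi
```

Any line it prints is a file to inspect by hand and to correlate with the access logs; an empty result only covers the folders you passed in.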
Downloaded the patch, workin' on installin' right nao.