vBulletin Redirect Exploit

djbaxter

Tazmanian Veteran
Joined
Jun 6, 2006
Messages
10,465
With the help of the security people at RealWebHost.net, we have now positively identified the method for injecting this exploit as well as specific vulnerabilities that permitted it on a 3.83, since updated to 3.87 PL2: As it turns out, it was a server configuration and security issue combined with some specific attributes of vBulletin installations which gave the intruder direct access to the MySQL database.

The key is first to check your settings in cPanel for Remote MySQL: Unless you are using a database on a remote server, i.e., NOT on localhost, this setting should say "There are no additional MySQL access hosts configured". If you have a specific database intentionally enabled, that too is okay. What should NEVER be there is the character % - this is a wildcard which allows ALL other servers to connect to the database. If you see the wildcard enabled, DELETE IT.

Then, make sure you change your passwords to strong passwords for both cPanel and MySQL to ensure that no one can change this setting back without your knowledge.

Then, pick any add-on, disable it, then re-enable it to clear the datastore.

Finally, download the file tool_reparse.php from http://www.vbulletin.org/forum/showthread.php?t=220967 and let it find discrepancies in your compiled templates and rebuild them.
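
The Remote MySQL check described in the post above can also be made against the database's own account list. This is an added example, not part of the original post: it assumes the access hosts appear in the Host column of `mysql.user`, that the input is the tab-separated output of `mysql -N -B -e "SELECT User, Host FROM mysql.user"`, and that the sample rows and function names are constructed for illustration.

```python
# Hosts that only permit connections from the database server itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample of "user<TAB>host" rows (not taken from any real server).
SAMPLE = (
    "forum_user\tlocalhost\n"
    "forum_user\t%\n"
    "backup\t203.0.113.10\n"
    "report\t198.51.100.%\n"
    "root\t127.0.0.1\n"
)


def classify_host(host):
    """Classify a MySQL Host value as 'local', 'any', 'pattern' or 'specific'."""
    h = host.strip().lower()
    if h in LOCAL_HOSTS:
        return "local"
    if h == "" or set(h) <= {"%"}:
        # A bare '%' (or an empty host) matches every client address.
        return "any"
    if "%" in h or "_" in h or "/" in h:
        # '%' and '_' are wildcards inside a host value; ip/netmask is a range.
        return "pattern"
    return "specific"


def audit(dump):
    """Return (user, host, kind) for every account reachable from off-box."""
    findings = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, _, host = line.partition("\t")
        kind = classify_host(host)
        if kind != "local":
            findings.append((user, host.strip(), kind))
    # Most exposed first: full wildcard, then partial patterns, then single hosts.
    order = {"any": 0, "pattern": 1, "specific": 2}
    findings.sort(key=lambda f: order[f[2]])
    return findings


if __name__ == "__main__":
    for user, host, kind in audit(SAMPLE):
        print(f"{kind:9} {user}@{host}")
```

Entries reported as `any` correspond to the `%` wildcard the post says to delete; `specific` entries are the ones to confirm were enabled intentionally.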
 

goreking

Neophyte
Joined
Dec 16, 2006
Messages
2
I have found an exploited file called
class_rss.php

and found remote access permissions for 2 suspect IPs, as I don't allow any

Think this has stopped my redirect drama

Hope this may help
 

MySite

Aspirant
Joined
Aug 6, 2009
Messages
10
I have found an exploited file called
class_rss.php

and found remote access permissions for 2 suspect IPs, as I don't allow any

Think this has stopped my redirect drama

Hope this may help

Where did you find this file? /includes?
 

jerde

Participant
Joined
Mar 14, 2013
Messages
68
Hey fellas, this exploit is back on my site after getting rid of it for a while. The last time we got rid of it was by updating PHP and setting global register to "disable."

However, the redirect exploit has once again infected my site. Any ideas why? Has anyone else gotten the redirect lately?
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,898
Hey fellas, this exploit is back on my site after getting rid of it for a while. The last time we got rid of it was by updating PHP and setting global register to "disable."

However, the redirect exploit has once again infected my site. Any ideas why? Has anyone else gotten the redirect lately?
Some of the scripts on your site are causing this.
Could be a vBulletin modification.
 

jerde

Participant
Joined
Mar 14, 2013
Messages
68
Some of the scripts on your site are causing this.
Could be a vBulletin modification.

Thanks for the reply. I don't have a lot of mods. Could it be any of these?...

1. Social Networking in Postbit & Profile

2. Minimum number of posts to post links.

3. DownloadsII

4. vBSEO

That's all the products I have installed. I'm running vB 4.2.0.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,898
Thanks for the reply. I don't have a lot of mods. Could it be any of these?...

1. Social Networking in Postbit & Profile

2. Minimum number of posts to post links.

3. DownloadsII

4. vBSEO

That's all the products I have installed. I'm running vB 4.2.0.

Could be any of them.
I would check on the vb.org forum which one has/had problems.
Check their versions.

First I would suspect an older insecure version of vBSEO.
 
Joined
May 4, 2006
Messages
362
Not seeing any issues or alerts on vb.org. :S
People have been posting them at vBulletin.COM to which vBulletin support has been promptly deleting those posts.

I got hit with the myfilestore last week and still have no idea how they got in. And I am NOT running vBSEO.

It is a serious problem... do a good search of Myfilestore redirect and set the search time for the last week. You will see this is a very serious issue and is happening to a lot of vBulletin sites.
 

Paul M

Super Moderator
Joined
Jun 26, 2006
Messages
4,077
People have been posting them at vBulletin.COM to which vBulletin support has been promptly deleting those posts.
Aside from the fact Jerde said vb.org, not vb.com, on what do you base that accusation? I can see all deleted threads & posts, and I don't see any. Granted, I haven't searched every single thread, so perhaps you could link to a couple - and also, for what reason would they be deleted anyway?
 

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,451
Google cache is your friend
Why would they have removed that from public view? (Mind you I know that you personally wouldn't know the answer to that question, it is more of a general thinking out loud question. ;))
 

Joeychgo

TAZ Administrator
Joined
Feb 28, 2004
Messages
7,028
Why would they have removed that from public view? (Mind you I know that you personally wouldn't know the answer to that question, it is more of a general thinking out loud question. ;))


No clue...
 