It's not vBSEO because it affects forums that have never had vBSEO installed. Lately, it seems vBulletin blames vBSEO every time they can't figure out what's causing the issue. It's getting old.
Everything we have seen points to insecure folder and server security, not software.
Google redirecting to filestore123.info - vBulletin SEO Forums
No offense, but the support for this has been really sad here. I mean, instead of just pointing to a jumbled mess of a thread where people are trying to figure it out. How about a concise thread with all the fixings? I realize it is not vbseo's fault, but since it directly effects vbseo, and all the vbseo customers could potentially have this problem, having a concise thread would be nice.
Anyhow... Here's what I've gathered as I am also having this issue.
THE BUG...
The fact that people can upload custom avatars, custom signature pics, or custom images into the signature line. What is happening is that a PHP file, disguised as a .gif is uploaded and then run remotely. It throws base64 code into vbseo which forces a javascript redirect and cookie. The cookie means the redirect only happens once, but it is annoying, and is a drop in traffic. On a side note, more malicious code COULD be uploaded.
WHAT YOU MIGHT READ...
Many of the yahoos here want you to chmod 755 any writable directory. But what they fail to realize is that your signaturepics and customavatars directory must be 777 for people to upload. I read that far too often in that other thread.
WHAT YOU MUST DO...
STEP 1:
Is add an .htaccess file to every writable directory that someone can upload photos into.
Code:RedirectMatch 404 .*php\.
The other code for .htaccess I've read is this one
Code:[COLOR=#3e3e3e][FONT=Courier New]<Files ~ "\.(php\d*|cgi|pl|phtml)$">[/FONT][/COLOR] [COLOR=#3e3e3e][FONT=Courier New]order allow,deny[/FONT][/COLOR] [COLOR=#3e3e3e][FONT=Courier New]deny from all[/FONT][/COLOR] [COLOR=#3e3e3e][FONT=Courier New]</Files>[/FONT][/COLOR]
Not sure which one is more correct at this point, but both should work. Most folks have been going with the second one.
Thankfully .htaccess has a recursive effect, so if you put it in the offending directories, that should solve the issue.
The directories you need to add this file to is:
STEP 2:
- customavatars
- signaturepics
- customprofilepics
- attachments
Reupload the crawlability_vbseo.xml file as a product. This will clear out the cache and fix your site immediately... As long as nothing else has been compromised.
Step 3:
I would say disallow uploads to your server. At least break it up. Have a different usergroup for premium members, or however you break it out on your site, and allow them to upload files. But keep the uploads only to them, not to the new folks and spammers.
If you're allowing uploads to the new members, you're keeping yourself open to this type of attack.
Step 4:
Remove any evil .gif files off your server
To do this, ssh to your server and run this command:
Code:find /home/main -regex '.*\.gif$' -exec grep php {} \;
Change the /home/main to fit your main root directory. Delete the matches in those upload directories!! I usually check them first, but remove them.
Step 5:
Lastly, if you have been hacked, change your passwords. Just in case.
......................
So that's what I've gathered in a nutshell. Hopefully that will help someone out instead of just being pointed to a ton of threads, with half of them having misinformation
Options +FollowSymLinks
Options All -Indexes
<Files ~ "\.(php\d*|cgi|pl|phtml)$">
order allow,deny
deny from all
</Files>
Do I need to input any other code in the .htaccess file or will that code be all that is required in the htaccess file?Sorry. I posted that in a hurry and it didn't all copy over. I'll edit it in a moment.
This is the version I am using in all writable image folders:
Code:Options +FollowSymLinks Options All -Indexes <Files ~ "\.(php\d*|cgi|pl|phtml)$"> order allow,deny deny from all </Files>
Minstrel what's the go with directories with other sub-directories within them?
For instance
-attachments
--1
--2
--3
--5
--etc
If I put this htaccess file in the attachment directory does the contents of the htaccess file effect all the sub-directories of /attachement/?
Thanks!
So in other words, they're using file extensions rather than actual filetype checking for determining whether a filetype is legit or not?
Is this exploit one of those where when you land on a site, you are immediately redirected to a site that tells you your computer is infected with malware, download some product now?
Sorry. I posted that in a hurry and it didn't all copy over. I'll edit it in a moment.
This is the version I am using in all writable image folders:
Code:Options +FollowSymLinks Options All -Indexes <Files ~ "\.(php\d*|cgi|pl|phtml)$"> order allow,deny deny from all </Files>
Thanks for this!!
We updated the PL last night and I'm checking the site today.
I'll add this "just in case".. It wouldn't mess anything else up on the site I assume, right?
Thanks for this!!
We updated the PL last night and I'm checking the site today.
I'll add this "just in case".. It wouldn't mess anything else up on the site I assume, right?
No it won't.
It basically just stops any php, perl, cgi, or dl files from being executed/run from those folders.
As long as you do not put it in a folder with php, perl, cgi, or dl files (like the includes folder), you will be fine.
With that .htaccess file in each of the upload folders, even if someone managed to upload a php script, they would not be able to execute/run it.