vBulletin Redirect Exploit

djbaxter

Tazmanian Veteran
Joined
Jun 6, 2006
Messages
10,473
With the help of the security people at RealWebHost.net, we have now positively identified the method for injecting this exploit as well as specific vulnerabilities that permitted it on a 3.83, since updated to 3.87 PL2: As it turns out, it was a server configuration and security issue combined with some specific attributes of vBulletin installations which gave the intruder direct access to the MySQL database.

The key is first to check your settings in cPanel for Remote MySQL: Unless you are using a database on a remote server, i.e., NOT on localhost, this setting should say "There are no additional MySQL access hosts configured". If you have a specific database intentionally enabled, that too is okay. What should NEVER be there is the character % - this is a wildcard which allows ALL other servers to connect to the database. If you see the wildcard enabled, DELETE IT.

Then, make sure you change your passwords to strong passwords for both cPanel and MySQL to ensure that no one can change this setting back without your knowledge.

Then, pick any add-on, disable it, then re-enable it to clear the datastore.

Finally, download the file tool_reparse.php from http://www.vbulletin.org/forum/showthread.php?t=220967 and let it find discrepancies in your compiled templates and rebuild them.
 

goreking

Neophyte
Joined
Dec 16, 2006
Messages
2
I have found a exploited file called
class_rss.php

and found remote access permissions for 2 suspect IP's as I dont allow any

Think this has stopped my redirect drama

hope this my help
 

MySite

Aspirant
Joined
Aug 6, 2009
Messages
10
I have found a exploited file called
class_rss.php

and found remote access permissions for 2 suspect IP's as I dont allow any

Think this has stopped my redirect drama

hope this my help

Where did you find this file? /includes?
 

jerde

Participant
Joined
Mar 14, 2013
Messages
68
Hey fellas, this exploit is back on my site after getting rid of it for awhile. The last time we got rid of it was by updating PHP and setting global register to "disable."

However, the redirect exploit has once again infected my site. Any ideas why? Has anyone else gotten the redirect lately?
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,869
Hey fellas, this exploit is back on my site after getting rid of it for awhile. The last time we got rid of it was by updating PHP and setting global register to "disable."

However, the redirect exploit has once again infected my site. Any ideas why? Has anyone else gotten the redirect lately?
Some of the scripts on your site is causing this.
Could be a Vbulletin modification.
 

jerde

Participant
Joined
Mar 14, 2013
Messages
68
Some of the scripts on your site is causing this.
Could be a Vbulletin modification.

Thanks for the reply. I don't have a lot of mods. Could it be any of these?...

1. Social Networking in Postbit & Profile

2. Minimum number of posts to post links.

3. DownloadsII

4. vBSEO

That's all the products I have installed. I'm running vB 4.2.0.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,869
Thanks for the reply. I don't have a lot of mods. Could it be any of these?...

1. Social Networking in Postbit & Profile

2. Minimum number of posts to post links.

3. DownloadsII

4. vBSEO

That's all the products I have installed. I'm running vB 4.2.0.

Could be any of them.
I would check on the vb.org forum that which one has/had problems.
Check their versions.

First I would suspect an older insecure version of vBSEO.
 
Joined
May 4, 2006
Messages
362
Not seeing any issues or alerts on vb.org. :S
People have been posting them at vBulletin.COM to which vBulletin support has been promptly deleting those posts.

I got his with the myfilestore last week and still have no idea how they got in. And I am NOT running vbSEO.

It is a serious problem... do a good search of Myfilestore redirect an set the search time for the last week. You will see this is a very serious issue and is happening to a lot of vBulletin sites.
 

Paul M

Dr Pepper Addict
Joined
Jun 26, 2006
Messages
3,995
People have been posting them at vBulletin.COM to which vBulletin support has been promptly deleting those posts.
Aside from the fact Jerde said vb.org, not vb.com, on what do you base that accusation ? I can see all deleted threads & posts, and I dont see any. Granted, I havent searched every single thread, so perhaps you could link to a couple - and also, for what reason would they be deleted anyway ?
 

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,450
Google cache is your friend
Why would they have removed that from public view? (Mind you I know that you personally wouldn't know the answer to that question, it is more of a general thinking out loud question. ;))
 

Joeychgo

TAZ Administrator
Joined
Feb 28, 2004
Messages
6,980
Why would they have removed that from public view? (Mind you I know that you personally wouldn't know the answer to that question, it is more of a general thinking out loud question. ;))


No clue...
 
Top