HOW-TO FIX - Vbulletin redirecting to filestore72.info, url123.info, etc - Redirect Google
  1. #1 Joe Jerde (Owner | President)

    Re-posting this from another website for those in need of help....


    Hello everyone,


    Just for any forum runners out there, I've spent about a week sorting out this latest hack. Looks like I'm not alone and it is very widespread through vbulletin forums with or without VBSEO installed.
    This page will tell you how to fix the google/yahoo/SE traffic redirect hack affecting lots of people using Vbulletin and/or VBSEO.

    So here are all the things I did that have resolved it. Mostly I found these lying around the internet, but some cunning bits elsewhere too.

    This hack mostly redirects your google/yahoo/SE traffic to a malware page such as filestore72.info, url123.info.
    It sets a cookie so it will only do it on the first go; clearing your cookies will see it happen again. Fortunately it is not logging IPs or things would be harder.
    It seems they can get in fairly easily given the number of forums reporting issues, so these steps may be worth doing even if you are NOT affected.

    Some reported redirect urls are:
    myfilestore.com
    filestore72.info
    file2store.info
    url2short.info
    filestore123.info
    url123.info
    dollarade.com


    The hack looks to exploit various methods that obtain passwords for admins to login to the admincp where they then install their code in the data store mysql table.
    It is not a dodgy upload from the looks of it at all.

    Step 1:
    Rename your admincp and modcp folders to something random and secure of your choosing.
    Then in your includes/config.php change the following to read the correct locations:

    Code:
    $config['Misc']['admincpdir'] = 'youradmincpdir';
    $config['Misc']['modcpdir'] = 'yourmodcpdir';


    Step 2:

    Change all your admin passwords and delete any old admin accounts that are unused (or at least change them to normal users).

    Step 3:
    Add an .htaccess password to the admincp directory. This gives a great second defense if they find your new admincp.
    Put this in a .htaccess file in the admincp and modcp directory you have now moved.

    Code:
    AuthType Basic
    AuthName "restricted area"
    AuthUserFile /directory/blah/.htpasswd
    require valid-user


    Then create the password file to allow people to login at the location specified.

    This site comes up in google for password file generation : Dynamic Drive: .htaccess password generator
    And finally ensure that the password file has the right permissions for your webserver.

    Code:
    chown apache:apache /directory/blah/.htpasswd


    Step 3b:

    Make sure your footer template for vbulletin does not include a link to your admincp! Most forums have this so you need to remove it from the footer template.
    Find and delete these bits in the template.

    Code:
    <vb:if condition="$show['admincplink']"><li><a href="{vb:raw admincpdir}/index.php{vb:raw session.sessionurl_q}">{vb:rawphrase admin}</a></li></vb:if>
    <vb:if condition="$show['modcplink']"><li><a href="{vb:raw modcpdir}/index.php{vb:raw session.sessionurl_q}">{vb:rawphrase mod}</a></li></vb:if>

    Step 4:
    Make sure that 'Register Globals' is off on your server.

    Go to your AdminCp and then scroll down to Maintenance, then click on View PHP Info and look for 'Register Globals'; if it says Off then you are safe.
    If it says 'On' then you need to disable it. Ask your host to do this for you, or if you are in charge of your servers edit the /etc/php.ini file (this may be somewhere else of course).
    Add or change this line in the file:

    Code:
    register_globals = 0


    And then reload your webserver.


    Step 5:
    If you have vbseo installed add this to the top of vbseo.php in your forum root directory.

    Code:
    // strpos() returns 0 when the match is at the very start of the string, which is
    // false-y, so the result must be compared with !== false or that case is missed.
    if (strpos($_SERVER["QUERY_STRING"], '%00') !== false)
        die;


    Step 6:

    Also with VBSEO make sure that your config file is not writable! You should only make it writable when you need to edit it.
    The file is located in vbseo/resources/xml/config.xml

    Code:
    chmod 444 vbseo/resources/xml/config.xml


    Step 7:
    Check all your folder permissions are correct! You should only have write permissions enabled for the following folders;

    Code:
    attachments/
    customavatars/
    customgroupicons/
    customprofilepics/
    signaturepics/


    I set all the other folders to chmod 544.


    Step 8:
    It was advised to put a .htaccess file with the following contents:

    Code:
    <Files ~ "\.(php\d*|cgi|pl|phtml)$">
    order allow,deny
    deny from all
    </Files>

    In all your upload folders (see Step 7 above). You may have other upload folders on your site of course.
    While to me this seems like a minor step it is probably worth doing given the number of people who have advised doing it.

    Step 9:
    In your vbulletin admincp, go to options --> Server Settings and Optimization Options.
    Find the "Use Remote YUI" option and set this to Google. Do not use None or Yahoo.

    Step 10:
    Update and change all your mysql passwords for your websites.
    You will need to update your includes/config.php file with the new password.

    Step 11:
    Ensure that you have no remote access errors in your mysql users.
    You do not want people outside of your server / or network to be able to connect to your mysql server directly to install code.
    Make sure all users are tied to localhost, or a specific ip/network being able to access them.

    If you use phpmyadmin, login to that and then click on Privileges.
    Look down the "HOST" column for any users where the host is "%" or any users that you do not recognise!
    These all need to be changed or removed.

    Step 12:
    VBSEO users.
    Change this file /forums/vbseo/functions_vbseo_hook.php

    Edit...

    Code:
    vbseo_ping_proc($vbseo_ref, $_GET['vbseourl'] ?  
    $vbulletin->options['bburl'].'/'.$_GET['vbseourl']


    To...


    Code:
    vbseo_ping_proc($vbseo_ref, $_GET['vbseourl'] ?  
    $vbulletin->options['bburl'].'/'.preg_replace('#[\x00-\x1F]#', '', $_GET['vbseourl']) :


    The above is mostly to prevent future attacks and also a bit of cleaning up;

    As it stands your site WILL still be redirecting from the current attack.

    Step 13:
    To inject their redirect js they use the misc.php file in your forum root folder.
    They call with the query string g=js.

    So to prevent the redirect in its current form add this to the top of your misc.php file.

    Code:
    // isset() avoids an undefined-index notice on every request that has no g= parameter
    if (isset($_GET['g']) && $_GET['g'] === 'js') die;


    Step 14:

    Now to clear out the current infection you need to refresh the data store database.
    Login to your admincp and go to plugins -> Manage plugins.

    Disable ANY plugin, and then Re-enable that plugin.
    This will reset your data store and remove the existing problems.

    Finally...

    Step 15:

    Check for any dodgy files on your forum that may have backdoors in them.
    From what I can see these files should have Base64 code in them:

    Code:
    forum/cron.php
    forum/asset.php
    forum/picture.php
    forum/blog_attachment.php
    forum/attachment.php
    forum/includes/adminfunctions_template.php
    forum/includes/adminfunctions_plugin.php
    forum/includes/class_xmlrpc.php
    forum/includes/functions.php
    forum/includes/class_mail.php
    forum/includes/facebook/base_facebook.php
    forum/vb/verticalresponse.php
    forum/forumrunner/push.php
    forum/forumrunner/support/Snoopy.class.php
    forum/admincp/navigation.php

    It is worth checking for any files that contain base64 and one of the following (system / curl / exec / eval).

    I made this perl script that is quite handy to run in a cronjob, perhaps every 12 hours, that will email you about any NEW files found with base64 code in them:

    Place this file in a tools directory somewhere such as /home/tools/ and name it anything you like such as scan_website1.pl
    Configure its variables to your own of course at the top of the file they are all fairly easy to understand what they do.
    Tell it where your website directory is, where to store its cache and your smtp email details and it is as easy as that!

    Troubleshooting:
    (Q) It keeps emailing me every time the same list even though there are no new files.
    (A) The location you chose in the variables for your cache file does not have the correct permissions for your cron user to write files to it.

    Add a cron entry to run the script using something like this:

    Code:
    0 11,23 * * * perl /home/tools/scan_website1.pl


    The file:


    Code:
    #!/usr/bin/perl

    ### Free to enjoy from www.webhostchat.co.uk (http://www.webhostchat.co.uk/business-technical-advice/29421-vbulletin-redirecting-filestore72-info-url123-info-etc-filestore-redirect-hack.html)
    ### This script will check for any changes in the files that have BASE64 code in them and send an email alert.
    ### This is quite handy for knowing if you just got hacked!
    ### This file requires File::Find::Rule and MIME::Lite perl modules, they are available on YUM.

    use File::Find::Rule;
    use MIME::Lite;

    ### Which website to scan for dodgyness and where to store a scan cache (important)
    $web_directory = "/home/webhostchat.co.uk/public_html/";
    $cache_file = "/home/whc_scan.cache";

    ### To send email you can setup SMTP
    $from_email = "from\@email";
    $admin_email = "to\@email";
    $subject = "Your site webhostchat.co.uk has detected ~~filecount~~ base64 files";
    $email_host = "localhost";
    $email_user = "";
    $email_pass = "";

    ### The stuff
    chdir("$web_directory");
    my $base_dir = shift // '.';
    my $find_rule = File::Find::Rule->new;
    $find_rule->maxdepth(10);
    $find_rule->name('*.php', '*.cgi', '*.attach');
    my @sub_dirs = $find_rule->in($base_dir);
    $fc = 0;
    $filelist = '';
    $email = "no";

    ### Read the files flagged on the previous run (one line, entries separated by "~~~")
    open(t, "<$cache_file");
    $cd = <t>;
    close(t);
    @exist = split(/~~~/, $cd);

    foreach $b (@sub_dirs) {
        open(t, "<$b");
        @t = <t>;
        close(t);
        $m1 = ''; $m2 = '';    # reset both flags for every file
        foreach $c (@t) {
            if ($c =~ /base64/gi) { $m1 = "y"; }
            if ($c =~ /system/gi) { $m2 = "y"; }
            if ($c =~ /curl/gi)   { $m2 = "y"; }
            if ($c =~ /exec/gi)   { $m2 = "y"; }
            if ($c =~ /eval/gi)   { $m2 = "y"; }
        }
        ### A file counts when it contains base64 AND one of system/curl/exec/eval
        if ($m1 eq "y" && $m2 eq "y") {
            # paths are strings, so compare with eq (== would compare them as numbers)
            unless (grep { $_ eq $b } @exist) { $newf[$fc] = "$b"; $fc++; $email = "yes"; }
            $filelist = "$filelist$b~~~";
        }
    }
    chop($filelist); chop($filelist); chop($filelist);   # drop the trailing "~~~"
    open(t, ">$cache_file"); print t $filelist; close(t);
    print "Found $fc new files...\n";
    $emsg = "Dear Administrator\n\nThere is a new file(s) detected on your website that contains base64 code. You should check this file urgently and if it is an exploit file start to work out how it was placed there!\nHere is a list of the NEW files:\n\n";
    foreach $b (@newf) {
        print "$web_directory$b\n";
        $emsg = "$emsg $web_directory$b\n";
    }
    $subject =~ s/~~filecount~~/$fc/gi;
    $emsg = "$emsg \n\n All the best\n Your server!";
    if ($email eq "yes") {
        my $msg = MIME::Lite->new(
            Subject => $subject,
            From    => $from_email,
            To      => $admin_email,
            Type    => 'text/plain',
            Data    => $emsg
        );
        $msg->send('smtp', "$email_host");
    }

    And that covers it all! So far no redirects and we've not been re-infected either.
    Last edited by Joe Jerde; 12-24-2013 at 10:46 PM.
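As an added example (not the post's own Perl script), here is the same base64-plus-system/curl/exec/eval check from Step 15 in Python, with one change a defender would want: the cache stores a content hash per file, so a file that is modified later is reported too, not only a new path. The directory, file names and contents in demo() are constructed.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Same criteria as the post's Perl script: "base64" plus one of system/curl/exec/eval.
BASE64_RE = re.compile(rb"base64", re.IGNORECASE)
DANGER_RE = re.compile(rb"system|curl|exec|eval", re.IGNORECASE)
EXTENSIONS = {".php", ".cgi", ".attach"}


def is_suspicious(data: bytes) -> bool:
    return bool(BASE64_RE.search(data) and DANGER_RE.search(data))


def scan_tree(web_directory: str) -> dict:
    found = {}  # relative path -> sha256 of the file's content
    for path in Path(web_directory).rglob("*"):
        if path.is_file() and path.suffix in EXTENSIONS:
            data = path.read_bytes()
            if is_suspicious(data):
                rel = path.relative_to(web_directory).as_posix()
                found[rel] = hashlib.sha256(data).hexdigest()
    return found


def report_changes(web_directory: str, cache_file: str) -> list:
    # Returns suspicious files that are new or modified since the last run, then
    # rewrites the cache. Hashing content (the Perl script caches paths only)
    # also flags a known file that was edited later to add a backdoor.
    cache = Path(cache_file)
    previous = json.loads(cache.read_text()) if cache.exists() else {}
    current = scan_tree(web_directory)
    cache.write_text(json.dumps(current))
    return sorted(p for p, h in current.items() if previous.get(p) != h)


def demo() -> tuple:
    # Constructed sample tree (hypothetical files, not a real forum install).
    tmp = Path(tempfile.mkdtemp())
    (tmp / "attachments").mkdir()
    (tmp / "index.php").write_text("<?php echo base64_encode('hi');")  # base64 alone
    (tmp / "attachments" / "x.php").write_text("<?php eval(base64_decode('ZWNobyAxOw=='));")
    cache = str(tmp / "scan.cache")
    first = report_changes(str(tmp), cache)   # reports attachments/x.php
    second = report_changes(str(tmp), cache)  # unchanged tree, reports nothing
    (tmp / "index.php").write_text("<?php system(base64_decode('bHM='));")  # modified
    third = report_changes(str(tmp), cache)   # now reports index.php
    return first, second, third
```

Run it from cron the same way as the Perl script and mail the returned list; an empty list on consecutive runs means nothing new or changed was found.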


