Fli
02-20-2015, 05:57 PM
Symptoms of the filestore vbulletin hack:
When a forum based on the vBulletin script is accessed normally from any other website or directly, there is no issue.
But when the vBulletin forum is accessed for the first time from a Google search results page, I am redirected to some site like AdultFriendFinder, myfilestore.com, filestore72.info or similar. Simply put, the forum is infected, hacked somehow... I did not find any recently modified files, but I found tutorials on how to remove the redirect and prevent it in future.
What worked to remove the so-called "filestore vbulletin hack"?
How I solved this: password protect (http://internetlifeforum.com/php-mysql-forum/3125-how-password-protect-some-directory-apache-server-using-htaccess-htpasswd/) your admincp directory (it is the vBulletin script directory of the forum administrator); the password must be different from any used previously for vBulletin.
Then go to vBulletin AdminCP, Plugins & Products, Manage Products
and disable some plugin (I disabled VBSEO) and enable it again. That should reset the MySQL-based so-called vBulletin datastore.
Then the forum should no longer be redirecting Google visitors. One can verify by accessing the forum from a Google search results page (search your domain name in Google) and clicking a link to some topic, not the main page, as the main page may not be redirected; just verify it all goes through. You MUST use the private/anonymous mode of your browser, as the hack might be using cookies. Chrome has an incognito window and Firefox too. To clear the "cache", close the private window and open it again. I would make sure no JavaScript-blocking plugins are enabled in the browser.
Page still redirected under a no-cookies/no-cache private browsing window? Try adding the following to the file misc.php on a new line after the line "<?php":
// anti-redirect hack
if (!empty($_GET['g']) && $_GET['g'] == 'js') { die; }
Now that you have protected admincp, the hack should not happen again, but schedule a reminder for about 1 month later to verify the forum is not redirected when accessed from Google.
Hope that helped
------------------
The rest of this page is things I tried to avoid the hack, but they did not help.
1)
edit the vbseo.php file in the forum root directory and add the following code after the first line (after <?php)
// drop any request whose raw query string carries an encoded null byte
if (strpos($_SERVER["QUERY_STRING"], '%00') !== false) die;
2)
disable write permission on the vbseo configuration file:
chmod 544 vbseo/resources/xml/config.xml
3)
edit vbseo/functions_vbseo_hook.php
find in that file:
$vbulletin->options['bburl'].'/'.$_GET['vbseourl']
replace by:
$vbulletin->options['bburl'].'/'.preg_replace('#[\x00-\x1F]#', '', $_GET['vbseourl'])
(the above strips control characters from the parameter and should prevent future attacks)
4)
edit the misc.php file and add the following line of code as the second line of misc.php:
if($_GET['g']=='js') die;
Then schedule a recurring event so that after, let's say, a few weeks you check Google for your domain again and see whether the malicious redirect is back. Bookmark this topic, and if it is there, one idea is to check recently modified files. Example Linux commands:
cd /home/myusername/www
find . -type f -path /home/virtfs -prune -o -name "*.*" -newermt 2015-01-20 ! -newermt 2015-02-20
(it will find files modified from January 20 to February 20)
In my case the site was re-infected again, but no modified files were found; that can mean it is a MySQL-based infection, not file-based.
The next thing to try is to list the access log for your domain; in my case the Linux command was: cat /usr/local/apache/domlogs/mydomain.tld | grep POST | grep -v register | grep -v mobiq | grep -v login | grep -v misc.php
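The grep chain above throws away the routine POSTs and leaves everything else for a human to read. The script below is an added example (not from this post or from vBulletin) that does the same triage over constructed Apache log lines and says why each request was kept: a POST to something other than the routine scripts, an encoded null byte in the query string (the vbseo.php trick the filters above guard against), or the misc.php?g=js URL the redirect itself uses. The log format regex, the list of routine scripts and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Regex for the Apache "common"/"combined" log prefix; written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# POST targets treated as routine forum traffic (the scripts the grep -v chain excludes).
ROUTINE_POST = ("register", "login", "misc.php", "mobiq")

# Constructed sample access log (documentation IP ranges), not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2015:10:01:02 +0000] "POST /login.php?do=login HTTP/1.1" 302 0
203.0.113.5 - - [20/Feb/2015:10:01:09 +0000] "GET /forumdisplay.php?f=3 HTTP/1.1" 200 5120
198.51.100.7 - - [20/Feb/2015:10:02:44 +0000] "POST /vbseo.php?vbseourl=forum%00x HTTP/1.1" 200 87
198.51.100.7 - - [20/Feb/2015:10:02:50 +0000] "GET /misc.php?g=js HTTP/1.1" 200 412
192.0.2.9 - - [20/Feb/2015:10:03:00 +0000] "POST /mobiquo/mobiquo.php HTTP/1.1" 200 300
192.0.2.9 - - [20/Feb/2015:10:03:05 +0000] "POST /register.php?do=addmember HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(rec):
    """List why a parsed request deserves a look; an empty list means it looks routine."""
    parts = urlsplit(rec["target"])
    reasons = []
    if rec["method"] == "POST" and not any(s in parts.path for s in ROUTINE_POST):
        reasons.append("unusual POST target")
    if "%00" in parts.query.lower():          # checked on the raw, still-encoded query
        reasons.append("null byte in query")
    if parse_qs(parts.query).get("g") == ["js"]:
        reasons.append("g=js redirect trigger")
    return reasons


def triage(log_text):
    """Return the suspicious requests from an access log, oldest first."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        why = reasons_for(rec)
        if why:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "target": rec["target"], "reasons": why})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["target"], "->", ", ".join(f["reasons"]))
```

Run it against a real domlog with `triage(open(path).read())`; the hits from the same client address a few seconds apart are the ones worth correlating with the datastore contents.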
Another thing to try: password protect (http://internetlifeforum.com/php-mysql-forum/3125-how-password-protect-some-directory-apache-server-using-htaccess-htpasswd/) your admincp directory; the password must be different from any used previously for vBulletin.
Another thing to try: install a vBulletin plugin that rebuilds the datastore once a base64 string is found in the datastore. http://www.vbulletin.org/forum/showthread.php?t=265866
$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64%'");
But on my infected site, when I exported the datastore MySQL table, the only base64 I found was the Tapatalk plugin one:
<a href="http://tapatalk.com/tapatalk_image.php?img=\\''.urlencode(base64_encode($matches[2].\\''/original\\''.$matches[3])).\\''" target="_blank" class="externalLink">
Regarding the "http" phrase, I did not find anything strange.
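The plugin's `LIKE '%base64%'` query matches the literal word, which is why the harmless Tapatalk template shows up while a blob that merely contains encoded code would not. The script below is an added example (not from this post, the vbulletin.org plugin or Tapatalk) that scans constructed datastore rows both ways: the naive literal match, and decoding every long base64 run and looking inside it for redirect/eval markers. The row titles, the injected payload, the marker list and the minimum run length are assumptions made for this example.

```python
import base64
import binascii
import re

# A run of base64 alphabet long enough to hide code; threshold chosen for this example.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Strings that, inside a decoded blob, point at injected redirect or eval code.
MARKERS = ("eval(", "header(", "location", "<script", "base64_decode")

# Constructed payload of the kind the redirect hack hides in the datastore.
_INJECTED = base64.b64encode(b"header('Location: http://redirect.invalid/');").decode()

# Constructed datastore rows (title, data); none are real forum data.
SAMPLE_ROWS = [
    ("options", 'a:1:{s:5:"bburl";s:28:"http://forum.example.invalid";}'),
    ("pluginlist", 'eval(base64_decode("' + _INJECTED + '"));'),
    ("tapatalk_tpl", '<a href="http://tapatalk.com/tapatalk_image.php?img=\'.urlencode('
                     'base64_encode($m[2])).\'" target="_blank">'),
    # a legitimate long blob (PNG header plus padding) that contains no code at all
    ("smilie_cache", base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode()),
]


def naive_like_base64(rows):
    """Titles the plugin's `data LIKE '%base64%'` query would return (literal substring)."""
    return [title for title, data in rows if "base64" in data]


def decoded_blobs(data):
    """Yield (blob, decoded text) for every long base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(data):
        blob = m.group(0)
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        yield blob, raw.decode("latin-1")


def scan_datastore(rows):
    """Findings for rows whose decoded base64 content contains a code/redirect marker."""
    findings = []
    for title, data in rows:
        for blob, text in decoded_blobs(data):
            hits = [k for k in MARKERS if k in text.lower()]
            if hits:
                findings.append({"title": title, "markers": hits, "decoded": text[:80]})
    return findings


if __name__ == "__main__":
    print("literal 'base64' match:", naive_like_base64(SAMPLE_ROWS))
    for f in scan_datastore(SAMPLE_ROWS):
        print(f["title"], f["markers"], repr(f["decoded"]))
```

On a real export, feed `scan_datastore` the (title, data) pairs from `SELECT title, data FROM datastore`; a hit in a row such as pluginlist is the thing the disable/enable-plugin step above rebuilds.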
My 4 vB forums' re-infection history and the steps I took to prevent it
First check (March 8, 2015)
--- ILF - password protected (http://internetlifeforum.com/php-mysql-forum/3125-how-password-protect-some-directory-apache-server-using-htaccess-htpasswd/) admincp directory and disabled VBSEO plugin, let's wait
--- GT - not re-infected
--- CBB - disabled vbseo plugin, renamed vbseo directory + changed the vbseo path in the file vbseo.php to reflect the new directory name ( "vbseo/" to "vbseo_myrandomphrasse/" )
--- ZF - not infected.
Second check (March 25, 2015)
--- ILF - no re-infect
--- GT - re-infected, not the main page but forumdisplay.php. So let's password protect (http://internetlifeforum.com/php-mysql-forum/3125-how-password-protect-some-directory-apache-server-using-htaccess-htpasswd/) admincp, and disable/enable some plugin from admincp, and see at the next check
--- CBB - got re-infected. So let's password protect (http://internetlifeforum.com/php-mysql-forum/3125-how-password-protect-some-directory-apache-server-using-htaccess-htpasswd/) admincp, and I enabled VBSEO in AdminCP + renamed the vbseo folder + edited vbseo.php to reflect the new name. Let's see at the next check
--- ZF - not infected.
Third check (April 10, 2015)
--- ILF - no re-infect
--- GT - no re-infect
--- CBB - no re-infect
--- ZF - no re-infect
Fourth check (May 8, 2015)
--- ILF - no re-infect
--- GT - no re-infect
--- CBB - no re-infect
--- ZF - no re-infect
X check (....)
--- none of the sites got re-infected again so far; if they do, I will update this
If re-infected after a few weeks/months... try renaming the admincp directory and password protecting it with a different password, then disable/enable some plugin to refresh the datastore (try grepping eval, base64 from the domain access logs as mentioned above) + wait some weeks and check periodically.
More reading:
http://club.myce.com/f20/vbulletin-myfilestore-hack-find-traces-remove-them-332219
http://www.blackberryos.com/off-topic-discussion/39854-how-fix-vbulletin-redirecting-filestore72-info-url123-info-etc-redirect-google.html - many ideas there
source of this tutorial here (http://www.webhostchat.co.uk/business-technical-advice/29421-fix-vbulletin-redirecting-filestore72-info-url123-info-etc-redirect-google.html)