Web Host Chat - The UK's host forum since 2001!

Thread: FIX - Vbulletin redirecting to filestore72.info / url123.info etc - Redirect Google

  1. #1 administrator

    FIX - Vbulletin redirecting to filestore72.info / url123.info etc - Redirect Google

    Hullo everyone,

    Just for any forum runners out there, I've spent about a week sorting out this latest hack. Looks like I'm not alone and it is very widespread through vbulletin forums with or without VBSEO installed.
    This page will tell you how to fix the google/yahoo/SE traffic redirect hack affecting lots of people using Vbulletin and/or VBSEO.

    So here are all the things I did that have resolved it mostly I found these lying around the internet but some cunning bits elsewhere too.

    This hack mostly redirects your google/yahoo/SE traffic to a malware page such as filestore72.info, url123.info.
    It sets a cookie so it will only do it on the first go, clearing your cookies will see it happen again. Fortunately it is not logging IPs or things would be harder.
    It seems they can get in fairly easily given the number of forums reporting issues so these steps may be worth doing even if you are NOT affected.

    Some reported redirect urls are;

    The hack looks to exploit various methods that obtain passwords for admins to login to the admincp where they then install their code in the data store mysql table.
    It is not a dodgy upload from the looks of it at all.

    Step 1:
    Rename your admincp and modcp folders to something random and secure of your choosing.
    Then in your includes/config.php change the following to read the correct locations;
    $config['Misc']['admincpdir'] = 'youradmincpdir';
    $config['Misc']['modcpdir'] = 'yourmodcpdir';
    Step 2:
    Change all your admin passwords and delete any old admin accounts that are unused (or at least change them to normal users).

    Step 3:
    Add a htaccess password to the admincp directory. This gives a great second defense if they find your new admincp.
    Put this in a .htaccess file in the admincp and modcp directory you have now moved.
    AuthType Basic
    AuthName "restricted area"
    AuthUserFile /directory/blah/.htpasswd
    require valid-user
    Then create the password file to allow people to login at the location specified.
    This site comes up in google for password file generation : Dynamic Drive: .htaccess password generator
    And finally ensure that the password file has the right permissions for your webserver.
     chown apache:apache /directory/blah/.htpasswd
    Step 3b:
    Make sure your footer template for vbulletin does not include a link to your admincp! Most forums have this so you need to remove it from the footer template.
    Find and delete these bits in the template.
    PHP Code:
      <vb:if condition="$show['admincplink']"><li><a href="{vb:raw admincpdir}/index.php{vb:raw session.sessionurl_q}">{vb:rawphrase admin}</a></li></vb:if>
      <vb:if condition="$show['modcplink']"><li><a href="{vb:raw modcpdir}/index.php{vb:raw session.sessionurl_q}">{vb:rawphrase mod}</a></li></vb:if>
    Step 4:
    Make sure that 'Register Globals' is off on your server.

    Go to your AdminCp and then scroll down to Maintenance, then click on View PHP Info then look for 'Register Globals' if it says off then you are safe.
    If it says 'on' then you need to disable it, ask your host to do this for you or if you are in charge of your servers edit the /etc/php.ini file (this may be somewhere else of course).
    Add or change this line in the file;
    register_globals = 0
    And then reload your webserver.

    Step 5:
    If you have vbseo installed add this to the top of vbseo.php in your forum root directory.
    // stop the request when the query string carries an encoded null byte;
    // compare with !== false so a match at offset 0 is not treated as "not found"
    if (strpos($_SERVER["QUERY_STRING"], '%00') !== false) die;
    Step 6:
    Also with VBSEO make sure that your config file is not writable! You should only make it writable when you need to edit it.
    The file is located in vbseo/resources/xml/config.xml
     chmod 444 vbseo/resources/xml/config.xml
    Step 7:
    Check all your folder permissions are correct! You should only have write permissions enabled for the following folders;
    I set all the other folders to chmod 544.

    Step 8:
    It was advised to put a .htaccess file with the following contents;
    PHP Code:
    # FilesMatch is the directive that takes a regular expression; plain <Files> does not
    <FilesMatch "\.(php\d*|cgi|pl|phtml)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    In all your upload folders (see Step 7 above). You may have other upload folders on your site of course.
    While to me this seems like a minor step it is probably worth doing given the number of people who have advised doing it.

    Step 9:
    In your vbulletin admincp, go to options --> Server Settings and Optimization Options.
    Find the "Use Remote YUI" , and set this to Google. Do not use none or Yahoo.

    Step 10:
    Update and change all your mysql passwords for your websites.
    You will need to update your includes/config.php file with the new password.

    Step 11:
    Ensure that you have no remote access errors in your mysql users.
    You do not want people outside of your server / or network to be able to connect to your mysql server directly to install code.
    Make sure all users are tied to localhost, or a specific ip/network being able to access them.

    If you use phpmyadmin, login to that and then click on Privileges.
    Look down the "HOST" column for any users where the host is "%" or any users that you do not recognise!
    These all need to be changed or removed.

    Step 12:
    VBSEO users.
    Change this file /forums/vbseo/functions_vbseo_hook.php

    Replace this line:
    vbseo_ping_proc($vbseo_ref, $_GET['vbseourl'] ?

    with this:
    vbseo_ping_proc($vbseo_ref, $_GET['vbseourl'] ?
    $vbulletin->options['bburl'].'/'.preg_replace('#[\x00-\x1F]#', '', $_GET['vbseourl']) :

    The above is mostly to prevent future attacks and also a bit of cleaning up;

    As it stands your site WILL still be redirecting from the current attack.

    Step 13
    To inject their redirect js they use the misc.php file in your forum root folder.
    They call with the query string g=js.

    So to prevent the redirect in its current form add this to the top of your misc.php file.
    // isset() avoids an undefined-index notice on every request that has no g parameter
    if (isset($_GET['g']) && $_GET['g'] == 'js') die;
    Step 14
    Now to clear out the current infection you need to refresh the data store database.
    Login to your admincp and go to plugins -> Manage plugins.

    Disable ANY plugin, and then Re-enable that plugin.
    This will reset your data store and remove the existing problems.


    Step 15

    Check for any dodgy files on your forum that may have backdoors in them.
    From what I can see these files should have Base64 code in them;
    It is worth checking for any files that contain base64 and one of the following (system / curl / exec / eval).

    I made this perl script that is quite handy to run in a cronjob perhaps every 12 hours that will email you of any NEW files found with base64 code in them;

    Place this file in a tools directory somewhere such as /home/tools/ and name it anything you like such as scan_website1.pl
    Configure its variables to your own of course at the top of the file they are all fairly easy to understand what they do.
    Tell it where your website directory is, where to store its cache and your smtp email details and it is as easy as that!

    (Q) It keeps emailing me every time the same list even though there are no new files.
    (A) The location you chose in the variables for your cache file does not have the correct permissions for your cron user to write files to it.

    Add a cron entry to run the script using something like this;
    0 11,23 * * * perl /home/tools/scan_website1.pl
    The file:
    ### Free to enjoy from www.webhostchat.co.uk (http://www.webhostchat.co.uk/business-technical-advice/29421-vbulletin-redirecting-filestore72-info-url123-info-etc-filestore-redirect-hack.html)
    ### This script will check for any changes in the files that have BASE64 code in them and send an email alert.
    ### This is quite handy for knowing if you just got hacked!
    ### This file requires File::Find::Rule and MIME::Lite perl modules, they are available on YUM.
    use strict;
    use warnings;
    use File::Find::Rule;
    use MIME::Lite;
    ### Which website to scan for dodgyness and where to store a scan cache (important)
    my $web_directory = "/home/webhostchat.co.uk/public_html/";
    my $cache_file = "/home/whc_scan.cache";
    ### To send email you can setup SMTP
    my $from_email = "from\@email";
    my $admin_email = "to\@email";
    my $subject = "Your site webhostchat.co.uk has detected ~~filecount~~ base64 files";
    my $email_host = "localhost";
    my $email_user = "";
    my $email_pass = "";
    ### The stuff
    # Scan the configured web directory (or one given on the command line), regular files only
    my $base_dir = shift // $web_directory;
    my @files = File::Find::Rule->file()->in($base_dir);
    # Load the files flagged on previous runs (stored in the cache separated by ~~~)
    my @exist;
    if (open(my $cache, '<', $cache_file)) {
        local $/;                       # slurp the whole cache file
        my $cd = <$cache> // '';
        close($cache);
        @exist = split(/~~~/, $cd);
    }
    my %known = map { $_ => 1 } @exist;
    my @newf;
    my $filelist = "";
    foreach my $b (@files) {
        # Reset the match flags for every file, otherwise one hit would flag all later files
        my ($m1, $m2) = ("", "");
        open(my $fh, '<', $b) or next;
        while (my $c = <$fh>) {
            $m1 = "y" if $c =~ /base64/i;
            $m2 = "y" if $c =~ /system|curl|exec|eval/i;
            last if $m1 eq "y" && $m2 eq "y";
        }
        close($fh);
        next unless $m1 eq "y" && $m2 eq "y";
        # Flagged file: remember it for the cache, report it if it was not seen before
        $filelist .= "$b~~~";
        push @newf, $b unless $known{$b};
    }
    # Rewrite the cache with everything flagged on this run (die loudly if the cron
    # user cannot write here, see the Q/A above)
    open(my $out, '>', $cache_file) or die "Cannot write cache file $cache_file: $!";
    print $out $filelist;
    close($out);
    my $fc = scalar @newf;
    print "Found $fc new files...\n";
    exit 0 unless $fc;
    my $emsg = "Dear Administrator\n\nThere is a new file(s) detected on your website that contains base64 code. You should check this file urgently and if it is an exploit file start to work out how it was placed there!\nHere is a list of the NEW files:\n\n";
    foreach my $b (@newf) {
        print "$b\n";
        $emsg .= " $b\n";
    }
    $subject =~ s/~~filecount~~/$fc/gi;
    $emsg .= " \n\n All the best\n Your server!";
    my $msg = MIME::Lite->new(
        Subject => $subject,
        From    => $from_email,
        To      => $admin_email,
        Type    => 'text/plain',
        Data    => $emsg,
    );
    # Only hand over SMTP credentials when a user has been configured
    if ($email_user ne "") {
        $msg->send('smtp', $email_host, AuthUser => $email_user, AuthPass => $email_pass);
    } else {
        $msg->send('smtp', $email_host);
    }

    And that covers it all! So far no redirects and we've not been re-infected either.
    Last edited by administrator; 24th April 2013 at 11:47 AM.
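The shell script below is an added example and is not code from the post above, from vBulletin or from vBSEO. It turns several of the steps in the post (6, 7, 8, 11 and 13) into checks that can be run against a forum tree, a MySQL user listing, or an access log. The forum path taken as the first argument, the ls/find/awk based checks, and the sample MySQL user list and access-log lines are all assumptions constructed here; the sample data is made up and contains no real accounts or traffic.

```shell
#!/bin/sh
# vb_harden_check.sh: audit checks for the hardening steps in the post above.
# Example code added to this page; not from the post, vBulletin or vBSEO.
# Assumed: a forum tree is passed as $1; user lists and logs arrive on stdin.

# Step 8: does the upload directory's .htaccess deny script execution?
upload_dir_protected() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -qi 'FilesMatch' "$f" && grep -qi 'deny from all' "$f"
}

# Step 6: is FILE free of every write bit (what chmod 444 leaves behind)?
file_is_readonly() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Step 7: print directories under ROOT writable by group or others
# (octal -perm tests keep this portable); return 1 if any were found.
world_writable_dirs() {
    found=$(find "$1" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Step 11: read "user host" lines on stdin, as printed by
#   mysql -e "SELECT user, host FROM mysql.user"
# (header line first), print accounts not pinned to localhost and
# return 1 if any were found.
remote_mysql_users() {
    awk 'NR > 1 && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
             print $1 "@" $2; bad = 1
         }
         END { exit (bad ? 1 : 0) }'
}

# Step 13: count requests for the injected script in an Apache access log on stdin.
js_redirect_hits() {
    grep -c 'GET /misc.php?g=js' || true
}

# Constructed sample data (not real accounts or real traffic) for trying the filters.
SAMPLE_MYSQL_USERS='user host
root localhost
vbuser localhost
backup %
olduser 203.0.113.9'

SAMPLE_LOG='203.0.113.5 - - [24/Apr/2013:11:47:01 +0100] "GET /misc.php?g=js HTTP/1.1" 200 812 "http://www.google.com/search?q=forum" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2013:11:47:02 +0100] "GET /forum.php HTTP/1.1" 200 40312 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2013:11:48:10 +0100] "GET /misc.php?g=js HTTP/1.1" 200 812 "http://uk.search.yahoo.com/search?p=forum" "Mozilla/5.0"'

# Usage: sh vb_harden_check.sh /path/to/forum
# With no argument the stdin filters run over the constructed samples instead.
if [ $# -gt 0 ]; then
    root="$1"
    status=0
    cfg="$root/vbseo/resources/xml/config.xml"
    if [ -f "$cfg" ] && ! file_is_readonly "$cfg"; then
        echo "WRITABLE: $cfg (Step 6)"; status=1
    fi
    # Every writable directory is a place uploads can land, so each one
    # should carry the Step 8 deny rule (paths with spaces are not handled).
    for d in $(world_writable_dirs "$root"); do
        upload_dir_protected "$d" || { echo "NO SCRIPT DENY: $d (Step 7/8)"; status=1; }
    done
    exit $status
else
    echo "Sample MySQL accounts reachable from remote hosts (Step 11):"
    printf '%s\n' "$SAMPLE_MYSQL_USERS" | remote_mysql_users || true
    echo "Sample misc.php?g=js requests (Step 13): $(printf '%s\n' "$SAMPLE_LOG" | js_redirect_hits)"
fi
```

On a live server the Step 11 filter is fed from `mysql -e "SELECT user, host FROM mysql.user"` and the Step 13 counter from the Apache access log; a non-zero count for misc.php?g=js after the clean-up in Step 14 is a quick sign that the redirect is still being served.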

  2. #2 Registered User
    Great information. I always do the second level of authentication and if you're using a CMS always update to the latest version and make sure all your plugins are good enough.

  3. #3 Registered User
    Well I think it's got me beat. So many of our members do a search to get to the website and they are being redirected to that darn Filestore website.

    I do not run VBSEO, but am running the DragonByte alternative. Had the admin from DragonByte take a look, but he couldn't find out what the issue was.

    I have run through all the steps above yesterday morning, and by that night I tested it and the darn thing was back. Soo annoying. I have control of the dedicated server, well I don't feel I'm in control at the moment, what can I do next? Can anyone help?
    Last edited by TransAmDan; 15th February 2017 at 10:54 AM.

