Any timeframe on fixing MR redirect hack....?

Dread Specter

New member
Does anyone know when Dany is going to look into the filestore72.info hack on MR... I'm kind of weary knowing that this has been going on for a while and not been addressed, I mean, what other kind of bugs will I catch surfing on MR if it gets hacked and never attended...


For those who don't know what it is, when you search MR.com through google and click on the link, it redirects you to a page like that instead of MR :
(attached screenshot: 29531d1365103075-file-info-hack-vin.jpg)
 
I also regularly land on this page with my computer and my iPhone, and it's only on MR.
 
You have a virus.

It's not the website.

So I have a virus on Android, and on 3 different PCs? Seems highly unlikely.... it's a very well documented hack affecting Vbulletin:

FIX - Vbulletin redirecting to filestore72.info / url123.info etc - Redirect Google

Hullo everyone,

Just for any forum runners out there, I've spent about a week sorting out this latest hack. Looks like I'm not alone and it is very widespread through vbulletin forums, with or without VBSEO installed.
This page will tell you how to fix the google/yahoo/SE traffic redirect hack affecting lots of people using Vbulletin and/or VBSEO.

So here are all the things I did that have resolved it; mostly I found these lying around the internet, but some cunning bits elsewhere too.

This hack mostly redirects your google/yahoo/SE traffic to a malware page such as filestore72.info, url123.info.
It sets a cookie so it will only do it on the first go; clearing your cookies will see it happen again. Fortunately it is not logging IPs or things would be harder.
It seems they can get in fairly easily given the number of forums reporting issues, so these steps may be worth doing even if you are NOT affected.

Some reported redirect URLs are:
myfilestore.com
filestore72.info
file2store.info
url2short.info
filestore123.info
url123.info
dollarade.com


The hack looks to exploit various methods that obtain passwords for admins to log in to the admincp, where they then install their code in the datastore mysql table.
It is not a dodgy upload from the looks of it at all.

Step 1:
Rename your admincp and modcp folders to something random and secure of your choosing.
Then in your includes/config.php change the following to read the correct locations;
Code:

$config['Misc']['admincpdir'] = 'youradmincpdir';
$config['Misc']['modcpdir'] = 'yourmodcpdir';

Step 2:
Change all your admin passwords and delete any old admin accounts that are unused (or at least change them to normal users).

Step 3:
Add an .htaccess password to the admincp directory. This gives a great second defense if they find your new admincp.
Put this in a .htaccess file in the admincp and modcp directories you have now moved.
Code:

AuthType Basic
AuthName "restricted area"
AuthUserFile /directory/blah/.htpasswd
require valid-user

Then create the password file to allow people to log in at the location specified.
This site comes up in google for password file generation: Dynamic Drive: .htaccess password generator
And finally ensure that the password file has the right permissions for your webserver.
Code:

chown apache:apache /directory/blah/.htpasswd

Step 3b:
Make sure your footer template for vbulletin does not include a link to your admincp! Most forums have this so you need to remove it from the footer template.
Find and delete these bits in the template.
PHP Code:
<vb:if condition="$show['admincplink']"><li><a href="{vb:raw admincpdir}/index.php{vb:raw session.sessionurl_q}">{vb:rawphrase admin}</a></li></vb:if>
<vb:if condition="$show['modcplink']"><li><a href="{vb:raw modcpdir}/index.php{vb:raw session.sessionurl_q}">{vb:rawphrase mod}</a></li></vb:if>
Step 4 :
Make sure that 'Register Globals' is off on your server.

Go to your AdminCP, scroll down to Maintenance, then click on View PHP Info and look for 'Register Globals'; if it says off then you are safe.
If it says 'on' then you need to disable it: ask your host to do this for you, or if you are in charge of your servers edit the /etc/php.ini file (this may be somewhere else of course).
Add or change this line in the file:
Code:

register_globals = 0

And then reload your webserver.

Step 5 :
If you have vbseo installed add this to the top of vbseo.php in your forum root directory.
Code:

// strpos() returns 0 when the match is at the very start of the string, and 0 is
// falsy, so the comparison must be against false rather than a bare truth test
if (strpos($_SERVER["QUERY_STRING"], '%00') !== false)
    die;

Step 6 :
Also with VBSEO make sure that your config file is not writable! You should only make it writable when you need to edit it.
The file is located in vbseo/resources/xml/config.xml
Code:

chmod 444 vbseo/resources/xml/config.xml

Step 7 :
Check that all your folder permissions are correct! You should only have write permissions enabled for the following folders:
Code:

attachments/
customavatars/
customgroupicons/
customprofilepics/
signaturepics/

I set all the other folders to chmod 544.

Step 8 :
It was advised to put a .htaccess file with the following contents:
PHP Code:
<Files ~ "\.(php\d*|cgi|pl|phtml)$">
order allow,deny
deny from all
</Files>
in all your upload folders (see Step 7 above). You may have other upload folders on your site of course.
While to me this seems like a minor step, it is probably worth doing given the number of people who have advised doing it.

Step 9 :
In your vbulletin admincp, go to options --> Server Settings and Optimization Options.
Find "Use Remote YUI" and set this to Google. Do not use None or Yahoo.

Step 10 :
Update and change all your mysql passwords for your websites.
You will need to update your includes/config.php file with the new password.

Step 11:
Ensure that you have no remote access errors in your mysql users.
You do not want people outside of your server or network to be able to connect to your mysql server directly to install code.
Make sure all users are tied to localhost, or to a specific IP/network that is able to access them.

If you use phpmyadmin, login to that and then click on Privileges.
Look down the "Host" column for any users where the host is "%" or any users that you do not recognise!
These all need to be changed or removed.

Step 12:
VBSEO users.
Change this file /forums/vbseo/functions_vbseo_hook.php

Edit;
Code:

vbseo_ping_proc($vbseo_ref, $_GET['vbseourl'] ?
$vbulletin->options['bburl'].'/'.$_GET['vbseourl']

To

Code:

vbseo_ping_proc($vbseo_ref, $_GET['vbseourl'] ?
$vbulletin->options['bburl'].'/'.preg_replace('#[\x00-\x1F]#', '', $_GET['vbseourl']) :

The above is mostly to prevent future attacks, and also a bit of cleaning up.

As it stands your site WILL still be redirecting from the current attack.

Step 13
To inject their redirect JS they use the misc.php file in your forum root folder.
They call it with the query string g=js.

So to prevent the redirect in its current form add this to the top of your misc.php file.
Code:

// isset() avoids a PHP notice on requests that carry no g parameter at all
if (isset($_GET['g']) && $_GET['g'] == 'js') die;

Step 14
Now to clear out the current infection you need to refresh the datastore database.
Login to your admincp and go to plugins -> Manage plugins.

Disable ANY plugin, and then re-enable that plugin.
This will reset your datastore and remove the existing problems.

Finally;

Step 15

Check for any dodgy files on your forum that may have backdoors in them.
From what I can see these files should have Base64 code in them:
Code:

forum/cron.php
forum/asset.php
forum/picture.php
forum/blog_attachment.php
forum/attachment.php
forum/includes/adminfunctions_template.php
forum/includes/adminfunctions_plugin.php
forum/includes/class_xmlrpc.php
forum/includes/functions.php
forum/includes/class_mail.php
forum/includes/facebook/base_facebook.php
forum/vb/verticalresponse.php
forum/forumrunner/push.php
forum/forumrunner/support/Snoopy.class.php
forum/admincp/navigation.php

It is worth checking for any files that contain base64 and one of the following (system / curl / exec / eval).

I made this perl script that is quite handy to run in a cronjob, perhaps every 12 hours, that will email you about any NEW files found with base64 code in them.

Place this file in a tools directory somewhere such as /home/tools/ and name it anything you like, such as scan_website1.pl.
Configure its variables to your own, of course; they are at the top of the file and it is all fairly easy to understand what they do.
Tell it where your website directory is, where to store its cache and your SMTP email details, and it is as easy as that!

Troubleshooting:
(Q) It keeps emailing me every time the same list even though there are no new files.
(A) The location you chose in the variables for your cache file does not have the correct permissions for your cron user to write files to it.

Add a cron entry to run the script using something like this:
Code:

0 11,23 * * * perl /home/tools/scan_website1.pl

The file:
Code:

#!/usr/bin/perl
use strict;
use warnings;
use File::Find::Rule;
use MIME::Lite;

### Free to enjoy from www.webhostchat.co.uk (http://www.webhostchat.co.uk/busine...-url123-info-etc-filestore-redirect-hack.html)
### This script will check for any changes in the files that have BASE64 code in them and send an email alert.
### This is quite handy for knowing if you just got hacked!
### This file requires the File::Find::Rule and MIME::Lite perl modules, they are available on YUM.

### Which website to scan for dodgyness and where to store a scan cache (important)
my $web_directory = "/home/webhostchat.co.uk/public_html/";
my $cache_file    = "/home/whc_scan.cache";

### To send email you can setup SMTP
my $from_email  = "from\@email";
my $admin_email = "to\@email";
my $subject     = "Your site webhostchat.co.uk has detected ~~filecount~~ base64 files";
my $email_host  = "localhost";
my $email_user  = "";
my $email_pass  = "";

### The stuff
chdir($web_directory) or die "Cannot chdir to $web_directory: $!";
my $base_dir  = shift // '.';
my $find_rule = File::Find::Rule->new;
$find_rule->maxdepth(10);
$find_rule->name('*.php', '*.cgi', '*.attach');
my @sub_dirs = $find_rule->in($base_dir);

### Load the files reported on previous runs (stored separated by ~~~)
my @exist;
if (open(my $cache, '<', $cache_file)) {
    my $cd = do { local $/; <$cache> };
    close($cache);
    @exist = split(/~~~/, $cd // '');
}

my ($fc, $email, @newf, @filelist) = (0, "no");
foreach my $file (@sub_dirs) {
    open(my $fh, '<', $file) or next;
    my @t = <$fh>;
    close($fh);
    my ($m1, $m2) = ('', '');    # reset both flags per file
    foreach my $c (@t) {
        $m1 = "y" if $c =~ /base64/i;
        $m2 = "y" if $c =~ /system|curl|exec|eval/i;
    }
    if ($m1 eq "y" && $m2 eq "y") {
        # string comparison (eq), not the numeric == of the original
        unless (grep { $_ eq $file } @exist) { push @newf, $file; $fc++; $email = "yes"; }
        push @filelist, $file;
    }
}
open(my $out, '>', $cache_file) or die "Cannot write $cache_file: $!";
print $out join("~~~", @filelist);
close($out);
print "Found $fc new files...\n";
my $emsg = "Dear Administrator\n\nThere is a new file(s) detected on your website that contains base64 code. You should check this file urgently and if it is an exploit file start to work out how it was placed there!\nHere is a list of the NEW files:\n\n";
foreach my $file (@newf) {
    print "$web_directory$file\n";
    $emsg .= " $web_directory$file\n";
}
$subject =~ s/~~filecount~~/$fc/gi;
$emsg .= " \n\n All the best\n Your server!";
if ($email eq "yes") {
    my $msg = MIME::Lite->new(
        Subject => $subject,
        From    => $from_email,
        To      => $admin_email,
        Type    => 'text/plain',
        Data    => $emsg,
    );
    $msg->send('smtp', $email_host);
}
And that covers it all! So far no redirects, and we've not been re-infected either.
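As an added example (not the quoted guide's own script and not part of the original thread), the same base64-plus-dangerous-call file check in Python, going one step further than the Perl script by also decoding long base64 literals and looking for the call names inside them, so a payload hidden behind base64_decode() is still flagged; the scan suffixes, the cache format and the sample tree are assumptions.

```python
import base64
import json
import re
from pathlib import Path

# Heuristic from the guide: a file is suspect when it mentions base64 AND one of
# system / curl / exec / eval. Decoding of base64 literals is an addition here.
SCAN_SUFFIXES = {".php", ".cgi", ".attach"}          # assumed, mirrors the Perl rule
DANGEROUS = re.compile(r"\b(system|curl|exec|eval)\b", re.IGNORECASE)
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long runs only, to limit noise


def decoded_literals(text):
    """Yield the plaintext of every long base64 literal that decodes cleanly."""
    for m in B64_LITERAL.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64 (e.g. a long identifier); ignore it


def is_suspicious(text):
    """Apply the guide's heuristic to the raw text, then to decoded literals."""
    if "base64" in text.lower() and DANGEROUS.search(text):
        return True
    return any(DANGEROUS.search(d) for d in decoded_literals(text))


def scan(web_dir, cache_path):
    """Return paths of suspicious files not seen on a previous run.

    Known-good vBulletin files that legitimately match (the guide lists several)
    are reported once and then baselined in the JSON cache, as the Perl script does.
    """
    web_dir, cache_path = Path(web_dir), Path(cache_path)
    known = set(json.loads(cache_path.read_text())) if cache_path.exists() else set()
    hits = set()
    for p in web_dir.rglob("*"):
        if p.suffix in SCAN_SUFFIXES and p.is_file():
            text = p.read_text(encoding="latin-1", errors="replace")
            if is_suspicious(text):
                hits.add(str(p.relative_to(web_dir)))
    cache_path.write_text(json.dumps(sorted(hits)))
    return sorted(hits - known)


if __name__ == "__main__":
    import sys
    for new_file in scan(sys.argv[1], sys.argv[2]):   # usage: scan.py WEBROOT CACHE
        print("NEW suspicious file:", new_file)
```

Run it from cron the same way as the Perl script; only files that were not in the cache on the previous run are printed.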
 
I have the exact same problem on my iPad. It keeps redirecting me to the App Store for some random apps.


edit: if I go by the comments, it looks like half of MR has viruses lol
 
It's only come to my attention this week that there might be an issue. I'll have the web guy look at it this week. I've also seen that screen a few times.
 
It's still broken on my end; I don't get the filestore72 page, though, only an "unable to access the page". It started with the update before the holidays.
I haven't been going through a proxy since, or through my phone.
 
It's still broken on my end; I don't get the filestore72 page, though, only an "unable to access the page". It started with the update before the holidays.
I haven't been going through a proxy since, or through my phone.
So it's only your computer? You get an "unable to access the page" when visiting montrealracing.com?
 
All the computers at the office that I tried, yes; we don't have any restrictions on web content.
 