Solved vbet security breach



hotslot
12-05-10, 16:22
http://www.hotslot.org/new-member-introductions/


I'm running vbet and 4.0.3

It appears the js virus redirect got in from vbet.

vBET
12-05-10, 16:58
I will check it quickly. What virus do you mean, and how do you suppose it got in from vbet?

hotslot
12-05-10, 17:03
We're trying to help you, sir. Obviously it's not your fault! But if you can help find a way to keep this from happening again, that would be cool.

thank you

hotslot
12-05-10, 17:13
http://www.hotslot.org/new-member-introductions/


I'm running vbet and 4.0.3

It appears the js virus redirect got in from vbet.


Check link above, it's pretty obvious on redirect. AVG blocks my browser after that.
http://www.hotslot.org/vbenterprisetranslator_seo.php

vBET
12-05-10, 17:27
I see that your main page is not working correctly - the output HTML is cut. What was changed since the last time the forum ran correctly?

vBET
12-05-10, 17:33
Check link above, it's pretty obvious on redirect. AVG blocks my browser after that.
http://www.hotslot.org/vbenterprisetranslator_seo.php

Yes, I see this redirect but didn't find the cause - you wrote about some virus so I thought that you know what you are writing about. Please describe what AVG means?

I'm investigating this issue right now and in the logs I see that the link you gave produces a strange .htaccess redirect to: /var/chroot/home/content/h/o/t/hotslot/html/vbenterprisetranslator_seo.php
which causes this end URL in the browser. I'm wondering right now why vBET never sees the member introduction URL... Looks like some redirect happens before, but I do not see it in .htaccess

If you have any information which could help - please give it.

hotslot
12-05-10, 17:34
Good question. The forum was fully functional last night. This morning is when it occurred.

vBET
12-05-10, 17:36
We're trying to help you, sir. Obviously it's not your fault! But if you can help find a way to keep this from happening again, that would be cool.

thank you

This is not obvious at this moment - it has to be diagnosed first.

vBET
12-05-10, 17:43
Good question. The forum was fully functional last night. This morning is when it occurred.

Ask the persons who have access to your forum - you already had an issue where somebody removed your files from the server. You should limit access there and change all your passwords. We already gave you advice to change the FTP password and you ignored it after some files disappeared from your server... Please consider again doing that.

Also - as I wrote, your main page is not generating correctly, which is not vBET's fault and shows that your whole forum is in a crashed state. It is possible that those strange redirections are because of a higher-level issue with your forum, and when you fix your forum issue then everything will work again. Of course this is only a possibility, but now I can tell that some issues are obviously not vBET's fault.

Do you have any redirection rules set before the .htaccess file - on the Apache configuration level? It seems that the redirection happens before the vBET rules take action and this is a possible cause of the issue. If you do have any - please provide them here. At this moment I have no other clue why the redirection is made before the vBET rule applies...

Also, if you do have a backup from yesterday - please consider using it.

vBET
12-05-10, 18:53
Any feedback to the last post? I need any information you can give me, to help you solve this issue.

tavenger5
13-05-10, 00:27
Security issue - vBulletin SEO Forums (http://www.vbseo.com/f3/security-issue-41463/)

hotslot
13-05-10, 03:28
I don't know what to say ?

Still there

vBET
13-05-10, 18:34
Security issue - vBulletin SEO Forums (http://www.vbseo.com/f3/security-issue-41463/)

Very long thread - is there something related to vBET?

vBET
13-05-10, 18:35
Any feedback to our last messages?:
http://www.vbenterprisetranslator.com/forum/vbet4-troubleshooting/671-vbet-security-breach.html#post2824
http://www.vbenterprisetranslator.com/forum/vbet4-troubleshooting/671-vbet-security-breach.html#post2827

Smiggy
13-05-10, 23:52
I hope a fix is provided for this soon.

hotslot
14-05-10, 05:23
I obviously know nothing about this stuff guys.. My techs tried for an entire day and no luck. Only way to get control of the forum again was to basically start over and lose all content.

I have no idea what happened. :o

Smiggy
14-05-10, 19:00
This is a serious concern.

Disabled now until the issue has been diagnosed and fixed.

hotslot
14-05-10, 19:36
I don't want other members freaking out on this. Michal is a professional. His is running fine still, maybe it's how it runs in 4.0.3? Who knows, but we had to disable the entire forum and functions and we lost all our content. Terrible news for many reasons, obviously Google and most security software will block entrances into your url. We just need to figure out how in the hell they exploited. This isn't an easy task, and I know nothing about this stuff! I'm not sure if Vbet has been in my admin section to try and fix or not and try to determine how it happened. I hope they are because this security breach will never be fixed otherwise and that's our best bet.

vBET
14-05-10, 23:58
We didn't go to your Admin CP. We still didn't get any feedback on the questions asked. If you have a technical guy with full access to your forum - please ask him. Do you have any redirection rules on the Apache configuration level?
Also, did you find what the issue with your main page generation was? - you have issues not related to vBET, and those redirections could be a side effect of your forum's bigger issue. Was anything done in this area?

Please PM access details for your Admin CP - I will completely disable vBET to check whether it has anything to do with this issue.

vBET
15-05-10, 00:04
This is a serious concern.

Disabled now until the issue has been diagnosed and fixed.

At this moment there is no final diagnosis yet. We do not know what changes were made since the forum was last functional. We do not know whether any security breach was made by vBET. We know that the forum was broken in areas not related to vBET. We know that someone had access to this forum, because there were issues with missing files before and no passwords were changed by the owner.

Our actual diagnosis shows that the forum owner had no idea what he was writing about in his first post. So we can tell for sure that no js virus got in by vBET. The link which was given to us was redirected by something before it even got to the vBET .htaccess rules. We suspect that it was something on the Apache configuration level, but cannot be sure because we got no cooperation from the owner in this area. But for sure it was not any js - because js is evaluated on the browser side and those redirections were made on the server side. And as I already wrote - it was made before vBET took any action - diagnosed by logs added into vbenterprisetranslator_seo - this is the first access point to vBET and the whole forum. So because the URL there was already changed, we suspect some higher-level issue. On this forum, pages were generating only halfway for non-translated views, which confirms our suspicions. Still - those are only suspicions, because we got no cooperation from the forum owner in the areas asked about.

In short - it can have nothing to do with vBET. It can have something to do with vBET. We will completely disable vBET on the forum to check whether it is related to vBET at all.

At this moment we have the right to believe that the cause of the security breach was poor security/administration management. Previous issues on this forum were because of someone's actions (removed .htaccess rules, removed whole files). Our suggestion to change FTP passwords, given when some files disappeared, was ignored.

Please note that we are still on this issue and, as I wrote, there is no final diagnosis. At this moment we are waiting for the owner's feedback.
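
The distinction drawn in the post above, between a redirect issued on the server side and one performed by JavaScript in the browser, can be checked from the raw HTTP response. The following is an added example, not code from the thread or from vBET; the sample responses, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample responses; hosts and paths are placeholders, not thread data.
SERVER_SIDE = ("HTTP/1.1 302 Found\r\n"
               "Location: http://forum.example/landing.php\r\n"
               "Content-Length: 0\r\n\r\n")
CLIENT_SCRIPT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<html><script>window.location.href='http://other.example/';"
                 "</script></html>")
CLIENT_META = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               '<html><meta http-equiv="refresh" content="0;url=http://other.example/">'
               "</html>")
NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"

META_REFRESH = re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I)
# Heuristic only: obfuscated script will not match this pattern.
SCRIPT_NAV = re.compile(r"location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(", re.I)

def split_response(raw):
    """Split a raw HTTP/1.x response into (status, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_redirect(raw):
    """Return (mechanism, target) for one response."""
    status, headers, body = split_response(raw)
    # A 3xx with Location is decided by the server before any HTML is sent,
    # so browser-side script cannot be its cause.
    if 300 <= status < 400 and "location" in headers:
        return ("server-side", headers["location"])
    # Otherwise the browser must parse the body before it navigates.
    if META_REFRESH.search(body):
        return ("client-side meta refresh", None)
    if SCRIPT_NAV.search(body):
        return ("client-side script", None)
    return ("none", None)

if __name__ == "__main__":
    for sample in (SERVER_SIDE, CLIENT_SCRIPT, CLIENT_META, NO_REDIRECT):
        print(classify_redirect(sample))
```

A "server-side" result points the investigation at web server configuration, rewrite rules or server-side code; a "client-side" result points at content injected into the delivered page.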

hotslot
19-05-10, 01:23
I'm back sorry...

So to make a long story short we lost everything and uploaded fresh.. We are still getting this however...

does this have anything to do with VBET?


Thanks to NLP-er enjoy automatic translations (vBET 2.4.3)


<div id="footer_copyright" class="shade footer_copyright">
<!-- Do not remove this copyright notice -->
Thanks to <a href="http://www.forum.simple-nlp.pl/">NLP-er you enjoy</a> automatic translations (vBET 2.4.3)<br>
<!-- Do not remove this copyright notice -->
</div>

I think 1 keyword and 1 url is enough if it is.

vBET
19-05-10, 19:02
I'm back sorry...

So to make a long story short we lost everything and uploaded fresh.. We are still getting this however...

does this have anything to do with VBET?





I think 1 keyword and 1 url is enough if it is.

Why are you using the free version? You have a license for the paid one. What you quoted is output from the free version.

hotslot
19-05-10, 22:11
I have no idea!

LOL
