The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Possible Security Issue
I purchased VBulletin several years ago.
Currently using Version 3.6.7. I have not upgraded because I use it for a Tech Support BB and thought all would be well. I just upgraded to Kaspersky 9.0 and it reports that access to my vBulletin contains a link to 78.110.75.21, which has been identified as a site that steals passwords, credit card numbers, etc. I ran some software that captures all network traffic and monitored communication with my site and vBulletin. In the middle of the page load there was a lot of data transferred to THAT IP address. I called the people who host my site and asked if THEY were injecting this detour or communication. Their reply was NO. They said that they have seen hackers inject JavaScript into BBs to accomplish things like this. So ... now I am asking the folks at vBulletin if this is YOUR communication or is it a real security issue? Will an upgrade to the latest release address this? Thanks in advance for your reply.
#2
Not a pro vB coder, but in my opinion you need to actually visit that IP to check if it's a site or just someone's server IP. vBulletin doesn't streamline things from your site; they only have a callback function that lets them verify if there's a real licence there and who it's registered to. I would upgrade, but most of your mods won't work if you upgrade to 3.7.4, seeing it's the most secure stable release out right now. Have you checked the IP? You can paste it in the browser and view it that way, if that helps.
#3
You get a "Fail to Connect".
My question is: why/how is this redirect taking place, and can it be terminated?
#4
You can always ban that IP from your server. I would run Suspect File Versions and see if anything strange shows up.
#5
You can, but you'll have to find where the leak is. It's probably someone using some JavaScript to access the site and then having that info stored by PHP or Perl into a database. My suggestion is to upgrade to a version that's CSRF and XSS protected. I would say 3.7.4 SP1, since the newest 3.6 doesn't have the hole fixed.
--------------- Added [DATE]1230144309[/DATE] at [TIME]1230144309[/TIME] ---------------
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 78.0.0.0 - 78.255.255.255
CIDR: 78.0.0.0/8
NetName: 78-RIPE
NetHandle: NET-78-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2006-08-29
Updated: 2006-09-07
# ARIN WHOIS database, last updated 2008-12-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
There you go, the IP's info.
--------------- Added [DATE]1230144367[/DATE] at [TIME]1230144367[/TIME] ---------------
Might be a proxy or shell account; it could be hard to know if that's the only IP being used.
--------------- Added [DATE]1230144505[/DATE] at [TIME]1230144505[/TIME] ---------------
Here's a link to more IP info: http://www.geoiptool.com/en/?IP=78.110.75.21
#6
I have upgraded to 3.7.4.
Issue still exists. It occurs AFTER users or Admin have logged on, so logon name and password may be compromised. Any suggestions on debugging and killing this thing?
#7
Admin CP > Maintenance > Diagnostics > Suspect File Versions
See if anything comes up there.
#8
Also:
- Search your post table for this IP
- Search your files for this IP
- Search templates for this IP
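The three searches suggested in this post can be done with one pass over the forum's files and a SQL dump of the post and template tables. The script below is an added example, not part of this thread or of vBulletin: it flags any line containing the IP reported above and, more generally, any script or iframe include that points at a bare IP address rather than a hostname, which is how an injected include often looks. The sample template text and its 10.0.0.5 iframe are constructed for the demonstration.

```python
"""Scan vBulletin files and SQL dumps for injected references to a suspect host."""
import re
from pathlib import Path

# A <script> or <iframe> whose src points at a bare IPv4 address instead of a
# hostname. Legitimate vBulletin includes use relative paths such as
# clientscript/vbulletin_global.js, so an IP-literal include stands out.
EXTERNAL_IP_INCLUDE = re.compile(
    r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?\s*(?:https?:)?//(\d{1,3}(?:\.\d{1,3}){3})',
    re.IGNORECASE,
)


def scan_text(text, suspect_ip, source="<string>"):
    """Return (source, line_no, reason, line) for every suspicious line in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if suspect_ip in line:
            findings.append((source, no, "contains suspect IP", line.strip()))
            continue
        m = EXTERNAL_IP_INCLUDE.search(line)
        if m:
            findings.append((source, no, f"include from bare IP {m.group(2)}", line.strip()))
    return findings


def scan_tree(root, suspect_ip, exts=(".php", ".js", ".html", ".htm", ".tpl", ".sql")):
    """Walk a forum install (and any mysqldump of post/template tables) under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            findings.extend(scan_text(text, suspect_ip, str(path)))
    return findings


# Constructed sample: a header template with one injected include (the IP from
# the thread), one legitimate relative include, and one hidden iframe.
SAMPLE_TEMPLATE = """<!-- header template, constructed sample -->
<div id="header"><a href="index.php">Forum</a></div>
<script type="text/javascript" src="http://78.110.75.21/counter.js"></script>
<script type="text/javascript" src="clientscript/vbulletin_global.js"></script>
<iframe src="//10.0.0.5/ad.html" width="1" height="1"></iframe>
"""

if __name__ == "__main__":
    for src, no, reason, line in scan_text(SAMPLE_TEMPLATE, "78.110.75.21", "header.tpl"):
        print(f"{src}:{no}: {reason}: {line}")
```

Run `scan_tree("/path/to/forum", "78.110.75.21")` against the web root plus a mysqldump of the `post` and `template` tables to cover all three searches at once.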