vBSEO Broken: wreak'n havoc...

Status
Not open for further replies.

froglips

New User
Jim Campbell
We have started getting odd reports of errors.

Seem to affect IE8, but now folks are finding "Avast Trojan Virus" alerts.

I just kicked off a virus scan.

More digging, but seems really bizzare.

Jim
 
Last edited:

froglips

New User
Jim Campbell
Re: Weirdness, maybe trojan virus?

I think our Web Hosting company might have a problem.

It appears to me that their DNS might be compromised.

vbSEO should be inserting a URL to google-analytics.com/ga.js at the bottom of most pages.

It appears that people are getting various urls, all at the domain servehttp.com. Many of those scripts are not valid.

These are being flagged as virus/trojan's by several members virus scanning tools.

I ran a Clam Virus scan on our server, nothing found.

If anyone has some experience with this, I could use some help.

For now, I've turned off VBSEO, which has removed the offending analytics code.

Turning it off has broken links and some parts of the site aren't working now.

Jim
 

Bas

Recovering tool addict
Bas
Corporate Member
Re: Weirdness, maybe trojan virus?

Sorry, should have replied sooner, been swamped with work. I've asked around about what's going on with this virus, as you described it tends to get pulled in from other sites, it doesn't appear to be hosted locally.
Will let you know if I hear anything.
 

froglips

New User
Jim Campbell
Re: Weirdness, maybe trojan virus?

Thanks Bas!

I'm guessing its one of those DNS exploits.

I did hear back from those reporting problems, that turning off vbSEO has "fixed" the problem.

Thanks,
Jim
 

Bas

Recovering tool addict
Bas
Corporate Member
Re: Weirdness, maybe trojan virus?

See this on the VBSEO web site -> http://www.vbseo.com/f3/alert-huge-security-hole-vbseo-3-3x-41463/
Looks like we need to reinstall/ upgrade, or at the very least check the vBSEO xml product file. I can do that, but I won't be able to get to it until 7pm or so. If you have some cycles this afternoon, that'd be great.

We may also need to change our passwords on the systems.
 

froglips

New User
Jim Campbell
Re: Weirdness, maybe trojan virus?

Great find! We are on version 3.3.0, so we need to patch.

I'll work on that.

Jim
 

froglips

New User
Jim Campbell
Tracy, we staffers don't have access to vbSEO to download.

If you have Steve's old account, we need it to access the vbSEO Download Area.

http://www.vbseo.com/downloads/

We need version 3.3.2 and 3.3.0 if you can download both.

Thanks,
Jim
 

froglips

New User
Jim Campbell
Thanks to Tracy, we have the new code.

I went ahead and tested re-installing 3.3.0. That fixed our problem. :banana:

But, that also implies our site was compromised. :kamahlitu

I've asked Tracy to change all our passwords.

I'm also going to upgrade our vbSEO to 3.3.2, the latest Gold version this evening.

Also, I've turned vbSEO OFF. If someone is exploiting that hold, I don't want them to get right back in.

I have a meeting tonight, so I won't be around till after 9pm. I left the install pages in a place Bas and Toolman can use them if need be.

Big thanks to Bas and Tracy for all the great support, go team! :notworthy:

Jim
 

froglips

New User
Jim Campbell
Fingers crossed, we are now at 3.3.2 and I don't see the bad code.

As part of the install, I had to set a new vbseo password. I'll be sending that on to Tracy, Bas and Toolman.

I also talked to Steve, he suggested we turn off Google Analytics.

I've turned it off for now, but if anyone would like it enabled, just say the word.

It does add complexity to our site and slows things down a bit.

Thanks,
Jim
 

Bas

Recovering tool addict
Bas
Corporate Member
Well done Jim, great job on the quick turnaround.
As for the analytics - do we do anything with that info? I suppose if we did aggressive marketing and looked to improve hits, references etc. it would be useful, but we're far more laid back than that I think. So turning it off wouldn't hurt us.
 

scsmith42

New User
Scott Smith
I didn't want to post this in the public forum, but apparently whatever was in our system was capturing the IP and port addresses for the various computers that logged into NCWW, and then forwarded that information on to a server in Bejing, China. The IP address of that server is 59.53.91.108, and 59.53.91.102. That server would then attempt to hack into the users PC and download a virus.

There were multple application path: One was /device/harddiskvolume2/program files/adobe/acrobat 7.0/reader/acrord32.exe.

Another was /device/harddiskvolume2/program files/internet explorer/iexplore.exe.

For the past 3 or 4 days, in hindsight I now realize that every time that I've logged into NCWW Norton has blocked an attempt to hack into my computer.
 

Glennbear

Moderator
Glenn
Fingers crossed, we are now at 3.3.2 and I don't see the bad code.

As part of the install, I had to set a new vbseo password. I'll be sending that on to Tracy, Bas and Toolman.

I also talked to Steve, he suggested we turn off Google Analytics.

I've turned it off for now, but if anyone would like it enabled, just say the word.

It does add complexity to our site and slows things down a bit.

Thanks,
Jim

Well done Jim, great job on the quick turnaround.
As for the analytics - do we do anything with that info? I suppose if we did aggressive marketing and looked to improve hits, references etc. it would be useful, but we're far more laid back than that I think. So turning it off wouldn't hurt us.

I didn't want to post this in the public forum, but apparently whatever was in our system was capturing the IP and port addresses for the various computers that logged into North Carolina Woodworker, and then forwarded that information on to a server in Bejing, China. The IP address of that server is 59.53.91.108, and 59.53.91.102. That server would then attempt to hack into the users PC and download a virus.

There were multple application path: One was /device/harddiskvolume2/program files/adobe/acrobat 7.0/reader/acrord32.exe.

Another was /device/harddiskvolume2/program files/internet explorer/iexplore.exe.

For the past 3 or 4 days, in hindsight I now realize that every time that I've logged into North Carolina Woodworker Norton has blocked an attempt to hack into my computer.

As a former detective I have a tendency to look at things with an analytical eye. Taking the above posts in conjunction with the recent news about the ongoing battle between China and Google it makes me wonder, are we the victims of "collateral damage" in this battle ? I am a strong supporter of the KISS principle so if we do not need the data from Google Analytics let's stay out of the fray. :gar-La;
 
Status
Not open for further replies.

Our Sponsors

LATEST FOR SALE LISTINGS

Top