Any vBulletin experts about..

**Kymmy** · 17-01-2011, 10:16

Hi, I admin on a vb site runing the latest patch to V3.8 and we're getting people dropping files that contain #Web Shell by oRb in, with these they're compromising the admincp (various admin accounts) and changing the template header to include a spam/virii iframe.

Anyone (especially Paul if you're about) have you seen this documented recently or do you know how they're getting in?

The site is www.xrv.org.uk.. Last two files were found in VBSEO addons and also the forum cache.

Any help greatly appreciatted..

PS.. the site is fully vb licenced, but the owner who has the registered email is busy at work..

**Rob** · 17-01-2011, 12:49

Having one a

There is a lot of chatter about this being related to a script called phpthumb, which is something to do with resizing images. No idea if that would be a standard part of vbulletin, or included with a mod.

Since this relates to an ability to upload images or attachments a temporary fix mix simply be to disable those functions for your users.

---------- Post added at 12:49 ---------- Previous post was at 12:40 ----------

Looks like it might be something to do with a "Two-Steps external links module"

http://secunia.com/advisories/39552/

**Kymmy** · 17-01-2011, 12:53

tnX Rob will look into it

Dude111 · 19-01-2011, 15:12

This is quite disturbing Kymmy,

Is it possible to have the software filter out any uploads containing "#Web Shell by oRb" (As soon as it sees this it deletes the file)

I am sorry you guys are going thru this and i hope you can correct it soon!

**Rob** · 19-01-2011, 17:23

to clarify anyone misreading this thread, Cable Forum is not affected by this issue.

**Kymmy** · 21-01-2011, 16:18

Hence I put the URL in the post #1

What's the state of patching for 3.8? Is it still being patched or are they now leaving it for V4?