  #1  
Old 19 Jul 2012, 02:10
z0diac
Join Date: Dec 2006
is ajax.php on vB 3.6.8 causing my security hole and malicious software infections?

I've been getting infected with malicious software daily for the last week. I've hired the good guys at Total Server Solutions and they have pointed toward ajax.php being insecure.

Is there an updated version of JUST that file that I can use with vB 3.6.8? I cannot do a full vB upgrade due to a lot of php file edits that have been done to create some custom stuff.

Are there any known security holes in ajax.php on my version of vB? (The !C99madShell v. 2.0 madnet edition! hack was put on)

NEED HELP with ajax.php and what I can do to it so this doesn't happen again!

Last edited by z0diac : 19 Jul 2012 at 02:33.
  #2  
Old 19 Jul 2012, 02:34
Zachery
Join Date: Jul 2002
Real name: Zachery Woods
Not out of the box. Your third party addons, or old version of vBulletin may be allowing hackers access. It's also possible they got in completely unrelated to your vb site and hit your site as they were passing by.
  #3  
Old 19 Jul 2012, 03:10
z0diac
Join Date: Dec 2006
Could updating just the ajax.php file to a more recent version help secure it?
  #4  
Old 19 Jul 2012, 06:11
Simon Lloyd
Join Date: Aug 2008
Real name: Simon
It definitely won't be the ajax file, it's usually due to an add on poorly coded allowing access, if you have all the security patches for vb up to date for your installation then it will be from something else, do you have vbseo?

Check these too:
https://www.vbulletin.com/forum/entr...Forums-(Part-1)
https://www.vbulletin.com/forum/entr...Forums-(Part-2)
https://www.vbulletin.com/docs/html/securing_vbulletin
http://www.vbulletin.org/forum/showthread.php?t=193930

Last edited by Simon Lloyd : 19 Jul 2012 at 06:32.
  #5  
Old 19 Jul 2012, 15:47
z0diac
Join Date: Dec 2006
Originally Posted by Simon Lloyd
It definitely won't be the ajax file, it's usually due to an add on poorly coded allowing access, if you have all the security patches for vb up to date for your installation then it will be from something else, do you have vbseo?

Check these too:
https://www.vbulletin.com/forum/entr...Forums-(Part-1)
https://www.vbulletin.com/forum/entr...Forums-(Part-2)
https://www.vbulletin.com/docs/html/securing_vbulletin
http://www.vbulletin.org/forum/showthread.php?t=193930
Yes I have VBSEO although I can't even remember what it does.

It was definitely the ajax.php file in 3.6.8 - the guys at Total Server Solutions tried a test of the exploit on it and it worked. They put on a vb 4.x ajax.php file and tried the exploit, and it didn't work.

Exploit in 3.6.8 ajax.php (example):

[Code block not shown: suspended or unlicensed members cannot view code.]

  #6  
Old 19 Jul 2012, 16:22
Simon Lloyd
Join Date: Aug 2008
Real name: Simon
The exploit may well have worked on that php file but unless your vbseo is patched up to date that's almost certainly where it was injected, there's been many threads on it, go to vbseo and check your version against the latest, they have a tool you can download to check.
  #7  
Old 19 Jul 2012, 16:32
kh99
Join Date: Aug 2009
Real name: Kevin
I think you might want to check your plugins and see if you have any that use hook ajax_start or ajax_complete - the ajax.php file itself doesn't use the global parameter so something else must have been processing the command (I suppose it could have to do with vbseo - I don't know how that exploit worked).

Edit: BTW, here's an older thread discussing the issue: www.vbulletin.org/forum/showthread.php?t=202532 ...and if what was said in that thread is true, ajax.php isn't the original problem, it's just where a "back door" was added.
__________________
Please don't PM me - post your questions in the appropriate forum.
Please don't PM me to ask me to read your thread.

Last edited by kh99 : 19 Jul 2012 at 16:39.
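
The plugin check suggested in the last post, sketched as an added example (not code from any poster or from vBulletin): it lists active plugins attached to the ajax_start and ajax_complete hooks and tags code that can turn request data into execution. It assumes the rows were exported from the forum's plugin table with columns named title, product, hookname, active and phpcode; the sample rows and the indicator patterns are constructed for illustration.

```python
import re

# Hooks named in the thread; plugin code attached to them runs inside ajax.php.
AJAX_HOOKS = {"ajax_start", "ajax_complete"}

# Generic PHP indicators chosen for this example (not taken from the thread).
RISKY = {
    "dynamic-eval": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
    "os-command": re.compile(r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
    "decoder": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "raw-request": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}

def audit_plugins(rows):
    """List active plugins on the ajax hooks, most indicators first."""
    findings = []
    for row in rows:
        # Only active plugins on the two ajax hooks are in scope here.
        if row["hookname"] not in AJAX_HOOKS or not row["active"]:
            continue
        hits = sorted(n for n, rx in RISKY.items() if rx.search(row["phpcode"]))
        findings.append({"title": row["title"], "product": row["product"],
                         "hookname": row["hookname"], "indicators": hits})
    findings.sort(key=lambda f: (-len(f["indicators"]), f["title"]))
    return findings

# Constructed sample rows (assumed column names), not data from the thread.
SAMPLE_ROWS = [
    {"title": "Thanks button counter", "product": "thanks_mod",
     "hookname": "ajax_start", "active": 1,
     "phpcode": "if ($_POST['do'] == 'thanks') { $id = intval($_POST['postid']); }"},
    {"title": "cache helper", "product": "vbulletin",
     "hookname": "ajax_complete", "active": 1,
     "phpcode": "if (isset($_REQUEST['x'])) { eval(base64_decode($_REQUEST['x'])); }"},
    {"title": "Sidebar block", "product": "sidebar",
     "hookname": "forumhome_start", "active": 1,
     "phpcode": "$show['sidebar'] = true;"},
]

if __name__ == "__main__":
    for f in audit_plugins(SAMPLE_ROWS):
        print(f["hookname"], f["title"], f["product"], ",".join(f["indicators"]) or "-")
```

An empty indicator list does not clear a plugin; every entry listed on these hooks still needs to be read and matched to an add-on you installed.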