Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 06 Feb 2012, 17:56
begin begin is offline
 
Join Date: Dec 2004
virus redirect url123.info

Hello ,

When i search from google, my forum links has redirect to url123.info/xyz...
help me, how to scan and repair forum.
Reply With Quote
  #2  
Old 13 Feb 2012, 17:02
g00gl3r g00gl3r is offline
 
Join Date: Sep 2005
Did you get any help with this?

Some advice here if you have VBSEO: http://www.vbseo.com/f3/security-issue-41463/

Some advice from VB themselves:

To check a site for compromises follow these steps:

1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

If you a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

7) Using PHPMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

8) Check .htaccess to make sure there are no redirects there.

9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
Reply With Quote
Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
Mini Mods Login Redirect - Redirect your users to their User CP or Profile when logging on sockwater vBulletin 3.7 Add-ons 29 19 Jun 2012 18:07
[RELEASE] Vb Sophos Virus Info Feed JHSoundZ vBulletin 2.x Template Modifications 14 29 Jun 2003 13:35



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 01:36.

Layout Options | Width: Wide Color: