Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 25 Jun 2020, 15:35
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Malware - popup ads

Hi,

Recently I've noticed that when I click on the website, popup comes up, even though I never added such ads on the forum.

URL: beneamata.com

How can I find where the code was added and through where did they manage to do that?

Thanks in advance

--------------- Added 25 Jun 2020 at 21:35 ---------------

Ive upgraded version from 3.8.4 to 3.8.9, now there are no more popups, but I wanted to upgrade it to 3.8.11, it got stuck on 3.8.9 with the error:

Database error in vBulletin 3.8.9:
Invalid SQL:
ALTER TABLE adminlog CHANGE ipaddress ipaddress VARCHAR(45) NOT NULL DEFAULT '';
MySQL Error : Table 'elebocom_beneamata.adminlog' doesn't exist
Error Number : 1146
IP Address : IPADDRESS
Username :

Any ideas why?

--------------- Added 25 Jun 2020 at 22:59 ---------------

Ive created the table, everything is now fixed, I've upgraded to 3.8.11, no more malware popups. Thread can go on lock.
__________________
Inter Milan

Last edited by digif; 25 Jun 2020 at 22:59.
Reply With Quote
  #2  
Old 29 Jun 2020, 08:03
DCD.RB DCD.RB is offline
 
Join Date: Jan 2011
It sounds like they might have injected malicious code on the local php files themselves. When you upgraded, you replaced those files with original vB files.

I've seen this happen to wordpress sites.

I'd get your host to review your server to ensure it's not compromised.
Reply With Quote
  #3  
Old 11 Feb 2021, 19:40
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Hi guys,

Malware came back, now I have no idea how to get rid of it. Is it possible it came through some of the plugins?

I've removed a folder called 'nav' which was full of files with strange external domains, but still popups are here. Files were called 'nmd sela something'.

Any help appreciated.
__________________
Inter Milan
Reply With Quote
  #4  
Old 13 Feb 2021, 06:04
Dr.CustUmz's Avatar
Dr.CustUmz Dr.CustUmz is offline
 
Join Date: Aug 2013
Real name: Ryan
Originally Posted by digif View Post
Is it possible it came through some of the plugins?
very likely, I browsed your forum and was unable to see any of these popups to pin point the ad (I dont use any adblockers)

If you could share a link to exactly where you are receiving these popups I could help.
__________________
If you need custom work done please use Dirt RIF CustUmz
Owner of vBTeam
vBulletin 3.8.14 DRC Edition PHP 7.4 Compatible- NOT a null, NOT complete files Requires a legit copy of vBulletin 3.8.11.
Reply With Quote
  #5  
Old 13 Feb 2021, 14:33
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Originally Posted by Dr.CustUmz View Post
very likely, I browsed your forum and was unable to see any of these popups to pin point the ad (I dont use any adblockers)

If you could share a link to exactly where you are receiving these popups I could help.
Homepage, click on the side (blue background, one left mouse click is enough).
__________________
Inter Milan
Reply With Quote
  #6  
Old 14 Feb 2021, 09:45
Dr.CustUmz's Avatar
Dr.CustUmz Dr.CustUmz is offline
 
Join Date: Aug 2013
Real name: Ryan
Originally Posted by digif View Post
Homepage, click on the side (blue background, one left mouse click is enough).
they are not appearing for me =/ I am also not receiving any blocked pop-up notifications, nor am I seeing anything in the console...

With that said this could be one of many issues:

You yourself could be infected with malware
You may have a malware infected browser extension (they're pretty common)
Or it may be a vBulletin product with ads injected and only visible to you (which in the sense of adding hidden ads to a product would make no sense, you would want as many viewers as possible to make any kind of profit)

Are any of your members reporting these popups?

I would register but I do not know Andrea's surname lol
__________________
If you need custom work done please use Dirt RIF CustUmz
Owner of vBTeam
vBulletin 3.8.14 DRC Edition PHP 7.4 Compatible- NOT a null, NOT complete files Requires a legit copy of vBulletin 3.8.11.
Reply With Quote
  #7  
Old 14 Feb 2021, 10:37
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Originally Posted by Dr.CustUmz View Post
they are not appearing for me =/ I am also not receiving any blocked pop-up notifications, nor am I seeing anything in the console...

With that said this could be one of many issues:

You yourself could be infected with malware
You may have a malware infected browser extension (they're pretty common)
Or it may be a vBulletin product with ads injected and only visible to you (which in the sense of adding hidden ads to a product would make no sense, you would want as many viewers as possible to make any kind of profit)

Are any of your members reporting these popups?

I would register but I do not know Andrea's surname lol
Maybe try few times clicking on the background of the homepage. I get them when I run Firefox Private Window as I have adblock on the normal one.

I'm not logged in, so I dont think its only for users. Also, I dont get it on other websites so its not malware on pc.

Forum is inactive now, but I want to keep it clean as an archive, so I dont get reports from other users. If you want to register, answer is 'Ranocchia'.

Thanks for trying to help.
__________________
Inter Milan
Reply With Quote
  #8  
Old 14 Feb 2021, 12:58
Dr.CustUmz's Avatar
Dr.CustUmz Dr.CustUmz is offline
 
Join Date: Aug 2013
Real name: Ryan
I have tried firefox, firefox private, chrome, chrome incognito, edge, and IE, all without adblocker. I'm just not getting any form of ads.

but what you can do when you see the ad inspect it in console.

Find the top most div of the ad, see where that is in your style, search the words in the html of the ad in your styles, plugins, ect.
__________________
If you need custom work done please use Dirt RIF CustUmz
Owner of vBTeam
vBulletin 3.8.14 DRC Edition PHP 7.4 Compatible- NOT a null, NOT complete files Requires a legit copy of vBulletin 3.8.11.
Reply With Quote
  #9  
Old 14 Feb 2021, 13:08
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Real name: Anthony
I'd agree with Dr., i've checked it as well.

Sometimes those ads are IP specific, which may be why you dont get every user complaining about it the popups.

It looks like you have some scanning/checking to do in your file system & db.
Reply With Quote
  #10  
Old 14 Feb 2021, 15:27
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Originally Posted by Dr.CustUmz View Post
I have tried firefox, firefox private, chrome, chrome incognito, edge, and IE, all without adblocker. I'm just not getting any form of ads.

but what you can do when you see the ad inspect it in console.

Find the top most div of the ad, see where that is in your style, search the words in the html of the ad in your styles, plugins, ect.
I've recorded it:
https://screencast-o-matic.com/watch/crn2DZSwqm

Also, popup also comes up but after a while, so I didnt want to wait for it to record it.
__________________
Inter Milan
Reply With Quote
  #11  
Old 14 Feb 2021, 17:19
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Real name: Anthony
Check the last time this file was touched/edited file permissions etc

vbulletin_read_marker.js

https://www.beneamata.com/clientscri...rker.js?v=3811

It appears to be hacked & has code in it.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Reply With Quote
  #12  
Old 14 Feb 2021, 17:32
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Originally Posted by snakes1100 View Post
Check the last time this file was touched/edited file permissions etc

vbulletin_read_marker.js

https://www.beneamata.com/clientscri...rker.js?v=3811

It appears to be hacked & has code in it.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.
It's weird, I can't find vbulletin_read_marker.js?v=3811, only the original one - vbulletin_read_marker.js
__________________
Inter Milan
Reply With Quote
  #13  
Old 14 Feb 2021, 17:35
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Real name: Anthony
Ignore the ?v=3811, thats just for caching for browsers.

Just check vbulletin_read_marker.js
Reply With Quote
  #14  
Old 14 Feb 2021, 17:45
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Originally Posted by snakes1100 View Post
Ignore the ?v=3811, thats just for caching for browsers.

Just check vbulletin_read_marker.js
I've overwrote it with the original file from vB, you can check the file:
https://www.beneamata.com/clientscri...read_marker.js
__________________
Inter Milan
Reply With Quote
  #15  
Old 14 Feb 2021, 17:51
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Real name: Anthony
That file looks correct now.

Clear any caches & chk the home page issue.
Reply With Quote
Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
Mini Mods Login Popup - Adds a DHTML popup login form w/ forgotten password & register links Analogpoint vBulletin 3.6 Add-ons 41 28 May 2010 19:18
Forum Display Enhancements popup ads to guest bellaa vBulletin 3.8 Template Modifications 3 15 Aug 2009 16:36
Miscellaneous Hacks PP-Popup - Photo-Popup for Photopost cellarius vBulletin 3.7 Add-ons 20 19 Jan 2009 22:01



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 02:16.

Layout Options | Width: Wide Color: