Forums triggering virus alerts

  • kau
    replied
    We opted out of Certified Ad Networks and that fixed the issue.


  • Jamsoft
    replied
    Originally posted by kau:
        Same with us. We own a vertical that we cannot run Google ads on, those sites did not get any complaints whereas all Google sites got complaints about viruses.

    Kau,

    Have you found a solution for these sites yet? We've got a similar thing happening, ourselves. And I've already checked the VBSEO and other mentioned exploits posted here.


  • kau
    replied
    Originally posted by 45Wheelgun:
        I have had the same experience. I disabled the Certified Ad Networks and have not had a complaint since.

    Same with us. We own a vertical that we cannot run Google ads on, those sites did not get any complaints whereas all Google sites got complaints about viruses.


  • Jafo
    replied
    Not 100% sure, but good chance these are related:

    https://www.vbulletin.com/forum/show...ssible-Exploit


  • 45Wheelgun
    replied
    I have had the same experience. I disabled the Certified Ad Networks and have not had a complaint since.


  • MarkTTU
    replied
    Originally posted by creativepart:
        It certainly could be a rogue ad that's causing your problem, but those of us with a script in our Footer that tries to load alltagcloud.info are having a different issue. And, it's not a rogue ad.

    Granted, but since I couldn't find anything (footer or otherwise) I figured it was worth posting my own experience since it seems to have been solved for me.


  • creativepart
    replied
    Originally posted by MarkTTU:
        I think I may have found it.

    It certainly could be a rogue ad that's causing your problem, but those of us with a script in our Footer that tries to load alltagcloud.info are having a different issue. And, it's not a rogue ad.

    I talked to another forum owner today -- huge forum -- he had it in his footer and I noticed it and reported it to him. He said, he'd removed it once and now it's back. And yes... he's running Forum Runner, too.


  • MarkTTU
    replied
    I think I may have found it. I've tried everything mentioned here and found no problems so I finally decided to try something off-the-wall and I disabled all Google Certified Ad Networks in my Adsense control panel. I did this on the 29th and have had no reports of infection since then. It would appear that one of Google's "Certified" networks was my culprit. I'm going to begin turning those networks back on one at a time and see what happens....


  • Wayne Luke
    replied
    3) Templates are stored in the database. You would have to search these from the AdminCP or by direct query. Templates have never been stored in the file system in vBulletin.

    4) Plugins are stored in the database. You would have to manually review the code of each one within the Admin CP under Plugins/Products -> Plugin Manager.

    5) Same as 4

    6) Same as 4

    A query was provided in the steps to handle 5 and 6 (says for 4 and 5 but that is wrong). Very easy to check simply by running the provided query.

    7) output format here is really bad and can't really view the columns.


    All of these steps can be run either in the AdminCP or phpMyAdmin though. They don't require special hosting privileges to check.


  • Wardsweb
    replied
    Originally posted by Wayne Luke:
        So... Has anyone run the steps that I listed above? What were the results?

    Reply from our dedicated server company. Numbers from your suggested steps:

    1. sounds like a good idea, shouldn't cause any problems. You should go ahead and do this. (I did this but found nothing)

    2. I looked and it all looks fine

    3. I couldn't find any of the files mentioned by name here, so I couldn't check these

    4. I couldn't find a "plugin" or "plugins" directory, and I don't know where plugins are installed, so I can't do this

    5. same as 4

    6. same as 4

    I ran the provided SQL and the one result returned looks fine (just calling a function that has 'exec' as part of the name):
    Code:
    mysql> SELECT title, phpcode, hookname, product FROM plugin WHERE 
    mysql> phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE 
    mysql> '%system%' OR phpcode like '%pass_thru%' OR phpcode like 
    mysql> '%iframe%';
    +----------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+----------+
    | title | phpcode | hookname | product |
    +----------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+----------+
    | vBa CMPS - Open Smilie Window in Admin CP Redirect | if ($_REQUEST['do'] == 'getsmilies')
    {
    exec_header_redirect($vbulletin->options['bburl'] . '/misc.php?do=getsmilies&editorid=' . $_REQUEST['editorid'] . '&wysiwyg=' . intval($_REQUEST['wysiwyg']) . '&getsmilies=' . intval($_REQUEST['getsmilies'])); } | admin_global | adv_cmps | 
    +----------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+----------+
    1 row in set (0.00 sec)

    7. I ran this SQL and the results all look fine / non-malicious:
    Code:
    styleid title template

    8. htaccess files are all clean.

    Leave a comment:
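The plugin check discussed above, as an added example that is not part of any post in this thread and is not vBulletin code: it runs the thread's `LIKE` clause and a call-level regex scan side by side over constructed rows. It assumes an in-memory SQLite table as a stand-in for the MySQL `plugin` table (`%` and `_` are wildcards in both, so `'%pass_thru%'` needs exactly one character between "pass" and "thru"); the sample rows and the function-name list are illustrative assumptions.

```python
import re
import sqlite3

# Constructed rows standing in for vBulletin's `plugin` table (title, phpcode).
SAMPLE_PLUGINS = [
    ("Smilie redirect",
     "exec_header_redirect($vbulletin->options['bburl'] . '/misc.php?do=getsmilies');"),
    ("Stats helper", "passthru('uptime');"),
    ("Footer widget", "echo base64_decode($blob);"),
    ("Welcome text", "$greeting = 'Operating system: ' . PHP_OS;"),
]

# The WHERE clause quoted in the thread, unchanged.
THREAD_QUERY = """
SELECT title FROM plugin WHERE
  phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%'
  OR phpcode LIKE '%pass_thru%' OR phpcode LIKE '%iframe%'
ORDER BY rowid
"""

# Whole function names followed by "(". The lookbehind rejects longer names
# (curl_exec), method calls (->system) and variables ($system).
# The name list is an assumption for illustration, not an official list.
CALL_RE = re.compile(
    r"(?<![\w>$])(eval|assert|exec|shell_exec|system|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)

def load(rows):
    """Build the stand-in plugin table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE plugin (title TEXT, phpcode TEXT)")
    db.executemany("INSERT INTO plugin VALUES (?, ?)", rows)
    return db

def like_hits(db):
    """Titles flagged by the substring query from the thread."""
    return [row[0] for row in db.execute(THREAD_QUERY)]

def call_hits(db):
    """Titles whose code calls a listed function or embeds an iframe tag."""
    hits = {}
    for title, code in db.execute("SELECT title, phpcode FROM plugin ORDER BY rowid"):
        found = sorted({m.group(1).lower() for m in CALL_RE.finditer(code)})
        if IFRAME_RE.search(code):
            found.append("<iframe>")
        if found:
            hits[title] = found
    return hits

if __name__ == "__main__":
    db = load(SAMPLE_PLUGINS)
    print("LIKE query flags:     ", like_hits(db))
    print("call-level scan flags:", call_hits(db))
```

A hit from either scan is a prompt for manual review in the Plugin Manager, not a verdict; obfuscated code can avoid both.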


  • 45Wheelgun
    replied
    These three have been replaced but still report that they are not as expected: vbulletin-adminhelp.xml vbulletin-language.xml vbulletin-settings.xml


  • Wayne Luke
    replied
    Originally posted by 45Wheelgun:
        Wayne,

        I ran Suspect File Diagnostics and it said that class_core.php and functions.php, now when I rerun it they are reported as:
        File version mismatch: found 3.8.7 Patch Level 2, expected 3.8.7 Patch Level 1"
        At the top of the page it says I am running 3.8.7 PL2 so I am confused.

    This is common after applying a Patch Level release. It isn't anything to be worried about.


  • 45Wheelgun
    replied
    Wayne,

    I ran Suspect File Diagnostics and it said that class_core.php and functions.php, now when I rerun it they are reported as:
    File version mismatch: found 3.8.7 Patch Level 2, expected 3.8.7 Patch Level 1"
    At the top of the page it says I am running 3.8.7 PL2 so I am confused.


  • diretur
    replied
    Originally posted by Wayne Luke:
        This on your 3.7.4 or 3.8.7 license?

        Run this query:
        UPDATE usertextfield SET searchprefs='';

        Make sure you're on either 3.8.7 PL2 or 4.1.9

        Finally secure your Admin CP with a second layer of access through .htaccess.

    I'm on 3.8.7 PL2
    DB query done.
    Admin CP secured.

    thanks


  • Wayne Luke
    replied
    Originally posted by diretur:
        I had the same problem on the 27th of December and found this in the header template. I have no clue where this is from. Once I deleted it, the problem was gone. Users with ie had the virus notification. As soon as they used Chrome there was no problem.

    This on your 3.7.4 or 3.8.7 license?

    Run this query:
    UPDATE usertextfield SET searchprefs='';

    Make sure you're on either 3.8.7 PL2 or 4.1.9

    Finally secure your Admin CP with a second layer of access through .htaccess.
