Blackhole kit flag on my forum

  • [Forum] Blackhole kit flag on my forum

    Hello, I run 4.0.8 and have a few members today getting blackhole toolkit?

    my forum is thecatfishnation.com/forum

    Can someone help with finding & removing this? I am not that good with this stuff but can follow details very well.

  • #2
    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    3) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    4) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    5) Make sure that your plugins do not include calls to exec(), system(), or passthru() or iframes. These are also often signs of a hacked site.

    Query for step 4 and 5 -
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

    6) Run this query:
    SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

    You should also upgrade to the latest version.

    Wayne Luke

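The LIKE patterns in the step 4 and 5 query are deliberately broad, so they also return benign code such as curl_exec() or a variable named $filesystem_root. The following is an added example, not part of the original thread or of vBulletin: it runs that query and then labels each hit with stricter call-level rules so the rows can be prioritised for manual review. The in-memory SQLite table, its constructed rows, the include/require terms added for step 3, and the regex rules are all assumptions made for illustration.

```python
import re
import sqlite3

# Broad query from steps 4-5 (using PHP's function name passthru),
# extended with include/require terms for step 3 (an assumption of this example).
BROAD = ("SELECT title, phpcode FROM plugin WHERE phpcode LIKE '%base64%' "
         "OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' "
         "OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%' "
         "OR phpcode LIKE '%include%' OR phpcode LIKE '%require%'")

# Stricter rules: match function calls and tags, not bare substrings.
RULES = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "command_call": re.compile(r"\b(?:exec|system|passthru)\s*\(", re.I),
    "iframe_tag": re.compile(r"<\s*iframe\b", re.I),
    # Step 3: include/require that loads a file from a remote URL.
    "remote_include": re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*https?://", re.I),
}

def triage(phpcode):
    """Return the names of the rules that match; empty means a substring-only hit."""
    return [name for name, rx in RULES.items() if rx.search(phpcode)]

def scan(conn):
    """Run the broad query, then label every hit so that none is silently dropped."""
    return {title: triage(code) for title, code in conn.execute(BROAD)}

def sample_db():
    """Constructed rows standing in for a vBulletin plugin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plugin (title, phpcode, hookname, product)")
    conn.executemany("INSERT INTO plugin VALUES (?, ?, ?, ?)", [
        ("Cache helper", "$path = $filesystem_root . '/cache';", "global_start", "vbulletin"),
        ("Stats", "$r = curl_exec($ch);", "global_complete", "hypothetical_stats"),
        ("Footer", "eval(base64_decode($blob));", "global_complete", "vbulletin"),
        ("Loader", "include_once('http://example.invalid/x.php');", "init_startup", "vbulletin"),
        ("Clean", "$show['x'] = true;", "global_start", "vbulletin"),
    ])
    return conn

if __name__ == "__main__":
    for title, rules in scan(sample_db()).items():
        print(title, "->", rules or "substring only, review by hand")
```

Rows that come back with an empty rule list still matched the broad query and should be read by hand rather than discarded.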


    • #3
      Good evening. Several of my members are getting this, though my own AVG doesn't seem to be picking it up.

      Originally posted by Wayne Luke
      1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.
      OK, I have a slew of these. For example, vbulletin-core.js says "File does not contain expected contents." But I also have a lot of files that say "File not recognized as part of vBulletin." These are files that I certainly expect to be part of vBulletin, such as vbulletin-forumhome.js.

      Do I replace these as well? Do I handle these differently?



      • #4
        If you think a file is supposed to be part of vBulletin, but the checker says it isn't, it was probably removed from the package. The updater doesn't remove old files that are no longer used.

        You can check each file by opening it in an editor and noting the vB version number given at the top. If it's less than the version you are running, you can delete it.



        • #5
          Originally posted by Thunderbird
          If you think a file is supposed to be part of vBulletin, but the checker says it isn't, it was probably removed from the package. The updater doesn't remove old files that are no longer used.

          You can check each file by opening it in an editor and noting the vB version number given at the top. If it's less than the version you are running, you can delete it.
          OK. Thanks. Sounds rather labor-intensive, but worth it.

          I'm set to upgrade from 4.1.12 to 4.2. Should I do that first, or clean up this other mess first?
