  • [Answered] Help Malware Infection that I can't see - What to do?

    My Forum/CMS has been infected with Malware and Google has listed it as an attack site. At first I was getting redirected to some site so I could plainly see there was a problem. I went through and deleted all files on the server and uploaded a fresh copy from vBulletin. I created a new default style and thought I was all ok.

    I've been playing tag with Google for about two weeks now requesting a review to have my site unlisted as an attack site. Every time I request a review Google comes back saying I am still infected. Whenever I look at the pages they say, I can't see anything wrong. I even tried the "Fetch as Google" tool from Google Webmaster tools and I still can't see anything wrong. My antivirus doesn't show any warnings (It did when the problem first occurred, but doesn't now). One of my Moderators PM'ed me last night saying his antivirus still gives him warnings that the site is an attack site.

    I'm at a loss as what to do.

    Any ideas?

    BTW: my site is www.modelpowerboat.com

  • #2
    Sounds like you still have issues, could be transferred from your PC to your site..., make sure you scan your files, change your passwords and upload a clean copy.

    The code could hide in many php and htm files and is easy to miss.

    Also, it could be in some thread(s) on your forum and not the files.. I would ask your mod what part of the site was he on when he was alerted to virus.
    To be or not to be... Where the hell is the question????
    My psychiatrist told me I was crazy and I said I want a second opinion. He said okay, you're ugly too

    Live vBulletin 4.2.0 Multilingual * Alpha/Beta vB 4 - vB 5 Tier 1A
    CentOS 6.2 - Apache:2.2.15(Apache2Handler) - PHP:5.3.3 - MySQL:5.1.61
    Xampp/Win-XP - Apache v2.2.21(Apache2Handler) - PHP:5.3.8 - MySQL:5.5.16



    • #3
      Originally posted by John h View Post
      My antivirus doesn't show any warnings (It did when the problem first occurred, but doesn't now).
      Mine does clicking on www.modelpowerboat.com:
      http://safeweb.norton.com/report/sho...source=toolbar

      Edit: Perhaps both Google and Norton do not like redirections to doubleclick.net?


      Code:
      http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7005778430025579&output=html&h=15&slotname=5182904917&w=728&lmt=1340778129&flash=11.3.300&url=http%3A%2F%2Fwww.modelpowerboat.com%2Fforum.php&dt=1340778130148&bpp=2&shv=r20120620&jsv=r20110914&correlator=1340778130194&frm=20&adk=802579221&ga_vid=469533974.1340778130&ga_sid=1340778130&ga_hid=914882764&ga_fc=0&u_tz=600&u_his=3&u_java=1&u_h=1050&u_w=1680&u_ah=1010&u_aw=1680&u_cd=24&u_nplug=23&u_nmime=109&dff=tahoma&dfs=13&adx=360&ady=191&biw=1447&bih=850&oid=3&ref=http%3A%2F%2Fwww.modelpowerboat.com%2Factivity.php%3Fs%3Dd971b1cb8c1d79260d4a61e7fcc4609c&fu=0&ifi=1&dtd=75&xpc=ZJ2R9Odtdm&p=http%3A//www.modelpowerboat.com&rl_rc=true&adsense_enabled=true&ad_type=text_image&oe=utf8&height=15&width=728&format=fp_al_lp&kw_type=radlink&prev_fmts=728x15_0ads_al_s&rt=ChBP6qagAA1wLQqkHo__NEsSEg9TcGVlZCBCb2F0IFRvdXIaCFSnRx2Lqw4oKAFSEwie-K_o4-2wAhXMgKQKHTBRuRI&hl=en&kw0=Power+Boat&kw1=Boat+Registration&kw2=Boat+Bill+of+Sale&kw3=Speed+Boat+Tour&okw=Speed+Boat+Tour
      Last edited by beishe8; Tue 26 Jun '12, 10:27pm.


      vB5 is unequivocally the best forum software, but not yet...



      • #4
        Not all antivirus programs are alike... I found that out many moons ago. I use Avast, I don't wanna bash any programs but some are well known but are worthless...
        I did click on your site and went through the tabs and got no issues... It could be in your threads like I said if google and your mod saying there is still an issue.. I didn't go through your threads!!!


        • #5
          Would be interesting if Google didn't like redirects to Doubleclick... Google owns Doubleclick.

          1) make sure all your files are proper. Delete any files not part of vBulletin. You can use the suspect file diagnostic for this. Maintenance -> Diagnostics.

          2) check all your plugins against the code they are originally installed with. There should be no plugins assigned to the vBulletin product that you didn't write yourself.

          3) make sure you're using the latest version. That is 4.2.0 PL 1

          4) run the template fix tool from vBulletin.org. http://www.vbulletin.org/forum/showthread.php?t=281080

          5) make sure your server is secure.
          Last edited by Wayne Luke; Tue 26 Jun '12, 11:15pm.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API



          • #6
            Originally posted by Wayne Luke View Post
            Would be interesting if Google didn't like redirects to Doubleclick... Google owns Doubleclick.
            Thanks for the info.




            • #7
              Originally posted by Wayne Luke View Post
              Would be interesting if Google didn't like redirects to Doubleclick... Google owns Doubleclick.

              1) make sure all your files are proper. Delete any files not part of vBulletin. You can use the suspect file diagnostic for this. Maintenance -> Diagnostics.

              2) check all your plugins against the code they are originally installed with. There should be no plugins assigned to the vBulletin product that you didn't write yourself.

              3) make sure you're using the latest version. That is 4.2.0 PL 1

              4) run the template fix tool from vBulletin.org. http://www.vbulletin.org/forum/showthread.php?t=281080

              5) make sure your server is secure.
              Just a small correction. The latest version is vBulletin 4.2.0 Patch Level 2, not 1.
              Former vBulletin user



              • #8
                Shshhhhhh, don't tell Wayne


                • #9
                  Originally posted by Amaury25 View Post
                  Just a small correction. The latest version is vBulletin 4.2.0 Patch Level 2, not 1.
                  One of the issues of posting at 12:10 a.m. But yes, you're correct.


                  • #10
                    Originally posted by Wayne Luke View Post
                    One of the issues of posting at 12:10 a.m. But yes, you're correct.
                    Always happy to help.

                    Also, we have the same time zone.


                    • #11
                      Originally posted by John h View Post
                      I'm at a loss as what to do.

                      Any ideas?

                      BTW: my site is www.modelpowerboat.com
                      Try the info in this article - https://www.vbulletin.com/forum/cont...vBulletin-Site see if you can't identify the issue and remove it yourself... if they keep seeing something present on the site chances are it is in fact still present and not residual.


                      Former vBulletin Support Staff
                      Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
                      Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!



                      • #12
                        I would also recommend that you talk to your host about it so they can check their logs for around the time of the infection and see what happened and how it did happen.



                        • #13
                          Originally posted by John h View Post
                          My Forum/CMS has been infected with Malware and Google has listed it as an attack site. At first I was getting redirected to some site so I could plainly see there was a problem. I went through and deleted all files on the server and uploaded a fresh copy from vBulletin. I created a new default style and thought I was all ok.

                          I've been playing tag with Google for about two weeks now requesting a review to have my site unlisted as an attack site. Every time I request a review Google comes back saying I am still infected. Whenever I look at the pages they say, I can't see anything wrong. I even tried the "Fetch as Google" tool from Google Webmaster tools and I still can't see anything wrong. My antivirus doesn't show any warnings (It did when the problem first occurred, but doesn't now). One of my Moderators PM'ed me last night saying his antivirus still gives him warnings that the site is an attack site.

                          I'm at a loss as what to do.

                          Any ideas?

                          BTW: my site is www.modelpowerboat.com
                          I checked your site here: http://sitecheck.sucuri.net/results/...powerboat.com/

                          According to them your .htaccess file may have suspicious redirects: http://labs.sucuri.net/db/malware/malware-entry-mwhta7

                          Have you checked the .htaccess file?



                          • #14
                            Thanks for all the replies. The htaccess file had been modified and it was hidden way, way, way to the right of the file so it could be seen. I think it is all fixed now.


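A check for the kind of .htaccess change described in post #14, as an added example that is not part of the original thread or of vBulletin: it flags directives pushed off-screen by whitespace padding and redirect targets on hosts you do not own. The 80-column threshold, the function names and the sample file are assumptions made for illustration.

```python
import os
import re
from urllib.parse import urlparse

MAX_PAD = 80  # assumed threshold: content after this much whitespace is off-screen
PADDING_RE = re.compile(r" {%d,}\S" % MAX_PAD)
# Directives that can send a visitor to an absolute URL.
REDIRECT_RE = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b"
    r".*?(https?://[^\s\"']+)", re.IGNORECASE)

def scan_htaccess(text, own_hosts=()):
    """Return (line_number, reason, content) for each suspicious line."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.expandtabs(8)          # tabs pad just as well as spaces
        content = line.strip()
        if not content or content.startswith("#"):
            continue                      # blank lines and comments do nothing
        if PADDING_RE.search(line):
            findings.append((number, "hidden-by-padding", content[:120]))
        match = REDIRECT_RE.match(line)
        if match and urlparse(match.group(1)).hostname not in own:
            findings.append((number, "external-redirect", content[:120]))
    return findings

def scan_tree(root, own_hosts=()):
    """Scan every .htaccess under root; return {path: findings} for hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = scan_htaccess(handle.read(), own_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample: line 4 is padded with 300 spaces, as in the thread.
SAMPLE = "\n".join([
    "# constructed sample .htaccess",
    "RewriteEngine On",
    "RewriteRule ^threads/(\\d+) showthread.php?t=$1 [L]",
    " " * 300 + "RewriteRule .* http://redirect.invalid/ [R=302,L]",
    "Redirect 301 /old http://www.example.com/new",
])

if __name__ == "__main__":
    for number, reason, content in scan_htaccess(SAMPLE, ["www.example.com"]):
        print(f"line {number}: {reason}: {content}")
```

Run `scan_tree` over the whole document root, since a modified .htaccess in any subdirectory applies to requests beneath it.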

                            • #15
                              Originally posted by John h View Post
                              Thanks for all the replies. The htaccess file had been modified and it was hidden way, way, way to the right of the file so it could be seen. I think it is all fixed now.
                              We are all here to help. Do me one favor though if you have not already, run the queries listed in the article I linked you to and run suspect file versions... basically I'm telling you to double-check it all and ensure nothing is still present on your server, this way there's absolutely no hidden point of access or other still remaining.

