vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=328118

Malware - popup ads
by digif
25 Jun 2020 15:35

Hi,

Recently I've noticed that when I click on the website, popup comes up, even though I never added such ads on the forum.

URL: beneamata.com

How can I find where the code was added and through where did they manage to do that?

Thanks in advance

--------------- Added 25 Jun 2020 at 21:35 ---------------

Ive upgraded version from 3.8.4 to 3.8.9, now there are no more popups, but I wanted to upgrade it to 3.8.11, it got stuck on 3.8.9 with the error:

Database error in vBulletin 3.8.9:
Invalid SQL:
ALTER TABLE adminlog CHANGE ipaddress ipaddress VARCHAR(45) NOT NULL DEFAULT '';
MySQL Error : Table 'elebocom_beneamata.adminlog' doesn't exist
Error Number : 1146
IP Address : IPADDRESS
Username :

Any ideas why?

--------------- Added 25 Jun 2020 at 22:59 ---------------

Ive created the table, everything is now fixed, I've upgraded to 3.8.11, no more malware popups. Thread can go on lock.

DCD.RB 29 Jun 2020 08:03

It sounds like they might have injected malicious code on the local php files themselves. When you upgraded, you replaced those files with original vB files.

I've seen this happen to wordpress sites.

I'd get your host to review your server to ensure it's not compromised.

digif 11 Feb 2021 19:40

Hi guys,

Malware came back, now I have no idea how to get rid of it. Is it possible it came through some of the plugins?

I've removed a folder called 'nav' which was full of files with strange external domains, but still popups are here. Files were called 'nmd sela something'.

Any help appreciated.

Dr.CustUmz 13 Feb 2021 06:04

Quote:

Originally Posted by digif (Post 2606169)
Is it possible it came through some of the plugins?

very likely, I browsed your forum and was unable to see any of these popups to pin point the ad (I dont use any adblockers)

If you could share a link to exactly where you are receiving these popups I could help.

digif 13 Feb 2021 14:33

Quote:

Originally Posted by Dr.CustUmz (Post 2606195)
very likely, I browsed your forum and was unable to see any of these popups to pin point the ad (I dont use any adblockers)

If you could share a link to exactly where you are receiving these popups I could help.

Homepage, click on the side (blue background, one left mouse click is enough).

Dr.CustUmz 14 Feb 2021 09:45

Quote:

Originally Posted by digif (Post 2606199)
Homepage, click on the side (blue background, one left mouse click is enough).

they are not appearing for me =/ I am also not receiving any blocked pop-up notifications, nor am I seeing anything in the console...

With that said this could be one of many issues:

You yourself could be infected with malware
You may have a malware infected browser extension (they're pretty common)
Or it may be a vBulletin product with ads injected and only visible to you (which in the sense of adding hidden ads to a product would make no sense, you would want as many viewers as possible to make any kind of profit)

Are any of your members reporting these popups?

I would register but I do not know Andrea's surname lol

digif 14 Feb 2021 10:37

Quote:

Originally Posted by Dr.CustUmz (Post 2606215)
they are not appearing for me =/ I am also not receiving any blocked pop-up notifications, nor am I seeing anything in the console...

With that said this could be one of many issues:

You yourself could be infected with malware
You may have a malware infected browser extension (they're pretty common)
Or it may be a vBulletin product with ads injected and only visible to you (which in the sense of adding hidden ads to a product would make no sense, you would want as many viewers as possible to make any kind of profit)

Are any of your members reporting these popups?

I would register but I do not know Andrea's surname lol

Maybe try few times clicking on the background of the homepage. I get them when I run Firefox Private Window as I have adblock on the normal one.

I'm not logged in, so I dont think its only for users. Also, I dont get it on other websites so its not malware on pc.

Forum is inactive now, but I want to keep it clean as an archive, so I dont get reports from other users. If you want to register, answer is 'Ranocchia'.

Thanks for trying to help.

Dr.CustUmz 14 Feb 2021 12:58

I have tried firefox, firefox private, chrome, chrome incognito, edge, and IE, all without adblocker. I'm just not getting any form of ads.

but what you can do when you see the ad inspect it in console.

Find the top most div of the ad, see where that is in your style, search the words in the html of the ad in your styles, plugins, ect.

snakes1100 14 Feb 2021 13:08

I'd agree with Dr., i've checked it as well.

Sometimes those ads are IP specific, which may be why you dont get every user complaining about it the popups.

It looks like you have some scanning/checking to do in your file system & db.

digif 14 Feb 2021 15:27

Quote:

Originally Posted by Dr.CustUmz (Post 2606220)
I have tried firefox, firefox private, chrome, chrome incognito, edge, and IE, all without adblocker. I'm just not getting any form of ads.

but what you can do when you see the ad inspect it in console.

Find the top most div of the ad, see where that is in your style, search the words in the html of the ad in your styles, plugins, ect.

I've recorded it:
https://screencast-o-matic.com/watch/crn2DZSwqm

Also, popup also comes up but after a while, so I didnt want to wait for it to record it.

snakes1100 14 Feb 2021 17:19

Check the last time this file was touched/edited file permissions etc

vbulletin_read_marker.js

https://www.beneamata.com/clientscri...rker.js?v=3811

It appears to be hacked & has code in it.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


digif 14 Feb 2021 17:32

Quote:

Originally Posted by snakes1100 (Post 2606237)
Check the last time this file was touched/edited file permissions etc

vbulletin_read_marker.js

https://www.beneamata.com/clientscri...rker.js?v=3811

It appears to be hacked & has code in it.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

It's weird, I can't find vbulletin_read_marker.js?v=3811, only the original one - vbulletin_read_marker.js

snakes1100 14 Feb 2021 17:35

Ignore the ?v=3811, thats just for caching for browsers.

Just check vbulletin_read_marker.js

digif 14 Feb 2021 17:45

Quote:

Originally Posted by snakes1100 (Post 2606245)
Ignore the ?v=3811, thats just for caching for browsers.

Just check vbulletin_read_marker.js

I've overwrote it with the original file from vB, you can check the file:
https://www.beneamata.com/clientscri...read_marker.js

snakes1100 14 Feb 2021 17:51

That file looks correct now.

Clear any caches & chk the home page issue.

digif 14 Feb 2021 18:10

Quote:

Originally Posted by snakes1100 (Post 2606249)
That file looks correct now.

Clear any caches & chk the home page issue.

The one with ?v.. is still showing different code. I've opened the website with Chrome, still same happens..

Dr.CustUmz 14 Feb 2021 18:51

Quote:

Originally Posted by digif (Post 2606252)
The one with ?v.. is still showing different code. I've opened the website with Chrome, still same happens..

nice catch snake, i wasnt looking at any files since I wasnt seeing anything visually.

digif,

the v does not matter it is the same file, you need to clear your browser cache to make it reload the file.

You can do this by holding shift and pressing F5 or by using browser extensions

as a web developer I am constantly reloading cache, so much so it is my normal refresh the page button. I use https://chrome.google.com/webstore/d...kmgnhonkkjfpdn

digif 14 Feb 2021 19:24

Quote:

Originally Posted by Dr.CustUmz (Post 2606253)
nice catch snake, i wasnt looking at any files since I wasnt seeing anything visually.

digif,

the v does not matter it is the same file, you need to clear your browser cache to make it reload the file.

You can do this by holding shift and pressing F5 or by using browser extensions

as a web developer I am constantly reloading cache, so much so it is my normal refresh the page button. I use https://chrome.google.com/webstore/d...kmgnhonkkjfpdn

I've cleared cache with a plugin, same crap again..

snakes1100 14 Feb 2021 20:25

Yes, its still showing here
https://www.beneamata.com/clientscri...rker.js?v=3811

Not here:
https://www.beneamata.com/clientscri...read_marker.js

Is the server caching your content? If so you need to have the cache cleared or if your running a cache in the forum, like dragonbytes etc

digif 14 Feb 2021 21:30

Quote:

Originally Posted by snakes1100 (Post 2606261)
Yes, its still showing here
https://www.beneamata.com/clientscri...rker.js?v=3811

Not here:
https://www.beneamata.com/clientscri...read_marker.js

Is the server caching your content? If so you need to have the cache cleared or if your running a cache in the forum, like dragonbytes etc

I'll give it time, maybe it'll clear itself, but the issue remains, how it came back.. These are the plugins I have installed:
https://i.imgur.com/9AI1kBP.jpg

Dr.CustUmz 14 Feb 2021 22:07

FB connect is obsolete

as for the rest did you download them from 3rd party sites? I see vBadvanced so I'm guessing some others may have been downloaded else where too.

Leachers will inject ads and malicious codes into products that is why I choose to share my products myself on vbulletin warez sites, because I would rather share something myself than to have someone redistribute my work and ruin my name.

But as snake said your going to have to clear your server host cache. Not knowing your provider, there could be a few ways to do this, so just google "how to clear site cache SERVER PROVIDER"

--------------- Added 14 Feb 2021 at 22:14 ---------------

UPDATE neither link is displaying the misc. code for me (it is the same file either way) i could change ?v=3811 to ?v=41354 and it is still the same file (that v is only for caching)

knowing what we are looking for though:
- put all of your products you are using into one folder on your desktop
- open notepad++
- CTRL + F
- Find in files
- point the directory to your folder containing all the product files.
- Find What: graizoah
- Filters: *.xml*
- click find all

Repeat replacing filters with *.php*

If it is one of those products it should show up.

digif 15 Feb 2021 18:52

Quote:

Originally Posted by Dr.CustUmz (Post 2606264)
FB connect is obsolete

as for the rest did you download them from 3rd party sites? I see vBadvanced so I'm guessing some others may have been downloaded else where too.

Leachers will inject ads and malicious codes into products that is why I choose to share my products myself on vbulletin warez sites, because I would rather share something myself than to have someone redistribute my work and ruin my name.

But as snake said your going to have to clear your server host cache. Not knowing your provider, there could be a few ways to do this, so just google "how to clear site cache SERVER PROVIDER"

--------------- Added 14 Feb 2021 at 22:14 ---------------

UPDATE neither link is displaying the misc. code for me (it is the same file either way) i could change ?v=3811 to ?v=41354 and it is still the same file (that v is only for caching)

knowing what we are looking for though:
- put all of your products you are using into one folder on your desktop
- open notepad++
- CTRL + F
- Find in files
- point the directory to your folder containing all the product files.
- Find What: graizoah
- Filters: *.xml*
- click find all

Repeat replacing filters with *.php*

If it is one of those products it should show up.

First of all, thanks for the help, both of you..

All plugins were installed from this forum. By your instructions I've checked all plugins, 0 found the mentioned keyword.

Regarding the cache, I'm on namecheap hosting, can't find in cPanel something that could flush it. It's not on my end, I've tried at work, same ads pop up.

Dr.CustUmz 16 Feb 2021 05:50

the only thing left i can see to do is download your www folder through FTP and do the same thing with the difference being for your filters use ** so it scans every file.

I have still not been able to reproduce this ad.

if you provide my account admin privilege's with access to at least styles and plugins I can check the backend for you.

snakes1100 16 Feb 2021 10:36

Id give him phpmyadmin access as well & check the db for base code etc...

If your trusting enough & shell is active, just give him the cpanel login, ive worked a few sites from that host, shell can be turned on if its not.

Id do a grep -H -r "xxxxxxx" on the entire acct dir

digif 16 Feb 2021 15:49

Quote:

Originally Posted by Dr.CustUmz (Post 2606284)
the only thing left i can see to do is download your www folder through FTP and do the same thing with the difference being for your filters use ** so it scans every file.

I have still not been able to reproduce this ad.

if you provide my account admin privilege's with access to at least styles and plugins I can check the backend for you.

Done the search in the whole websites folder, nothing found under 'graizoah'. Long time ago I've added a popup code, but I think I've removed it. I've searched for some kind of script code in styles and the whole website with notepad++, couldnt find anything.

Also, there are some threads that doesnt exist and are shown from the homepage. If you check the first forum, thread is called 'Sexy photo...', and if you press on it, error tells you thread doesnt exist.

Dr.CustUmz 16 Feb 2021 16:49

I cant really help without any type of privileges


All times are GMT. The time now is 06:14.

Powered by vBulletin® Version 3.8.14
Copyright © 2021, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.