  #1  
11 Oct 2016, 21:27
socialteenz
Join Date: May 2011
Real name: Arun
Angry Pop Unders with false click..!

So, basically I have been noticing many vB forums affected by this pop-under malware..

What happens is, when you make a click on your site, the pop under appears and it redirects you to these sites..

adnety.com
clicknety.com
namefuze.com

Affected vBulletin Sites so far..

http://www.neogaf.com/forum/showthread.php?t=1229205&page=28

http://www.tsptalk.com/mb/report-problems/26162-pop-ups-anyone-still-seeing-them.html?

http://www.contractortalk.com/f45/virus-pop-up-301393/

https://forums.rajah.com/showthread.php?151343-Pop-ups


FIX:


Originally Posted by Trevor Hannant:
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.

Best Practices...



1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Check your plugins list for any that are not part of a product you've added:

AdminCP > Plugins & Products > Plugin Manager

Any listed under 'vBulletin' at the top of the list should be examined carefully and removed if you're unsure as to what they are.

3) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

4) Update the following passwords in addition to your AdminCP:

- FTP
- Database

When updating the database password, ensure you also change your config.php file to use the new password otherwise your site won't be able to connect to the database.

5) Secure your AdminCP directory via .htaccess/.htpasswd.

Credits: Trevor Hannant
Last edited by socialteenz; 13 Oct 2016 at 16:40.
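
Added example, not part of the original post and not vBulletin's own code: steps 2 and 3 above (plugins listed under 'vBulletin', base64 in plugin code) written as a review script over exported plugin records, which also decodes base64 literals to look for the redirect domains named in the post. The field names title, product, hookname and phpcode, the hook names and the sample rows are assumptions constructed for illustration; a flag means "examine this plugin by hand", since the post notes that some legitimate addons also carry base64.

```python
import base64
import re

# Redirect domains named in the first post of this thread.
REDIRECT_DOMAINS = ("adnety.com", "clicknety.com", "namefuze.com")
# PHP calls commonly used to hide and then run an encoded payload.
OBFUSCATION_CALLS = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)
# Quoted runs of 24+ base64 characters are treated as candidate encoded literals.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")


def decoded_literals(phpcode):
    """Yield the text of every quoted base64 literal that decodes cleanly."""
    for blob in B64_LITERAL.findall(phpcode):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64 after all


def audit_plugin(row):
    """Return the reasons a plugin row (assumed export format) needs manual review."""
    code = row["phpcode"]
    reasons = []
    if row["product"].lower() == "vbulletin":
        reasons.append("listed under the 'vBulletin' product")
    calls = sorted({m.lower() for m in OBFUSCATION_CALLS.findall(code)})
    if calls:
        reasons.append("calls " + ", ".join(calls))
    haystack = (code + "\n" + "\n".join(decoded_literals(code))).lower()
    hits = [d for d in REDIRECT_DOMAINS if d in haystack]
    if hits:
        reasons.append("references " + ", ".join(hits))
    return reasons


# Constructed sample rows, not taken from any real site. The encoded literal
# is base64 of a harmless comment that mentions one of the domains above.
ENCODED = base64.b64encode(b"// loads clicknety.com script").decode()
SAMPLE_ROWS = [
    {"title": "Forum Sidebar", "product": "sidebar_addon", "hookname": "forumhome_start",
     "phpcode": "$show['sidebar'] = true;"},
    {"title": "Global Init", "product": "vbulletin", "hookname": "global_start",
     "phpcode": "eval(base64_decode('" + ENCODED + "'));"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["title"], "->", audit_plugin(row) or "nothing flagged")
```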
  #2  
11 Oct 2016, 21:33
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
More than likely hidden in a file, called via referencing a URL... could or could not be in base64 format i.e. encrypted per se from reading heck not sure, will know more once I run into this first-hand as with all this crud these turd-nuggets (hacker folks) come up with.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
  #3  
11 Oct 2016, 21:35
socialteenz
Join Date: May 2011
Real name: Arun
Update:

The temporary fix for this issue is to disable the plugin system.

[Code block not shown: suspended or unlicensed members cannot view code.]

  #4  
11 Oct 2016, 21:40
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
This code is at the top of two of your sites listed, I'd check for that on the site you have access to.

On one site:

[Code block not shown: suspended or unlicensed members cannot view code.]

From a completely different site, similar code:

[Code block not shown: suspended or unlicensed members cannot view code.]

  #5  
11 Oct 2016, 21:51
socialteenz
Join Date: May 2011
Real name: Arun
The site which I have access to is undergoing a server update, I will get you the details once it's done.

This was the code found on their site..

[Code block not shown: suspended or unlicensed members cannot view code.]

  #6  
11 Oct 2016, 21:53
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by socialteenz:
The site which I have access to is undergoing a server update, I will get you the details once it's done.

This was the code found on their site..

[Code block not shown: suspended or unlicensed members cannot view code.]

Looks identical to the ones I also found, so look for how that was added or injected, what is in that area of the page on the back-end of the site? A Hook location or what? Trace it down that way. Also once removed check in a day or so and one solid week after to ensure it wasn't added again i.e. shell script left on the site OR code in a file that allows the code to be re-inserted etc etc.

While I find this interesting I'm terribly busy today so I may not be back to comment again for a few hours, catch up is my name at the moment (lol).
  #7  
11 Oct 2016, 21:56
socialteenz
Join Date: May 2011
Real name: Arun
Originally Posted by TheLastSuperman:
Looks identical to the ones I also found, so look for how that was added or injected, what is in that area of the page on the back-end of the site? A Hook location or what? Trace it down that way. Also once removed check in a day or so and one solid week after to ensure it wasn't added again i.e. shell script left on the site OR code in a file that allows the code to be re-inserted etc etc.

While I find this interesting I'm terribly busy today so I may not be back to comment again for a few hours, catch up is my name at the moment (lol).

Sure, thanks for the info.

I am super sleepy as well, 3:25AM at my side of the world.
Last edited by socialteenz; 11 Oct 2016 at 22:03.
  #8  
12 Oct 2016, 10:21
Trevor Hannant
Join Date: May 2003
Real name: Trevor
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.
__________________
vBulletin Support
  #9  
12 Oct 2016, 20:57
socialteenz
Join Date: May 2011
Real name: Arun
Originally Posted by Trevor Hannant:
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.

Yup, right on.

Thanks.
All times are GMT.