
Security issue

This is a discussion on Security issue within the Bug Reporting forums, part of the vBSEO SEO Plugin category.

  1. #151
    vBSEO Staff
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    675 times
    Blog Entries
    2
    It may take a few days for Google to clear up the error on its side and start sending traffic back to your site.
    Brian Cummiskey / Crawlability Inc.
    Security bulletin - Patch Level for all supported versions released



  2. #152
    Senior Member
    Real Name
    Christian Thiessen
    Join Date
    May 2007
    Posts
    101
    Liked
    0 times
    Blog Entries
    1
    Good morning,
    This hacker is intelligent.
    This is what the vBSEO team found out in my log: he visited me twice.
    Both times he edited the same plugin.
    So I think he put in the code and 5 days later he removed the code.

    Why that?
    His target is that people download his malware from these free download sites.
    He knows that the malware will be removed from this site if discovered.
    So he needs to do that on as many target sites as possible.
    If possible, he likes to stay undiscovered.
    To reach this target, he uses a cookie, he removes the code, and he lets his code work only for search engine traffic.

    Due to the way he did it, it looks like there was only a normal login to the AdminCP.
    Reaction from vBulletin = Must be a problem of the admin, he does not care about his password security
    Reaction from the hacker = ROFL

    Never mind, it can always happen that one of us has a problem with his PC, a virus or whatever, even if we take care that our virus scanner is always up to date.
    Things like this happened in the past and will happen in the future.

    But in this case there are too many forums involved. And we discovered only 3 target sites.
    There might be many more out there.

    So the questions are:

    • If he did this without a password - how?
    • If he had all these passwords - how did he get them?
    • Are there more target sites out there?
    • What is the malware supposed to do? (not important for us, but for general Internet security)

    I checked ulr2short.info yesterday; of the 10 upstream sites, 8 were vBulletin (2 Google).
    On 4 of them the code was still present. I informed 3 of the webmasters (on the 4th site every click opens too many ads, sorry).

    Greetings
    Christian

  3. #153
    Junior Member
    Real Name
    Angelo
    Join Date
    Mar 2010
    Posts
    7
    Liked
    0 times
    Good morning, I have the problem of a redirect on my site to http://myfilestore.com/download.php/.... I have read the old post, but I have not understood.
    If you find my site justoverclock in Google and click on "forum" in the Google results, you'll be redirected to http://myfilestore.com/download.php/id...
    You can see the problem only on the first click on forum, and not always.

    I have Joomla 1.5.15, vBulletin 3.7.1 and vBSEO 3.3.2.
    Last edited by anjx; 03-20-2010 at 07:31 AM.

  4. #154
    Junior Member
    Real Name
    DM
    Join Date
    Jun 2008
    Posts
    1
    Liked
    0 times
    Are there any further results of this problem? We were affected too.

  5. #155
    Senior Member
    Real Name
    Christian Thiessen
    Join Date
    May 2007
    Posts
    101
    Liked
    0 times
    Blog Entries
    1
    Hi Angelo,
    Please give me your URL, I will check.

    It happens only one time because a cookie is set.
    Search for the cookie "vbsp" on your computer and delete it, and you will be able to see if the problem is still present.
    Only if you follow Google links.

    Then let's find your bad code and get rid of it.
    You might disable and enable vBSEO; that clears the datastore cache. If the code is no longer in the plugin, it helps.

    The target site has a lot of traffic from Brazil and Italy.
    If you are Brazilian I could help in Portuguese (Italian - we need to use English).


    Greetings Christian

  6. #156
    Junior Member
    Real Name
    Angelo
    Join Date
    Mar 2010
    Posts
    7
    Liked
    0 times
    I'm Italian, and don't know Portuguese :(
    My URL is JustOverclock.com - Raffreddamento a liquido e ad aria, hardware, overclock e modding, but the problem exists only when you come in from Google.

  7. #157
    Senior Member
    Real Name
    Christian Thiessen
    Join Date
    May 2007
    Posts
    101
    Liked
    0 times
    Blog Entries
    1
    OK,
    yes, you are infected.
    So we need to find out where the code is.

    You need to go to your Admin CP and take a look at your plugin code.
    The hacker needs a global plugin to make it work on all sites.

    In my case he used one of the plugins at: global_start
    The code is encoded; it should start with "base64".
    So you need to find this code and delete it.

    Greetings
    Christian

  8. #158
    Junior Member
    Real Name
    Angelo
    Join Date
    Mar 2010
    Posts
    7
    Liked
    0 times
    Sorry, but I have many files on my FTP, and I can't open all the files to find this code. Do you have a tip? Where are the files that are most attacked in vBulletin and Joomla? I don't have a folder or file named global_start.
    Sorry if I don't understand.

    Must I find "base64" in the files, or is base 64 a type of code?

  9. #159
    Senior Member
    Real Name
    Christian Thiessen
    Join Date
    May 2007
    Posts
    101
    Liked
    0 times
    Blog Entries
    1
    Hi,
    it is vBulletin related, but it is not in the files; it's stored in the database.
    You need to go to your AdminCP:
    Entra - JustOverclock.com - vBulletin Pannello Admin

    and then - text in Italian or English?:
    [Attached image: admincp..jpg]

    Greetings
    Christian
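
One way to triage the plugin code described in posts #157 and #159, as an added example that is not part of the thread or any vBulletin/vBSEO tooling: it scans plugin records exported from the database for decoder calls, decodes base64 string literals, and reports whether the hidden code looks at the referrer or cookies. The field names (title, hookname, phpcode) and all sample rows are assumptions constructed for illustration.

```python
import base64
import re

# Constructed sample rows shaped like an export of the forum's plugin records.
# Field names (title, hookname, phpcode) and every value are assumptions.
STAND_IN = b"/* harmless stand-in */ $r = $_SERVER['HTTP_REFERER']; $c = $_COOKIE['vbsp'];"
SAMPLE_PLUGINS = [
    {"title": "Constructed benign plugin", "hookname": "global_start",
     "phpcode": "$show['example'] = true;"},
    {"title": "Constructed suspicious plugin", "hookname": "global_start",
     "phpcode": "eval(base64_decode('%s'));" % base64.b64encode(STAND_IN).decode()},
    {"title": "Constructed postbit plugin", "hookname": "postbit_display_complete",
     "phpcode": "$post['example'] = 1;"},
]

DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{24,})['\"]")
CLOAKING = ("HTTP_REFERER", "HTTP_USER_AGENT", "$_COOKIE")  # visitor-dependent logic

def decode_literals(code):
    """Decode every long base64 string literal found in a plugin's PHP code."""
    decoded = []
    for blob in B64_LITERAL.findall(code):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("latin-1"))
        except ValueError:  # not valid base64 after all
            continue
    return decoded

def scan_plugins(rows):
    """Return one finding per plugin that calls a decoder, global hooks first."""
    findings = []
    for row in rows:
        calls = sorted({m.lower() for m in DECODERS.findall(row["phpcode"])})
        if not calls:
            continue
        hidden = " ".join(decode_literals(row["phpcode"]))
        findings.append({
            "title": row["title"], "hookname": row["hookname"], "calls": calls,
            "evaluated": bool(EVAL_CALL.search(row["phpcode"])),
            "cloaking": [k for k in CLOAKING if k in hidden],
            "global_hook": row["hookname"].startswith("global_"),
        })
    return sorted(findings, key=lambda f: not f["global_hook"])

if __name__ == "__main__":
    for finding in scan_plugins(SAMPLE_PLUGINS):
        print(finding)
```

The thread notes that removed code can persist in the datastore cache, so the text of a cached plugin copy can be passed in as the phpcode of an extra row and scanned the same way.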

  10. #160
    Junior Member
    Real Name
    Angelo
    Join Date
    Mar 2010
    Posts
    7
    Liked
    0 times
    Wow, thank you

    I can now search in all the global files, but can I search for the entry "base64" and delete all the code?

  11. #161
    Senior Member
    Real Name
    Christian Thiessen
    Join Date
    May 2007
    Posts
    101
    Liked
    0 times
    Blog Entries
    1
    Well, you should only delete the bad part of the code.
    I never saw that on my forum because the code was removed and only present in the datastore cache.

    But if you find something starting with base64, you might post the whole code here (inside tags) and we will compare it with our forums to see what is standard and what is extra and should be deleted.

    Christian

  12. #162
    vBSEO.com Webmaster
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    23,463
    Liked
    721 times
    Blog Entries
    4
    Quote: Originally Posted by anjx
    Good morning, I have the problem of a redirect on my site to http://myfilestore.com/download.php/.... I have read the old post, but I have not understood.
    If you find my site justoverclock in Google and click on "forum" in the Google results, you'll be redirected to http://myfilestore.com/download.php/id...
    You can see the problem only on the first click on forum, and not always.

    I have Joomla 1.5.15, vBulletin 3.7.1 and vBSEO 3.3.2.

    Please try asking the license owner to add you to Priority Support within their customer profile.
    Mert Gökçeimam / Crawlability Inc.


  13. #163
    Junior Member
    Real Name
    Angelo
    Join Date
    Mar 2010
    Posts
    7
    Liked
    0 times
    I have looked in this plugin but I haven't found "base64".

  14. #164
    Junior Member
    Real Name
    Angelo
    Join Date
    Mar 2010
    Posts
    7
    Liked
    0 times
    In a module I found two suspicious links to a manga site; I have deleted them and the problem has vanished. Can you confirm?

  15. #165
    Senior Member
    Real Name
    Christian Thiessen
    Join Date
    May 2007
    Posts
    101
    Liked
    0 times
    Blog Entries
    1
    Hi.
    Looks OK now.
    You should read the whole thread and put some extra protection on your Admin CP.
    Rename and/or .htaccess protection.

    Christian
