We recently had an appspot link turn bad for us, it was previously our qualifying form, but the host wanted it removed.
Now we are getting malware alerts, blocking an outgoing IP.

The big problem is this,, when the links were removed from the database it had some unwanted side effects.
It stopped the malware alerts yes, but.

Our footer had dissapeared, posting options were affected (reply came up as reply with quote) PM messaging is not working correctly, and a couple of other small things.


How can we correctly remove these links so the forum works properly?


Our version is 4.0.7

Thanks in advance :)

I don't understand what links you are trying to remove.

I don't understand what links you are trying to remove.

Hi Lynne

The links are/were our qualifying form (racing league), it was an outside app that a member had running on appspot, and has since become soured.

I CAN post the offending url, but I dont want to risk infecting anyone, or any other entity.


I maybe should have asked another way,, just that.

We are getting a malware redirect on our site and need to find a way to remove it.

The security message is "IP-BLOCK 96.44.139.222 (Type: outgoing, Port: 51111, Process: iexplore.exe)"

Help:confused:


TY:-)

Here is a canned response regarding check for hacking:

****
Here are the steps to check for site compromises -

1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or gzencode(). These are also often signs of a hacked site.

Query for steps 5 and 6 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE 'Febase64%' OR phpcode LIKE '18xec%' OR phpcode LIKE '?ystem%' OR phpcode like 'AMass_thru%' OR phpcode like '?zencode%';

7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE 'Febase64%' OR template LIKE '18xec%' OR template LIKE '?ystem%' OR template like 'AMass_thru%' OR template like '10frame%';

The query checks the templates for compromising code.

8) Check .htaccess to make sure there are no redirects there.

9) Make sure all third-party addons are up to date.

Here is a company that will clean your site for you if you have malware. http://affl.sucuri.net/ But if it is a missing file... they dont fix that. However, if you site was blacklisted for malware, this company can fix that for you! You can run a free scan, they will let you know if you have any malware or if you are blacklisted anywhere.