socialteenz
10-11-2016, 07:27 PM
So, basically i have been noticing many vb forums affected by this pop under malware..
What happens is, when you make a click on your site, the pop under appears and it redirects you to these sites..
adnety.com
clicknety.com
namefuze.com
Affected vBulletin Sites so far..
http://www.neogaf.com/forum/showthread.php?t=1229205&page=28 (https://www.vbulletin.com/link.php?u=http%3A%2F%2Fwww.neogaf.com%2Fforum%2Fs howthread.php%3Ft%3D1229205%26page%3D28)
http://www.tsptalk.com/mb/report-problems/26162-pop-ups-anyone-still-seeing-them.html? (https://www.vbulletin.com/link.php?u=http%3A%2F%2Fwww.tsptalk.com%2Fmb%2Frep ort-problems%2F26162-pop-ups-anyone-still-seeing-them.html%3Fs%3D9acbf7ebe10540390bc7657353a110f9)
http://www.contractortalk.com/f45/virus-pop-up-301393/ (https://www.vbulletin.com/link.php?u=http%3A%2F%2Fwww.contractortalk.com%2Ff 45%2Fvirus-pop-up-301393%2F)
https://forums.rajah.com/showthread.php?151343-Pop-ups
FIX:
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.
Best Practices...
1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.
2) Check your plugins list for any that are not part of a product you've added:
AdminCP > Plugins & Products > Plugin Manager
Any listed under 'vBulletin' at the top of the list should be examined carefully and removed if you're unsure as to what they are.
3) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.
4) Update the following passwords in addition to your AdminCP:
- FTP
- Database
When updating the database password, ensure you also change your config.php file to use the new password otherwise your site won't be able to connect to the database.
5) Secure your AdminCP directory via .htaccess/.htpasswd.
Credits: Trevor Hannant
What happens is, when you make a click on your site, the pop under appears and it redirects you to these sites..
adnety.com
clicknety.com
namefuze.com
Affected vBulletin Sites so far..
http://www.neogaf.com/forum/showthread.php?t=1229205&page=28 (https://www.vbulletin.com/link.php?u=http%3A%2F%2Fwww.neogaf.com%2Fforum%2Fs howthread.php%3Ft%3D1229205%26page%3D28)
http://www.tsptalk.com/mb/report-problems/26162-pop-ups-anyone-still-seeing-them.html? (https://www.vbulletin.com/link.php?u=http%3A%2F%2Fwww.tsptalk.com%2Fmb%2Frep ort-problems%2F26162-pop-ups-anyone-still-seeing-them.html%3Fs%3D9acbf7ebe10540390bc7657353a110f9)
http://www.contractortalk.com/f45/virus-pop-up-301393/ (https://www.vbulletin.com/link.php?u=http%3A%2F%2Fwww.contractortalk.com%2Ff 45%2Fvirus-pop-up-301393%2F)
https://forums.rajah.com/showthread.php?151343-Pop-ups
FIX:
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.
Best Practices...
1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.
2) Check your plugins list for any that are not part of a product you've added:
AdminCP > Plugins & Products > Plugin Manager
Any listed under 'vBulletin' at the top of the list should be examined carefully and removed if you're unsure as to what they are.
3) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.
4) Update the following passwords in addition to your AdminCP:
- FTP
- Database
When updating the database password, ensure you also change your config.php file to use the new password otherwise your site won't be able to connect to the database.
5) Secure your AdminCP directory via .htaccess/.htpasswd.
Credits: Trevor Hannant