vb.org Archive


Lionel 06-14-2005 01:54 PM

My forums are being hijacked
 
I posted about it last week but could not find the posts.

Strangely, in the posts (so far looks like it's only in the quotes) some words are being linked to some searchmiracle.php.

Some people here told me that I had spyware on my PC. Problem is I have not posted for one day, and everyone else sees those links. So could be that my users have the spyware. How do I prevent them from being transferred to the forums?

Marco van Herwaarden 06-14-2005 01:57 PM

Could you provide a link to one of those posts and a test login?

Lionel 06-14-2005 02:07 PM

username test
password test

the first post on that page... words bank, radio, forum etc...
here

Marco van Herwaarden 06-14-2005 02:19 PM

What is overlib.js?

That is not a standard vB javascript file.

And my browser goes totally crazy from all the blocked cookies if I try to visit that page.

Edit: most blocked cookies are also because you were linking me to the www. version of your site, and all links/cookies use your site without www.

Lionel 06-14-2005 02:22 PM

overlib has been there for a while. it is being used to display certain texts in a box, like the geek's autolink

Corriewf 06-14-2005 02:24 PM

You have that hack enabled where you can link certain words, right? If so I would chat with the coder and/or check your coding. Can you access searchmiracle.php from your ftp? I would also notify vbulletin.com if all else fails as this could mean an exploit of some kind.

Marco van Herwaarden 06-14-2005 02:24 PM

I think those links are from a hack you installed: Geek Auto Linker.

Edit: Not hte only one with that answer ;)

Lionel 06-14-2005 02:24 PM

Quote:

Originally Posted by MarcoH64
What is overlib.js?


Edit: most blocked cookies are also because you were linking me to the www. version of your site, and all links/cookies use your site without www.

I am not sure I follow you on that

don't have searchmiracle anywhere in my coding... and this seems to happen only with a certain user.

Quote:

Originally Posted by MarcoH64
I think those links are from a hack you installed: Geek Auto Linker.

Edit: Not hte only one with that answer ;)

geek autolink displays all links differently

what is HTE?

the automerge keeps on posting in same post and you might have missed it.

Corriewf 06-14-2005 02:46 PM

It's hard to tell because of the lang used but the coding for vbpager looks wrong and the searchmiracle is coming from coding from within.

Also where's the code for the warning system?

<!-- checks for warning system --> <!-- end of warning system -->

I would check the code for the autolinker for the source of your problem.

Lionel 06-14-2005 02:53 PM

I just finished checking all codes. No mention of searchmiracle.php. This seems to happen from quotes made by a specific user. Maybe she is the one who is infected and transferring to me?

At vb.com they are going to tell me no support because of the hacking.

Marco, 2 questions:

1-what is hte?

2-you just solved a cookie issue i had for the longest time and posted http://www.vbulletin.com/forum/showthread.php?t=141069

how can I have both? http://site and http://www.site ?

oly51 06-14-2005 03:03 PM

Quote:

1-what is hte?
My guess... "the" typed too quickly. ;)

Marco van Herwaarden 06-14-2005 03:18 PM

Quote:

Originally Posted by Lionel
-what is hte?

2-you just solved a cookie issue i had for the longest time and posted http://www.vbulletin.com/forum/showthread.php?t=141069

how can I have both? http://site and http://www.site ?

1. Like oly51 guessed. My left hand being faster than my right :/ Happens a lot to me :(

2. Try making the "Cookie Domain" blank in your vBulletin Options. (hmm not sure now if that won't have the opposite effect. Actually I think how you got it now with a leading dot should be the best you can do)

Lionel 06-14-2005 03:22 PM

yup, I am going to the pain of correcting those links one by one

Lionel 06-16-2005 06:35 PM

This is getting really annoying. Vbulletin is being exploited. A member should not be able to involuntarily transfer her junk in vbulletin posts

Marco van Herwaarden 06-16-2005 07:04 PM

Well it is hardly an exploit to be able to post links. You could put the url in the word censor.

Lionel 06-16-2005 07:13 PM

Those links are being posted without members knowing about it. Can't vbulletin post only what is in textarea, without having to grab the other junk? I have been removing links like crazy. The member does not even know about it. I put searchmiracle.com in my censor box, it still goes thru.

You mean to tell me anyone can use a member and insert their things into my forums, and that is not being exploited?

Corriewf 06-16-2005 07:23 PM

Quote:

Originally Posted by Lionel
Those links are being posted without members knowing about it. Can't vbulletin post only what is in textarea, without having to grab the other junk? I have been removing links like crazy. The member does not even know about it. I put searchmiracle.com in my censor box, it still goes thru.

You mean to tell me anyone can use a member and insert their things into my forums, and that is not being exploited?

You have hacked your board with the geek auto linker and now words are being linked..... Sounds like this is a bug or error coding on your part.


Doubt it's a vbulletin exploit. :rolleyes:

Lionel 06-16-2005 07:54 PM

Quote:

Originally Posted by corriewf
You have hacked your board with the geek auto linker and now words are being linked..... Sounds like this is a bug or error coding on your part.


Doubt it's a vbulletin exploit. :rolleyes:

this is happening with only ONE member, so leave thegeek alone.

Like everyone at vb.com is saying, that member's PC is infected. All I am saying is that textarea should be protected from foreign elements in posts. If one smart searchmiracle.com can do it, it's only a matter of time before we start seeing sex links popup in kids forums. Then what do we say? That a member is infected?

Corriewf 06-17-2005 01:44 AM

Quote:

Originally Posted by Lionel
this is happening with only ONE member, so leave thegeek alone.

Like everyone at vb.com is saying, that member's PC is infected. All I am saying is that textarea should be protected from foreign elements in posts. If one smart searchmiracle.com can do it, it's only a matter of time before we start seeing sex links popup in kids forums. Then what do we say? That a member is infected?

We should start charging premium rates to view that members post. :lick:


If you really think that is the problem then tell him to clean his crap up or ban.

Lionel 06-17-2005 01:49 AM

Sure I told her. I've got 7500+ members. I just hope that there won't be an epidemic some day.:nervous:

I also put searchmiracle on my censor list; but guess what. I am also using the warning hack, and every time that poor girl posts, there is a warning issued for obscene words, and after x warnings, she got banned. I already lifted the ban manually twice.:ermm: She is not doing it on purpose. Some people are just not computer literate.

Corriewf 06-17-2005 02:38 AM

Quote:

Originally Posted by Lionel
Sure I told her. I've got 7500+ members. I just hope that there won't be an epidemic some day.:nervous:

I also put searchmiracle on my censor list; but guess what. I am also using the warning hack, and every time that poor girl posts, there is a warning issued for obscene words, and after x warnings, she got banned. I already lifted the ban manually twice.:ermm: She is not doing it on purpose. Some people are just not computer literate.

That's not your problem. Ignorance is not bliss and spamming the community is not something I would have on my board.

tamarian 06-17-2005 03:03 AM

She might have a bot on her PC without knowing about it.

Marco van Herwaarden 06-17-2005 05:07 AM

If you do a bit of google research on this search miracle you will find that it is associated with a trojan called EliteBar. From what I see it seems to be a hell of a trojan to get rid of.

Most seem to have the best result with Giant (now Microsoft).

I am sorry that we can't really help you with this since it is not really a vB problem. Your member should clean her PC, that is the best advice I can give.

Lionel 06-17-2005 02:26 PM

Eventually, sooner or later this will become a jelsoft, phpBB and everybody else problem. I got 3 new cases today with a new one
http://forums.al7bar.tk

edit make that four
http://www.dss-newbies.net

more again

http://69.42.87.218/cgi-bin/ezlclk.fcgi?id=10125

My observation: This is happening only when message is in a quote.

Marco van Herwaarden 06-17-2005 02:36 PM

that al7bar looks familiar to me

Lionel 06-17-2005 02:37 PM

Marco, I know you said this is not a vb problem, but I am going crazy here, they are popping all over. But it seems to be active only when in a quote.

Marco van Herwaarden 06-17-2005 02:58 PM

There is a thread on vb.com about a similar problem. Someone called "Southernlady" (I hope I remembered the name correctly) is offering help on trojan/spyware removal. I don't know her, but she seems to be specialized in these kinda things.

Is it still only in posts made by 1 user?

If yes:
- Create a (.htaccess protected) test forum with a clean install (database and files)
- Give this 1 user access to the board and let her post.
- Maybe a few more of your users.

Then see if the same is happening.

tamarian 06-17-2005 04:14 PM

Lionel, do you know what's her browser user agent? It's a long shot, but if the browser sig has an indication of any special software plugins or product tags, this may give a clue as to what's causing this. You can get her useragent from the session table.

Lionel 06-17-2005 04:28 PM

I am getting it from 3 different users now. For her, I am pretty sure it's IE

They are also coming in PM

tamarian 06-17-2005 04:54 PM

Quote:

Originally Posted by Lionel
I am pretty sure it's IE

That's not enough info :) The full browser footprint might hold some clues, like:

Code:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050514 Firefox/1.0.4       

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; YPC 3.1.0; .NET CLR 1.1.4322; Alexa Toolba
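
The user-agent check suggested above, sketched as an added example (not code from the thread or from vBulletin): it pulls the non-standard tokens out of each stored user agent and groups them by member, so tags shared by the affected members stand out. The baseline token list, the usernames, the `ExampleBar 1.0` tag and the `(username, useragent)` row shape are assumptions made for the example.

```python
import re
from collections import defaultdict

# Tokens a stock browser of that era sends inside the parenthesised comment.
# This baseline is an assumption for the example; tune it to your own traffic.
BASELINE = [
    r"compatible", r"MSIE \d+(?:\.\d+)*", r"Windows(?: NT)? [\w.]+",
    r"X11", r"U", r"Linux \w+", r"[a-z]{2}(?:-[A-Z]{2})?", r"rv:[\d.]+",
    r"\.NET CLR [\d.]+", r"SV1",
]
BASELINE_RE = re.compile(r"^(?:%s)$" % "|".join(BASELINE))


def extra_tokens(user_agent):
    """Return comment tokens that are not part of the stock browser signature."""
    start = user_agent.find("(")
    if start == -1:
        return []
    end = user_agent.find(")", start)
    # A stored user agent may be cut off mid-comment (no closing parenthesis);
    # keep what is there rather than discarding the row.
    comment = user_agent[start + 1:end if end != -1 else len(user_agent)]
    tokens = [t.strip() for t in comment.split(";")]
    return [t for t in tokens if t and not BASELINE_RE.match(t)]


def tokens_by_user(rows):
    """Map each add-on token to the set of usernames whose browser sent it."""
    seen = defaultdict(set)
    for username, user_agent in rows:
        for token in extra_tokens(user_agent):
            seen[token].add(username)
    return dict(seen)


# Constructed sample rows (username, useragent). The first two strings are the
# ones quoted in the post above; the usernames and the third row are made up.
SAMPLE_ROWS = [
    ("member_a", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050514 Firefox/1.0.4"),
    ("member_b", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; YPC 3.1.0; .NET CLR 1.1.4322; Alexa Toolba"),
    ("member_c", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; ExampleBar 1.0)"),
]

if __name__ == "__main__":
    for token, users in sorted(tokens_by_user(SAMPLE_ROWS).items()):
        print(f"{token!r}: {sorted(users)}")
```

A token that appears only for the members whose posts carry the unwanted links is the one worth looking up; a token also sent by unaffected members can usually be set aside.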


