Thread: Trojan warnings when clicking on Google search results into our MB.
View Single Post
  #6  
Old 02-26-2015, 09:54 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
  
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
- Upload 100% fresh files from a brand new vbulletin .zip (download the exact same version you're on now, once you fix the exploit/virus you can then upgrade but not before).
- Check to see if you're using a version that's still utilizing an outdated and prone to exploit swf file: http://www.vbulletin.com/forum/forum...ecommended-fix (if so then use this: https://vborg.vbsupport.ru/showthread.php?t=307008 )

It sounds like the filestore72 or 123 exploit from a while back, so basically you're only being redirected to malicious/porn/similar sites from the Google links correct?

- If no then its another exploit/virus.

- If yes upload fresh files like I mentioned above, then go to AdminCP > Server Settings and Optimization Options > User Remote YUI > *If that is set to google or yahoo or none change the setting to check, if changing to google or yahoo does not work try none and use local files (you just overwrote any bad files with fresh files remember) and no clear your sites cache, your browser cache, AND cookies - close your browser afterwords and DO NOT follow any bookmarks (delete those if you had them saved in browser and remake them)... now when you re-open your browser go to google and check the sub-links are they fixed?
-- If fixed now upgrade.
-- If not fixed then its more than likely not filestore72 or a variant.

*Also use suspect files in admincp > maintenance they could have dropped a shell script on your server, modified plugins and or edited one if not all of your .php files this could be coming from a base64 snippet in a file or in a template they added.
**Also in your browser, change your home page and make it https://www.google.com because its adding in the ?gws_rd=ssl in the url since your browser has the old url saved as your home page setting, they've since made that page https versus the old url which was http.
***Last * else you might die from over-use LOL no but seriously, Google does not normally give out virus/infected warnings unless something is actually up so from me to you, please never assume its a false-alarm or false-positive - always confirm else anytime someone visits your site, its your site that's placing them at risk.

http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/forum...lestore72-info
This is not filestore however it shows an example of what might be added in .php files:
http://www.innovationbyinstinct.com/...um-and-admincp
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04171 seconds
  • Memory Usage 1,775KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete