Danger: Malware (HELP)

[wickedstangs]

All,
When I go to one of my sites using Chrome i get this error page how can I fix it? Its running Vbulletin.

 

[Chris D]

Is it a specific page? Because I don't get the same alert when I try to visit the front page.

EDIT: Oops, yes I do.

 

[Slavik]

Take your site offline, SSH in and search for any files which have been modified recently.

 

[turtile]

You might be able to fix it easily if you have a backup of the files (as long as the database is safe).

 

[Blue]

If you use google webmaster tool check the link "security issues".

 

[AdamD]

All,
When I go to one of my sites using Chrome i get this error page how can I fix it? Its running Vbulletin.

Does it happen JUST on the front page? or all pages?
Not getting anything being flagged when scanning it with - http://sitecheck.sucuri.net

web site: www.wmdracing.net/forum/forum.php
status: Verified Clean

 

[rootsxrocks]

I had the problem once from a hotlinked image on a site that was reported

 

[rootsxrocks]

Arboristsite (221,390 Discussions 4,470,092 Messages 54,063 Members) got hacked on VB4 because they had not removed the install folder. The Hack persisted through several re-installs and eventually resulted in them converting to Xenforo.

 

[rdn]

I had the problem once from a hotlinked image on a site that was reported

Then enable Proxy Images of XenForo 1.3.0

 

[wickedstangs]

Take your site offline, SSH in and search for any files which have been modified recently.

The following files have been modified in the past 3 days:

-----
/home/wmdracin

./mail/wmdracing.net/webmaster/tmp
./mail/wmdracing.net/webmaster/maildirsize
./mail/wmdracing.net/webmaster/new
./mail/wmdracing.net/webmaster/new/1391527103.H869844P19734.host.wickedstangs.com,S=59402
./mail/tmp
./mail/maildirsize
./mail/new
./mail/new/1391546401.H971214P14813.host.wickedstangs.com,S=2309
./mail/new/1391416862.H515557P21141.host.wickedstangs.com,S=1002
./mail/new/1391589662.H57157P7567.host.wickedstangs.com,S=1002
./mail/new/1391503261.H610025P22633.host.wickedstangs.com,S=1002
./mail/new/1391546405.H125313P14833.host.wickedstangs.com,S=2302
./clientscript/yui/uploader/assets
./clientscript/yui/uploader/assets/uploader.swf
./public_html
./public_html/index.php
./public_html/forum/clientscript/yui/uploader/assets
./public_html/forum/clientscript/yui/uploader/assets/uploader.swf
./public_html/google5c72b66b52db8ab1.html
./public_html/index.php.html
./tmp/awstats
./tmp/awstats/awstats.wmdracing.net.conf
./tmp/awstats/awstats022014.wmdracing.net.txt
./logs
./logs/ftp.wmdracing.net-ftp_log-Feb-2014.gz
-----

It looks like index.php was modified but after looking at it I do not see any obvious issues.

 

[wickedstangs]

Does it happen JUST on the front page? or all pages?
Not getting anything being flagged when scanning it with - http://sitecheck.sucuri.net

web site: www.wmdracing.net/forum/forum.php
status: Verified Clean

only happens on chrome and can't tell if front page only.

 

[AdamD]

Google also says the site is clean, so I don't know
I would search the database itself for any references to the apparent malware domain (polarek.pl), see if someone has linked to a picture on that domain or something.
Another scanner says OK, too - http://app.webinspector.com/public/reports/19944954

 

[Mike Edge]

Its running Vbulletin.

I located your problem...

 

[rootsxrocks]

Then enable Proxy Images of XenForo 1.3.0

After just spending 4 hours cleaning up hot linked images that were dead links back to 2008 I am looking for a way to disable future IMG code while preserving any remaining ones. It just makes sense in the long term to host them yourself.