
Danger: Malware (HELP)

Discussion in 'Off Topic' started by wickedstangs, Feb 5, 2014.

  1. wickedstangs

    wickedstangs Well-Known Member

    All,
    When I go to one of my sites using Chrome I get this error page. How can I fix it? It's running vBulletin.
    malware.JPG
     
  2. Chris D

    Chris D XenForo Developer Staff Member

    Is it a specific page? Because I don't get the same alert when I try to visit the front page.

    EDIT: Oops, yes I do.
     
  3. Slavik

    Slavik XenForo Moderator Staff Member

    Take your site offline, SSH in and search for any files which have been modified recently.
     
  4. turtile

    turtile Well-Known Member

    You might be able to fix it easily if you have a backup of the files (as long as the database is safe).
     
  5. Blue

    Blue Well-Known Member

    If you use Google Webmaster Tools, check the link "security issues".
     
  6. AdamD

    AdamD Well-Known Member

    Does it happen JUST on the front page? Or all pages?
    Not getting anything being flagged when scanning it with - http://sitecheck.sucuri.net

    web site: www.wmdracing.net/forum/forum.php
    status: Verified Clean
     
  7. rootsxrocks

    rootsxrocks Active Member

    I had the problem once from a hotlinked image on a site that was reported.
     
  8. rootsxrocks

    rootsxrocks Active Member

    Arboristsite (221,390 Discussions 4,470,092 Messages 54,063 Members) got hacked on VB4 because they had not removed the install folder. The hack persisted through several re-installs and eventually resulted in them converting to XenForo.
     
  9. RoldanLT

    RoldanLT Well-Known Member

    Then enable Proxy Images of XenForo 1.3.0 ;)
     
  10. wickedstangs

    wickedstangs Well-Known Member

    The following files have been modified in the past 3 days:

    -----
    /home/wmdracin

    ./mail/wmdracing.net/webmaster/tmp
    ./mail/wmdracing.net/webmaster/maildirsize
    ./mail/wmdracing.net/webmaster/new
    ./mail/wmdracing.net/webmaster/new/1391527103.H869844P19734.host.wickedstangs.com,S=59402
    ./mail/tmp
    ./mail/maildirsize
    ./mail/new
    ./mail/new/1391546401.H971214P14813.host.wickedstangs.com,S=2309
    ./mail/new/1391416862.H515557P21141.host.wickedstangs.com,S=1002
    ./mail/new/1391589662.H57157P7567.host.wickedstangs.com,S=1002
    ./mail/new/1391503261.H610025P22633.host.wickedstangs.com,S=1002
    ./mail/new/1391546405.H125313P14833.host.wickedstangs.com,S=2302
    ./clientscript/yui/uploader/assets
    ./clientscript/yui/uploader/assets/uploader.swf
    ./public_html
    ./public_html/index.php
    ./public_html/forum/clientscript/yui/uploader/assets
    ./public_html/forum/clientscript/yui/uploader/assets/uploader.swf
    ./public_html/google5c72b66b52db8ab1.html
    ./public_html/index.php.html
    ./tmp/awstats
    ./tmp/awstats/awstats.wmdracing.net.conf
    ./tmp/awstats/awstats022014.wmdracing.net.txt
    ./logs
    ./logs/ftp.wmdracing.net-ftp_log-Feb-2014.gz
    -----

    It looks like index.php was modified but after looking at it I do not see any obvious issues.
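
The check suggested earlier in the thread (search for recently modified files) and the backup comparison, as an added example that is not part of any post above. It skips the mail, logs and tmp noise seen in the listing and compares the web root against a known-good copy, since modification times can be reset. The directory names follow the listing; the function names, tags and extension lists are assumptions of this example.

```shell
# Added example (not from the thread). Directory names mail/, logs/, tmp/ and
# public_html/ follow the listing above; tags and extensions are assumptions.

# List files changed in the last N days, skipping mail/log/stat noise.
# $1 = account home, $2 = look-back window in days (default 3)
recent_web_changes() (
    cd "$1" || exit 1
    find . \( -path ./mail -o -path ./logs -o -path ./tmp \) -prune \
         -o -type f -mtime "-${2:-3}" -print | LC_ALL=C sort |
    while IFS= read -r f; do
        case $f in
            # Code the web server itself executes or obeys
            ./public_html/*.php|./public_html/*.phtml|./public_html/*.htaccess)
                tag=EXEC ;;
            # Active content delivered to visitors' browsers
            ./public_html/*.html|./public_html/*.js|./public_html/*.swf)
                tag=CLIENT ;;
            ./public_html/*) tag=WEB ;;
            *) tag=OTHER ;;
        esac
        printf '%s\t%s\n' "$tag" "$f"
    done
)

# Timestamps can be reset, so also compare content with a known-good copy.
# $1 = live web root, $2 = clean backup of the same tree
changed_vs_backup() (
    clean=$(cd "$2" && pwd) || exit 1
    cd "$1" || exit 1
    find . -type f | LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -e "$clean/$f" ]; then
            printf 'NEW\t%s\n' "$f"       # not present in the backup
        elif ! cmp -s "$f" "$clean/$f"; then
            printf 'DIFF\t%s\n' "$f"      # content differs from the backup
        fi
    done
)
```

Run against the account in this thread, that would be `recent_web_changes /home/wmdracin 3`; EXEC and CLIENT lines are the ones to open and read first.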
     
  11. wickedstangs

    wickedstangs Well-Known Member

  12. AdamD

    AdamD Well-Known Member

    Google also says the site is clean, so I don't know.
    I would search the database itself for any references to the apparent malware domain (polarek.pl), see if someone has linked to a picture on that domain or something.
    Another scanner says OK, too - http://app.webinspector.com/public/reports/19944954
     
    Last edited: Feb 6, 2014
  13. The Forum Heroes

    The Forum Heroes Well-Known Member

    I located your problem...
     
  14. rootsxrocks

    rootsxrocks Active Member

    After just spending 4 hours cleaning up hot linked images that were dead links back to 2008, I am looking for a way to disable future IMG code while preserving any remaining ones. It just makes sense in the long term to host them yourself.
     
