site redirect to http://tinyurl4.info

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Tariq Rathore
    Senior Member
    • Mar 2008
    • 337
    • 3.8.x

    site redirect to http://tinyurl4.info

    my redirect to http://tinyurl4.info/aa24d1e7 from search engine
    Attached Files
    Mortal Kombat Nexus
    Pleae read before buying Ryan
  • Trevor Hannant
    vBulletin Support
    • Aug 2002
    • 24325
    • 5.7.X

    #2
    To check a site for compromises follow these steps:

    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

    5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

    The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

    If you a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

    7) Using PHPMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

    It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

    8) Check .htaccess to make sure there are no redirects there.

    9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
    Vote for:

    - Admin Settable Paid Subscription Reminder Timeframe (vB6)
    - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

    Comment

    • Tariq Rathore
      Senior Member
      • Mar 2008
      • 337
      • 3.8.x

      #3
      could you please tell me what default text in .htaccess file
      Mortal Kombat Nexus
      Pleae read before buying Ryan

      Comment

      • Trevor Hannant
        vBulletin Support
        • Aug 2002
        • 24325
        • 5.7.X

        #4
        There isn't a default .htaccess file with 3.8 - any you have is one you have placed there.
        Vote for:

        - Admin Settable Paid Subscription Reminder Timeframe (vB6)
        - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

        Comment

        • Tariq Rathore
          Senior Member
          • Mar 2008
          • 337
          • 3.8.x

          #5
          i put this query
          The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
          SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

          and i find below result now what i do

          SELECT title, phpcode, hookname, product
          FROM plugin
          WHERE phpcode LIKE '%base64%'
          OR phpcode LIKE '%exec%'
          OR phpcode LIKE '%system%'
          OR phpcode LIKE '%pass_thru%'
          OR phpcode LIKE '%iframe%'
          LIMIT 0 , 30
          Mortal Kombat Nexus
          Pleae read before buying Ryan

          Comment

          • Trevor Hannant
            vBulletin Support
            • Aug 2002
            • 24325
            • 5.7.X

            #6
            That's not a result, that's the query - what is the result when you run that query?
            Vote for:

            - Admin Settable Paid Subscription Reminder Timeframe (vB6)
            - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

            Comment

            • Tariq Rathore
              Senior Member
              • Mar 2008
              • 337
              • 3.8.x

              #7
              i tried this again

              SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

              see below attached file for result.
              Attached Files
              Last edited by Tariq Rathore; Tue 30 Oct '12, 9:42pm. Reason: wrong attachment
              Mortal Kombat Nexus
              Pleae read before buying Ryan

              Comment

              • Tariq Rathore
                Senior Member
                • Mar 2008
                • 337
                • 3.8.x

                #8
                sorry for double post but Please response?
                Mortal Kombat Nexus
                Pleae read before buying Ryan

                Comment

                • Lexserv
                  Senior Member
                  • Feb 2003
                  • 135

                  #9
                  If none of the above works, try this script found here: http://www.vbulletin.org/forum/showthread.php?t=220967

                  Comment

                  • Tariq Rathore
                    Senior Member
                    • Mar 2008
                    • 337
                    • 3.8.x

                    #10
                    i did already and there is no error by the way please reply this one
                    Mortal Kombat Nexus
                    Pleae read before buying Ryan

                    Comment

                    • Tariq Rathore
                      Senior Member
                      • Mar 2008
                      • 337
                      • 3.8.x

                      #11
                      Originally posted by Trevor Hannant
                      That's not a result, that's the query - what is the result when you run that query?
                      Please reply me
                      Mortal Kombat Nexus
                      Pleae read before buying Ryan

                      Comment

                      widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                      Working...