vBulletin malware issue

**Ace** · Sat 10 Dec '11, 7:40am

Originally posted by 04wayne

I have an issue with my site - for the second time inside of one month, vBulletin is placing a malware warning on my site.

vBulletin did not put that message there. Google did.

Your hosts 'comprehensive scan' was inefficient. You will have some base64-encoded scum in one or more of your templates or plugins.

**PossumX** · Sat 10 Dec '11, 7:40am

vBulletin malware issue

It's not vB, check your templates and also your htaccess file (way at the bottom). Someone hacked/exploited your installation. The host will see their components, you will need to remediate templates and files.

Many plugins have serious security vulnerabilities.

**04wayne** · Sat 10 Dec '11, 8:06am

Oh, I know it was Google! LOL. Sorry, wasn't functioning correctly. I've had this issue before, and via Webmaster Tools I've managed to "request a review" and its been removed.

Would what I said work - rewriting all of the vBulletin files, to remove any corrupt coding that has managed to find itself a place?

**Ace** · Sat 10 Dec '11, 8:57am

Originally posted by 04wayne

Would what I said work - rewriting all of the vBulletin files, to remove any corrupt coding that has managed to find itself a place?

Highly unlikely. The malware will be in the database. plugin or template are the usual suspects.

**04wayne** · Sat 10 Dec '11, 11:02am

Urgh, I don't know how I'd go about removing these errors, will I have to go through each style and remove the coding? I've used this site: http://sitecheck.sucuri.net/scanner/ to find where the errors are.

And an example error its showing is this:

Code:

Malware found on javascript file:
http://www.vanityedge.com/forum/forum.php/clientscript/yui/animation/animation-min.js?v=418

Hidden Iframes.
Details: http://sucuri.net/malware/entry/MW:IFRAME:HD202
<iframe src="http://www.feedurbrain.com/forum/vb/item/config.php" width="1" height="1">

So how would I go about removing that?

**04wayne** · Sun 11 Dec '11, 3:36pm

Anyone?

**reefland** · Sun 11 Dec '11, 4:18pm

Replace that javascript file (clientscript/yui/animation/animation-min.js)

**K!nG** · Tue 13 Dec '11, 6:37pm

Well this might sound weird but i used to have this same exact problem on my old vb forum whenever someone visit my site used to get this type of threat warnings including myself i contacted hosting nothing was found and all i found was that some users created new thread and put few hyper links and whenever i deleted those threads physically i never came across with those threats/viruses.

**Frieda MSweb** · Thu 22 Dec '11, 3:52am

There could just be put a link to an image in members[dot]lycos[dot]tld. This happens in our Dutch forum from time to time. Just yesterday, with the .nl domain of Lycos.

Innocent forum users put an image in an innocent subdirectory of this site and refer to it in their message or signature. Just because other subdirectories of this site hold malware, Google and other browsers issue this severe warning.

I woud bet there's nothing wrong with the vB forums in these cases. Just try if you can find a message or a signature with a link to a site like lycos or some other site where malware could be stored, and remove it.

vBulletin 4 End of Life

vBulletin malware issue

[Forum] vBulletin malware issue

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment