myfilestore redirect / hijack

It is an issue with the forum; hopefully the moderators will pick this up.

Bill

Wed 25th May '11, 5:13pm

See also http://articles.digitalpoint.com/con...ze-vBulletin-4





Use YUI 2.82 (or 2.9.x)
vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).

The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:



PHP Code:

define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle



to this:



PHP Code:

define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle
 
I'm assuming (hoping) this exploit is local to the diyaudio site, and not a redirect that loads things on to the local computer. I say that because once I saw it happen on my PC I tried it from my Android tablet and the same thing happened, which kind of suggests it's not getting driven from the local device (fingers crossed).

I also ran Antimalwarebytes, S&D, and Microsoft Essentials in regular and Safe mode and nothing was found on my PC. The last thing I did was try to access some known anti-virus sites like Kaspersky and Symantec from Google and Yahoo. I could access them okay. The locally invasive form of this exploit (based on what I've seen), once installed, will also keep the user from accessing sites like this, or from running programs like AMWB and S&D.

Could others who've seen this try and run scans on their own machines to see if anything got installed?
 
I just got hijacked and redirected to a site that said the file or resource did not exist, with a further popup in front and behind it. Sorry I didn't take more note of the content, as I closed it and the popup behind it straight away. I was clicking on a Google link to a thread here. I clicked again after closing the windows and it linked me fine. I'm on Mac OS Lion using Firefox.
 

Jason

Powder Monkey
Paid Member
2000-10-08 1:19 pm
Melbourne
www.diyaudio.com
Sorry for the slow update on this, it hasn't been simple to resolve and we're taking some extra measures to ensure the best result. In the meantime, you might like to add "myfilestore.com 127.0.0.1" to your hosts file (you can follow the example here for Windows but replace myfilestore.com with the ebay.com which is used in the example).
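
A way to check that a hosts-file block for the domain named in the post above actually takes effect, as an added example that is not part of the original thread. Hosts-file entries are read as an address followed by one or more hostnames, so the parser below rejects lines with the hostname first; the sample file content is constructed, and "first matching entry wins" is an assumption about the local resolver.

```python
import ipaddress

BLOCKED_HOST = "myfilestore.com"  # domain named in the thread

# Constructed sample hosts-file content (not from a real machine).
SAMPLE_HOSTS = """\
# local overrides
127.0.0.1   localhost
myfilestore.com 127.0.0.1
127.0.0.1   myfilestore.com www.myfilestore.com  # block redirect target
::1         localhost
"""


def parse_hosts(text):
    """Return (mapping, rejected).

    mapping:  lowercase hostname -> ip address object
    rejected: (line number, line) for entries a resolver would not honour
    """
    mapping, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])  # first field must be an address
        except ValueError:
            rejected.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:  # address with no hostname
            rejected.append((lineno, raw.strip()))
            continue
        for name in fields[1:]:
            # Assumption: the first entry for a name wins.
            mapping.setdefault(name.lower(), addr)
    return mapping, rejected


def is_sinkholed(mapping, host):
    """True if host is mapped to a loopback or unspecified (0.0.0.0) address."""
    addr = mapping.get(host.lower())
    return addr is not None and (addr.is_loopback or addr.is_unspecified)


if __name__ == "__main__":
    mapping, rejected = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", is_sinkholed(mapping, BLOCKED_HOST))
    for lineno, line in rejected:
        print(f"line {lineno} ignored (address must come first): {line}")
```

To check a real machine, pass the contents of its hosts file to `parse_hosts` instead of `SAMPLE_HOSTS`.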
 

Jason

Powder Monkey
Paid Member
2000-10-08 1:19 pm
Melbourne
www.diyaudio.com
The bug has been squashed. Thanks Chris719 for the link. According to that site thousands of vBulletin websites have been affected by this in the last few days.

My apologies that this was not fixed quicker. The problem was reported just as I was getting on a 12 hour flight, my connecting train that was meant to have wifi didn't (iCE), and the internet sim card I got refuses to tether (Ortel).

Today after seeing that the malware links weren't in the HTML source I assumed this was going to be worse than it was (think "Darkleech", which has consumed 20,000 websites recently) and blew several hours with forensics, web server recompiles and hatch battening that weren't necessary at all.