It would appear that diyaudio.com's google results are redirecting to
myfilestore.com/download.php?id=7e7e1ef6
This is a well known forum exploit I believe and can be reproduced by opening a Private/Incognito browser session, using Google to search for a thread on the forum, and then clicking on the link.
See:
http://club.myce.com/f20/vbulletin-myfilestore-hack-find-traces-remove-them-332219/
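For a site operator, the reproduction steps in the post above (a session with no cookies, arriving from a search result) can be turned into a repeatable check. This is an added example, not part of the original thread; `fetch`, `fake_forum` and the `.example` hostnames are constructed assumptions, and a real `fetch` would wrap an HTTP client that sends no cookies and does not follow redirects.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed referer that mimics arriving from a search result page.
SEARCH_REFERER = "https://www.google.com/search?q=forum+thread"
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh[^>]*url=([^"\'>\s]+)', re.I)

def offsite_target(page_url, status, headers, body):
    """Return the foreign host a response sends the browser to, else None."""
    headers = {k.lower(): v for k, v in headers.items()}
    target = None
    if status in (301, 302, 303, 307, 308):
        target = headers.get("location")
    else:
        match = META_REFRESH.search(body)
        target = match.group(1) if match else None
    if not target:
        return None
    host = urlparse(urljoin(page_url, target)).hostname
    return host if host and host != urlparse(page_url).hostname else None

def check_cloaking(fetch, page_url):
    """Request the page twice without cookies: direct, then with a search referer.

    fetch(url, request_headers) -> (status, response_headers, body) is an
    assumed callable; it must not follow redirects or reuse cookies.
    """
    direct = offsite_target(page_url, *fetch(page_url, {}))
    referred = offsite_target(
        page_url, *fetch(page_url, {"Referer": SEARCH_REFERER}))
    return {"direct": direct, "referred": referred,
            "cloaked": referred is not None and referred != direct}

def fake_forum(url, request_headers):
    """Constructed stand-in for an affected forum (not real traffic)."""
    if "google." in request_headers.get("Referer", ""):
        return 302, {"Location": "http://redirect-target.example/download.php"}, ""
    return 200, {}, "<html><title>thread</title></html>"

if __name__ == "__main__":
    print(check_cloaking(fake_forum, "http://forum.example/showthread.php?t=1"))
```

A `cloaked` result of `True` means the page only leaves the site when the request looks like search traffic, which is why viewing the HTML source from a normal session shows nothing.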
Yeah I've been getting that too, yesterday and today. I always do a Google search to get into the forum. I've started going to the top level Google result, just diyaudio.com, then to the forum from there as a workaround.
Yeah, we've noticed it, but haven't been able to pin it down yet. Some mods can reproduce the problem, others can't. But we are aware. 🙂
If you don't clear cookies or use a private session you won't trigger it more than once. I can reproduce it on 3 computers in different locations with Chrome and Firefox. I don't use IE.
Getting it off google searches with Chrome here. Hitting refresh (CTRL+R) always brings up the proper page.
Is this related? For the last couple of days I've been getting this AVAST 'trojan' blocked pop-up every time I click on a DIYaudio forum thread update email link to open it in a new CHROME tab:
URL: diyAudio - Smilies...
Process: C:\Documents and Settings\GM\Local Setti...
Infection: HTML:RedirDL-inf [Trj]
GM
It is an issue with the forum. Hopefully the moderators will pick this up.
Bill
Wed 25th May '11, 5:13pm
See also http://articles.digitalpoint.com/con...ze-vBulletin-4
Use YUI 2.82 (or 2.9.x)
vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).
The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:
PHP Code:
define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle
to this:
PHP Code:
define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle
My website is redirected to myfilestore.com - vBulletin Community Forum
I don't know if this helps but there are some links to the same forum on this issue.
I'm assuming (hoping) this exploit is local to the diyaudio site, and not a redirect that loads things on to the local computer. I say that because once I saw it happen on my PC I tried it from my Android tablet and the same thing happened, which kind of suggests it's not getting driven from the local device (fingers crossed).
I also ran Antimalwarebytes, S&D, and Microsoft Essentials in regular and Safe mode and nothing was found on my PC. The last thing I did was try to access some known anti-virus sites like Kaspersky and Symantec from Google and Yahoo. I could access them okay. The locally invasive form of this exploit (based on what I've seen), once installed, will also keep the user from accessing sites like this, or from running programs like AMWB and S&D.
Could others who've seen this try to run scans on their own machines to see if anything got installed?
I just got hijacked and redirected to a site that said the file or resource did not exist, with a further popup in front and behind it. Sorry I didn't take more note of the content, as I closed it and the popup behind it straight away. I was clicking on a Google link to a thread here. I clicked again after closing the windows and it linked me fine. I'm on Mac OS Lion using Firefox.
Nobody (to my knowledge) has reported anything malicious being forced onto their PC from this re-direct.
I tried Kaspersky too, and also scans with MSE that I use and all were clean.
Sorry for the slow update on this, it hasn't been simple to resolve and we're taking some extra measures to ensure the best result. In the meantime, you might like to add "myfilestore.com 127.0.0.1" to your hosts file (you can follow the example here for Windows but replace myfilestore.com with the ebay.com which is used in the example).
The bug has been squashed. Thanks Chris719 for the link. According to that site thousands of vBulletin websites have been affected by this in the last few days.
My apologies that this was not fixed quicker. The problem was reported just as I was getting on a 12 hour flight, my connecting train that was meant to have wifi didn't (iCE), and the internet sim card I got refuses to tether (Ortel).
Today after seeing that the malware links weren't in the HTML source I assumed this was going to be worse than it was (think "Darkleech", which has consumed 20,000 websites recently) and blew several hours with forensics, web server recompiles and hatch battening that weren't necessary at all.