Google Search gives "This site may be hacked"



NewsArchive
01-21-2017, 04:20 AM
All,

Google search flags our site as "This site may be hacked". I already
noticed this behavior some months ago (when I clicked on the "SetupBuilder
Community" search link) but thought that someone hijacked our Google search
and paid for it.

Our hosting company pair Networks have completed several scans of our
server, and believe there is some malicious code hidden somewhere in the
vBulletin Board database which is causing this behavior. They never
"hacked" our vBulletin account nor the server.

The vBulletin support guys are working on it and I'll keep you posted.

Friedrich

"Sheep farming is the way to go..."

NewsArchive
01-21-2017, 10:34 AM
BTW, this is caused by a newer version of the "redirection issue" that seems
to be infecting thousands of vBulletin sites.

Friedrich

NewsArchive
01-21-2017, 10:35 AM
Hi Friedrich -

Sorry this is happening.

Maybe a new domain for your support forum would be good? Even a
separate ISP might be prudent.

vBulletin seems to be causing you some increasingly major issues that
don't necessarily need to be interrelated. These are issues that could
affect your business's livelihood.

Since you don't know when a fix might be made, moving vBulletin might
be something to consider, anyway.

Another quicker thing to consider is temporarily nixing vBulletin from
your system with a sad note that it will be back ASAP.

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
01-21-2017, 10:36 AM
https://i.imgflip.com/ughdv.jpg

>
>The vBulletin support guys are working on it and I'll keep you posted.

Jeff Slarve

NewsArchive
01-21-2017, 10:36 AM
>
> https://i.imgflip.com/ughdv.jpg
>

<ROFL> Absolutely ;-)

I am knee deep into it right now. Would not have been possible without your
excellent investigation and analysis. I still have no idea how you found
out all this. I am more than impressed :-)

Friedrich

NewsArchive
01-21-2017, 10:36 AM
I have manipulated the PHP code a bit and it should not redirect any longer.
But I am afraid this is only a temporary workaround.

IMO, vBulletin are not going to find compromised code.

Friedrich

NewsArchive
01-21-2017, 10:37 AM
Seems to have helped, Friedrich.

Jeff Slarve

NewsArchive
01-21-2017, 10:37 AM
Hi Jeff,

>
> Seems to have helped, Friedrich.
>

Without your absolutely amazing information ("v=422" in your 01_s.txt
analysis file was the key to success) it would not have been possible for me
to find a temporary workaround. I really can't thank you enough for all the
help! THANK YOU!

Friedrich

NewsArchive
01-21-2017, 10:38 AM
Aww shucks. You're most welcome.

I am glad it helped. :)

Jeff Slarve

NewsArchive
01-22-2017, 04:50 AM
Friedrich, sorry for the pain.
We had a couple of vBulletin sites that got hacked a few times and we
eventually moved to XenForo. Have been okay for a few years with this
forum software, but suspect it's a matter of time. Last month I had a
WordPress site hacked (well, it was being used to spam, and then you're in
danger of getting blacklisted). I'm left with the feeling that sql
injection and php web sites are too exposed (especially well known
packages).

>
>>
>> The vBulletin support guys are working on it and I'll keep you posted.
>

John Taylor

NewsArchive
01-23-2017, 02:07 AM
That happened to one of my WP sites too. I shut it down.

Had I maintained to the latest releases, I suspect this wouldn't have
happened, but I didn't and it did.

> Last month I had a
>WordPress site hacked (well, it was being used to spam, and then you're in
>danger of getting blacklisted). I'm left with the feeling that sql
>injection and php web sites are too exposed (especially well known
>packages).

Jeff Slarve

NewsArchive
01-23-2017, 02:08 AM
> That happened to one of my WP sites too. I shut it down.
>
> Had I maintained to the latest releases, I suspect this wouldn't have
> happened, but I didn't and it did.

If you install the latest WordPress, it will automatically update from now
on (unless you specifically tell it not to). I have had this enabled on my
WP sites for many months now and it seems to be working well.

Another fairly easy thing to do that will bump up your site security is to
install the free version (or the Pro - even better) Plugin of iThemes
Security.

https://wordpress.org/plugins/better-wp-security/

You can get the Pro version here:
https://ithemes.com/security/

It has a wizard that will allow you to quickly and easily lock down your
WordPress site in over 30 ways.

It will also send you an e-mail daily that tells you how many individual
hosts or IP addresses were locked out of your site for trying to hack it.

There are a few other things that can be done to improve the security, but
for an "out of the box" solution, the free Plugin takes care of most of the
holes that are usually exploited.

I like the fact that it will lock out hosts or even IP addresses when they
start brute force attacking your site.


:-)

Charles





--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ImageEx, ProScan, ProImage, ProPath and other
Clarion developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
01-24-2017, 03:23 AM
> Friedrich, sorry for the pain.
> We had a couple of vBulletin sites that got hacked a few times and we
> eventually moved to XenForo. Have been okay for a few years with this
> forum software, but suspect it's a matter of time. Last month I had a
> WordPress site hacked (well, it was being used to spam, and then you're in
> danger of getting blacklisted). I'm left with the feeling that sql
> injection and php web sites are too exposed (especially well known
> packages).

Thank you, John !!!

My workaround worked fine, but the vBulletin support team guys have updated
our site to a new build. I gave them full access to analyze our SQL database
and all vBulletin files. No files were compromised or malicious. I believe
it was caused by SQL injection. It's working fine even without our
workaround now.

I'll back up the forum database once per day and monitor Google search
results on a regular basis. I really did not pay enough attention to the
fact that the Google search result links were directing traffic away from
our site. I thought one of our competitors had "hijacked" the search
results. That is definitely a lesson learned the hard way :-(

Friedrich
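
[Added example, not part of the thread: one way to automate the monitoring described in the post above, assuming the redirect is served only to visitors who arrive with a search-engine Referer (the thread does not state the trigger). All function names, the Referer value and the sample responses are constructed for illustration.]

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
# Constructed sample responses (status, Location, body); not from the thread.
SAMPLE_URL = "https://forum.example.com/forums/index.php"
SAMPLE_DIRECT = (200, None, "<html>forum index</html>")
SAMPLE_REFERRED = (302, "http://landing.example.net/in.php", "")

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as HTTPError instead of following it

def probe(url, referer=None, timeout=10):
    """Fetch url once without following redirects: (status, Location, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:  # e.g. "https://www.google.com/" to mimic a search click
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoFollow)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Location"), body
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""

def redirect_target(url, status, location, body):
    """Absolute URL the response sends a visitor to (3xx or meta refresh)."""
    if 300 <= status < 400 and location:
        return urljoin(url, location)
    match = META_REFRESH.search(body or "")
    return urljoin(url, match.group(1)) if match else None

def offsite(url, target):
    """True when target's host is neither the site's host nor a subdomain."""
    home = re.sub(r"^www\.", "", urlsplit(url).hostname or "")
    dest = urlsplit(target or url).hostname or ""
    return not (dest == home or dest.endswith("." + home))

def compare(url, direct, referred):
    """Classify probe() results fetched without and with a search Referer."""
    d, r = redirect_target(url, *direct), redirect_target(url, *referred)
    if offsite(url, r) and not offsite(url, d):
        return "ALERT referrer-conditional off-site redirect: " + r
    if offsite(url, r):
        return "WARN off-site redirect for every visitor: " + r
    return "OK"
```

[Run from a scheduled job as compare(url, probe(url), probe(url, referer="https://www.google.com/")) for a handful of forum URLs and alert on any result other than "OK".]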

NewsArchive
01-24-2017, 03:25 AM
All,

Google search still flags the site as "This site may be hacked", but
VirusTotal is cool now (including Yandex Safebrowsing). I have requested a
Google review. But this process might take weeks.

Friedrich

NewsArchive
01-26-2017, 01:59 AM
Looks like you're no longer knowingly hacked. :)

Jeff Slarve

NewsArchive
01-26-2017, 02:00 AM
Jeff,

> Looks like you're no longer knowingly hacked. :)

Things must be different on your side of the country!<g>

Still mentioned when I looked just now... sadly! Stupid Google!!!

Lee White

NewsArchive
01-26-2017, 02:00 AM
Thanks. I was using "setupbuilder signtool". I think it used to show
the hacked thing too. So maybe it's just a little better.

Jeff Slarve

NewsArchive
01-26-2017, 07:11 AM
>
> Looks like you're no longer knowingly hacked. :)
>

Yes and no <g>.

It still reports "This site may be hacked" for the root of the
lindersoft.com domain. But this was never "hacked", only the 'forums'
folder was involved in the redirection issue.

Google, this does not make much sense <g>

Friedrich

NewsArchive
01-26-2017, 09:36 AM
One time, google sent me (as the webmaster of my domain) an email that
one of my sites was compromised, and it was. I had warez on my site,
and everything.

I thought that was pretty cool, as the only thing that google had to
do with it was that they crawled the site.

But to get rid of the scarlet letter is a different thing.

Jeff Slarve

NewsArchive
01-27-2017, 07:37 AM
> It still reports "This site may be hacked" for the root of the
> lindersoft.com domain. But this was never "hacked", only the 'forums'
> folder was involved in the redirection issue.
>
> Google, this does not make much sense <g>

I'm sure you have, but did you go through the steps listed here under
"Remove this message from your site"?

https://support.google.com/websearch/answer/190597?p=ws_hacked&hl=en&visit_id=0-636210610740573017-3241103606&rd=1

If not, then maybe the left hand does not know what the right hand is doing
at Google.

.... or their new AI is handling this sort of thing now and it knows better
than we do about these sorts of things<g>...


Charles




NewsArchive
01-27-2017, 07:38 AM
Hi Charles,

> I'm sure you have, but did you go through the steps listed here under
> "Remove this message from your site"?

Yes, I requested a review in the Security Issues section in Search Console
(their Webmaster tools). They said "...it might take some weeks..." :-(

Friedrich

NewsArchive
01-29-2017, 10:50 AM
They're waiting for a shipment of Braille keyboards to arrive so they
can get to work.

Jeff Slarve

NewsArchive
01-29-2017, 10:50 AM
> Yes, I requested a review in the Security Issues section in Search Console
> (their Webmaster tools). They said "...it might take some weeks..." :-(

Amazing!

They can add you to the list of suspected sites in a second, but it takes
weeks to get a review to get off of it...

OMG - Google must really be run by the Government!


:-)

Charles



NewsArchive
01-29-2017, 10:51 AM
I'd reveal google's secrets, Charles.
But then I'd have to shoot you.
Or at least tell the NSA.

Ah... nuts....

OK, you win.

Here are their secrets: https://archive.google.com/pigeonrank/

-;)

jf

NewsArchive
01-29-2017, 10:51 AM
> I'd reveal google's secrets, Charles.
> But then I'd have to shoot you.
> Or at least tell the NSA.
>
> Ah... nuts....
>
> OK, you win.
>
> Here are their secrets: https://archive.google.com/pigeonrank/

LOL - one of my favorites!

I don't even have to go to the URL to know what is there<g>.


:-)

Charles



NewsArchive
01-30-2017, 08:48 AM
Seems to be fixed now (I hope it's a worldwide fix). Took them eight days.
Yeah! <g>

Friedrich

NewsArchive
01-30-2017, 08:49 AM
Looks good here too. Now you can get back to saving the world. <g>

Jeff Slarve

NewsArchive
01-30-2017, 01:09 PM
> Looks good here too. Now you can get back to saving the world. <g>

+1

Looking good from here too!


:-)

Charles
