So... What the hell happened to the Forums?

[Sam]

Still? Google is not reporting any malware or anything, and I can't see anything suspicious. WHere is the malware warning coming from?

[tomvale13]

Would clearing browser cookies maybe help at this point for those getting the warning? (just thinking from a remnants perspective)

[Impurist]

Yes, still.

I don't use Chrome often, so I just opened it up, cleared all browsing history, cookies, saved whatevers.

I went to Google, searched for "Toymods MA61 Part Numbers" and clicked on the result that leads directly to the thread "Thread: MA61 Part Numbers & General Infomation - Toymods" and got redirected to MyFilestore.com - Your File Hosting as always.

Same result in Firefox, for what it's worth, I just thought I'd test the caching/cookies theory using Chrome.

[ivandude]

^ I get this all the time, in Firefox or Chrome, for the better part of the last few months. Try to visit Toymods via a Google, click a link, starts loading (you can see it in the browser header/status bar) actual Toymods related page and information seems to load, but before anything shows on the white canvas you are redirected to some spam site.

Hit back to Google and then open link again, 50% of the time it will work okay... Lol.

Coming directly to Toymods forum via Bookmark/typing URL never has problems. Not sure why but the malware/virus sitting on the Toymods web-host server is only acting when you click a link via GOogle. Should be easy to trouble shoot this and remove said mal ware...

[boxh34d]

I run Kaspersky Internet Security, it still won't let me open the site, says its trying to download something.

Same for me on the work laptop also.

[oldcorollas]

Yes, still.

I don't use Chrome often, so I just opened it up, cleared all browsing history, cookies, saved whatevers.

I went to Google, searched for "Toymods MA61 Part Numbers" and clicked on the result that leads directly to the thread "Thread: MA61 Part Numbers & General Infomation - Toymods" and got redirected to MyFilestore.com - Your File Hosting as always.

Same result in Firefox, for what it's worth, I just thought I'd test the caching/cookies theory using Chrome.

just tried it.. did same.

google link is http:// www.google. com.au/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&cad =rja&ved=0CDEQFjAA&url=http%3A%2F%2Fwww.toymods.or g.au%2Fforums%2Ftech-conversions%2F8214-ma61-part-numbers-general-infomation.html&ei=qFD6UcCyNo-AkgWtsIDwCw&usg=AFQjCNHeBoj1A8E3Oi1X92ybmAzPPOz1NQ &sig2=zmuITos8yt8ttW29OCDwLw

it's a google link problem?

[Impurist]

It's a piece of malicious code in the forum software that hijacks incoming links from google and redirects to myfilestore which (I think/assume) is a rapidshare style file storage site, where it attempts to download and execute a piece of malicious code on the user's computer (called a drive-by download attack)... on certain web browsers and certain versions of windows this will mean people visiting toymods are getting viruses just from visiting the forum.

You can tell it's a problem with toymods and not with google because the redirect happens after google passes the browser over to toymods. You'll see toymods in the URL/location bar in your browser, then the toymods server redirects the browser to the site hosting the attack code.

It's really sloppy that this hasn't been taken care of. I'm sympathetic to an extent, but this has been going on for well over a year (people have been complaining about URL redirect/drive-by download attacks hosted on toymods since at least 2011) and the "myfilestore bug" is pretty well documented elsewhere on the internet. It's pretty fucked up that the site continues to basically provide a vector for people's computers to get infected.

[TERRA Operative]

It's reallllyy not a good look for potential new members who find Toymods via Google either. I know I would run away if it were me, (and have done so from other forums, who knows what you're going to get infecting your computer....).

[Lambolica]

Pheobe,

As far as I know there is no permanent fix for this issue, or at least none that I can find on VB or VBSEO other than taking the forums down. Pretty much everything appears to be temporary.

I'm going to shut off the VBSEO plug in which seems to be the common denominator in everything I have read. and see if that solves the issue.

Cheers
Simon

[Impurist]

From what I've read in the url123 and myfilestore linkjacking threads it is possible to remove it, but it is a HUGE pain in the arse. Like, there's no one single solution to kill it because it infects multiple things and is good at re-infecting if you don't clear out all the modified code. But there would be a permanent fix, ultimately, unless vBulletin is so riddled with bugs that it just keeps getting exploited in new ways over and over.. which isn't out of the question, but I'm pretty sure they've closed most of the initial security holes that would have allowed this code to infect the forum in the first place.

Like I said in the earlier post, I am sympathetic, because it's not like it's an easy "download a patch and apply it" solution. But just ignoring it for a year really downplays the severity of having someone else accessing your server and doing whatever they want with it.

Hopefully disabling VBSEO stops the current redirect thing. If it does work at least you'll know where to start looking to remove it properly, if anyone has the time to do it, anyway.

[Lambolica]

It's been on going argument about the way VBSEO hooks into VB. VB blames VBSEO and visa versa.

Sam, looking at his recent comments, isn't a fan of VBSEO either.

I've switched off VBSEO, and cleared my cache, and I haven't seen the redirect as yet.

Interestingly it looks a lot like VBSEO is shutting down, particularly in light of VB5 basically doing what VBSEO did.

[oldcorollas]

the MA61 part number example above is not redirecting for me

[mynameisrodney]

myfilestore problem appears to be gone for me too.

[ivandude]

The link-jacking problem is definitely gone for me too ^_^ rejoice!

If the malicious code didnt reproduce itself onto other plug-ins/sections of the website/forum/server, that would be very lucky considering how long this error has lived on in Toymods lol.

[tomvale13]

So..

just a weird bug I've noticed.. I keep seeing the 86 thread in my usercp page, showing Vito as having made a post:



Weird thing is, I look at it every day - multiple times yesterday and there's never a new post..

There's a post from Cruzida 3 minutes prior to the timestamp of the post it says Vito made..



But there's no post from Vito at 2:13pm like it states in usercp..

and the thread stays on my usercp as being unread.. even just now I clicked Settings and it's still there..

weird? Maybe he mod edited a post or something?



edit3: and now editing this post, you click 'Save' and it just loads and loads and never appears to post the changes.. if I refresh the changes are there but it's strange it just sits there loading until you forceably refresh.

edit4: yep, it still does it.. here, have a look:

http://screencast.com/t/ErktbgNKw1u