Gonna actually bump this to use uBlock Origin (Chrome and Firefox) and just block all 3rd party scripts and whatnot on the site. I do not think ABP can do this without messing with the language it uses to block by site; it is all or nothing, or henpecking the content as it arrives.
I hate to say it this way, as it also prohibits the REAL adverts for the site as well. I think uBlock though can green-light certain things. Make sure to google how the columns work. I managed to block third party and retain the Google ads with the following URL info.
https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide
I have been using uBlock on my tablet as ABP is utter crap on Android: no element blocks, no custom filters, just some lame VPN-like behavior that chews up RAM and cycles, leading to eating the battery in less than an hour. Takes a while to figure out what does what, but eh, it works so far.
I use Adblock for Firefox, but had to include the coin URL. I hope they could put up a WordPress forum/social platform of some sort... at least they could rely on stronger security plugins.
As said elsewhere, or maybe here, it is the issue of vBulletin not supporting the older software this site runs on. Google "vbulletin hack" or "vbulletin security hole". Plugins have nothing to do with it.
As for the URLs, yeah, someone ought to report all those crud Tumblr ones and all the ones that randomly show up. Also note: do not search SFM via Google or a search engine, as that will send you to a redirect of some sort, which is a common hack as well.
As mentioned, I would use a script or ad blocker that can block all 3rd party scripts or frames, and can selectively block or allow specific elements or scripts. In that image you can see the red on the right in 3rd party; it means anything, no matter what, if it does not contain the SFM URL on it, it won't run.
Also note ad blockers do not necessarily block hacks, bad scripts etc., just adverts. Most have subscriptions that allow you to add exploits, hacks etc. or bad URLs. I would technically use a hosts file to block those as well: known evil URLs, and stop them loading on the system from any application. Like all those damned Adobe hive/botnet URLs and IPs.
To note, in the past I recommended ABP, but that app starts to bloat like mad and does not always block frames or elements you select. Worse is if you use a tab manager or other tool to load last tabs or windows from the last session: ABP will not be in effect on any pages loading in focus or behind other tabs. This is a new behavior for it; either it is something Firefox broke, or it is ABP playing games, or a limitation. So far uBlock Origin is the cleanest and fastest even with my HUGE list of ABP custom blocks and subscribing to a tonne of uBlock subs. Only complaint is the pop-ups and element blocking is kludgy vs ABP's add-ins.
Heh that list of crappy Russian image sites has grown.
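The approach described in the posts above, written out as actual uBlock Origin rules. This is an added example, not something posted in the thread: the miner hosts are the ones named later in this thread, while the two Google ad hosts are an assumption about where the site's real adverts are served from (check the logger for the actual hosts before pasting). The first part goes in the "My filters" tab, the rules after the last comment line go in "My rules" (dynamic filtering needs "I am an advanced user" enabled in settings):

```text
! ---- "My filters" tab: static filters ----
! Miner hosts named in this thread. "||" anchors the hostname and "^" is a
! separator, so subdomains and every path under them are covered too.
||coinhive.com^
||crypto-loot.com^
||cloudcoins.co^

! ---- "My rules" tab: dynamic filtering, format is
! ---- "source destination type action", no comments allowed there.
! Block every third-party script and frame on every site, then on the forum
! let the (assumed) Google ad hosts through. "noop" only lifts the two
! global rules; enabled filter lists still apply to those hosts, so use
! "allow" instead of "noop" if the ads should also bypass EasyList etc.
* * 3p-script block
* * 3p-frame block
scifi-meshes.com pagead2.googlesyndication.com * noop
scifi-meshes.com googleads.g.doubleclick.net * noop
```

The two global rules are what the red "3rd-party" column in the popup panel expresses; the per-site noop rows are the green cells on specific hosts. Anything loaded from a host that is not the forum itself and not one of the noop hosts never runs, which is why a freshly injected miner script stays blocked even before its domain appears in any filter list.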
The first crypto-miner was pretty easy to find and remove (it was encrypted but stuck out), but I haven't even figured out where this one is injected yet. You can circumvent the issue by adding crypto-loot.com to your ad blocker or whatever you're running (my uBlock actually blocked it on its own).
Pretty sure the Turkish SEO crap on the index has been there ever since the last hack, but I haven't figured out where it gets added to the index. The file integrity checker is useless, and I don't actually have access to default vBulletin files that I know 100% to be clean. As far as I can tell, it doesn't really do anything other than lurk right off the page trying to generate search engine rankings (which it probably isn't, since this blackhat SEO bull**** isn't supposed to work anymore).
The redirects are a bigger issue, but like MKF said, they are very complicated to fix on our version of vBulletin.
I realize this isn't ideal, and we really are working on something big to fix this, but in the meantime here are a couple of things to work around the biggest issues:
1. Read the previous post from MKF. Good information there.
2. The two crypto miners spotted so far are cloudcoins.co (which I'm pretty sure I removed) and crypto-loot.com (which I'm furiously looking for). Add both to your ad-blocker, if they're not there already.
3. You should probably run an ad blocker here (I run uBlock Origin). Some form of NoScript might be a good idea too, but may mess with actual site functionality.
4. Only access the site by typing in the complete URL or use a bookmark or whatever. Don't enter through a search engine, and access the forum index directly (www.scifi-meshes.com/forums/) to avoid most redirects.
5. Maybe don't access the site on mobile for the time being
OK, spent the better part of a working day digging through some very suspicious files. SEO crap and crypto-miner should be gone, at least for the time being, and I managed to track down and close some security holes along the way. Redirects will need more research.
I'm a little worried that the fixes I made are temporary, so you should keep your eyes open in any case, but at least we'll have a better handle on what happens if/when suspicious stuff appears on the index again.
Well, it lasted all but a day? At least the loot thing isn't there atm, just the others. Interesting thing is it is only on the new posts results vs inside of any one thread.
Heh, they come and go. Anyhow, I had posted something saying thanks but it seems it got eaten or something, so thanks for the work at cleaning things up.
Hmm... I can't seem to replicate that. I'm only getting the Google things, and those are supposed to be there, as far as I know. Where did you find those, and do they show up in the page source as well?
http://www.scifi-meshes.com/forums/search.php?do=getnew&contenttype=vBForum_Post
I have not seen anything direct, but I am assuming it is injected through some CSS or whatnot. That or directly through the DNS, but that wouldn't fit the original hack. I have eliminated my machine, as I see these on 4 other PCs and a public IP and they show up. Only once in, say, 3 searches I would say. I have yet to get them to show up in the root URL or while browsing anymore.
I will try to grab the source code next time I see them, but if it is generated in some outside resource it won't show.
Yeah, I've read some of the redirects only run once a day, try to hide themselves from admin accounts, and do all kinds of sneaky **** to avoid detection, which makes them really tricky to pin down. An element name or some similar clue would narrow down the code to sift through.
I'll check the search related stuff. Seems like a good place to start.
Monitoring is warning about naughty JavaScript again (probably a myfilestore redirect), but I haven't been able to locate anything in the usual suspects yet.
Let me know if you spot any weirdness, and try to make note of when and how it occurred, to hopefully narrow down the code I have to sift through a little.
myfilestore is the one that screws up search engine results, i.e. search for anything about SFM or click any outside links to SFM and it redirects you to some crap spam site.
https://club.myce.com/t/vbulletin-myfilestore-hack-find-the-traces-and-remove-them/304794
I haven't read this all the way through, but it might help? A bit old though, 2013. There seems to be a lot out there, as it seems fairly common to the abandonware editions of vB.
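The redirect behaviour described in the last few posts (the site looks clean when you type the URL, but a visitor arriving from a search engine gets bounced to a spam site) can be checked from the outside without access to the server. The script below is an added example, not code from this thread or from vBulletin: it fetches a page twice, once as a direct visitor and once with a Google search Referer, never follows 30x responses, and reports every redirect indicator it finds (Location header, meta refresh, JavaScript location writes) that points off-site. The regexes and the sample HTML are my own constructions.

```python
"""Probe a page for referrer-conditional redirects: fetch it as a direct visitor
and as a search-engine click, never follow 30x, and compare redirect evidence.
Added example; the approach and patterns are mine, not from the thread."""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"'][^\"']*url\s*=\s*([^\"'\s;]+)",
    re.I)
# location.href = "..." / window.location = "..." / location.replace("...")
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']"
    r"|location\.(?:replace|assign)\s*\(\s*[\"']([^\"']+)[\"']", re.I)


def extract_redirect_targets(html):
    """URLs the page would send the browser to via meta refresh or JavaScript."""
    targets = [m.group(1) for m in META_REFRESH.finditer(html)]
    targets += [m.group(1) or m.group(2) for m in JS_LOCATION.finditer(html)]
    return targets


def offsite_redirects(html, site_host):
    """Redirect targets whose host is neither the site nor one of its subdomains.
    Relative targets (no host) are ignored: they stay on the site by definition."""
    site_host = site_host.lower()
    out = []
    for target in extract_redirect_targets(html):
        host = (urlparse(target).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            out.append(target)
    return out


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 30x into an HTTPError so the Location header can be inspected
    instead of silently followed to the spam site."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None, user_agent="Mozilla/5.0"):
    """Return (status, Location header or None, body) without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=20) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")


def probe(url):
    """Fetch the page as a direct visitor and as a Google search click and
    report status, Location header and off-site redirect targets for each."""
    site_host = urlparse(url).hostname
    variants = {
        "direct": fetch(url),
        "from-google": fetch(url, referer="https://www.google.com/search?q=scifi+meshes"),
    }
    return {name: {"status": status, "location": location,
                   "offsite": offsite_redirects(body, site_host)}
            for name, (status, location, body) in variants.items()}


# Constructed samples; not captured from the real site.
SAMPLE_CLEAN = '<html><body><script>if(x){location.href="/forums/";}</script></body></html>'
SAMPLE_INJECTED = ('<html><head><meta http-equiv="refresh" content="0;url=http://spam.example.invalid/a">'
                   '<script>if(/google|bing/i.test(document.referrer)){'
                   'window.location.href="http://spam.example.invalid/b";}</script></head></html>')

if __name__ == "__main__":
    # Usage: python probe_redirect.py http://www.scifi-meshes.com/forums/
    for name, result in probe(sys.argv[1]).items():
        print(name, result)
```

A difference between the "direct" and "from-google" results (a 302 with a foreign Location, or an off-site target that only shows up in one body) is the evidence to bring to whoever is cleaning the server. Because the injected code may also key on cookies, run the probe from a browser session that is not logged in as an admin, and repeat it over a day or two: the posts above note that some variants only fire once per visitor per day.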
https://coinhive.com/*
Another URL to block.
There are some other fishy things as well, like "blob:http://*".
Dunno what that crap does short of exist in the code. It is only on the site's root, so shrug.
Join our fancy Discord Server!
Anyway, located the dodgy code in the datastore and removed it. Scans are showing up clean, so I guess we're good until the next time.
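The admin posts above describe hunting injected code by hand through vBulletin templates and the datastore, with a file integrity checker that cannot help because the injection lives in the database rather than in PHP files. The script below is an added example, not the admin's tooling or anything from vBulletin: it scans a text dump of the `template` and `datastore` tables (a `mysqldump` of those two tables is the assumed input) for the things this thread actually ran into, namely scripts loaded from the named miner hosts, scripts from any host not on a small allowlist, obfuscated `eval`/`document.write` loaders, redirects conditioned on `document.referrer` naming a search engine, and links parked off-screen for SEO. The allowlist, the heuristics and the sample dump are all my own constructions.

```python
"""Scan a vBulletin template/datastore SQL dump for injected scripts, miner
loaders, referrer-conditional redirects and hidden SEO links.
Added example; the rules are my own heuristics, not from this thread or vBulletin."""
import re
import sys

# Miner hosts named in this thread. Everything else in this file is an assumption.
MINER_HOSTS = {"coinhive.com", "crypto-loot.com", "cloudcoins.co"}
# Hypothetical allowlist of hosts the forum legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"scifi-meshes.com", "pagead2.googlesyndication.com"}
SEARCH_ENGINES = re.compile(r"google|bing|yahoo|yandex", re.I)

LINE_RULES = [
    ("obfuscated-eval",
     re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode|function)", re.I)),
    ("document.write-unescape",
     re.compile(r"document\.write\s*\(\s*(?:unescape|atob)", re.I)),
    # Links hidden or parked far off-screen: the SEO junk that "lurks right off the page".
    ("hidden-links",
     re.compile(r"style\s*=\s*[\"'][^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden"
                r"|(?:left|top)\s*:\s*-\d{3,}px)[^\"']*[\"'][^>]*>\s*<a\s", re.I)),
    # Long base64 runs are a common way to smuggle an "encrypted" loader into a template.
    ("long-base64", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LOCATION_WRITE = re.compile(r"location(?:\.href|\.replace|\.assign)?\s*[=(]")


def host_matches(host, known):
    """True if host equals, or is a subdomain of, any entry in known."""
    host = host.lower()
    return any(host == k or host.endswith("." + k) for k in known)


def scan_text(text):
    """Return (line_no, rule, evidence) tuples for every suspicious hit in the dump."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in LINE_RULES:
            m = rx.search(line)
            if m:
                findings.append((no, rule, m.group(0)[:60]))
        for host in SCRIPT_SRC.findall(line):
            if host_matches(host, MINER_HOSTS):
                findings.append((no, "known-miner-host", host))
            elif not host_matches(host, ALLOWED_SCRIPT_HOSTS):
                findings.append((no, "third-party-script", host))
    # A redirect that only fires for search-engine visitors needs the whole script
    # body, which may span lines, so this pass works on <script> blocks, not lines.
    for m in SCRIPT_BLOCK.finditer(text):
        body = m.group(1)
        if ("document.referrer" in body and SEARCH_ENGINES.search(body)
                and LOCATION_WRITE.search(body)):
            no = text.count("\n", 0, m.start()) + 1
            findings.append((no, "referrer-conditional-redirect",
                             "document.referrer + location write"))
    return findings


# Constructed sample in the shape of a mysqldump of the template/datastore
# tables; none of it is real site data.
SAMPLE_DUMP = r"""
INSERT INTO template (title, template) VALUES ('header', '<script src="//www.scifi-meshes.com/clientscript/vbulletin_global.js"></script>');
INSERT INTO template (title, template) VALUES ('footer', '<script src="https://crypto-loot.com/lib/miner.min.js"></script>');
INSERT INTO datastore (title, data) VALUES ('options', '<div style="position:absolute;left:-9999px"><a href="http://example.invalid/ucuz">ucuz takipci</a></div>');
INSERT INTO template (title, template) VALUES ('forumhome', '<script>if(/google|bing/i.test(document.referrer)){window.location.href="http://example.invalid/go";}</script>');
INSERT INTO template (title, template) VALUES ('ad_global', '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"))</script>');
"""

if __name__ == "__main__":
    # Usage: python scan_dump.py dump.sql   (no argument scans the built-in sample)
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_DUMP
    for no, rule, evidence in scan_text(text):
        print(f"line {no}: {rule}: {evidence}")
```

Run it against a fresh dump after every cleanup and keep the previous dump: a `diff` of the two scan outputs shows exactly which template or datastore row the attacker re-infected, which is the "better handle on what happens" the admin asks for above. Hits under `third-party-script` for hosts you recognise belong in `ALLOWED_SCRIPT_HOSTS`; anything else is worth reading in full before deciding it is harmless.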