Description:
Infection that targets mainly outdated vBulletin sites with the VBSEO plugin. It redirects visitors coming from search engines to one of the following sites: myfilestore[.]com, filestore72[.]info, file2store[.]info, url2short[.]info, filestore123[.]info, url123[.]info, dollarade[.]com
The tell-tale sign of this infection is this script in the header of web pages:
<script type="text/javascript" src=hxxp://<site-domain>/forums/misc.php?v=420&js=js"></script>
Specifically this path /misc.php?v=<NNN>&js=js or /misc.php?v=<NNN>&g=js, where <NNN> is a random 3-digit number, tells that the forum is infected. That's the script that loads the redirect code.
Cleanup:
You should remove the malicious PHP code from the vBulletin database and/or the /includes/datastore/datastore_cache.php file. You should be searching them for the following keywords: "= preg_replace(" and "strtr". The malicious code usually consists of 5-6 lines that end with something like this (variable names may vary)
$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), "vbseo");
Don't forget to remove the VBSEO plugin (it is not supported for a long time) and update the rest software.
For more information check this pages:
Vbulletin myfilestore hack - Find the traces and remove them
vBulletin Still Redirecting to Myfilestore .com
Affecting: vBulletin forums