SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware.forum_redirect.1


Infection that targets mainly outdated vBulletin sites with the VBSEO plugin. It redirects visitors coming from search engines to one of the following sites: myfilestore[.]com, filestore72[.]info, file2store[.]info, url2short[.]info, filestore123[.]info, url123[.]info, dollarade[.]com

The tell-tale sign of this infection is this script in the header of web pages:

<script type="text/javascript" src=hxxp://<site-domain>/forums/misc.​php?v=420&js=js"></script>

Specifically this path /misc.php?v=<NNN>&js=js or /misc.php?v=<NNN>&g=js, where <NNN> is a random 3-digit number, tells that the forum is infected. That's the script that loads the redirect code.

You should remove the malicious PHP code from the vBulletin database and/or the /includes/datastore/datastore_cache.php file. You should be searching them for the following keywords: "= preg_replace(" and "strtr". The malicious code usually consists of 5-6 lines that end with something like this (variable names may vary)

$gpu = preg_replace​($baseline, strtr​($arrvb, $ajx, $ajx2), "vbseo");

Don't forget to remove the VBSEO plugin (it is not supported for a long time) and update the rest software.

For more information check this pages:
Vbulletin myfilestore hack - Find the traces and remove them
vBulletin Still Redirecting to Myfilestore .com

Affecting: vBulletin forums