Symptoms of the filestore vbulletin hack:

When the forum (based on the vBulletin script) is accessed normally, either directly or via a link from any website, there is no issue.

But the first time I access the vBulletin forum from a Google search results page, I'm redirected to some site like adultfriend finder, myfilestore.com, filestore72.info or similar. Simply put, the forum is infected, hacked somehow... I did not find any recently modified files, but I found tutorials on how to remove the redirect and prevent it in the future.

What worked to remove so called "filestore vbulletin hack"?

How I solved this: password protect your admincp directory (the vBulletin script directory used by the forum administrator); the password must be different from the ones used previously for vBulletin.

Then go to vBulletin AdminCP, Plugins & Products, Manage Products,
disable some plugin (I disabled VBSEO) and enable it again. That should reset the MySQL-based, so-called vBulletin datastore.

Then the forum should no longer be redirecting Google visitors. One can verify this by accessing the forum from a Google search results page (search for your domain name in Google) and clicking a link to some topic, not the main page, since the main page may not be redirected; just verify it all goes through. You MUST use the anonymous (private/incognito) mode of your browser, as the hack might be using cookies. Both Chrome and Firefox have such a window mode. To clear the "cache", close the anonymous window and open it again. I would make sure no JavaScript-blocking plugins are enabled in the browser.

Now that you have protected admincp, the hack should not happen again, but schedule a reminder after about 1 month to verify the forum is not redirected when accessed from Google.
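
The scheduled re-check described above can be scripted. This is an added example, not part of the original tutorial: it assumes the redirect is an HTTP 3xx response triggered by the Google referer, so a redirect done in JavaScript or keyed on other conditions will not show up and the manual browser check is still needed. The function names and the browser User-Agent string are made up for the example.

```shell
#!/usr/bin/env bash
# Added example: does a forum URL redirect off-site for a visitor arriving from Google?

# classify_response STATUS LOCATION FORUM_HOST
# Prints "ok", "onsite-redirect" or "offsite-redirect".
classify_response() {
    local status="$1" location="$2" forum_host target
    forum_host=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    case "$status" in
        3??) ;;
        *) echo "ok"; return 0 ;;
    esac
    case "$location" in
        http://*|https://*|//*) ;;
        *) echo "onsite-redirect"; return 0 ;;   # relative Location stays on the forum
    esac
    # Reduce the Location value to a bare lower-case host name.
    target=${location#*//}
    target=${target%%[/?#]*}
    target=${target##*@}
    target=${target%%:*}
    target=$(printf '%s' "$target" | tr '[:upper:]' '[:lower:]')
    case "$target" in
        "$forum_host"|*."$forum_host") echo "onsite-redirect" ;;
        *) echo "offsite-redirect" ;;
    esac
}

# check_from_google URL
# One cookie-less request with a Google referer; prints verdict, status, target.
check_from_google() {
    local url="$1" host out
    host=${url#*//}; host=${host%%[/?#]*}; host=${host%%:*}
    out=$(curl -s -o /dev/null --max-time 20 -A 'Mozilla/5.0 (X11; Linux x86_64)' \
        -e 'https://www.google.com/' -w '%{http_code} %{redirect_url}' "$url") || return 2
    printf '%s %s\n' "$(classify_response "${out%% *}" "${out#* }" "$host")" "$out"
}

# Run against a topic URL when one is given, e.g. from a monthly cron job.
if [ "$#" -gt 0 ]; then
    check_from_google "$1"
fi
```

Pass the URL of a topic page rather than the main page, as the tutorial notes that the main page may not be redirected.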

Hope that helped


------------------
The rest of this page are things I tried in order to avoid the hack, but they did not help.

1)
edit vbseo.php file in the forum root directory and add following code after first line (after <?php)


Code:
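// strpos() returns 0 (falsy) for a match at the start of the string, so compare against false
if (strpos($_SERVER["QUERY_STRING"], '%00') !== false) die;
2)
disable write permission on the vbseo configuration file: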


chmod 544 vbseo/resources/xml/config.xml

3)
edit vbseo/functions_vbseo_hook.php


find in that file:
Code:
$vbulletin->options['bburl'].'/'.$_GET['vbseourl']
replace by:
Code:
$vbulletin->options['bburl'].'/'.preg_replace('#[\x00-\x1F]#', '', $_GET['vbseourl']) :
(above should prevent future attacks)

4)
edit misc.php file and add following line of code to the second line in that misc.php file:


Code:
if (isset($_GET['g']) && $_GET['g'] == 'js') die;

Then schedule a recurring event so that after, let's say, a few weeks you again check Google for your domain to see whether the malicious redirect is back. Bookmark this topic, and if it is back, one idea is to check recently modified files. Example Linux commands:
Code:
cd /home/myusername/www
find . -path /home/virtfs -prune -o -type f -name "*.*" -newermt 2015-01-20 ! -newermt 2015-02-20 -print
(it will find files modified from January 20 to February 20)
In my case the site was re-infected again, but no modified files were found; it can mean it is a MySQL infection, not a file-based one.
The next thing to try can be to list the access log for your domain; in my case the Linux command was:
Code:
cat /usr/local/apache/domlogs/mydomain.tld | grep POST | grep -v register | grep -v mobiq | grep -v login | grep -v misc.php

Another thing to try: password protect your admincp directory; the password must be different from the ones used previously for vBulletin.

Another thing to try: install the vBulletin plugin that rebuilds the datastore once a base64 string is found in the datastore. http://www.vbulletin.org/forum/showthread.php?t=265866
c4h.zip
Code:
$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64%'");
But on my infected site, when I exported the datastore MySQL table, the only base64 I found was the Tapatalk plugin one:
<a href="http://tapatalk.com/tapatalk_image.php?img=\\''.urlencode(base64_encode($matches[2].\\''/original\\''.$matches[3])).\\''" target="_blank" class="externalLink">

Regarding the "http" phrase, I did not find anything strange.

My 4 vB forums' re-infection history and the steps I did to prevent it
First check (March 8, 2015)
--- ILF - password protected admincp directory and disabled VBSEO plugin, let's wait
--- GT - not re-infected
--- CBB - disabled vbseo plugin, renamed vbseo directory + changed vbseo path in file vbseo.php to reflect the new directory name ( "vbseo/" to "vbseo_myrandomphrasse/" )
--- ZF - no infect.
Second check (March 25, 2015)
--- ILF - no re-infect
--- GT - re-infected, not the main page, but forumdisplay.php. So let's password protect admincp, and disable/enable some plugin from admincp and see at the next check
--- CBB - got re-infected. So let's password protect admincp, and I enabled VBSEO in admincp + renamed the vbseo folder + edited vbseo.php to reflect the new name. Let's see at the next check
--- ZF - no infect.
Third check (April 10, 2015)
--- ILF - no re-infect
--- GT - no re-infect
--- CBB - no re-infect
--- ZF - no re-infect
Fourth check (May 8, 2015)
--- ILF - no re-infect
--- GT - no re-infect
--- CBB - no re-infect
--- ZF - no re-infect
X check (....)
--- none of the sites got re-infected again so far; if they do, I will update this

If re-infected after a few weeks/month... try renaming the admincp directory and password protecting it with some different password, then disable/enable some plugin to refresh the datastore.. (try grep eval,base64 from domain access logs as mentioned above) + wait some weeks and check periodically.
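
The two access-log checks mentioned on this page (the POST filter with its exclusions, and the search for eval/base64) can be done in one pass. This is an added example, not part of the original tutorial: it assumes Apache combined log format, the function names are made up, and the log lines and request paths in it are constructed.

```shell
#!/usr/bin/env bash
# Added example: one-pass triage of an access log for the checks described above.

# suspicious_requests LOGFILE
# Prints "reason client-ip method url" for each request that is either
#   - a request whose URL contains base64 or eval( (also URL-encoded), or
#   - a POST to anything other than the endpoints the tutorial filters out.
suspicious_requests() {
    awk '
    {
        # The request line is the first double-quoted field of the log entry.
        if (split($0, q, "\"") < 3) next
        if (split(q[2], req, " ") < 2) next
        method = req[1]
        url = tolower(req[2])
        reason = ""
        if (url ~ /base64|eval[(]|eval%28/)
            reason = "encoded-payload"
        else if (method == "POST" && url !~ /register|mobiq|login|misc\.php/)
            reason = "unexpected-post"
        if (reason != "") print reason, $1, method, req[2]
    }' "$1"
}

# Constructed sample lines (not real traffic) for trying the function offline.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Mar/2015:10:00:01 +0000] "POST /login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Mar/2015:10:00:05 +0000] "POST /some/unknown.php?do=update HTTP/1.1" 200 901 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Mar/2015:10:00:09 +0000] "GET /showthread.php?t=42 HTTP/1.1" 200 20480 "https://www.google.com/" "Mozilla/5.0"
192.0.2.13 - - [25/Mar/2015:10:00:12 +0000] "GET /index.php?q=base64_decode HTTP/1.1" 200 88 "-" "-"
192.0.2.14 - - [25/Mar/2015:10:00:20 +0000] "POST /mobiquo/mobiquo.php HTTP/1.1" 200 300 "-" "Tapatalk"
EOF
}

# Scan a real log when a path is given, e.g. the domlogs file for your domain.
if [ "$#" -gt 0 ]; then
    suspicious_requests "$1"
fi
```

Only the request URL is inspected, so POST bodies, which Apache does not log by default, are not covered by this check.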


More reading:
http://club.myce.com/f20/vbulletin-myfilestore-hack-find-traces-remove-them-332219
http://www.blackberryos.com/off-topic-discussion/39854-how-fix-vbulletin-redirecting-filestore72-info-url123-info-etc-redirect-google.html - many ideas there

source of this tutorial here