Linkjacking / Redirect to Phishing Site occurring

31 replies to this topic

#16 drudkh (Prisoner, Members, 9 posts)

Posted 13 November 2017 - 11:57 AM

I believe that the IP Board forum or its plugins may also be worth examining.  In fact, here are two other IP Board forums suffering the same problem:


http://www.focusrsoc...ty-issue/page-7

http://customsforge....-when-on-forum/


I could not find anything related to 'x0z01i15003'.


I'll run Avast, but to be clear, the only executables that I run on my machine are from reputable modding sites or trusted third parties.


Edited by drudkh, 13 November 2017 - 11:58 AM.


#17 alt3rn1ty (Thane, Mod Authors, 424 posts)

Posted 13 November 2017 - 12:26 PM

@Mator - Not sure about detection rates either, but really whatever free anti-mal anyone uses doesn't matter, it will prevent the majority of threats just as well as any paid-for product. Nothing is invulnerable.


TeamViewer is good for remoting if you haven't heard of it before; I help family and friends from afar solve many issues with that software.


Edited by alt3rn1ty, 13 November 2017 - 12:27 PM.


#18 TechAngel85 (Akatosh, Administrators, 12,104 posts)

Posted 13 November 2017 - 02:21 PM

> How and where is this site hosted?  For example, are you paying for a VPS and you took the time to install the forum software yourself?  What third party plugins are installed on the forum?  Could any of them be out of date?  What third party scripts are attempted to be loaded?  Are any on non-reputable CDNs?

This is not information that we would typically release to the public. I do understand that you're looking for a point of entry for malware on the site. However, I'm with Kabepo. If this was coming directly from our website, then everyone would be experiencing it and we'd have a ton more reports about it. Not only that, but our hosting provider would also likely catch on to the activity. The only reason this wouldn't be widespread and still coming from our website is if it was a very targeted attack (region, browser app, search engine, etc). Else, the most likely explanation is as Kabepo says; a local issue on the local system.


My first recommendation here is to run SuperAntiSpyware. I've used it for years while doing freelance computer repair. Download the portable version, run your system in Safe Mode without Networking, then run the scan. Clean up anything it finds. I personally do not care for MalwareBytes.


Edit:

I personally use MS Security Essentials and just run SuperAntiSpyware once every couple of months. Good practice is where it's at. I never have any issues because the common tracking cookies. I once used Avast, but found it unnecessary.



#19 drudkh (Prisoner, Members, 9 posts)

Posted 13 November 2017 - 03:43 PM

https://blog.sucuri....-board-cms.html


I will run each scan suggested to me.  In turn, please review the above.  It fits this scenario quite well.



#20 Mator (Jarl, Mod Authors, 540 posts)

Posted 13 November 2017 - 03:46 PM

> https://blog.sucuri....-board-cms.html
>
> I will run each scan suggested to me.  In turn, please review the above.  It fits this scenario quite well.

Great find.

I actually saw some base64-encoded stuff in the STEP code when I was looking around, though I think what I saw was probably just part of IPB.  I think this is quite likely to be the exact issue here though.


EDIT: This article, which is linked from there, is much more in-depth; definitely something we should do to investigate this, Tech & Z: https://peter.upfold...url4short-mess/


Edited by Mator, 13 November 2017 - 03:59 PM.


#21 TechAngel85 (Akatosh, Administrators, 12,104 posts)

Posted 13 November 2017 - 04:00 PM

It'll be on Z. I don't have access to server files on this server.


It should be noted that I deleted all my cookies, cleared my caches, closed the browser, opened the browser, searched the forums on Google, clicked a link, and...nothing. Worked as it should. Same thing with Firefox and Chrome.



#22 drudkh (Prisoner, Members, 9 posts)

Posted 13 November 2017 - 04:16 PM

The nature of the vulnerability prevents every user from seeing it.  Like you, if I clear cookies and come back, it doesn't happen.  Nor an incognito window.


Mator, can you grep for $mds?  If you're on Windows, you can get a CLI grep replacement, or (way easier) Agent Ransack is good freeware that does the same thing.


Edited by drudkh, 13 November 2017 - 04:29 PM.

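A small scan for the indicators drudkh asks the admins to look for (the `$mds` variable and base64-encoded blobs planted in forum assets), written here as an added example that is not from the thread or from IP.Board. It runs over a constructed temporary tree; the `eval(base64_decode(...))` pattern, the scanned file types and the sample file names are assumptions of this example.

```python
import os
import re
import tempfile

# Indicators taken from the thread: the '$mds' variable drudkh asks to grep for and
# base64 blobs in forum assets. The eval(base64_decode(...)) pair and the file types
# scanned are assumptions, not something the thread or IP.Board documents.
PATTERNS = {
    "mds_variable": re.compile(r"\$mds\b"),
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
SCAN_EXT = {".php", ".phtml", ".js", ".html", ".htm", ".tpl"}

def scan_file(path):
    """Return the names of the indicators that match inside one file."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_tree(root):
    """Map each suspicious file (path relative to root, '/'-separated) to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, fname)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits

def demo():
    """Scan a constructed mini forum tree (sample content, not real IP.Board files)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "admin"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\nrequire 'init.php';\n")          # clean file
        with open(os.path.join(root, "admin", "hook.php"), "w") as fh:
            fh.write("<?php\n$mds = 'x';\neval(base64_decode('" + "QUFB" * 70 + "'));\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("$mds mentioned in a file type the scan skips\n")
        return scan_tree(root)

if __name__ == "__main__":
    for path, indicators in demo().items():
        print(path, "->", ", ".join(indicators))
```

Point `scan_tree` at the forum's web root to get the same report for a real install; a hit on the long-blob pattern alone can be legitimate minified or embedded data, so review matches by hand.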

#23 drudkh (Prisoner, Members, 9 posts)

Posted 13 November 2017 - 04:22 PM

You can view additional vulnerabilities in IPB at http://www.cvedetail...vendor_id=10268



#24 Mator (Jarl, Mod Authors, 540 posts)

Posted 13 November 2017 - 05:02 PM

> The nature of the vulnerability prevents every user from seeing it.  Like you, if I clear cookies and come back, it doesn't happen.  Nor an incognito window.
>
> Mator, can you grep for $mds?  If you're on Windows, you can get a CLI grep replacement, or (way easier) Agent Ransack is good freeware that does the same thing.

I don't have server access either, so it's not something I can address at the moment.



#25 DoubleYou (Wiki Stepper, Super Moderators, 4,480 posts)

Posted 14 November 2017 - 11:12 AM

> And when it happened to you, how were you accessing the site?


Via the View New Content button. Only happens when I access STEP website, which is why I think it is on your end. I can browse for hours on other websites with no trouble. Windows Defender detects no problems on my Windows 10 computer. I will try looking at the source code in the browser next time it happens and see if I can see anything. I will try and see if Microsoft Edge behaves the same.

#26 DoubleYou (Wiki Stepper, Super Moderators, 4,480 posts)

Posted 14 November 2017 - 08:11 PM

Tested with Microsoft Edge. Steps I used:


1. Used Bing to search for "step project forum"

2. Clicked the link to the forum.

3. Within a few seconds I was transferred to the phishing site.


So if it is on my side, it infected both Chrome and Edge.



#27 Mator (Jarl, Mod Authors, 540 posts)

Posted 14 November 2017 - 09:36 PM

> Tested with Microsoft Edge. Steps I used:
>
> 1. Used Bing to search for "step project forum"
>
> 2. Clicked the link to the forum.
>
> 3. Within a few seconds I was transferred to the phishing site.
>
> So if it is on my side, it infected both Chrome and Edge.

If it was a local piece of malware the browser you use wouldn't matter.  I'm fairly convinced it's not a local piece of malware though, and that it's something that inserted itself into the IPB assets via some kind of vulnerability in IPB per drudkh's previous posts.



#28 kabepo (Citizen, Members, 63 posts)

Posted 15 November 2017 - 11:28 AM

> Funny, that's exactly what he used/uses!
>
> I personally use Avast and Spybot S&D, but I haven't done much research lately into detection rates.  EDIT: Here's the most recent report I could find about detection rates, though I'd like to find more reports.  Always good to have multiple sources.  But this reflects what I had found previously several years ago.  Though MalwareBytes AntiMalware is incredibly popular, its detection rate for malicious software is sub-par.

These are some sites for virus detection rates:

https://www.av-comparatives.org/

https://www.av-test.org/en/

Although I think people obsess a bit too much over which antivirus "is the best". More important is being careful of what you click on, what you install, and which emails you open.


Malwarebytes version 2 was not very good for real-time protection, but that was not its main focus. It was very, very good for cleaning up infected machines.

Malwarebytes version 3 has improved real-time protection.



#29 kabepo (Citizen, Members, 63 posts)

Posted 15 November 2017 - 11:38 AM

> Tested with Microsoft Edge. Steps I used:
>
> 1. Used Bing to search for "step project forum"
>
> 2. Clicked the link to the forum.
>
> 3. Within a few seconds I was transferred to the phishing site.
>
> So if it is on my side, it infected both Chrome and Edge.

If you are interested in knowing whether the infection is on your side, or in proving that it is most probably a webserver infection, then follow this procedure and report the results.


https://malwaretips....redirect-virus/



#30 drudkh (Prisoner, Members, 9 posts)

Posted 17 November 2017 - 05:36 PM

Tech, Mator, Z: Have there been any attempts to verify this?

