Linkjacking / Redirect to Phishing Site occurring


48 replies to this topic

#31 TechAngel85

    Akatosh

  • Administrators
  • 12,398 posts

Posted 18 November 2017 - 12:38 PM

Tech, Mator, Z: Have there been any attempts to verify this?

No, sorry. Z is the only one with server level access on this host and he's been fairly busy in RL.

#32 Mator

    Jarl

  • Mod Authors
  • 597 posts

Posted 19 November 2017 - 06:44 PM

I re-cached skins and languages from the Admin CP.  This might have fixed the problem.  Let me know if it's still happening.



#33 DoubleYou

    Wiki Stepper

  • Super Moderators
  • 4,519 posts

Posted 23 November 2017 - 11:31 AM

Well, I haven't gotten it for a while now, but I'm not sure if it isn't just lurking, or if running CCleaner (hadn't run it in ages) to delete my browser cookies/cache/etc., didn't remove it, or the recaching of the skin files. I ran a ton of the antivirus programs mentioned in this thread and it found nothing. I guess all's well that ends well.



#34 Mator

    Jarl

  • Mod Authors
  • 597 posts

Posted 23 November 2017 - 01:14 PM

Well, I haven't gotten it for a while now, but I'm not sure if it isn't just lurking, or if running CCleaner (hadn't run it in ages) to delete my browser cookies/cache/etc., didn't remove it, or the recaching of the skin files. I ran a ton of the antivirus programs mentioned in this thread and it found nothing. I guess all's well that ends well.

I'd like to think re-caching the skin files fixed the problem, but I will wait to hear from some other users before saying it's solved.  It's also only a temporary solution; the attacker can probably just use the same vector to re-attach their code at any time.



#35 paradoxbound

    Guard

  • Contributors
  • 125 posts

Posted 24 November 2017 - 06:39 AM

Can I suggest you run something like OpenVAS once a month or more against your servers to make sure you aren't drifting into the long tail of vulnerability. You can run it from a VirtualBox install from a half decent laptop. Please note that you should check with your service provider, if, when and how they would want to be informed of any pen (penetration) testing.
http://www.openvas.org/



#36 Mator

    Jarl

  • Mod Authors
  • 597 posts

Posted 24 November 2017 - 01:53 PM

Can I suggest you run something like OpenVAS once a month or more against your servers to make sure you aren't drifting into the long tail of vulnerability. You can run it from a VirtualBox install from a half decent laptop. Please note that you should check with your service provider, if, when and how they would want to be informed of any pen (penetration) testing.
http://www.openvas.org/

Great suggestion, hadn't heard of this software before.  Per Tech, only Z has server access right now, so he'd have to be the one to do this.



#37 z929669

    Ixian Inventor

  • Administrators
  • 9,274 posts

Posted 26 November 2017 - 05:57 PM

I looked into the affected php code, and did not see use of the code causing the issue. I think a vulnerability remains, but it was cleaned up by the recaching process. Upgrading IPB should fix the source (coming soon).



#38 drudkh

    Prisoner

  • Members
  • 10 posts

Posted 17 December 2017 - 08:32 AM

I encountered this again today.  When do you intend to upgrade IPB? 



#39 z929669

    Ixian Inventor

  • Administrators
  • 9,274 posts

Posted 17 December 2017 - 03:28 PM

We will be upgrading the entire site and moving servers within the next few months. Dev is in progress.



#40 crc64error

    Prisoner

  • Members
  • 1 posts

Posted 12 January 2018 - 09:34 PM

I just created this account to report this same issue.  I will attempt to recreate it with some monitoring active.  I arrived at the site through a Google search, here is the link I clicked.
https://www.google.c...z-ly2FSqb84w1QH

I clicked the link, read some of the page.  I left the page open and went to a different application.  I then heard a beeping noise, and went back to the tab.  It was displaying a fake virus notice.  I closed the tab.

Unfortunately, the issue did not happen again when I revisited the same link.  But looking at my history, here are the two suspect entries.

9:25 PM  Google Chrome Tab  x0z03i90004.info
9:25 PM  Google Chrome Tab  214.fastandbrave.com

I do not know if any of this will help you troubleshoot this issue, but I hope that it does.


Edited by crc64error, 12 January 2018 - 09:43 PM.


#41 SleepsInSun

    Prisoner

  • Members
  • 3 posts

Posted 21 January 2018 - 05:18 PM

I looked into the affected php code, and did not see use of the code causing the issue. I think a vulnerability remains, but it was cleaned up by the recaching process. Upgrading IPB should fix the source (coming soon).

The infection is still present. I just encountered it. I'm pissed that you've known about this for two months and think "recaching templates" is going to solve your problem! I'm reporting this site as an attack site to Mozilla, Google, etc. as you don't seem qualified or interested in cleaning it up. This is a very serious issue. You cannot go on serving malware to your users and just plead ignorance.

This site should get someone who has a clue about maintaining a website and server. 2 months! It shouldn't have taken 2 hours!

At the very least you have an ethical duty to shut down the infected portions of the site so as to limit further spread of this malware.


Edited by SleepsInSun, 21 January 2018 - 05:20 PM.


#42 Mator

    Jarl

  • Mod Authors
  • 597 posts

Posted 21 January 2018 - 05:47 PM

The infection is still present. I just encountered it. I'm pissed that you've known about this for two months and think "recaching templates" is going to solve your problem! I'm reporting this site as an attack site to Mozilla, Google, etc. as you don't seem qualified or interested in cleaning it up. This is a very serious issue. You cannot go on serving malware to your users and just plead ignorance.

This site should get someone who has a clue about maintaining a website and server. 2 months! It shouldn't have taken 2 hours!

At the very least you have an ethical duty to shut down the infected portions of the site so as to limit further spread of this malware.

That's kind of a misrepresentation.  I understand that people don't like it when they get directed to seemingly malicious sites, but STEP isn't spreading malware.  There is malicious code getting inserted in STEP through some kind of exploit in PHPBB software which is executing in your browser, but it's hardly "malware" and has no effect outside of your web browser on your machine.  The website that you get redirected to could download malware, but a website itself isn't malware (though it can be malicious).  It's possible that website could download malicious software to your machine if you let it do what it wanted, but I haven't seen any actual proof that it downloads malicious software.

The issue here is that the malicious code is very subjective.  I use STEP almost daily and I never get redirected to the fishy website.  The same is true for the majority of people here.  This makes it extremely difficult to assess the infection.  STEP's main webmaster is no longer available, and there isn't really a way to protect the website against this attack anyway aside from updating the PHPBB forum software, because it's exploiting a vulnerability in proprietary software which we don't know anything about.  The attack itself is presumed to operate through inserting malicious code in a cached template file, so recaching the templates should remove the malicious code, requiring the attacker to attack the website again and re-attach it.

We're doing our best here, but migrating the website to the updated PHPBB software isn't something that can be done overnight, but I will urge the development team to prioritize it due to this issue.



#43 SleepsInSun

    Prisoner

  • Members
  • 3 posts

Posted 21 January 2018 - 06:07 PM

This site doesn't run on phpBB, it runs on ipb. phpBB hasn't been vulnerable to this kind of garbage for years.

Redirecting users to a site that serves malware is no better than serving it up yourselves. The particulars are irrelevant. The site owners are aware of the issue and refuse to address it properly.

There is nothing at all difficult about finding and cleaning up this kind of exploit. If they can't do it, they should hire someone. If they can't do that, they should disable the affected script.

This isn't rocket science.



#44 GrantSP

    The antipodean

  • Super Moderators
  • 4,333 posts

Posted 21 January 2018 - 06:21 PM

This site doesn't run on phpBB, it runs on ipb. phpBB hasn't been vulnerable to this kind of garbage for years.

Correct

Redirecting users to a site that serves malware is no better than serving it up yourselves. Maybe.

The particulars are irrelevant. Correct.

The site owners are aware of the issue and refuse to address it properly. Incorrect.

There is nothing at all difficult about finding and cleaning up this kind of exploit. If they can't do it, they should hire someone. If they can't do that, they should disable the affected script.

I am on this site every day, and have been for many years now, and I have never once been redirected anywhere. All indications are pointing to the exploit coming from somewhere else and only targeting STEP via some other means, perhaps a browser plugin that all the affected users have in common, I don't know.

If it was as simple as just disabling a specific script then that would have taken place. We take our responsibilities very seriously and accusing the STEP team of serving up malware is a very poor attempt to get some attention.

We know it is frustrating when it happens but the fault is elsewhere.

This isn't rocket science.

Please remain calm. STEP is moving forward with new hosting and a new look very soon.



#45 SleepsInSun

    Prisoner

  • Members
  • 3 posts

Posted 21 January 2018 - 06:49 PM

You don't need to know the criteria that the malware is using to activate the redirection. You know the infection exists. You know what code should be in your scripts... The fault isn't elsewhere. It's very likely in your skin_cache directory. Please read this post (I know, it's long, but I swear you'll learn something) and see if it will help you track it down.

https://peter.upfold...url4short-mess/

The exploit you're looking for may use different variable names, and it may reside elsewhere, but from the way it looks this is the kind of exploit you need to locate.

I'm not trying to be an ass here, but all of us who own sites have minimum responsibilities that need to be observed, and allowing something like this to go on for months is not appropriate. It's not the kind of thing you can just put off pending some future renovation of the site.

This really shouldn't take more than an hour or two to fix, depending on how well it's hidden.


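Two posts above describe the defender's situation: the injected code is presumed to live in a cached template file (the skin_cache directory named in the last post), recaching removes it, and the attacker can re-attach it afterwards. The check that follows from that is an added example in Python, not code from this thread or from IPB: record a SHA-256 baseline of the cache directory right after a clean recache, and on later runs flag every file that changed or appeared since, listing the lines in those files that contain script or redirect constructs. Only skin_cache comes from the thread; the file names, the pattern list and the injected sample line in demo() are constructed for the example, and the placeholder host is not a real site.

```python
"""Added example (not from the thread, not IPB code): baseline-and-diff
check for a forum template cache such as the skin_cache directory the
thread points at.  Take a SHA-256 baseline right after a clean recache;
later runs flag files that changed or appeared since, and list lines in
those files that contain script or redirect constructs.
"""
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructs that should not appear in a cache file that changed *after*
# the clean baseline was taken.  Legitimate templates do contain scripts,
# which is why only new/changed files are inspected, never baseline files.
SUSPICIOUS = [
    re.compile(r"<script[^>]*>", re.I),
    re.compile(r"\b(?:window|document|top|self)\.location\b", re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\b(?:atob|base64_decode|unescape)\s*\(", re.I),
    re.compile(r"\bsetTimeout\s*\(", re.I),
]


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    """Store the baseline outside the web root, so whoever can edit the
    cache cannot also rewrite the record it is compared against."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def suspicious_lines(text: str) -> list[tuple[int, str]]:
    """(line number, trimmed line) for each line matching a pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in SUSPICIOUS):
            hits.append((n, line.strip()[:120]))
    return hits


def check_against_baseline(root: Path, baseline: dict[str, str]) -> dict:
    """Compare root to the baseline.  Returns lists of changed, new and
    missing files plus, for changed/new files only, the suspicious lines."""
    current = build_baseline(root)
    report = {"changed": [], "new": [], "missing": [], "suspicious": {}}
    for rel, digest in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif baseline[rel] != digest:
            report["changed"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    for rel in report["new"] + report["changed"]:
        hits = suspicious_lines((root / rel).read_text(errors="replace"))
        if hits:
            report["suspicious"][rel] = hits
    return report


def demo() -> dict:
    """Constructed scenario in a temp directory: a clean template is
    baselined, then a redirect line is appended and a stray file added,
    the way the thread describes code being re-attached after a recache."""
    cache = Path(tempfile.mkdtemp()) / "skin_cache"
    cache.mkdir()
    tpl = cache / "global_template.php"      # constructed file name
    tpl.write_text("<html><body>\n<div class='header'>Forum</div>\n</body></html>\n")
    save_baseline(build_baseline(cache), cache.parent / "baseline.json")
    # Constructed injected line; placeholder.invalid is not a real host.
    tpl.write_text(tpl.read_text()
                   + "<script>window.location.href='http://placeholder.invalid/';</script>\n")
    (cache / "stray.php").write_text("<?php echo 'hello'; ?>\n")
    return check_against_baseline(cache, load_baseline(cache.parent / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use, take the baseline immediately after regenerating the cache from the Admin CP (as post #32 describes) and store it outside the web root; a legitimate recache changes every file, so the baseline has to be retaken at that point, and a run that reports changes in between is the signal that the code has been re-attached. The pattern list is deliberately short and will miss obfuscated forms, which is why the report leads with the hash diff: any changed file is worth reading, flagged lines or not.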

