
Linkjacking / Redirect to Phishing Site occurring


39 replies to this topic

#31 TechAngel85

TechAngel85

    Akatosh

  • Administrators
  • 12,206 posts

Posted 18 November 2017 - 12:38 PM

Tech, Mator, Z: Have there been any attempts to verify this?

No, sorry. Z is the only one with server level access on this host and he's been fairly busy in RL.

#32 Mator

Mator

    Jarl

  • Mod Authors
  • 553 posts

Posted 19 November 2017 - 06:44 PM

I re-cached skins and languages from the Admin CP.  This might have fixed the problem.  Let me know if it's still happening.



#33 DoubleYou

DoubleYou

    Wiki Stepper

  • Super Moderators
  • 4,494 posts

Posted 23 November 2017 - 11:31 AM

Well, I haven't gotten it for a while now, but I'm not sure if it isn't just lurking, or if running CCleaner (hadn't run it in ages) to delete my browser cookies/cache/etc., didn't remove it, or the recaching of the skin files. I ran a ton of the antivirus programs mentioned in this thread and it found nothing. I guess all's well that ends well.



#34 Mator

Mator

    Jarl

  • Mod Authors
  • 553 posts

Posted 23 November 2017 - 01:14 PM

Well, I haven't gotten it for a while now, but I'm not sure if it isn't just lurking, or if running CCleaner (hadn't run it in ages) to delete my browser cookies/cache/etc., didn't remove it, or the recaching of the skin files. I ran a ton of the antivirus programs mentioned in this thread and it found nothing. I guess all's well that ends well.

I'd like to think re-caching the skin files fixed the problem, but I will wait to hear from some other users before saying it's solved. It's also only a temporary solution; the attacker probably can just use the same vector to re-attach their code at any time.



#35 paradoxbound

paradoxbound

    Guard

  • Contributors
  • 125 posts

Posted 24 November 2017 - 06:39 AM

Can I suggest you run something like OpenVAS once a month or more against your servers to make sure you aren't drifting into the long tail of vulnerability? You can run it from a VirtualBox install from a half-decent laptop. Please note that you should check with your service provider if, when and how they would want to be informed of any pen (penetration) testing.
http://www.openvas.org/



#36 Mator

Mator

    Jarl

  • Mod Authors
  • 553 posts

Posted 24 November 2017 - 01:53 PM

Can I suggest you run something like OpenVAS once a month or more against your servers to make sure you aren't drifting into the long tail of vulnerability? You can run it from a VirtualBox install from a half-decent laptop. Please note that you should check with your service provider if, when and how they would want to be informed of any pen (penetration) testing.
http://www.openvas.org/

Great suggestion, hadn't heard of this software before.  Per Tech, only Z has server access right now, so he'd have to be the one to do this.



#37 z929669

z929669

    Ixian Inventor

  • Administrators
  • 9,260 posts

Posted 26 November 2017 - 05:57 PM

I looked into the affected PHP code, and did not see use of the code causing the issue. I think a vulnerability remains, but it was cleaned up by the recaching process. Upgrading IPB should fix the source (coming soon).



#38 drudkh

drudkh

    Prisoner

  • Members
  • 10 posts

Posted 17 December 2017 - 08:32 AM

I encountered this again today.  When do you intend to upgrade IPB? 



#39 z929669

z929669

    Ixian Inventor

  • Administrators
  • 9,260 posts

Posted 17 December 2017 - 03:28 PM

We will be upgrading the entire site and moving servers within the next few months. Dev is in progress.



#40 crc64error

crc64error

    Prisoner

  • Members
  • 1 posts

Posted 12 January 2018 - 09:34 PM

I just created this account to report this same issue. I will attempt to recreate it with some monitoring active. I arrived at the site through a Google search; here is the link I clicked.
https://www.google.c...z-ly2FSqb84w1QH

 

I clicked the link, read some of the page.  I left the page open and went to a different application.  I then heard a beeping noise, and went back to the tab.  It was displaying a fake virus notice.  I closed the tab.

 

Unfortunately, the issue did not happen again when I revisited the same link.  But looking at my history, here are the two suspect entries.
 

 

9:25 PM - Google Chrome Tab - x0z03i90004.info
9:25 PM - Google Chrome Tab - 214.fastandbrave.com

 
I do not know if any of this will help you troubleshoot this issue, but I hope that it does.


Edited by crc64error, 12 January 2018 - 09:43 PM.
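
Since re-caching cleared the redirect only until it came back, one way an admin could check the skin cache between re-caches is to list every external host the cached files reference and flag any that are not expected. This is an added example, not part of any post in this thread and not IPB code. The allow-list, the file extensions and the injected snippet in the sample are assumptions constructed for illustration; the flagged host is one of the two reported in post #40.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts the forum legitimately loads resources from (placeholders).
ALLOWED_HOSTS = {"forum.example.org", "ajax.googleapis.com"}

# Absolute or protocol-relative URLs in src/href attributes and JS redirects.
URL_RE = re.compile(
    r"""(?:src|href|location(?:\.href)?)\s*=\s*["']((?:https?:)?//[^"'\s>]+)""",
    re.IGNORECASE,
)

def external_hosts(text):
    """Return the set of referenced hosts that are not on the allow-list."""
    hosts = set()
    for url in URL_RE.findall(text):
        parsed = urlparse("http:" + url if url.startswith("//") else url)
        host = (parsed.hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            hosts.add(host)
    return hosts

def scan_cache(cache_dir):
    """Map each cached skin file name to the unexpected hosts it references."""
    findings = {}
    for path in sorted(Path(cache_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html"}:
            hosts = external_hosts(path.read_text(errors="replace"))
            if hosts:
                findings[path.name] = hosts
    return findings

def demo():
    """Scan two constructed cache files: one clean, one with an added redirect."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "skin_global.php").write_text(
            '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>')
        # Constructed stand-in for injected code; the real payload is not in this thread.
        Path(d, "skin_topic.php").write_text(
            '<script>setTimeout(function(){window.location="http://214.fastandbrave.com/"},9000)</script>')
        return scan_cache(d)

if __name__ == "__main__":
    for name, hosts in demo().items():
        print(name, sorted(hosts))
```

Run against the real cache directory from a scheduled job, a non-empty result right after a clean re-cache indicates the vector is still open.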


