Linkjacking / Redirect to Phishing Site occuring

[drudkh]

Hiya,

 

On separate computers (one being my work machine where a handful of measure are taken to prevent malware) I have experienced a redirect to a couple of domains attempting to phish credentials.  Other users seem to have experienced this as well.

 

It is of course entirely possible that my computer has been infected prior (or other user error), but please consider the possibility as well that STEP may be serving some content/script that may be causing this. 

 

An example of what occurs:

• I search (generally with DuckDuckGo) for something that I care about on the STEP forum, such as DynDoLod resources. https://duckduckgo.com/?q=dyndolod+resources+sse&t=ffab&ia=web
• I click on a link that I can see takes me to https://forum.step-project.com/topic/11462-dyndolod-2xx-full-update-post/
• After clicking that link, I (used to, see bottom) get redirected to https://q54w.redirect00002.net/?nihifa=flow
• Which in turn redirects me to https://x0z01i16003.info/en/?id=KzEgKDg4OCkgMjg2LTY1ODU
• The above links can create a bunch of awful noise and will ask you for credentials, I don't recommend clicking them.  That said, you can visit them and because you're not downloading / executing random code from the internet, it's not the end of the world.

 

To prevent this from occurring again, I have modified my HOSTS file to not allow those two domains to resolve.

0.0.0.0 q54w.redirect00002.net
0.0.0.0 x0z01i16003.info

A full description of HOSTS file modifications is available at https://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

 

So to the admins I ask that you take a bit of time to review how this may be occurring and take steps to address it.

 

Thank you!

-drudkh

[Mator]

I re-cached skins and languages from the Admin CP.  This might have fixed the problem.  Let me know if it's still happening.

[DoubleYou]

Well, I haven't gotten it for a while now, but I'm not sure if it isn't just lurking, or if running CCleaner (hadn't run it in ages) to delete my browser cookies/cache/etc., didn't remove it, or the recaching of the skin files. I ran a ton of the antivirus programs mentioned in this thread and it found nothing. I guess all's well that ends well.

[Mator]

Well, I haven't gotten it for a while now, but I'm not sure if it isn't just lurking, or if running CCleaner (hadn't run it in ages) to delete my browser cookies/cache/etc., didn't remove it, or the recaching of the skin files. I ran a ton of the antivirus programs mentioned in this thread and it found nothing. I guess all's well that ends well.

I'd like to think re-caching the skin files fixed the problem, but I will wait to hear from some other users before saying it's solved.  It's also only a temporary solution, the attacker probably can just use the same vector to re-attach their code at any time.

[paradoxbound]

Can I suggest you run something like OpenVAS once a month or more against your servers to make sure you aren't drifting into the long tail of vulnerability. You can run it from a VirtualBox install from a half decent laptop. Please note that you should check with your service provider, if, when and how they would want to be informed of any pen (penetration) testing.
https://www.openvas.org/

[Mator]

Can I suggest you run something like OpenVAS once a month or more against your servers to make sure you aren't drifting into the long tail of vulnerability. You can run it from a VirtualBox install from a half decent laptop. Please note that you should check with your service provider, if, when and how they would want to be informed of any pen (penetration) testing.

https://www.openvas.org/

Great suggestion, hadn't heard of this software before.  Per Tech, only Z has server access right now, so he'd have to be the one to do this.

[z929669]

I looked into the affected php code, and did not see use of the code causing the issue. I think a vulnerability remains, but it was cleaned up by the recaching process. Upgrading IPB should fix the source (coming soon).

[drudkh]

I encountered this again today.  When do you intend to upgrade IPB? 

[z929669]

We will be upgrading the entire site and moving servers within the next few months. Dev is in progress.

[crc64error]

I just created this account to report this same issue.  I will attempt to recreate it with some monitoring active.  I arrived at the site thru a google search, here is the link I clicked.
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&cad=rja&uact=8&ved=0ahUKEwinxcLZ8dPYAhUDRN8KHZoXDCQQFgg8MAM&url=http%3A%2F%2Fforum.step-project.com%2Ftopic%2F8524-q-a-using-fnis-with-mod-organizer%2F&usg=AOvVaw30UOpaUz-ly2FSqb84w1QH

 

I clicked the link, read some of the page.  I left the page open and went to a different application.  I then heard a beeping noise, and went back to the tab.  It was displaying a fake virus notice.  I closed the tab.

 

Unfortunately, the issue did not happen again when I revisited the same link.  But looking at my history, here are the two suspect entries.
 

 

9:25 PM

Google Chrome Tab

x0z03i90004.info

 

9:25 PM

Google Chrome Tab

214.fastandbrave.com

 

I do not know if any of this will help you troubleshoot this issue, but I hope that it does.

 

9:25 PM

 

Google Chrome Tabx0z03i90004.info

 

 

 

 

 

 

9:25 PM

 

Google Chrome Tab214.fastandbrave.com

 

Edited January 13, 2018 by crc64error

[SleepsInSun]

I looked into the affected php code, and did not see use of the code causing the issue. I think a vulnerability remains, but it was cleaned up by the recaching process. Upgrading IPB should fix the source (coming soon).

 

The infection is still present. I just encountered it. I'm pissed that you've known about this for two months and think "recaching templates" is going to solve your problem! I'm reporting this site as an attack site to Mozilla, Google, etc as you don't seem qualified or interested in cleaning it up. This is a very serious issue. You cannot go on serving malware to your users and just plead ignorance.

 

This site should get someone who has a clue about maintaining a website and server. 2 months! It shouldn't have taken 2 hours!

 

At the very least you have an ethical duty to shut down the infected portions of the site so as to limit further spread of this malware.

Edited January 21, 2018 by SleepsInSun

[Mator]

The infection is still present. I just encountered it. I'm pissed that you've known about this for two months and think "recaching templates" is going to solve your problem! I'm reporting this site as an attack site to Mozilla, Google, etc as you don't seem qualified or interested in cleaning it up. This is a very serious issue. You cannot go on serving malware to your users and just plead ignorance.

 

This site should get someone who has a clue about maintaining a website and server. 2 months! It shouldn't have taken 2 hours!

 

At the very least you have an ethical duty to shut down the infected portions of the site so as to limit further spread of this malware.

That's kind of a misrepresentation.  I understand that people don't like it when they get directed to seemingly malicious sites, but STEP isn't spreading malware.  There is malicious code getting inserted in STEP through some kind of exploit in PHPBB software which is executing in your browser, but it's hardly "malware" and has no effect outside of your web browser on your machine.  The website that you get redirected to could download malware, but a website itself isn't malware (though it can be malicious).  It's possible that website could download malicious software to your machine if you let it do what it wanted, but I haven't seen any actual proof that it downloads malicious software.

 

The issue here is that the malicious code is very subjective.  I use STEP almost daily and I never get redirected to the fishy website.  The same is true for the majority of people here.  This makes it extremely difficult to assess the infection.  STEP's main webmaster is no longer available, and there isn't really a way to protect the website against this attack anyways asides from updating the PHPBB forum software because it's exploiting a vulnerability in proprietary software which we don't know anything about.  The attack itself is presumed to operate through inserting malicious code in a cached template file, so recaching the templates should remove the malicious code, requiring the attacker to attack the website and again and re-attach it.

 

We're doing our best here, but migrating the website to the updated PHPBB software isn't something that can be done overnight, but I will urge the development team to prioritize it due to this issue.

[SleepsInSun]

This site doesn't run on phpBB, it runs on ipb. phpBB hasn't been vulnerable to this kind of garbage for years.

 

Redirecting users to a site that serves malware is no better than serving it up yourselves. The particulars are irrelevant. The site owners are aware of the issue and refuse to address it properly.

 

There is nothing at all difficult about finding and cleaning up this kind of exploit. If they can't do it, they should hire someone. If they can't do that, they should disable the affected script.

 

This isn't rocket science.

[GrantSP]

This site doesn't run on phpBB, it runs on ipb. phpBB hasn't been vulnerable to this kind of garbage for years.

Correct

 

Redirecting users to a site that serves malware is no better than serving it up yourselves. Maybe.

The particulars are irrelevant. Correct.

The site owners are aware of the issue and refuse to address it properly. Incorrect.

 

There is nothing at all difficult about finding and cleaning up this kind of exploit. If they can't do it, they should hire someone. If they can't do that, they should disable the affected script.

I am on this site everyday, and have been for many years now, and I have never once been redirected anywhere. All indications are pointing to the exploit coming from somewhere else and only targeting STEP via some other means, perhaps a browser plugin that all the affected users have in common, I don't know.

If it was as simple as just disabling a specific script then that would have taken place. We take our responsibilities very seriously and accusing the STEP team of serving up malware is very poor attempt to get some attention.

We know it is frustrating when it happens but the fault is elsewhere.

 

This isn't rocket science.

 

Please remain calm. STEP is moving forward with new hosting and a new look very soon.

[SleepsInSun]

You don't need to know the criteria that the malware is using to activate the redirection. You know the infection exists. You know what code should be in your scripts... The fault isn't elsewhere. It's very likely in your skin_cache directory. Please read this post (I know, it's long, but I swear you'll learn something) and see if it will help you track it down.

 

https://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/

 

The exploit you're looking for may use different variable names, and it may reside elsewhere, but from the way it looks this is the kind of exploit you need to locate.

 

I'm not trying to be an ass here, but all of us who own sites have minimum responsibilities that need to be observed, and allowing something like this to go on for months is not appropriate. It's not the kind of thing you can just put off pending some future renovation of the site.

 

This really shouldn't take more than an hour or two to fix, depending how well it's hidden.

[GrantSP]

Thank you. That actually looks very helpful.