

Linkjacking / Redirect to Phishing Site occurring

48 replies to this topic

#46 GrantSP


    The antipodean

  • Super Moderators
  • 4,333 posts

Posted 21 January 2018 - 06:59 PM

Thank you. That actually looks very helpful.

#47 Mator



  • Mod Authors
  • 614 posts

Posted 21 January 2018 - 07:52 PM

You don't need to know the criteria that the malware is using to activate the redirection. You know the infection exists. You know what code should be in your scripts... The fault isn't elsewhere. It's very likely in your skin_cache directory. Please read this post (I know, it's long, but I swear you'll learn something) and see if it will help you track it down.




The exploit you're looking for may use different variable names, and it may reside elsewhere, but from the way it looks this is the kind of exploit you need to locate.


I'm not trying to be an ass here, but all of us who own sites have minimum responsibilities that need to be observed, and allowing something like this to go on for months is not appropriate. It's not the kind of thing you can just put off pending some future renovation of the site.


This really shouldn't take more than an hour or two to fix, depending on how well it's hidden.


That's funny, I posted this exact link earlier in the thread.


Great find.

I actually saw some base64-encoded stuff in the STEP code when I was looking around, though I think what I saw was probably just part of IPB. I think this is quite likely to be the exact issue here though.


EDIT: This article which is linked from there is much more in-depth, definitely something we should do to investigate this Tech & Z: https://peter.upfold...url4short-mess/


I don't have server access, else I would be able to provide more information about the steps taken to address this issue. Also, per the post you shared, removing the malicious code does not permanently solve the problem. The code got there via some kind of vulnerability in IPB* (yes, not PHPBB, I got them confused for a moment. Their acronyms are kind of similar and both run on PHP). Removing the malicious code will only solve the problem until the attacker re-applies the exploit.

I agree with you that being a responsible host should involve fixing this issue. It sounds to me like z929669 looked for this exploit per the article on Peter Upfold's blog, but wasn't able to find it. At the time we thought it was because I had re-cached the skin files, which Peter Upfold mentions as a possible solution. It's possible z wasn't able to find the exploit at the time, and that purging the skin cache didn't fix the problem OR the attacker re-applied their exploit through the IPB vulnerability after we had resolved the problem. Right now we don't know which of these is the case, but we do know the only way to truly protect ourselves from this exploit is to upgrade IPB to a newer version with security improvements. That's what we've been working on.

  • 0
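
A scan of the kind the posts above describe, as an added example that is not part of the thread or the linked article: it flags PHP files under a directory such as skin_cache that call decoder functions or carry long base64 literals which decode to a URL or PHP code. The patterns, the names `scan_text` and `scan_tree`, and the sample line are assumptions made for illustration; the injected code on a real site may look different.

```python
import base64
import re
from pathlib import Path

# Calls often used to unpack hidden PHP; each hit is a lead to review by hand.
DECODER_CALL = re.compile(r"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Quoted base64-looking literal of 40+ characters.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
# Content that should not be hiding inside an encoded string.
DECODED_MARKER = re.compile(rb"https?://|<\?php|\$_(SERVER|GET|POST|COOKIE)|header\s*\(", re.I)


def scan_text(text):
    """Return (line_number, reason) findings for one PHP source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for call in DECODER_CALL.findall(line):
            findings.append((lineno, f"decoder call: {call.lower()}"))
        for literal in B64_LITERAL.findall(line):
            try:
                decoded = base64.b64decode(literal, validate=True)
            except ValueError:
                continue  # not valid base64 after all
            if DECODED_MARKER.search(decoded):
                findings.append((lineno, "base64 literal decodes to URL or PHP code"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: a harmless cached-template line and one carrying an encoded URL.
_ENCODED = base64.b64encode(b"http://redirect.example.invalid/landing?from=forum").decode()
SAMPLE = (
    "<?php\n"
    "$out .= '<div class=\"post\">' . $post['content'] . '</div>';\n"
    f"$u = base64_decode('{_ENCODED}');\n"
)

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Comparing the flagged files against a clean copy of the same forum version separates stock code from injected code, and as the post above notes, removing what the scan finds does not close the vulnerability that put it there.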

#48 TechAngel85



  • Administrators
  • 12,514 posts

Posted 21 January 2018 - 08:32 PM

I re-cached the templates again and will try to do so once a week until we release the dev work.



The main issue here is the license we have for the current version of the forum software is not owned by STEP. It's owned by the old server admin, who went MIA on us. This means we don't have access to update the current forums to fix the vulnerability... so it's only a matter of time before we're infected again. We have taken steps to ensure losing staff never puts us in this situation again.


As Mator mentioned, the only option we truly have at this point is to push through the development of our site redesign, which comes with fully updated software across the board. The only other option is to completely shut down the forums, which is no option at all.

#49 mcshame



  • Members
  • 332 posts

Posted 24 March 2018 - 11:08 AM

I was on Neo Witcher 3 forum and I got taken to a warning screen with voice that I had been infected.  Seen this in the past, looks like it is back...

  • 0
