Possible Hack


RedCardinal

Makes it more probable so that this is a TV issue so.

Not really. As I said above if I use US Google through a US VPN the thaivisa links are fine and no re-directs. More of an issue with Google Thailand.

I got this issue direct from google.com but from true in Thailand. I did not go through a vpn to google.com but went there direct as I have all google.co.th disabled on my end.


Some weirdness when I get a link in an email like this.....

The post that was quoted can be found here:

http://www.thaivisa....ost__p__5960080

..... it sometimes connects me to this page......

// malware link removed //

Not sure if it's a TV problem or gmail or what....


My system is Debian stable linux, security updated this morning, connection by phone modem through Dtac gprs, Browser is swiftfox (possibly not 100% secure) with noscripts and ghostery running

Edited by metisdead: Malware link removed.

FYI, this is not limited to google Thailand. I am in the States and the same redirect to url4short just happened to me this morning. I thought I clicked the wrong button initially. But it is the same problems everyone else is having.

It looks like it is not limited to Thaivisa either. Quite a few forums seem to be having the same problem.


Back to my comment. Maybe it is worth ThaiVisa tech disabling their plug-ins (wibiya, etc) 1 by 1 and testing on a dedicated environment. The order of the attack is that it happens at the VERY beginning of the page loading (if not even before).


Just re-read george's last comment. I am not questioning the cleanliness of your server, I have NEVER seen anything that would make me think you have a problem. I think that this is either (as suggested) an ISP injection (but we're seeing this across the board...3BB, CAT, TRUE) or one of the many 3rd party applications that the site calls. The list I can see in your header includes:

googleapis

googleaddsense

widgets.amung.us

twitter

facebook

wibiya

effectivemeasure.net

hits.truehits.co.th

gravatar

and more, but my Christmas dinner is in the oven and I'm the chef round here ;)

One of these 3rd party js calls in your header could easily be compromised. This would explain the behaviour (but not exclusively) in that these are called before the page is visible so that the page knows how to load. Once the page is loaded once these are cached locally. My only problem with this is that when I clear my browser and go back to thaivisa using my bookmark this behaviour is not observed.

Checking your 3rd party add-ons 1 by 1 then contacting your hosting company with your results might yield wonderful results. Remembering that people have seen this on other forums I'm hedging my bets on a compromised widget/js call.


From what's been posted here it's most likely a DNS server poisoning attack.

This is a possibility as well, however I would imagine that we are using a wide variety of DNS servers. I am using google DNS 1, 2 then 3BB in 3. Most people will use their ISP default (i.e. not define a DNS server). It might help if people can let TV know the following when reporting this.

ISP (i.e. TRUE, CAT, 3BB)

DNS Server (if custom)

Browser type (i.e. IE, FF, Chrome, etc)

This might help identify the issue.


When we click on the links from google we are 100% being taken to TVF before the hijack occurs that takes us to the url4short link.

I tend to agree that it's one of your advertisers that has been compromised and is causing the hijacking.

As you can see from the logs I posted above, I'm taken from google to TVF and then redirected to the malware link.


I've been getting this also, but get the redirect from emails I receive in Yahoo! mail in FF for new topics in forums I'm following. When I click on the TVF link for the topic, I get the redirect page the first time, but not the second. I have bitdefender installed and up to date, no virus alerts or anything. I've just upped the level of protection to the highest.


^ Interested in andrew's response.

The guy was part correct and part wrong.

I'll send him a PM to clarify things.

Please help if you can. Your opinion on what is programming (agreed, it isn't BASIC, COBOL or C) is valid in one light, but for the internet the languages I mentioned underpin the larger percentage of website design and realisation, much to Microsoft's chagrin. This was not about your view on programming, but about a number of people trying to get to the bottom of a problem that could have damaging consequences to TV posters. If you have something to add then jump right in, a number of us worked on through Christmas to try and help out, it would have been good to have more experienced hands on deck. There is no way any one person knows everything about the internet and computers, though some would like to think so. It is just that these are problems that I have to deal with from time to time, so my thinking processes tend towards solving them.

Please do not PM me with passive/aggressive messages. I would rather not block you (to date I have only blocked one person and I really don't miss them. I have seen valuable contributions from you so I don't want to miss out on that) as I don't want to remove the open feel of this forum.

Thanks.

Edited by draftvader

Whatever was causing the page hijack seems to have been stopped as I'm no longer able to reproduce it.

Does anyone else still have this problem? Was it TVF that sorted the problem or was it the advertiser that was compromised that finally sorted it?

Would be very interested to know who the culprit in all this was.


If a punter tries to get to the TV 'forum' via google, using internet explorer, one is redirected to a site called tinyurl.com.

Are you sure about that? You would be now reporting a new hijack if what you say is true.


Whatever was causing the page hijack seems to have been stopped as I'm no longer able to reproduce it.

Does anyone else still have this problem? Was it TVF that sorted the problem or was it the advertiser that was compromised that finally sorted it?

Would be very interested to know who the culprit in all this was.

Nope - Still happening dam_n it.


Well, I have had some much more knowledgeable folks than I look at the problem and they say your site has been hacked 100%. They also gave me a way to stop the redir using software I have that we are forbidden by forum rules to discuss.

My filter match - Replace text: |document.location="http://url4short.info/bc675f2f"| [http://www.thaivisa....36beceaf2&g=js]

They told me the problem is a simple text search and replace function that is happening on your site.

Here is the line that needs to be removed from TVF

<script type='text/javascript' src='http://www.thaivisa.com/forum/index.php?ipbv=fb1e456bf3ebbbe8ca294c236beceaf2&g=js'></script>

that alone is responsible

Since I'm now able to block it on my end.. I'll stop working on this and leave it to the site admins to sort it.

Edited by Jayman
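
The checks discussed in the posts above (list the third-party script includes in the page header, then look in the served JavaScript for a hard-coded `document.location` pointing at another host), as an added example that is not part of the original thread. `forum.example`, `short.example` and the other hosts and sample strings are constructed placeholders.

```javascript
// Added example; every host and sample string below is a constructed placeholder.
const SITE_HOST = "forum.example"; // assumption: the site being audited

const isOffSite = (host, site) => host !== site && !host.endsWith("." + site);
// Unparseable targets yield "" and are therefore reported as off-site.
const hostOf = (u) => { try { return new URL(u).hostname; } catch { return ""; } };

// Collect every <script src=...> URL from raw HTML (single or double quotes).
function scriptSources(html, baseUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(['"])(.*?)\1/gi;
  return [...html.matchAll(re)].map((m) => new URL(m[2], baseUrl));
}

// Script hosts outside the site and its subdomains: the list to test one by one.
function thirdPartyHosts(html, baseUrl, site = SITE_HOST) {
  const hosts = scriptSources(html, baseUrl)
    .map((u) => u.hostname)
    .filter((h) => isOffSite(h, site));
  return [...new Set(hosts)].sort();
}

// Targets of hard-coded location assignments in a script body that leave the site.
function offSiteRedirects(js, site = SITE_HOST) {
  const re =
    /\b(?:document|window|top|self)\s*\.\s*location(?:\s*\.\s*href)?\s*=\s*(['"])(https?:\/\/[^'"]+)\1/gi;
  return [...js.matchAll(re)]
    .map((m) => m[2])
    .filter((url) => isOffSite(hostOf(url), site));
}

// Constructed page header: one first-party script and two third-party ones.
const samplePage = `
<script type='text/javascript' src='http://forum.example/index.php?g=js'></script>
<script src="https://widgets.stats.example/w.js"></script>
<script src="//cdn.social.example/sdk.js"></script>`;

// Constructed script bodies: one with an injected redirect, one navigating on-site.
const tamperedJs = 'var ipb={};document.location="http://short.example/abc123";ipb.init();';
const cleanJs = 'var ipb={};if(ok){window.location="http://forum.example/index.php";}';

console.log("third-party script hosts:", thirdPartyHosts(samplePage, "http://forum.example/"));
console.log("off-site redirects (tampered):", offSiteRedirects(tamperedJs));
console.log("off-site redirects (clean):", offSiteRedirects(cleanJs));
```

Run against the body of each script the page loads, first-party ones included, since the include named in the post above is served from the forum's own host and would not appear in the third-party list.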