Possible Hack

[RedCardinal]

Makes it more probable so that this is a TV issue so. Perhaps this should be moved back to forum support board?

Sent from my Nexus 7 using Thaivisa Connect App

[Tywais]

Makes it more probable so that this is a TV issue so.

Not really. As I said above if I use US Google through a US VPN the thaivisa links are fine and no re-directs. More of an issue with Google Thailand.

[Jayman]

Makes it more probable so that this is a TV issue so.

Not really. As I said above if I use US Google through a US VPN the thaivisa links are fine and no re-directs. More of an issue with Google Thailand.

I got this issue direct from google.com but from true in Thailand. I did not go through a vpn to google.com but went there direct as I have all google.co.th disabled on my end.

[chantsurfer]

Sir, mine was through www.google.com/ncr FYI not the Thai Google. I can see this is frustrating for all concerned and some prick is prob sitting back laughing.

[jpinx]

Some wierdness when I get a link in an email like this.....

The post that was quoted can be found here:

http://www.thaivisa....ost__p__5960080

..... it sometimes connects me to this page......

// malware link removed //

Not sure if it's a TV problem or gmail or what,,,,

• 
  

My system is Debian stable linux, security updated this morning, connection by phone modem through Dtac gprs, Browser is swiftfox (possibly not 100% secure) with noscripts and ghostery running

Edited December 27, 2012 by metisdead
: Malware link removed.

[frankold]

From whats been posted here its most likely a DNS server poisoning attack.

[chantsurfer]

Just letting you know that this is still happening guys as of 8:30am X-mass day Bangkok Time. Not posting the link again. Cheers.

[submaniac]

FYI, this is not limited to google Thailand. I am in the States and the same redirect to url4short just happened to me this morning. I thought I clicked the wrong button initially. But it is the same problems everyone else is having.

[whybother]

FYI, this is not limited to google Thailand. I am in the States and the same redirect to url4short just happened to me this morning. I thought I clicked the wrong button initially. But it is the same problems everyone else is having.

It looks like it is not limited to Thaivisa either. Quite a few forums seem to be having the same problem.

[pattayadingo]

I just got directed to that site from an e-mail sent out by ThaiVisa. I clicked the link to read about the Aussies in Phuket and sent to that rogue site.

[draftvader]

Back to my comment. Maybe it is worth ThaiVisa tech disabling their plug-ins (wibiya, etc) 1 by 1 and testing on a dedicated environment. The order of the attack is that it happens at the VERY beginning of the page loading (if not even before).

[draftvader]

Just re-read george's last comment. I am not questioning the cleanliness of your server, I have NEVER seen anything that would make me think you have a problem. I think that this is either (as suggested) an ISP injection (but we're seeing this across the board...3BB, CAT, TRUE) or one of the many 3rd party applications that the site calls. The list I can see in your header includes:

googleapis

googleaddsense

widgets.amung.us

twitter

facebook

wibiya

effectivemeasure.net

hits.truehits.co.th

gravatar

and more, but my Christmas dinner is in the oven and I'm the chef round here

One of these 3rd party js calls in your header could easily be compromised. This would explain the behaviour (but not exclusively) in that these are called before the page is visible so that the page knows how to load. Once the page is loaded once these are cached locally. My only problem with this is that when I clear my browser and go back to thaivisa using my bookmark this behaviour is not observed.

Checking your 3rd party add-ons 1 by 1 then contacting your hosting company with your results might yield wonderful results. Remembering that people have seen this on other forums I'm hedging my bets on a compromised widget/js call.

[draftvader]

From whats been posted here its most likely a DNS server poisoning attack.

This is a possibility as well, however I would imagine that we are using a wide variety of DNS servers. I am using google DNS 1, 2 then 3BB in 3. Most people will use their ISP default (i.e. not define a DNS server). I might help if people can let TV know the following when reporting this.

ISP (i.e. TRUE, CAT, 3BB)

DNS Server (if custom)

Browser type (i.e. iE, FF, Chrome, etc)

This might help identify the issue.

[Jayman]

When we click on the links from google we are 100% being taken to TVF before the hijack occurs that takes us to the url4short link.

I tend to agree that it's one of your advertisers that has been compromised and is causing the hijacking.

As you can see from the logs I posted above, I'm taken from google to TVF and then redirected to the malware link.

[Jayman]

Ok.. further testing shows me that the problem is javascript based. I can reproduce the redir hijack everytime and when I disable javascript in my browser then the hijack does not occur.

[Jayman]

I completely blocked wibya and the redir still happened.. Let me try ad.leadbolt.net and see what happens

[craigt3365]

I've been getting this also, but get the redirect from emails I receive in Yahoo! mail in FF for new topics in forums I'm following. When I click on the TVF link for the topic, I get the redirect page the first time, but not the second. I have bitdefender installed and up to date, no virus alerts or anything. I've just upped the level of protection to the highest.

[Jayman]

It seems the payload had been removed so no one is getting infected but the source of the redirect still needs to be determined and shut down.

[andrew]

^ Interested in andrews response.

The guy was part correct and part wrong.

I'll send him a PM to clarify things.

[draftvader]

^ Interested in andrews response.

The guy was part correct and part wrong.

I'll send him a PM to clarify things.

Please help if you can. Your opinion on what is programming (agreed, it isn't BASIC, COBOL or C) is valid in one light, but for the internet the languages I mentioned underpin the larger percentage of website design and realisation, much to Microsoft's chagrin. This was not about your view on programming, but about a number of people trying to get to the bottom of a problem that could have damaging consequences to TV posters. If you have something to add then jump right in, a number of us worked on through Christmas to try and help out, it would have been good to have more experienced hands on deck. There is no way any one person knows everything about the internet and computers, though some would like to think so. It is just that these are problems that I have to deal with from time to time, so my thinking processes tend towards solving them.

Please do not PM me with passive/aggressive messages. I would rather not block you (to date I have only blocked one person and I really don't miss them. I have seen valuable contributions from you so I don't want to miss out on that) as I don't want to remove the open feel of this forum.

Thanks.

Edited December 26, 2012 by draftvader

[Jayman]

Whatever was causing the page hijack seems to have been stopped as I'm no longer able to reproduce it.

Does anyone else still have this problem? Was it TVF that sorted the problem or was ot the advertiser that was compromised that finally sorted it?

Would be very interested to know who the culprit in all this was.

[somchaismith]

If a punter trys to get to the TV 'forum' via google, using internet explorer. One is redirected to a site called tinyurl.com.

[Jayman]

If a punter trys to get to the TV 'forum' via google, using internet explorer. One is redirected to a site called tinyurl.com.

Are you sure about that? You would be now reporting a new hijack if what you say is true.

[RedCardinal]

Just happened again now. It looks very much like TV is loading, so the redirect is likely coming from something loaded by the page. Whether injected by ISP or otherwise its very annoying.

Sent from my Nexus 7 using Thaivisa Connect App

[nokbird]

Whatever was causing the page hijack seems to have been stopped as I'm no longer able to reproduce it.

Does anyone else still have this problem? Was it TVF that sorted the problem or was ot the advertiser that was compromised that finally sorted it?

Would be very interested to know who the culprit in all this was.

Nope - Still happening dam_n it.

[Jayman]

dam_n.. it is still happening.. when I was looking into it again yesterday and posted it seemed to have stopped but it's definitely happening again now and to the exact same url4short address.

[jpinx]

Yep - still happening but not *every* time.

I reckon it's a question of whch ads happen to be loaded when you do the click-thru

[metisdead]

A post containing an overly large screen shot of data has been removed as it was messing up the page formatting.

[Jayman]

well, I have had some much more knowledgeable folks than I look at the problem and they say your site has been hacked 100%. They also gave we a way to stop the redir using software I have that we are forbidden by forum rules to discuss.

My filter match - Replace text: |document.location="http://url4short.info/bc675f2f"| [http://www.thaivisa....36beceaf2&g=js]

They told me the problem is a simple text search and replace function that is happening on your site.

Here is the line that needs to be removed from TVF

<script type='text/javascript' src='http://www.thaivisa.com/forum/index.php?ipbv=fb1e456bf3ebbbe8ca294c236beceaf2&g=js'></script>

that alone is responsible

Since I'm now able to block it on my end.. I'll stop working on this and leave it to the site admins to sort it.

Edited December 27, 2012 by Jayman

[fasteddie]

still happening, just first click on any tv link then after ok.

Edited December 27, 2012 by fasteddie