
Possible Hack


RedCardinal


still happening, just first click on any tv link then after ok.

...and seemingly only happens when you have the

index.php?ipbv=fb1e456bf3ebbbe8ca294c236beceaf2&g=js

call on the URL. When googling for the

fb1e456bf3ebbbe8ca294c236beceaf2

section I am taken to the script responsible for the "pop-up" when hovering over a username or this thread. I have had a quick read through the script and can see the only URL calls in the script are pointing to the script author's forum. People have mentioned that this has happened to other forums, can we see whether they use the same pop-up code?


well, I have had some much more knowledgeable folks than I look at the problem and they say your site has been hacked 100%. They also gave me a way to stop the redir using software I have that we are forbidden by forum rules to discuss.

My filter match - Replace text: |document.location="http://url4short.info/bc675f2f"| [http://www.thaivisa....36beceaf2&g=js]

They told me the problem is a simple text search and replace function that is happening on your site.

Here is the line that needs to be removed from TVF

<script type='text/javascript' src='http://www.thaivisa.com/forum/index.php?ipbv=fb1e456bf3ebbbe8ca294c236beceaf2&g=js'></script>

that alone is responsible

Since I'm now able to block it on my end.. I'll stop working on this and leave it to the site admins to sort it.

Any possibility of a quick how-to on how to block it? I use firefox with noscripts and ghostery. tia :)


Any discussion of such things is against forum rules.. sorry.

All I can say is that to block this redir I have a filter setup to block

thaivisa.com/forum/index.php?ipbv=

Edited by Jayman
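
The filter match quoted above keys on a document.location assignment inside the script response. As an added example (not code from the thread or from the forum software), the same check can be run on a saved copy of that response: list every top-level navigation whose target is a string literal pointing away from the site. The function name, the host allowlist and the sample lines around the quoted redirect are assumptions made for illustration.

```javascript
// Added example, not code from the thread. SAMPLE_* inputs are constructed:
// only the redirect statement on line 2 of SAMPLE_INFECTED is quoted from the posts.
const SAMPLE_INFECTED = [
  'var ipb = { hoverCard: function (id) { return "card-" + id; } };',
  'document.location="http://url4short.info/bc675f2f"',
  'ipb.ready = true;',
].join("\n");

const SAMPLE_CLEAN = [
  'var ipb = { hoverCard: function (id) { return "card-" + id; } };',
  'window.location.href = "http://www.thaivisa.com/forum/index.php?showtopic=1";',
  'location.replace("/forum/index.php?act=idx");',
].join("\n");

// Matches an assignment to a location object (optionally .href), or a call to
// location.assign()/replace(), where the target is a quoted string literal.
const NAV_PATTERN =
  /\b(?:(?:document|window|top|self|parent)\s*\.\s*)?location(?:\s*\.\s*href)?\s*(?:=(?!=)|\.\s*(?:assign|replace)\s*\()\s*(["'])(.*?)\1/g;

// Returns one finding per navigation whose resolved host is not in allowedHosts.
function findOffsiteRedirects(source, baseUrl, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const m of source.matchAll(NAV_PATTERN)) {
    let target;
    try {
      target = new URL(m[2], baseUrl); // relative and //host targets resolve here
    } catch {
      continue; // literal is not a parseable URL
    }
    if (!/^https?:$/.test(target.protocol)) continue;
    if (allowed.has(target.hostname)) continue;
    const line = source.slice(0, m.index).split("\n").length; // 1-based line number
    findings.push({ line, host: target.hostname, url: target.href });
  }
  return findings;
}

console.log(
  findOffsiteRedirects(SAMPLE_INFECTED, "http://www.thaivisa.com/forum/", ["www.thaivisa.com"])
);
```

This only sees targets written as plain string literals; a script that builds the URL at run time needs a diff against a known-good copy of the file instead.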

If a punter tries to get to the TV 'forum' via google, using internet explorer, one is redirected to a site called tinyurl.com.

Are you sure about that? You would be now reporting a new hijack if what you say is true.

Yes, I'm sure. It also happens using FF. Although, I got the url wrong. It's url4short.com or something similar.


I had a similar issue this morning coming in from Google using the search term : Thai Visa forum

The only time I have ever had that.

When I clicked on http://www.thaivisa.com/forum in Google it took me to a website that appeared to be in Chinese and red color and appeared to have many ads on it. (I do not see it in the history of Chrome)

On my second attempt it took me to //deleted bad link// (just dragged it out of the history)

3rd attempt I got the TV forum page about 8am BKK time this morning.

Using chrome, Win7 via 3BB.

I have www.google.com/ncr set to my home page in Chrome that diverts to https://www.google.com/ for the search.

Hope that helps someone !

I just did the same search and the first attempt went to the url4short page.

Just got the same redirect on clicking on a Google search result for the Thaivisa forum. Reading some articles on this, would seem the forum software/server has been hacked through some exploit.


By any chance is TVF using the vbulletin server software? If so, I believe I found the way to remove the infection from your server. Feel free to PM me if you want to discuss it.

Compromised server software would explain our inability to pin this down. It does happen so early in the serving process AND doesn't happen every time the site is accessed. If this were a compromised header call then some people would see it every time they moved to a new page within the site. It does behave like a cookie:

Have I been seen by this address within the last x minutes?

No, then here I am.


We have applied a security patch. Issue should be resolved by now.

With complete respect to your online presence (i.e. please pm if you feel this is too sensitive), and now knowing that this is a GPL (General Public Licence) issue related to 3rd party software, can we get an idea of how close we were. It is difficult to know when you don't have all the buttons to press and I know that myself and Jayman have been endlessly bothered by this over Christmas. Call it our Christmas present from TV :)

My bet was on the javascript application used to provide the pop-ups for user profiles being compromised and the developer being out of contact for the Christmas period (nice timing from the script kiddie...wonder what they got out of it..)


You can peek at the IPB board patches here = http://community.invisionpower.com/topic/375885-ipboard-31x-32x-33x-34x-critical-security-update/


This info is the only official info we got:

http://community.inv...ecurity-update/

The patch was tested and applied this morning.
