Trojan spyware on pigeonwatch?

[aris]

I will PM you an HTTP trace of the issue- might help you track down which bit of code on your site is compromised.

[aris]

http://www.tackleunderground.com/community/index.php?/topic/25612-re-directed-from-tu-site/

 

Similar issue - also on IP.board - so you may want to concentrate your efforts there.

 

Note that it does not re-direct every time you search from google - it is either random, or one some sort of timer to prevent people from constantly being re-directed (presimably so that the trojan stays around longer).

[aris]

Looks like some Javascript may have been inserted somewhere in ipbard to do random redirects but only when the http referer is not pigeonwatch.co.uk. Crafty!

[Gee.]

I've had that url4short.info page several times - usually when following a link from a google search leadding to pigeonwatch.co.uk.

 

Ditto, only off Google search tho.

[reddan]

Managed to resolve my 401 unauthorised when opening a browser. However, I just clicked on the email link to bring me to the latest posts in this thread and got the same ad site again.

[Teal]

Thanks for the information guys- great detective work - yes it seems when a link from Google to a page on the forums is clicked it delivers this problem. I am urgently looking into this and will let you know when it is resolved. Thanks again for bringing it to our attention

[RED BEARD]

I get stuff pop up if google searching it. First happened on my dads computer and accused him of looking at stuff he shouldnt. I now get it on mine.

so your as dirty as the old fella then

[reddan]

Thanks Teal. I just to be clear I am getting it from the link in the reply notification emails not Google.

 

dan

[aris]

Thanks Teal. I just to be clear I am getting it from the link in the reply notification emails not Google.

 

dan

 

I suspect the trojan looks at the http referrer (basically the site of the link you clicked on) - if it is not pigeonwatch.co.uk, then you (possibly randomly) see the redirect to the spam ads.

[reddan]

that makes sense.

[Teal]

You guys are right, it's a sneaky little code insertion that redirects to url4short.info for example when a link is clicked and the referrer is a search engine Google. Which is exactly why we couldn't replicate it at our end to find out what you guys were experiencing. I think that I have resolved it now - but please try and let me know,

[aris]

You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.

[reddan]

You guys are right, it's a sneaky little code insertion that redirects to url4short.info for example when a link is clicked and the referrer is a search engine Google. Which is exactly why we couldn't replicate it at our end to find out what you guys were experiencing. I think that I have resolved it now - but please try and let me know,

 

I have restarted my machine and clicked on the link in a new browser > no redirect so that points to it being fixed. I guess now the question is how it got there. Maybe a cross site scripting weakness, ftp or cp compromise?

[Teal]

You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.

Should have said the gap in Invision should be closed but just wanted to confirm that the re-direct has gone. Invision released a security patch about a week ago and I installed it pretty pretty but seems like the code insert happened just before the patch was applied. I'll definitely keep a close eye on things in case there is something else going on.

 

Thanks for checking into it reddan - appreciated

[reddan]

You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.

 

We had a similar thing on the website my brother in law runs this week. A Blackhole exploit kit. Found loads of JS that had been added in. I overworte the files and contacted host but it was hard to work out where it had come from. Just changed and strengthened all the log in credentials in the end. FTP was my bet, it was a little weak . Daily checking shows it hasn't come back. Apparently its the fastest growing exploit at the moment.

 

Dan

[aris]

I got re-directed again - not seen this since you last fixed it. Have you been re-infected? I clicked on a thread update link from e-mail.

[Mangled99]

It's still there and has been for some weeks it redirects you to URL4Short.info its easy to detect, just search on google for pigeon watch and keep clicking the links it will eventually redirect you.

[Mangled99]

Some info on it here

 

http://www.austinreefclub.com/topic/24906-anyone-else-getting-redirected-to-url4short-addresses/

[aris]

I'm still getting this.

[aris]

Still getting this occasionally.

[Cranfield]

We are back in discussion with IP Board about this problem, they assured us it was fixed, but we are aware that there are still random instances of it recurring.