
Trojan spyware on pigeonwatch?


goldeneye243

http://www.tackleunderground.com/community/index.php?/topic/25612-re-directed-from-tu-site/

 

Similar issue - also on IP.board - so you may want to concentrate your efforts there.

 

Note that it does not re-direct every time you search from Google - it is either random, or on some sort of timer to prevent people from constantly being re-directed (presumably so that the trojan stays around longer).

Link to comment
Share on other sites

Thanks for the information guys - great detective work - yes it seems when a link from Google to a page on the forums is clicked it delivers this problem. I am urgently looking into this and will let you know when it is resolved. Thanks again for bringing it to our attention.

Link to comment
Share on other sites

Thanks Teal. Just to be clear, I am getting it from the link in the reply notification emails, not Google.

 

dan

 

I suspect the trojan looks at the HTTP referrer (basically the site of the link you clicked on) - if it is not pigeonwatch.co.uk, then you (possibly randomly) see the redirect to the spam ads.

Link to comment
Share on other sites

You guys are right, it's a sneaky little code insertion that redirects to url4short.info for example when a link is clicked and the referrer is a search engine Google. Which is exactly why we couldn't replicate it at our end to find out what you guys were experiencing. I think that I have resolved it now - but please try and let me know.

Link to comment
Share on other sites

You guys are right, it's a sneaky little code insertion that redirects to url4short.info for example when a link is clicked and the referrer is a search engine Google. Which is exactly why we couldn't replicate it at our end to find out what you guys were experiencing. I think that I have resolved it now - but please try and let me know.

 

I have restarted my machine and clicked on the link in a new browser > no redirect so that points to it being fixed. I guess now the question is how it got there. Maybe a cross site scripting weakness, ftp or cp compromise?

Link to comment
Share on other sites

You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.

Should have said the gap in Invision should be closed but just wanted to confirm that the re-direct has gone. Invision released a security patch about a week ago and I installed it pretty pretty but seems like the code insert happened just before the patch was applied. I'll definitely keep a close eye on things in case there is something else going on.

 

Thanks for checking into it reddan - appreciated :good:

Link to comment
Share on other sites

You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.

 

We had a similar thing on the website my brother-in-law runs this week. A Blackhole exploit kit. Found loads of JS that had been added in. I overwrote the files and contacted host but it was hard to work out where it had come from. Just changed and strengthened all the log in credentials in the end. FTP was my bet, it was a little weak :blush:. Daily checking shows it hasn't come back. Apparently it's the fastest growing exploit at the moment.

 

Dan

Link to comment
Share on other sites
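Editor's added example, not code from any poster or from the forum software: a site owner's check that requests the same page with different Referer headers, several times each, and reports which referrers get sent off-site, which is how a redirect that never shows up when browsing from inside the site can be reproduced. It assumes the redirect is an HTTP 3xx with a Location header (a script-injected redirect would need the response body compared instead); `forum.example`, `redirect.example`, `webmail.example` and the simulated site are constructed stand-ins.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx surfaces as HTTPError below

def http_fetch(url, referer):
    """One live GET with a chosen Referer; returns (status, Location or None)."""
    req = urllib.request.Request(url, headers={"Referer": referer})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def offsite_redirects(fetch, url, referers, attempts=5):
    """Return {referer: set of off-site hosts that referer was redirected to}."""
    site = urlsplit(url).hostname
    findings = {}
    for referer in referers:
        for _ in range(attempts):  # repeat: the redirect did not fire on every visit
            status, location = fetch(url, referer)
            host = urlsplit(location or "").hostname
            if 300 <= status < 400 and host and host != site:
                findings.setdefault(referer, set()).add(host)
    return findings

def make_simulated_site(site):
    """Constructed stand-in: redirects every second request with an external Referer."""
    calls = {"n": 0}
    def fetch(url, referer):
        calls["n"] += 1
        if urlsplit(referer).hostname != site and calls["n"] % 2 == 0:
            return 302, "http://redirect.example/landing"
        return 200, None
    return fetch

# Constructed sample values; swap make_simulated_site() for http_fetch on your own site.
URL = "http://forum.example/topic/1"
REFERERS = [
    "http://forum.example/index.php",         # internal navigation (what an admin sees)
    "https://www.google.com/search?q=forum",  # search-engine click
    "https://webmail.example/inbox",          # link in a notification email
]

if __name__ == "__main__":
    found = offsite_redirects(make_simulated_site("forum.example"), URL, REFERERS)
    for ref, hosts in found.items():
        print(f"{ref} -> {sorted(hosts)}")
```

Run after a clean-up as well as before: an empty result across repeated attempts is the evidence that the inserted code is gone, not a single clean page load.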
