aris (Posted January 5, 2013):
I will PM you an HTTP trace of the issue - might help you track down which bit of code on your site is compromised.

aris (Posted January 5, 2013):
http://www.tackleunderground.com/community/index.php?/topic/25612-re-directed-from-tu-site/
Similar issue - also on IP.board - so you may want to concentrate your efforts there. Note that it does not re-direct every time you search from Google - it is either random, or on some sort of timer to prevent people from constantly being re-directed (presumably so that the trojan stays around longer).

aris (Posted January 5, 2013):
Looks like some JavaScript may have been inserted somewhere in ipboard to do random redirects but only when the HTTP referer is not pigeonwatch.co.uk. Crafty!

Gee. (Posted January 5, 2013):
> I've had that url4short.info page several times - usually when following a link from a Google search leading to pigeonwatch.co.uk.
Ditto, only off Google search tho.

reddan (Posted January 5, 2013):
Managed to resolve my 401 unauthorised when opening a browser. However, I just clicked on the email link to bring me to the latest posts in this thread and got the same ad site again.

Teal (Posted January 5, 2013):
Thanks for the information guys - great detective work - yes, it seems when a link from Google to a page on the forums is clicked it delivers this problem. I am urgently looking into this and will let you know when it is resolved. Thanks again for bringing it to our attention.

RED BEARD (Posted January 5, 2013):
> I get stuff pop up if Google searching it. First happened on my dad's computer and accused him of looking at stuff he shouldn't. I now get it on mine.
So you're as dirty as the old fella then.

reddan (Posted January 5, 2013):
Thanks Teal. Just to be clear, I am getting it from the link in the reply notification emails, not Google.
dan

aris (Posted January 5, 2013):
> Thanks Teal. Just to be clear, I am getting it from the link in the reply notification emails, not Google.
> dan
I suspect the trojan looks at the HTTP referrer (basically the site of the link you clicked on) - if it is not pigeonwatch.co.uk, then you (possibly randomly) see the redirect to the spam ads.

reddan (Posted January 5, 2013):
That makes sense.

Teal (Posted January 6, 2013):
You guys are right, it's a sneaky little code insertion that redirects to url4short.info for example when a link is clicked and the referrer is a search engine Google. Which is exactly why we couldn't replicate it at our end to find out what you guys were experiencing. I think that I have resolved it now - but please try and let me know.

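A way for a site owner to reproduce the behaviour described in this thread, as an added example that is not part of any post: request the page repeatedly with different Referer headers and report off-site redirect targets. `fake_fetch`, `ads.example` and all function names are constructed for illustration; `http_fetch` is the live equivalent, and the body check is a heuristic that only sees redirects present in the raw response.

```python
import itertools
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Heuristic: meta refresh or script-assigned location in the raw body.
BODY_REDIRECT = re.compile(
    r'''(?:url\s*=|location(?:\.href)?\s*=|location\.replace\()\s*["']?(https?://[^"'\s>)]+)''', re.I)

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them

def http_fetch(url, referer):
    """Live fetch with a chosen Referer; returns (status, Location, body)."""
    req = urllib.request.Request(url, headers={"Referer": referer})
    try:
        resp = urllib.request.build_opener(NoFollow).open(req, timeout=10)
    except urllib.error.HTTPError as err:  # an unfollowed 3xx is raised as HTTPError
        resp = err
    return resp.code, resp.headers.get("Location", ""), resp.read().decode("utf-8", "replace")

def offsite_targets(site_host, location, body):
    """Hosts of redirect targets that are not site_host or one of its subdomains."""
    targets = ([location] if location else []) + BODY_REDIRECT.findall(body)
    hosts = {(urlparse(t).hostname or "").lower() for t in targets}
    return sorted(h for h in hosts if h and h != site_host and not h.endswith("." + site_host))

def probe(fetch, url, site_host, referers, attempts=10):
    """Repeat the request per Referer, since the thread reports the redirect is intermittent."""
    findings = {}
    for referer in referers:
        hits = set()
        for _ in range(attempts):
            _status, location, body = fetch(url, referer)
            hits.update(offsite_targets(site_host, location, body))
        findings[referer] = sorted(hits)
    return findings

_foreign_hits = itertools.count(1)
def fake_fetch(url, referer):
    """Constructed stand-in for the affected page: off-site 302 on every 3rd foreign-Referer request."""
    if "pigeonwatch.co.uk" not in referer and next(_foreign_hits) % 3 == 0:
        return 302, "http://ads.example/landing", ""
    return 200, "", "<html>forum page</html>"

if __name__ == "__main__":
    refs = ["https://www.google.com/search?q=pigeon+watch", "http://www.pigeonwatch.co.uk/forums/"]
    print(probe(fake_fetch, "http://www.pigeonwatch.co.uk/forums/", "pigeonwatch.co.uk", refs))
```

Pass `http_fetch` instead of `fake_fetch` to run the same probe against a site you administer.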
aris (Posted January 6, 2013):
You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.

reddan (Posted January 6, 2013):
> You guys are right, it's a sneaky little code insertion that redirects to url4short.info for example when a link is clicked and the referrer is a search engine Google. Which is exactly why we couldn't replicate it at our end to find out what you guys were experiencing. I think that I have resolved it now - but please try and let me know.
I have restarted my machine and clicked on the link in a new browser > no redirect so that points to it being fixed. I guess now the question is how it got there. Maybe a cross site scripting weakness, ftp or cp compromise?

Teal (Posted January 6, 2013):
> You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.
Should have said the gap in Invision should be closed but just wanted to confirm that the re-direct has gone. Invision released a security patch about a week ago and I installed it pretty pretty but seems like the code insert happened just before the patch was applied. I'll definitely keep a close eye on things in case there is something else going on. Thanks for checking into it reddan - appreciated.

reddan (Posted January 6, 2013):
> You need to plug the vulnerability which allowed them to insert that code in the first place, or it will be back.
We had a similar thing on the website my brother-in-law runs this week. A Blackhole exploit kit. Found loads of JS that had been added in. I overwrote the files and contacted host but it was hard to work out where it had come from. Just changed and strengthened all the log in credentials in the end. FTP was my bet, it was a little weak. Daily checking shows it hasn't come back. Apparently it's the fastest growing exploit at the moment.
Dan

aris (Posted January 10, 2013):
I got re-directed again - not seen this since you last fixed it. Have you been re-infected? I clicked on a thread update link from e-mail.

Mangled99 (Posted January 10, 2013):
It's still there and has been for some weeks. It redirects you to URL4Short.info. It's easy to detect: just search on Google for pigeon watch and keep clicking the links, it will eventually redirect you.

Mangled99 (Posted January 10, 2013):
Some info on it here: http://www.austinreefclub.com/topic/24906-anyone-else-getting-redirected-to-url4short-addresses/

aris (Posted January 11, 2013):
I'm still getting this.

aris (Posted January 14, 2013):
Still getting this occasionally.

Cranfield (Posted January 14, 2013):
We are back in discussion with IP Board about this problem, they assured us it was fixed, but we are aware that there are still random instances of it recurring.