Suspect page


Avengers7
There was some trouble earlier with the LFACC page, and I guess that's why Norton marked the page. This should fix itself when they do the next update, but I'll pass it on.

EDIT: Got it confirmed, this will pass next time Norton makes a scan.

Edited by Queen_Sindel
Link to comment

  • 2 weeks later...

We have to wait until Norton scans the page anew. As stated above, there is nothing we can do about this, sorry. I don't know what pages you are looking at here, but so far there have been no other trouble reports. I have Norton on one of the computers I'm using and I definitely do not get any suspect page warnings.

Link to comment

  • 2 weeks later...

Sheffield *forum* part or Sheffield event website? You were always speaking of the forum, but that now sounds like you mean the event website.

 

No one else has reported problems with either one. I just tried myself - with Norton - and I am not getting a warning. Maybe it's an issue with your computer.

Link to comment

I'm getting some errors when I access through work. I always google Showmasters Forums, the first link that I click (the forum index), redirects me to a filestore321.com/download.php?id=96b3a580 pop up dodgy looking page.

 

If I click the second link (which goes to the LFCC '14 forum) it works okay.

 

Thought I'd mention it in case it helps at all :smile:

 

 

ETA: Just checked it, and that dodgy redirect website comes up whichever link I click first

Edited by Tourniquet
Link to comment

That part should be fixed now - if you clean cache and cookies the problem should go away.

 

It's been reported to Invision, unfortunately this is something we can only fix temporarily. The final fix needs to come from them. If it shows up again post here or let me know by e-mail (address is in my profile) and I'll get the temporary fix done again.

 

Avengers, if you clean cache and cookies this should mean your error should disappear too. If it doesn't I need a clear description of what's happening please. I can't really determine what's going on from your prior posts.

 

If you're really getting pop ups this is not caused by the error that's now been fixed and there's been nothing found that would make pop ups appear. I recommend you run a virus scan and then get Adblock or a similar programme, depending on what browser you are using.

Link to comment

Instead of making a new thread I'll just reply here.

 

On some occasions, when I search for 'Showmasters forums' on Google and click on the first link, I am greeted by an adult website showing a naked woman.

 

When I click back onto the link from Google it directs me to the correct page (forums).

 

Is anyone else getting this?

 

This just happened whilst I'm at work. :eek:

 

 

EDIT: I think you guys were talking about the same thing.

Edited by Graphic_Delusions
Link to comment

That's the issue that we thought we had temporarily fixed and which needs a final fix by Invision. Though the sites showing up so far were not adult pages, so you got especially unlucky there. There's been the site Tourniquet mentioned and I ended up on a site promoting hair extensions myself.

 

Am I understanding you correctly, this happened again today? I'll see that I get the fix applied again. My apologies, we really thought it would last a little longer than 2.5 days. >< Unfortunately Invision isn't quite putting a lot of priority on this problem.

 

Adblock seems to help, I don't know if that's an option for your computer.

Link to comment

Yeah, this happened today at just before the time I posted my reply (12.30pm).

 

To be honest, I have never seen any other page other than the adult/naked one. This also happened last weekend at a friend's house when I wanted to show them these forums.

 

Quite embarrassing having to explain to them that I wasn't accessing any naughty websites :laugh:

Edited by Graphic_Delusions
Link to comment

These two webpages might be of interest to you guys, it explains what is happening and how to remove it.

 

http://blog.sucuri.net/2015/02/analyzing-malicious-redirects-in-the-ip-board-cms.html?

http://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/

 

It is also a known problem for a number of years across different forums and CMS.

 

But very briefly what is happening, is that when you are accessing the board it is executing a bit of coding to redirect you to another website. At the same time it sets a cookie on your computer for X time. After that initial redirect, when you next access the board on the same computer it will not redirect you but keep you on the board. If you access the website from another computer, it will automatically redirect you.

 

cap

Link to comment
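
The behaviour described in the post above (redirect only for a visitor who has no cookie yet) can be confirmed by comparing two saved responses for the same page. This is an added example, not part of the original thread; the host names, the response dictionaries and both function names are constructed for illustration, and it assumes the two responses were saved beforehand (one fetched with an empty cookie jar and a search-engine Referer, one fetched with the cookie present).

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)

def external_hosts(response, own_host):
    """Hosts referenced by one response (Location header plus URLs in the
    body) that are neither own_host nor one of its subdomains."""
    urls = URL_RE.findall(response.get("body", ""))
    if response.get("location"):
        urls.append(response["location"])
    hosts = {urlparse(u).hostname for u in urls}
    return {h for h in hosts
            if h and h != own_host and not h.endswith("." + own_host)}

def first_visit_only_hosts(first_visit, return_visit, own_host):
    """Hosts served only to the cookieless visitor: candidates for the
    injected redirect target. Hosts present in both responses (analytics,
    CDNs) cancel out."""
    return sorted(external_hosts(first_visit, own_host)
                  - external_hosts(return_visit, own_host))

# Constructed sample responses (not captured from any real forum).
FIRST_VISIT = {
    "location": None,
    "body": '<script src="http://cdn.forum.example/app.js"></script>'
            '<script src="http://stats.example.org/s.js"></script>'
            '<script>window.location="http://landing.example.net/go?id=1"</script>',
}
RETURN_VISIT = {
    "location": None,
    "body": '<script src="http://cdn.forum.example/app.js"></script>'
            '<script src="http://stats.example.org/s.js"></script>',
}

if __name__ == "__main__":
    print(first_visit_only_hosts(FIRST_VISIT, RETURN_VISIT, "forum.example"))
```

An empty result after a skin reset, repeated over a few days, is a quick way to tell whether the injection has come back before members report it.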

Thank you for the links. Yes, that's the problem. We keep resetting the skins, but it keeps coming back. We don't know why they are targeting us. Until Invision provides a permanent fix (and the date of those articles again confirms they are in no hurry) the only thing we can do is keep deleting.

Link to comment

It could be a number of things, somebody has uploaded a PHP file to the server that is run remotely or on a cron. Somebody got or had access to the ACP etc.

 

Things I would consider, firstly move the ACP out of the default folder. There is a configurable option to tell the board where the ACP is located. So if you move the folder, the board is still able to access it.

 

Consider having a two stage verification to the ACP if you haven't already done it. It is easy to set up and what it means is that if one of the admin accounts gets hacked they will still need to enter in another username/password to gain access to the ACP.

 

FTP into the server and check all the directories to see if there are any strange PHP files that shouldn't be there. If there are, remove them. There is a function within the ACP that lets you run a check for suspect files within the forum directories.

 

Inspect the server logs to see if you can narrow down the location of the PHP or the command that is being run to execute the PHP to update the skins. If you know the rough time that it happens at, it will narrow the search down.

 

Look at the plugins to make sure that there are none in there that you don't know about.

 

Check the taskings to see if anything is being run that it shouldn't be.

 

It might take a little while, but remember the famous saying:

 

 


Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth

 

cap

Link to comment
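
The log-inspection step from the post above, as an added example that is not part of the original thread: given the rough time the skin was found re-infected, it lists which clients sent successful POST requests to which PHP scripts in the window just before. It assumes Apache/nginx "combined" access-log format; the log lines, addresses, paths, timestamp and the function name are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Prefix of a "combined" access-log line (assumed log format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def posts_before(log_lines, reinfected_at, window_minutes=30):
    """Count 2xx/3xx POSTs to .php scripts in the window leading up to
    reinfected_at, grouped by (client IP, script path), busiest first."""
    start = reinfected_at - timedelta(minutes=window_minutes)
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"][0] not in "23":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.lower().endswith(".php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= reinfected_at:
            hits[(m["ip"], path)] += 1
    return hits.most_common()

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2015:12:05:10 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Mar/2015:12:21:44 +0000] "POST /uploads/cache_1.php HTTP/1.1" 200 17',
    '198.51.100.23 - - [01/Mar/2015:12:21:50 +0000] "POST /uploads/cache_1.php?x=1 HTTP/1.1" 200 17',
    '203.0.113.7 - - [01/Mar/2015:12:25:02 +0000] "POST /index.php?app=core HTTP/1.1" 302 0',
    '198.51.100.23 - - [01/Mar/2015:09:00:00 +0000] "POST /uploads/cache_1.php HTTP/1.1" 200 17',
]
REINFECTED_AT = datetime(2015, 3, 1, 12, 30, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for (ip, path), count in posts_before(SAMPLE_LOG, REINFECTED_AT):
        print(count, ip, path)
```

A PHP script receiving POSTs from inside an upload or cache directory, as in the constructed sample, is the kind of entry worth matching against the file listing and the ACP's suspect-file check.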

Excellent advice.

Most likely cause is suspect PHP files but would also check new or edited htaccess files as well.

Had a similar problem on another forum but was restricted to mobile devices only. Took an age to resolve.

 

Turns out that the redirect was used to increase the volume of traffic to other sites where a pay per click operation was in place.

Sending the unsuspecting to these sites generated revenue for the guilty party.

 

After extensive searching three or four offending files were found and removed but still the issue remained (some were very well hidden).

Our final solution was to delete core operating files on server - everything got deleted (database with actual forum content was unaffected so remained).

All passwords were then changed including FTP access.

Forum operating files then reloaded from a known clean version from backup.

All latest security patches installed.

That finally fixed it.

 

Advice then given to forum members to clear all caches and install and run malware protection programs.

 

Not had a problem since but was a proper pain so you have my every sympathy.

Link to comment