Forums hacked?



L'irlandais
01-01-17, 22:01
I have been redirected to a malware site when attempting to log in on RRF.
For a while I thought my laptop was infected. However, it appears that is probably not the case.
Anybody else been having trouble?

Lots of advice available online, on the vbulletin website for example
...fs72 malware supposedly only executes when someone comes from a search engine ... it may have infected your datastore cache. ....Check all of your plugins and hooks and I recommend overwriting all vbulletin files with fresh files downloaded from vbulletin.com.

Thanks.

Lee Lifeson-Peart
01-01-17, 22:01
No issues here.

Ian_Cook
01-01-17, 23:01
No trouble here.

I have checked both the site Login and Homepage for incursions and have found nothing.

Sounds to me like malware has hijacked your browser. Try accessing from a different computer and/or using a different browser.

UPDATE

There is a problem when you try to log in from a link provided by Google. If you open a Google page, type in "rugbyrefs.com" and click search, the first result has a warning that "The site has been hacked"

I'll try to contact Robbie as I think he is the only Admin who can fix this


UPDATE 2

When you try to log in you get redirected to a malware page "fs72". This only happens if you are LOGGED OUT when clicking on the Google search result. If you are permanently LOGGED IN, you don't get redirected and you go straight to the forum without any problem.

IMPORTANT

Anyone who has ended up being redirected to the fs72 website should take the following steps ASAP.

1. Update your Adobe Flash Player to the latest version.

2. Delete your internet cache and your browser history.

L'irlandais
02-01-17, 08:01
Cheers Ian,
I only realized when I started using my mini iPad to login. It seems the redirect is only when I use google to find the website. On my PC I didn't notice it.
I will do as you suggest for flash player and browser history.

[strikethrough]What's internet cache and how do I delete it?[/strikethrough]
Strike that, I found how to clear the cache under settings.

L'irlandais
02-01-17, 09:01
Found how to do strike out.
What's internet cache and how do I delete it?

Presumably the would-be hacker could see forum activity?
Definition of a hacker: Billy no mates who can write a bit of code, sad individuals who give little thought to the inconvenience they cause others. Remember this, hacker matey: one day soon the anonymity will be gone, and we will be able to knock on your front door for a face to face. You may yet live to regret your foolishness, thinking you could hide behind IP addresses.

crossref
02-01-17, 10:01
If anyone has encountered this, it sounds like they have revealed their rugbyrefs.com username and password.

no big deal -- unless you use the same username and password on other sites...

Ian_Cook
02-01-17, 11:01
Robbie has fixed the problem with vBulletin and has applied to Google for a change in status


If anyone has encountered this, it sounds like they have revealed their rugbyrefs.com username and password.

no big deal -- unless you use the same username and password on other sites...

No. There have been no passwords compromised. The redirect happens before the login attempt. This redirect malware (DDS Redirect) is designed to drive business to the perpetrator's file hosting service.

Usernames can't be compromised since, on this site, your login name is also your public username; anyone can see your username.

If you are worried about your password security, just change it:

Settings > My Account > Edit Email & Password

Taff
02-01-17, 11:01
.... This redirect malware (DDS Redirect) is designed to drive business to the perpetrator's file hosting service.
So you know who the sod is?

Ian_Cook
02-01-17, 11:01
So you know who the sod is?


Whoever owns the dodgy website

OB..
02-01-17, 12:01
Thanks for all that, Ian.

didds
02-01-17, 15:01
whois lookup

doesn't show any identification details.

It's registered via a company in Arizona, but TBH that means nothing.

Its IP is 66.199.231.59, which appears to be located in Bleford, New Jersey. That may not be definitive either, but merely a front end/reverse proxy arrangement intended to obfuscate.

didds

leaguerefaus
02-01-17, 19:01
If Russia all of a sudden start taking Rugby seriously, I have a good idea who might be behind this...

L'irlandais
11-01-17, 21:01
So was the forum going down today related to this hack in any way?

Balones
11-01-17, 22:01
Some of my links are now going to FS72. Particularly historic links to other threads.

L'irlandais
11-01-17, 22:01
vbulletin problem has been around for a while now. Admin are aware.

L'irlandais
18-01-17, 15:01
:sad: Sorry to be the bearer of bad news, only FS72 redirect is redirecting again.

L'irlandais
30-01-17, 14:01
Robbie has fixed the problem with vBulletin and has applied to Google for a change in status...

Ian,
Can somebody inform Robbie's mate that the quick fix worked for a short time only, but now we are in need of a lasting solution, which presumably takes a bit longer to implement.

Ian_Cook
30-01-17, 18:01
Tell me what happens with the following

1. When you physically type "www.rugbyrefs.com" into the address bar of your browser and hit ENTER.

2. When you click on this link - http://www.rugbyrefs.com

3. When you click on this link - https://www.google.co.nz/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjpwJDYtOrRAhVFF5QKHVMjCoUQFggYMAA&url=http%3A%2F%2Fwww.rugbyrefs.com%2F&usg=AFQjCNH-IDC7Xc_8MpFHdspWWT1MgLUFEQ&sig2=QnkFLxvcWRAHIK8p_5CgbA

4. When you type "rugbyrefs" into a Google search and click on the top result (see attached file)

https://dl.dropboxusercontent.com/u/98915197/RugbyRefs/Hacked.png

If any of the above takes you to the "FS72" redirect page, clear your cookies and your cache from your browser history, restart your browser and try again.

Tell me what the circumstances are that lead you to the redirect page.

crossref
30-01-17, 19:01
for me
typing [rugbyrefs.com] into google search bar, and clicking the first link is a re-direct

https://www.google.co.uk/?gws_rd=ssl#q=rugbyrefs.com

Ian_Cook
30-01-17, 20:01
for me
typing [rugbyrefs.com] into google search bar, and clicking the first link is a re-direct

https://www.google.co.uk/?gws_rd=ssl#q=rugbyrefs.com


Try right clicking on that first link, and opening the page in a new tab. What happens?

didds
30-01-17, 23:01
Interesting... 1) I tried in a cache-cleared etc. Firefox browser (I normally use Opera when reading this forum) - all OK.

then the others I did in my normal opera browser... the FIRST time I clicked on number 3, I got that FS72 page. But subsequent clicks in that number 3 link were fine.

Then I tried the URL in 3) (right click, copy link address, then pasted into the FF bar): I get FS72. Second time I try it (no cache clear), it's fine.

didds

Ian_Cook
31-01-17, 00:01
Interesting... 1) I tried in a cache-cleared etc. Firefox browser (I normally use Opera when reading this forum) - all OK.

then the others I did in my normal opera browser... the FIRST time I clicked on number 3, I got that FS72 page. But subsequent clicks in that number 3 link were fine.

Then I tried the URL in 3) (right click, copy link address, then pasted into the FF bar): I get FS72. Second time I try it (no cache clear), it's fine.

didds

OK, so what is happening there is that the initial page is loading from the cache, not from rugbyrefs.com. Your browser is "remembering" what was loaded last time you asked and is reloading it rather than referencing the actual page you are wanting, because it sees that the page has not changed since the last time. Loading it again, or loading it in a new tab, can sometimes force the browser to go fetch the actual page, and this refreshes its cache.

This website will explain it better than I can.

http://www.ghacks.net/2014/08/11/find-out-if-websites-get-loaded-from-cache-and-how-to-force-reloads/

SimonSmith
31-01-17, 00:01
(Ian - thanks for dealing with this in as much detail as you are. I'm not sure how many of the Mods could help in this way. Cheers - Simon)

Ian_Cook
31-01-17, 02:01
(Ian - thanks for dealing with this in as much detail as you are. I'm not sure how many of the Mods could help in this way. Cheers - Simon)

No problemo!

L'irlandais
01-02-17, 09:02
Tell me what happens with the following...
...
4. When you type "rugbyrefs" into a Google search and click on he top result (see attached file)
...
Tell me what the circumstances are that lead you to the redirect page.

Hello Ian,
Thanks for the detailed reply.
As you suggested 4 weeks ago, I updated my device (Adobe Flash Player, etc.). I also cleared the cache, then rebooted my device. (Each time I close the browser it clears internet history, I believe.) Following the forums going offline, everything went swimmingly, until about a week ago, when Google started redirecting me again.

Symptomatic:
When I google RRF, generally it offers me two choices, the front page and the forums page. Clicking on either of them, 7 times out of ten, redirects me to FS72, following which, clicking on the other, I can access the website.
Following the steps in your #18 (after clearing cache), only option 4 redirected me.
In my browser, previously visited links show in a different colour, so once cache has been cleared, a blue coloured link means not previously visited (i.e. not from cache, though I am no expert in that field).

:sad: To be honest, I'd be happy for it to be a problem with my browser, since the alternative sounds like a lot of work for you guys.

Balones
01-02-17, 10:02
I can concur that what L'irlandais outlines does happen. It does not happen when I use my bookmarked home page. Only when you go through Google (and IE) does it happen. Tried on other devices and it usually happens but not always.

didds
01-02-17, 10:02
OK, so what is happening there is that the initial page is loading from the cache, not from rugbyrefs.com. Your browser is "remembering" what was loaded last time you asked and is reloading it rather than referencing the actual page you are wanting, because it sees that the page has not changed since the last time. Loading it again, or loading it in a new tab, can sometimes force the browser to go fetch the actual page, and this refreshes its cache.

This website will explain it better than I can.

http://www.ghacks.net/2014/08/11/find-out-if-websites-get-loaded-from-cache-and-how-to-force-reloads/

Yup - I get all that (it's sort of my job as well, how lucky am I?!)

but that doesn't explain why if you clean your cache etc etc etc (shift-ctrl-delete, select everything and tick all the boxes then click OK, restart the browser - which is also non-proxied) and load

then the FIRST hit is FS72, but subsequent ones (which now have that FS72 in its cache etc) then load the proper page.

So the actions seen actually are in reverse to what would be expected if anything.

didds

Flish
01-02-17, 21:02
This is complex, but basically at some point a vulnerability has compromised the site and allowed code to be injected server-side into the PHP scripts that power the site.

The injected code has some logic that says 'if the visitor has come from a search engine and this is their first visit, then inject this JavaScript code into the page' - the injected code redirects us to the dodgy site, and is why we can't see it by viewing source and most of us are unaware, but if you kill cookies and run a script to capture output by pretending to have been referred by Google you can capture the code.

The fix is for the site owners server-side: the vulnerability needs fixing and the PHP scripts cleaned up. Good news is it's fairly obvious to a capable dev what the dodgy code is; bad news is it could have been injected into hundreds of files. *Sometimes* you can automate cleanup, but it will happen again if you don't fix the entry point.

Not sure who to signpost this to, but happy to help if someone reaches out.
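
An added example of the capture Flish describes (my own code, not code from this thread, from vBulletin or from rugbyrefs.com): fetch the page with no cookies, once plainly and once claiming a search-engine Referer, and report inline script blocks that only the referred request receives and that look like a redirect. The URL and the Referer value are placeholders, and the redirect heuristic is an assumption to tune for the site being checked.

```python
"""Added example (not from this thread, vBulletin or rugbyrefs.com): detect a
referer/first-visit conditional redirect injection by comparing the page
served to a plain cookie-less request with the page served to a cookie-less
request that claims a search-engine Referer. URL and Referer strings are
constructed placeholders."""
import re
import urllib.request

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Assumed heuristic for JavaScript that sends the browser elsewhere; tune per site.
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)?\.?location(?:\.href|\.replace|\.assign)?\s*[=(]",
    re.I,
)

def fetch_variant(url, referer=None, timeout=15):
    """Fetch url without any cookie jar (so the server sees a first visit),
    optionally presenting a Referer as a search-engine click-through would."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def script_blocks(html):
    """Bodies of inline <script> elements, whitespace-normalised for comparison."""
    return [" ".join(body.split()) for body in SCRIPT_RE.findall(html)]

def injected_scripts(baseline_html, referred_html):
    """Scripts served only to the search-engine-referred, cookie-less request."""
    baseline = set(script_blocks(baseline_html))
    return [s for s in script_blocks(referred_html) if s not in baseline]

def suspicious_redirects(baseline_html, referred_html):
    """Narrow the injected scripts down to those that look like a redirect."""
    return [s for s in injected_scripts(baseline_html, referred_html)
            if REDIRECT_RE.search(s)]

def check_site(url, referer="https://www.google.com/"):
    """Run both fetches against a live site and return the suspect script bodies."""
    return suspicious_redirects(fetch_variant(url), fetch_variant(url, referer))

if __name__ == "__main__":
    for body in check_site("http://example.invalid/"):  # placeholder URL
        print("injected redirect:", body[:200])
```

Run it from a machine that has not visited the site, and repeat after cleanup; an empty result from the referred request is the state Robert describes after the upgrade.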

Robert Burns
02-02-17, 04:02
Hi all,

Apologies for that, but hopefully it is now all resolved.

cPanel upgraded
LiteSpeed server upgraded
PHP upgraded.
Site software upgraded
All server side passwords have been changed.

So hopefully we are all back to normal. If anyone sees anything dodgy, feel free to report it. The Mods all have my email address.

I can confirm it was a redirect file in the structure not an SQL injection, still not sure how they got it in the file structure, but it's gone now. You'll see that all references to the file name have been changed, I then downloaded a dump of the database and did a search, so I know we were not infected database side.

I've done a google search and clicked all the links and only come here. I urge all members to clear their cache on their browsers.

If you want to be belt & braces safe a password change is never a bad thing, though as I said before, I am content that they did not breach the database, and so no information was lost.

Once again, apologies for the inconvenience.

Flish
02-02-17, 07:02
Had a quick look and yes, that looks to clear it up. Can confirm in my experience these redirect injections are automated and opportunist (no skill involved) and the purpose is to redirect to some end game. I've never yet seen one that actually involved any user data compromise or anything malicious, just annoying (and all a bit pointless IMO!)