
Thread: Forums hacked?

      
  1. #21

    Resident Club Coach
    didds's Avatar

    Soc/Assoc
    N/A
    Grade
    Club Coach
    Join Date
    27 Jan 04
    Posts
    9,520
    Thanks (Received)
    58
    Likes (Received)
    885

    Re: Forums hacked?

    Interesting... 1) I tried in a cache-cleared etc. Firefox browser (I normally use Opera when reading this forum) - all OK.

    Then the others I did in my normal Opera browser... the FIRST time I clicked on number 3, I got that FS72 page. But subsequent clicks in that number 3 link were fine.

    Then I tried the URL in 3) (right click, copy link address then pasted into FF bar) I get FS72. Second time I try it (no cache clear, it's fine)

    didds
    Last edited by Robert Burns; 02-02-17 at 05:02.

  2. #22

    Referees in New Zealand
    Ian_Cook's Avatar

    Soc/Assoc
    Retired player and referee
    Grade
    Level 2
    Join Date
    12 Jul 05
    Posts
    13,195
    Thanks (Received)
    104
    Likes (Received)
    1422

    Re: Forums hacked?

    Quote Originally Posted by didds View Post
    Interesting... 1) I tried in a cache-cleared etc. Firefox browser (I normally use Opera when reading this forum) - all OK.

    Then the others I did in my normal Opera browser... the FIRST time I clicked on number 3, I got that FS72 page. But subsequent clicks in that number 3 link were fine.

    Then I tried the URL in 3) (right click, copy link address then pasted into FF bar) I get FS72. Second time I try it (no cache clear, it's fine)

    didds
    OK, so what is happening there is that the initial page is loading from the cache, not from rugbyrefs.com. Your browser is "remembering" what was loaded last time you asked and is reloading it rather than referencing the actual page you are wanting because it sees that the page has not changed since the last time. Loading it again, or loading it in a new tab can sometimes force the browser to go fetch the actual page, and this refreshes its cache.

    This website will explain it better than I can.

    http://www.ghacks.net/2014/08/11/fin...force-reloads/
    Last edited by Robert Burns; 02-02-17 at 05:02.
    "Never underestimate the power of the Internet to lend unwarranted credibility to the colossally misinformed"
    - Jay "Utah" Windley

  3. #23

    Referees in America
    Rank Bajin!
    SimonSmith's Avatar

    Soc/Assoc
    Virginia (USA)
    Grade
    B3
    Join Date
    27 Jan 04
    Posts
    8,332
    Thanks (Received)
    48
    Likes (Received)
    710

    Re: Forums hacked?

    (Ian - thanks for dealing with this in as much detail as you are. I'm not sure how many of the Mods could help in this way. Cheers - Simon)
    The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane.
    Marcus Aurelius

    Man may do as he will; he may not will what he wills
    Arthur Schopenhauer

    Tullamore Dew, the Afghan Wigs, and many, many strippers - how to get over your ex. How true.

  4. #24

    Referees in New Zealand
    Ian_Cook's Avatar

    Soc/Assoc
    Retired player and referee
    Grade
    Level 2
    Join Date
    12 Jul 05
    Posts
    13,195
    Thanks (Received)
    104
    Likes (Received)
    1422

    Re: Forums hacked?

    Quote Originally Posted by SimonSmith View Post
    (Ian - thanks for dealing with this in as much detail as you are. I'm not sure how many of the Mods could help in this way. Cheers - Simon)
    No problemo!
    "Never underestimate the power of the Internet to lend unwarranted credibility to the colossally misinformed"
    - Jay "Utah" Windley

  5. #25

    Promises to Referee in France
    L'irlandais's Avatar

    Soc/Assoc
    CT Alsace-Lorraine
    Grade
    EdR + LCA
    Join Date
    11 May 10
    Posts
    4,180
    Thanks (Received)
    36
    Likes (Received)
    203

    Re: Forums hacked?

    Quote Originally Posted by Ian_Cook View Post
    Tell me what happens with the following...
    ...
    4. When you type "rugbyrefs" into a Google search and click on the top result (see attached file)
    ...
    Tell me what the circumstances are that lead you to the redirect page.
    Hello Ian,
    Thanks for the detailed reply.
    As you suggested 4 weeks ago I updated my device (Adobe Flash Player, etc.). I also cleared the cache, then rebooted my device. (Each time I close the browser it clears internet history, I believe.) Following the forums going offline, everything went swimmingly, until about a week ago, when Google started redirecting me again.

    Symptomatic:
    When I google RRF, generally it offers me two choices, the front page and the forums page. Clicking on either of them, 7 times out of ten, redirects me to FS72, following which clicking on the other I can access the website.
    Following the steps in your #18 (after clearing cache) only option 4 redirected me.
    In my browser, previously visited links show in a different colour, so once the cache has been cleared, a blue coloured link means not previously visited (i.e. not from cache, though I am no expert in that field.)

    To be honest, I'd be happy for it to be a problem with my browser, since the alternative sounds like a lot of work for you guys.
    Last edited by Robert Burns; 02-02-17 at 05:02.
    "We demand strict proof for opinions we dislike, but are satisfied with mere hints for what we’re inclined to accept."
    John Henry Newman

  6. #26

    Referees in England
    Balones's Avatar

    Soc/Assoc
    Leics
    Grade
    NP Performance Reviewer
    Join Date
    24 Oct 06
    Posts
    707
    Thanks (Received)
    30
    Likes (Received)
    174

    Re: Forums hacked?

    I can concur that what L'irlandais outlines does happen. It does not happen when I use my bookmarked home page. Only when you go through Google (and IE) does it happen. Tried on other devices and it usually happens but not always.

  7. #27

    Resident Club Coach
    didds's Avatar

    Soc/Assoc
    N/A
    Grade
    Club Coach
    Join Date
    27 Jan 04
    Posts
    9,520
    Thanks (Received)
    58
    Likes (Received)
    885

    Re: Forums hacked?

    Quote Originally Posted by Ian_Cook View Post
    OK, so what is happening there is that the initial page is loading from the cache, not from rugbyrefs.com. Your browser is "remembering" what was loaded last time you asked and is reloading it rather than referencing the actual page you are wanting because it sees that the page has not changed since the last time. Loading it again, or loading it in a new tab can sometimes force the browser to go fetch the actual page, and this refreshes its cache.

    This website will explain it better than I can.

    http://www.ghacks.net/2014/08/11/fin...force-reloads/
    Yup - I get all that (it's sort of my job as well, how lucky am I?!)

    but that doesn't explain why if you clean your cache etc etc etc (shift-ctrl-delete, select everything and tick all the boxes then click OK, restart the browser - which is also non-proxied) and load

    then the FIRST hit is FS72, but subsequent ones (which now have that FS72 in its cache etc) then load the proper page.

    So the actions seen actually are in reverse to what would be expected if anything.

    didds
    Last edited by Robert Burns; 02-02-17 at 05:02.

  8. #28
    Rugby Club Member Flish's Avatar

    Soc/Assoc
    Durham
    Grade
    Level 9
    Join Date
    02 Sep 13
    Posts
    715
    Thanks (Received)
    10
    Likes (Received)
    151

    Re: Forums hacked?

    This is complex, but basically at some point a vulnerability has compromised the site and allowed code to be injected server side into the PHP scripts that power the site.

    The injected code has some logic that says 'if the visitor has come from a search engine and this is their first visit then inject this JavaScript code into the page' - the injected code redirects us to the dodgy site, and is why we can't see it by viewing source and most of us are unaware, but if you kill cookies and run a script to capture output by pretending to have been referred by Google you can capture the code.

    The fix is for the site owners, server side: the vulnerability needs fixing and the PHP scripts cleaned up. Good news, it's fairly obvious to a capable dev what the dodgy code is; bad news is it could have been injected into 100s of files. *Sometimes* you can automate cleanup, but it will happen again if you don't fix the entry point.

    Not sure who to signpost this to, but happy to help if someone reaches out.
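
The check described in post #28 (no cookies, a search-engine Referer, capture the output), as an added example that is not part of the thread or the site's own code: it compares a direct fetch with a search-referred one and reports script or meta-refresh elements served only to the referred visitor. The sample HTML, the `redirect.example` host and all function names are constructed for illustration.

```python
import re
import urllib.request

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
META_REFRESH_RE = re.compile(r"""<meta\b[^>]*http-equiv=["']?refresh[^>]*>""", re.I)

def fetch(url, referer=None):
    """Fetch url with no cookie jar, so every call looks like a first visit."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def active_elements(html):
    """Set of whitespace-normalised <script> and meta-refresh elements."""
    found = SCRIPT_RE.findall(html) + META_REFRESH_RE.findall(html)
    return {" ".join(el.split()) for el in found}

def referrer_only_elements(direct_html, referred_html):
    """Elements served only to the search-referred, cookie-less visitor."""
    return sorted(active_elements(referred_html) - active_elements(direct_html))

def check_site(url, referer="https://www.google.com/"):
    """Live check: compare a direct fetch with a search-referred one."""
    direct_url, direct_html = fetch(url)
    ref_url, ref_html = fetch(url, referer)
    return {"redirected": ref_url != direct_url,
            "extra": referrer_only_elements(direct_html, ref_html)}

# Constructed sample responses (not captured from the forum).
DIRECT = "<html><head><script src='/clientscript/forum.js'></script></head><body>Forum</body></html>"
REFERRED = ("<html><head><script src='/clientscript/forum.js'></script>"
            "<script>window.location='http://redirect.example/landing'</script>"
            "</head><body>Forum</body></html>")

if __name__ == "__main__":
    for element in referrer_only_elements(DIRECT, REFERRED):
        print("served only to search-referred visitors:", element)
```

Pages that embed per-request values in inline scripts will show up as differences too, so compare two direct fetches first to learn what normally varies.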

  9. #29

    Referees in Canada
    RugbyRefs.com Webmaster


    Soc/Assoc
    Ontario/Toronto
    Grade
    Every Grade
    Join Date
    10 Nov 03
    Posts
    9,644
    Thanks (Received)
    15
    Likes (Received)
    54
    Blog Entries
    2

    Re: Forums hacked?

    Hi all,

    Apologies for that, but hopefully it is now all resolved.

    cPanel upgraded
    LiteSpeed server upgraded
    PHP upgraded.
    Site software upgraded
    All server side passwords have been changed.

    So hopefully we are all back to normal. If anyone sees anything dodgy, feel free to report it. The Mods all have my email address.

    I can confirm it was a redirect file in the structure not an SQL injection, still not sure how they got it in the file structure, but it's gone now. You'll see that all references to the file name have been changed, I then downloaded a dump of the database and did a search, so I know we were not infected database side.

    I've done a google search and clicked all the links and only come here. I urge all members to clear their cache on their browsers.

    If you want to be belt & braces safe a password change is never a bad thing, though as I said before, I am content that they did not breach the database, and so no information was lost.

    Once again, apologies for the inconvenience.
    Last edited by Robert Burns; 02-02-17 at 05:02.
    "This is not Soccer!" ©Nigel Owens
    ------------------------------
    Robert Burns
    RugbyRefs.com Webmaster
    ------------------------------

  10. #30
    Rugby Club Member Flish's Avatar

    Soc/Assoc
    Durham
    Grade
    Level 9
    Join Date
    02 Sep 13
    Posts
    715
    Thanks (Received)
    10
    Likes (Received)
    151

    Re: Forums hacked?

    Had a quick look and yes that looks to clear it up, can confirm in my experience these redirect injections are automated and opportunist (no skill involved) and purpose is to redirect to some end game, I've never yet seen one that actually involved any user data compromise or anything malicious, just annoying (and all a bit pointless IMO!)
