Linkjacking / Redirect to Phishing Site occurring


drudkh

Question

Hiya,

 

On separate computers (one being my work machine where a handful of measures are taken to prevent malware) I have experienced a redirect to a couple of domains attempting to phish credentials.  Other users seem to have experienced this as well.

 

It is of course entirely possible that my computer has been infected prior (or other user error), but please consider the possibility as well that STEP may be serving some content/script that may be causing this. 

 

An example of what occurs:

 

To prevent this from occurring again, I have modified my HOSTS file to not allow those two domains to resolve.

0.0.0.0 q54w.redirect00002.net
0.0.0.0 x0z01i16003.info

A full description of HOSTS file modifications is available at https://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

 

So to the admins I ask that you take a bit of time to review how this may be occurring and take steps to address it.

 

Thank you!

-drudkh


You don't need to know the criteria that the malware is using to activate the redirection. You know the infection exists. You know what code should be in your scripts... The fault isn't elsewhere. It's very likely in your skin_cache directory. Please read this post (I know, it's long, but I swear you'll learn something) and see if it will help you track it down.

 

https://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/

 

The exploit you're looking for may use different variable names, and it may reside elsewhere, but from the way it looks this is the kind of exploit you need to locate.

 

I'm not trying to be an ass here, but all of us who own sites have minimum responsibilities that need to be observed, and allowing something like this to go on for months is not appropriate. It's not the kind of thing you can just put off pending some future renovation of the site.

 

This really shouldn't take more than an hour or two to fix, depending how well it's hidden.

 

That's funny, I posted this exact link earlier in the thread.

 

Great find.

 

I actually saw some base64-encoded stuff in the STEP code when I was looking around, though I think what I saw was probably just part of IPB.  I think this is quite likely to be the exact issue here though.

 

EDIT: This article which is linked from there is much more in-depth, definitely something we should do to investigate this Tech & Z: https://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/

 

I don't have server access, else I would be able to provide more information about the steps taken to address this issue.  Also, per the post you shared, removing the malicious code does not permanently solve the problem.  The code got there via some kind of vulnerability in IPB* (yes, not PHPBB, I got them confused for a moment.  Their acronyms are kind of similar and both run on PHP).  Removing the malicious code will only solve the problem until the attacker re-applies the exploit.

 

I agree with you that being a responsible host should involve fixing this issue.  It sounds to me like z929669 looked for this exploit per the article on Peter Upfold's blog, but wasn't able to find it.  At the time we thought it was because I had re-cached the skin files, which Peter Upfold mentions as a possible solution.  It's possible z wasn't able to find the exploit at the time, and that purging the skin cache didn't fix the problem, OR the attacker re-applied their exploit through the IPB vulnerability after we had resolved the problem.  Right now we don't know which of these is the case, but we do know the only way to truly protect ourselves from this exploit is to upgrade IPB to a newer version with security improvements.  That's what we've been working on.

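A defender-side check for the kind of injected template the linked article and the replies above describe, added here as an example and not code from this thread or from IPB: it walks a skin_cache directory and flags cached templates that contain an eval(base64_decode()) loader or a long opaque base64 literal. The directory layout, file names and placeholder payload in demo() are constructed for the demo.

```python
import base64
import os
import re
import tempfile

# Signatures of the injected loaders seen in compromised IPB skin caches:
# eval() fed by base64_decode() (optionally via gzinflate/str_rot13), or a long
# opaque base64 literal where a template should only hold HTML and PHP echo calls.
SIGNATURES = [
    ("eval_base64", re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I)),
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
]

def scan_file(path):
    """Return (path, line_number, signature_name) for every suspicious line."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, pattern in SIGNATURES:
                if pattern.search(line):
                    hits.append((path, lineno, name))
    return hits

def scan_tree(root, extensions=(".php", ".html", ".tpl")):
    """Walk a skin_cache (or any web root) and collect hits from cached templates."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(extensions):
                hits.extend(scan_file(os.path.join(dirpath, fn)))
    return hits

def demo():
    """Build a constructed skin_cache layout in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="skin_cache_")
    skin = os.path.join(root, "cacheid_1")
    os.makedirs(skin)
    # Constructed placeholder: a harmless string stands in for the real loader blob.
    blob = base64.b64encode(
        b"/* constructed placeholder for this example; an infected template would hide "
        b"an obfuscated redirect loader here */").decode()
    with open(os.path.join(skin, "skin_global.php"), "w") as fh:
        fh.write("<?php\n$this->html['globalTemplate'] = '<html>';\n")
        fh.write('eval(base64_decode("' + blob + '"));\n')  # the injected line (constructed)
    with open(os.path.join(skin, "skin_clean.php"), "w") as fh:
        fh.write("<?php\n$this->html['footer'] = '<div>' . $this->settings['board_name'] . '</div>';\n")
    return scan_tree(root)
```

Because the cache is regenerated from the database, a hit here means the source templates or the generating code must be cleaned too, not only the cached file.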

I re-cached the templates again and will try to do so once a week until we release the dev work.

 

@SleepsInSun

The main issue here is the license we have for the current version of the forum software is not owned by STEP. It's owned by the old server admin, who went MIA on us. This means we don't have access to update the current forums to fix the vulnerability...so it's only a matter of time before we're infected again. We have taken steps to ensure losing staff never puts us in this situation again.

 

As Mator mentioned, the only option we truly have at this point is to push through the development of our site redesign, which comes with fully updated software across the board. The only other option is to completely shut down the forums, which is no option at all.
