vBulletin Redirect w/ Chrome?



Jeph
September 9th, 2013, 07:45 AM
Tony Rex was having all manner of trouble earlier today. He keeps getting redirected to spam sites. Even a fresh install of Chrome did not resolve the issue. He can't function on the board so I am posting on his behalf. I had some strange issues earlier, but no redirects and they (my issues) appear to have gone away.

He reports that forum.php and search.php are unusable and was using misc.php to type in chat.

I kept trying to load pages from test-host.biz

79spitfire
September 9th, 2013, 10:20 AM
I just tried it here, and in Chrome it's slow as molasses in January. I can get to the forum in Chrome quickly, but main site won't come up. Try 'www.fpgeeks.com/forum'; that seems to work, but 'www.fpgeeks.com' never loads (again, only in Chrome). Good luck!

Wait, there is something going on, I'm seeing messages about test-host.biz and something .tv in the status for Firefox as well. I don't remember these :help:

Is this a part of a vBulletin 'upgrade'?

test-host.biz is a Russian language website, and platform.twitter.com is an improperly coded XML site.

I'd say someone is trying to hijack fpgeeks much like they did to fountain pen network!

DAN! HELP!!!!:spy:

cwent2
September 9th, 2013, 10:27 AM
working normally for me on chrome Version 29.0.1547.66 m at 12:26 pm est.

Jeph
September 9th, 2013, 10:32 AM
I am still seeing test-host.biz pages trying to load, but the forum works fine.
When the test-host.biz is loading I get massive lag until it goes away, usually less than 10 seconds.

cwent2
September 9th, 2013, 10:35 AM
I am not experiencing any issues at all - no pages trying to load. Could you have a Trojan?

jar
September 9th, 2013, 10:42 AM
Working with Chrome here.

dannzeman
September 9th, 2013, 10:43 AM
Looking into it. I'll let you know if I find anything.

AndyT
September 9th, 2013, 10:50 AM
Everything running smoothly, but I do see a lot of test-host.biz components in the page info - mostly .gifs and one .ico. This looks interesting:

I'm using Firefox.

Flounder
September 9th, 2013, 11:05 AM
Everything running smoothly, but I do see a lot of test-host.biz components in the page info - mostly .gifs and one .ico. This looks interesting:


I'm using Firefox.

I'm seeing a lot of "waiting for test-host.biz" / "connecting to test-host.biz" navigating between pages, and while logging out too. I'm also using Firefox.

KrazyIvan
September 9th, 2013, 11:10 AM
In Chrome now. No issues.

jacksterp
September 9th, 2013, 11:31 AM
I am still seeing test-host.biz pages trying to load, but the forum works fine.
When the test-host.biz is loading I get massive lag until it goes away, usually less than 10 seconds.

Same here, although not a 10 second lag - more like 3-5.

test-host.biz is VERY suspicious!

http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=test-host.biz

Tony Rex
September 9th, 2013, 08:50 PM
Thanks Jeph. I'm on my mobile browser here, because no matter what I kept getting redirected to maciunbermanos.com or something unresolved dot com after a while. I have tried clearing Chrome cache and cookies, disconnecting sync, fresh Chrome install, resetting network on the iPad, rebooting router, switching to Google name server, all the same. So, it must be from the server side; I suspect from the vBulletin somewhere because it happens on a page without any image/avatar. And pedantic browsers will just keep on resolving the injected code until time out. Tony.

RuiFromUK
September 10th, 2013, 01:21 AM
No problems here on iPad and at work with IE. As I am at home at the moment I cannot check the version of IE at work but I think it is a fairly old version. Now that I think of it yesterday when I tried to use the forum's search engine it came up with a message to reload the previous page as the history cookie was old or something similar.

AndyT
September 10th, 2013, 01:58 AM
Something's changed overnight, I guess Dan's been busy. Pages finish loading much more quickly, though there are still some test-host.biz elements.

Can't say that any of this has caused a problem, in fact it would probably have gone unnoticed by me if it weren't for this thread. I'm wondering if this is specifically a Chrome thing.

Jeph
September 10th, 2013, 02:21 AM
I only run IE.

ardgedee
September 10th, 2013, 05:40 AM
I'm seeing a variety of reports that forums running vBulletin 4 are hosting tracking bugs from test-host.biz. This might mean (but does not necessarily guarantee) that the site has been compromised. (It might also mean that a few users' browsers have been hijacked by browser trojans from other sites, and the trojan's effects are simply more noticeable when they visit this site.)

FPG's admins should make sure the software running on the host (Apache, PHP, database) be kept up-to-date, that server accounts be limited to the least necessary privileges (e.g., the BBS software should not use admin-level database privs), and that the site's template files be checked for unexpected recent changes in JavaScript or HTML.

If necessary, template files should be purged and replaced with fresh copies (not from backups), and all host account passwords (both human and software) should be changed. The BBS software itself should be sanitizing all user inputs, but check vBulletin's version history information to see if there have been any improvements or bugfixes relevant to this; if so, upgrade immediately.


(I am a web developer, but I am not this site's developer.)
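
An added example, not part of ardgedee's post or the site's own code: one way to do the template check suggested above is to list every host a template makes the browser load from and flag those outside an allowlist. The sample template, its file paths and the allowlist are constructed for illustration; test-host.biz is the host reported in this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes that make a browser fetch something on page load.
LOAD_TAGS = {"script", "img", "iframe", "link", "embed", "object"}
URL_ATTRS = {"src", "href", "data"}

class ExternalRefFinder(HTMLParser):
    """Collect (line, tag, host) for every absolute or //host resource URL."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOAD_TAGS:
            return
        for name, value in attrs:
            if name in URL_ATTRS and value:
                try:
                    host = urlparse(value.strip()).hostname  # None if relative
                except ValueError:
                    host = "<unparseable>"  # malformed URL: report it as well
                if host:
                    self.refs.append((self.getpos()[0], tag, host.lower()))

def unexpected_hosts(template_html, allowed):
    """Return refs whose host is neither an allowed domain nor a subdomain of one."""
    finder = ExternalRefFinder()
    finder.feed(template_html)
    finder.close()
    def is_allowed(host):
        return any(host == d or host.endswith("." + d) for d in allowed)
    return [ref for ref in finder.refs if not is_allowed(ref[2])]

# Constructed sample template; paths and allowlist are assumptions.
SAMPLE_TEMPLATE = """<html><head>
<script src="clientscript/vbulletin-core.js"></script>
<script src="//platform.twitter.com/widgets.js"></script>
<link rel="shortcut icon" href="http://test-host.biz/favicon.ico">
</head><body>
<img src="http://www.fpgeeks.com/images/logo.gif">
<img src="http://test-host.biz/px.gif" width="1" height="1">
</body></html>"""
ALLOWED = {"fpgeeks.com", "twitter.com"}

if __name__ == "__main__":
    for line, tag, host in unexpected_hosts(SAMPLE_TEMPLATE, ALLOWED):
        print(f"line {line}: <{tag}> loads from unexpected host {host}")
```

This only sees static markup; URLs assembled by inline script at runtime are not caught, so a diff of each template against a known-good copy is still needed.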

ardgedee
September 10th, 2013, 06:14 AM
Well, this might also be a problem (http://fpgeeks.com/forum/announcement.php?f=&a=8). (content at link not worksafe)
(EDIT: Do not follow that link; It may be loading undesirable third-party content.)

Paul-H
September 10th, 2013, 06:14 AM
Could this be anything to do with the "Site is Hacked" post by the Admin with zero posts?

This one

http://fpgeeks.com/forum/announcement.php?f=6

ardgedee
September 10th, 2013, 06:17 AM
More likely the same flaw in the site is being exploited by different attackers. It's probably best if Dan shuts things down, upgrades the site software to the latest version, and purges anything suspicious.

Paul-H
September 10th, 2013, 06:17 AM
Great minds thinking alike there

jacksterp
September 10th, 2013, 06:49 AM
Well, this might also be a problem (http://fpgeeks.com/forum/announcement.php?f=&a=8). (content at link not worksafe)
(EDIT: Do not follow that link; It may be loading undesirable third-party content.)

Seems the integrity of the site has been compromised.

Might be best to stay off for a while.

Tony Rex
September 10th, 2013, 06:21 PM
All good now. No more random redirection on Chrome/iPad combo. It seems we're back in business. Kudos to Dan!

Okay, first things first.. change yer password :-)

Tony

jacksterp
September 10th, 2013, 06:30 PM
All good now. No more random redirection on Chrome/iPad combo. It seems we're back in business. Kudos to Dan!

Okay, first things first.. change yer password :-)

Tony

Thanks Tony for the reminder.

Just changed.

ardgedee
September 10th, 2013, 07:35 PM
We don't know whether the user data has been compromised or not, but it's safer to assume it has.

This means that not only should you change your password here, but you should change your password on any site where you used the same username/password combo as here.

You shouldn't reuse your passwords anyway...

RuiFromUK
September 12th, 2013, 12:32 AM
There still seems to be a problem. After relogging with a new password, I posted a greeting in chat and a post with a new pen acquisition. Going back to chat box I got logged off. Logged in again and posted in chat and got logged off again.

jar
September 12th, 2013, 06:43 AM
You get logged out of chat based on time.

On the far left of the text entry line is a small circle. If you are logged into chat it will be green, if you have timed out it will be an empty circle. Clicking on the empty circle logs you back into chat and catches up entries made while you were timed out.

blopplop
September 14th, 2013, 04:55 PM
Chrome... IE? What's that? :)