Threat Has Being Detected. Have You Been Maliciously Attacked!

The December FOTM Contest Poll is open!
FishForums.net Fish of the Month
🏆 Click to vote! 🏆

Status
Not open for further replies.
What generally happens in these cases is not the forum itself but some piece of content brought into the forum. A link to an image usually is the culprit. 
We have that twice that I can remember. Once was from an ad and the other time was from an image a member linked to in a post. 
Fortunately the forum itself has never been compromised. Meaning we've never had a virus or malware actually on our server. 
 
Whichever it is we'll hunt it down and kill it. 
 
Has the link which was provided above not led you to any results yet Chad? I thought that would have fixed it for you. 
 
 


The condensed, I-just-want-to-fix-my-site version:
On your server, try:
grep ‐ri \$mds /wherever/your/website/folder/is
to locate the injected code, and while file it resides in. You can then go into that file and remove it.
Also try re-caching all the skins and languages in the Admin Control Panel. Make sure all IP.Board updates and patches are applied to prevent the compromise happening again.
Reset your passwords and keys. Take measures to detect and continue detecting other infiltrations.
 

There is recent posts in there from April 2014 saying that this has also fixed the problem for them. What I also did was looked at an example where this guy had found this on his website, put his into Google and lone behold it truly had fixed it. I think this could be the culprit just needs someone with access to the htaccess folders. 
 
http://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-
url4short-mess/
 
Just now tried to get on this website but it took me to this site that redirected me to App Store so I just got out of it, quit the page and joined again... And it worked! But if I join again it probably redirect me again. Anyone know how to fix it? Thanks

-NyanKat
 
Heya Nyan, there isn't anything wrong with your computer its something the forum administrators are looking into.
 
Just got the same thing when I tried to access tff from a google search. Weird.
 
Wow, that is bizarre. Hope you can figure it out. After reading this thread, on my pristine work laptop (I really don't have much stuff on it - it is only a few months old), I opened up Chrome, when to www.google.com, and typed "tropical fish forum". The google results showed www.fishforums.net at the top, and the link even showed that I had been to it before (it was a different color). But when I clicked on it I got redirected to a different spammy site that asked me to update my video software. I closed the browser before I could see what web site it was.
 
I tried it a second time, same exact steps, and I got to the forum just fine.
 
Very strange. 
 
Huh...I just tried that specific search, for tropical fish forum in chrome. Indeed, Avast doesn't like it for some reason when searching for "tropical fish forum" with that exact wording, although without quotes. I didn't have to click anything, just do the search and a warning popped up. And...it redirects to a bonkers site that is not TFF when clicking on the one that should be for this site. I can't reproduce this with any other search, including "fishforums.net" in quotes like that - which gives this site as the first one and everything is safe. The problem does not exist in Firefox.
 
EDIT: have tried it again after asking chrome to search for some other things and can't reproduce it a second time with the same search. But it absolutely did it the first time. 
 
I am glad I wasn't the only one affected by this issue and others have seen it for themselves. I do strongly believe the article on the Peter Upfold should fix this problem as if you look at the example they have on the website for the forums, there is no issue at all giving it a Google search. This has being cross-browser, multi-platform and on all search engines to my testing so far. No mater what sort of search term you use. But it is simply a redirect at the start and then as soon as you head back and come back it is up and running again directly to the website. You can hit straight onto the website if you use the address without problem which I have being until this is fixed. 

 
Temporarily disabled Javascript and the pop-up will then not appear. Re-enable and it is back. So time to hunt through your JS files and see which one it is contained with. This reinforces the statement here:
 
"An additional JavaScript file was being referenced on the generated HTML page itself, which went to/forums/index.php?ipbv=[normal caching string]&g=js. That request itself looks (almost) quite normal, and something that is part of IPB.

However, the server’s response to this request for the extra JavaScript file was most definitely the thing we were looking for:"
 
 
okay i also got this same thing, but only for the first time of googling this site, can i just open this out this problem would 100% deter people from coming here new people i am just saying, they google fish forum's click on the link and get a strange site, click back and then click on another forums site instead of this one but if they clicked on this site again they would go directly here, can i suggest this is not a problem with your PC's nor is it a problem with this site but a problem with google it self? i am running on a MAC, have antivirus and all the anti spam software running also i am running Ghostery which blocked trackers, aka advertising google analytical data and other stuff that is able to track and trace me or anyone else, so that is not the cause as i still got redirected to that bogus site, strange maybe Tcamos you should get in contact with google? and ask about this as personal this must be effecting the amount of people coming to this site i know this site itself is not making money from people joining but the advertisers may loose out because of that? i personal think this site is much less active than it used to be and this could be a cause to that?
 
if you need any info about this let me know and i can try and provide what i can about this
 
forgot to mention i am using safari not chrome, i did try it in chrome before i tried it in safari and it worked first time in chrome.
 
Zikofski said:
okay i also got this same thing, but only for the first time of googling this site, can i just open this out this problem would 100% deter people from coming here new people i am just saying, they google fish forum's click on the link and get a strange site, click back and then click on another forums site instead of this one but if they clicked on this site again they would go directly here, can i suggest this is not a problem with your PC's nor is it a problem with this site but a problem with google it self? i am running on a MAC, have antivirus and all the anti spam software running also i am running Ghostery which blocked trackers, aka advertising google analytical data and other stuff that is able to track and trace me or anyone else, so that is not the cause as i still got redirected to that bogus site, strange maybe Tcamos you should get in contact with google? and ask about this as personal this must be effecting the amount of people coming to this site i know this site itself is not making money from people joining but the advertisers may loose out because of that? i personal think this site is much less active than it used to be and this could be a cause to that?
 
if you need any info about this let me know and i can try and provide what i can about this
 
forgot to mention i am using safari not chrome, i did try it in chrome before i tried it in safari and it worked first time in chrome.
 
Most of the above is thereabout correct here Ziko. 
 
But as you say the issue isn't with any bodies computer individually, however it is not the search engine itself at fault. It is just this hidden bit of javascript which the link I posted a while back with >>>fix<<< should solve the problem. You can try it on Bing, safari, internet explorer, you get the same result each time on whatever web browser or search engine. Disable javascript and it will go away.  
 
There is as far as I am aware a cookie script expire set to a day each time as well in this javascript. As it will only appear once and then not again for the rest of the day which is pretty simple to code along the line "; expires="+date.toGMTString();. 
 
Someone who has access to the index files and server files will be able to hunt this down using the link provided. Or even try a quick search term in the full directory url4short. See if you can spot the document.location file or redirect. I don't know who has the power to do that here though. 
 
As you say this problem needs addressing ASAP because it is a big driver to loss of traffic for new users/first time visitors onto the website. Bounce rate will spike because they aren't even physically getting here and will just think it is a spammy website. 
 
If I didn't know about this and was a new user, searching for a website on Google and my antivirus flags it up like this one, I wouldn't go back. I'd just close and get shut. lol 
 
aah that explains why it worked on my chrome i have JavaScript turned of :)
 
I get the same message when clicking on a link from google too.  Here is a screenshot:
 
 
Untitled.jpg
 
  
 
Could this gave anything to do with the new Shellshock virus?
 
Status
Not open for further replies.

Most reactions

Back
Top