
Russian Popups?


Casualbrain


2 hours ago, Wow said:

Ok. Yes, the guest box with a couple of ads should be there.

The popups after clicking links were the big clue.  Had an old account called Viglink still running that alters link redirects for certain key words. I've removed the old script. I guess someone had hacked the old code and was injecting the malicious crap into them.

Just tested, it's not fixed.


The malicious code is hard to find as it is encrypted and appears under certain conditions only.

The malicious code looks like this (virus is framed red)

[Image: screenshot of the injected code]

Usually it is injected in the main template (in the database) and in the template's cached copy (in the file).

The malicious code can be detected by searching for “strstr($mds”, “preg_replace($i” or “#c#.substr” within a database dump or the skin cache files.

Forum administrators should remove the code from the database and then clean the skin cache to completely remove the malware from the site.


Do not delete the code in cached skins only as it’ll appear again upon cache rebuild.

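The string search and cleanup order described in the post above, as an added example that is not part of the original thread: it looks for the three quoted strings in a database dump and a skin cache directory, then reports which copy has to be cleaned first. The file names, table name and sample contents are constructed placeholders, not taken from the affected site.

```python
import os
import tempfile

# Literal search strings quoted in the post above.
INDICATORS = ("strstr($mds", "preg_replace($i", "#c#.substr")

def scan_file(path):
    """Return the indicators found anywhere in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()  # dumps often keep a whole template on one long line
    return [ind for ind in INDICATORS if ind in text]

def scan_tree(root):
    """Map each file under root (or root itself, if a file) to its indicator hits."""
    if os.path.isfile(root):
        files = [root]
    else:
        files = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return {p: h for p in files if (h := scan_file(p))}

def triage(dump_path, cache_dir):
    """Pick the cleanup step, following the order the post gives."""
    db_hits, cache_hits = scan_tree(dump_path), scan_tree(cache_dir)
    if db_hits:
        # Cached skins are rebuilt from the database, so the database copy goes first.
        return "clean database template, then clear skin cache", db_hits, cache_hits
    if cache_hits:
        return "database clean; clear stale skin cache", db_hits, cache_hits
    return "no indicators found", db_hits, cache_hits

def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def demo():
    """Run triage over constructed sample files (all names and contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "forum_dump.sql")   # hypothetical dump file
        cache = os.path.join(tmp, "skin_cache")      # hypothetical cache directory
        os.mkdir(cache)
        _write(dump, "INSERT INTO templates VALUES ('global','PLACEHOLDER strstr($mds PLACEHOLDER');\n")
        _write(os.path.join(cache, "skin_global.php"), "<?php /* constructed: #c#.substr */ ?>\n")
        _write(os.path.join(cache, "skin_forum.php"), "<?php /* constructed, clean */ ?>\n")
        before = triage(dump, cache)
        # Simulate cleaning only the database copy: the cached file still matches.
        _write(dump, "INSERT INTO templates VALUES ('global','PLACEHOLDER');\n")
        after = triage(dump, cache)
        return before[0], after[0], sorted(os.path.basename(p) for p in after[2])

if __name__ == "__main__":
    print(demo())
```
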

I never cleared the cache so that may be the issue.  Just did.  At worst all I ever got was a single pop-up on first click of any link while logged out and ad block disabled. Thereafter, never got anything.  Seems it acts differently for everyone.


1 hour ago, birdsofprey02 said:

Nice, thank you...  was it anything similar to what I posted above?  

It wasn't php code, but a modified HTML language that the template bits use to eval php scripts.  Located just before the closing body tag.  Originated from Ukraine based on the IP who hacked into the CP and inserted the code. 


3 hours ago, Wow said:

It wasn't php code, but a modified HTML language that the template bits use to eval php scripts.  Located just before the closing body tag.  Originated from Ukraine based on the IP who hacked into the CP and inserted the code. 

Nice! Do you know how they got into the CP? (known exploits, default username/password, etc.) and can we confirm there was nothing else compromised like account passwords?


18 hours ago, Snowden said:

Nice! Do you know how they got into the CP? (known exploits, default username/password, etc.) and can we confirm there was nothing else compromised like account passwords?

The CP logs record every action of anyone who logs into your CP and all that was done was throwing alteration to the global template coding.  All accounts with access to CP have new passwords in place and additional security measures have been taken as well.


  • 3 weeks later...
9 hours ago, nzucker said:

Why do we need pop-ups at all?

Pathetic cash grab.

Well this site doesn't pay for itself.  Costs money to develop and host monthly.  So either you go with ads or you set up a monthly subscription to access.  The owners of this board chose the former.  This being said, all your concerns are duly noted and have been passed on so they can be rectified.


2 hours ago, Baroclinic Zone said:

Well this site doesn't pay for itself.  Costs money to develop and host monthly.  So either you go with ads or you set up a monthly subscription to access.  The owners of this board chose the former.  This being said, all your concerns are duly noted and have been passed on so they can be rectified.

what was wrong with donation drives?


Archived

This topic is now archived and is closed to further replies.
