Hot Topic (More than 10 Replies) Strange things (Read 4,036 times)
justin bowser
YaBB Newcomer
*
Offline



Posts: 29
Strange things
Oct 9th, 2012 at 6:00pm
Over the past few days when members go to bmwr65.org the page will display for a second then something is redirecting them to dsparking.com, and from there some other random website.  I can't find anything that looks suspicious on the server so was going to post a notice to the members and find I can't make a new post OR reply to an existing post.  At the bottom of the window instead of a "Post Message" button it seems to have turned into a "Wait" button!

None of the membership has complained of this but I can't reply or post even logged in as a different user besides admin.

This is really irritating!

Thanks in advance,

Justin B.
bmwr65.org Forum Zookeeper
  

Justin B.
bmwr65.org Forum Admin
 
depablo
YaBB Moderators
YaBB Next Team
Beta Testers
***
Offline



Posts: 577
Location: UK

None
Re: Strange things
Reply #1 - Oct 9th, 2012 at 6:26pm
You signed up to google webmaster tools?

Changed all passwords, forum, cPanel, ftp?

Checked htaccess for any changes?

Checked files for edits?

Asked the host to check in case it is server problem?
  

Taking a peek behind the mask Wink
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 4,031
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Strange things
Reply #2 - Oct 9th, 2012 at 6:40pm
Have you tried your forum on a different machine?

If it behaves the same:

Look for a hack in ./Templates/default/default.html.  If you are running a custom theme - look in whatever folder your default site theme comes from, it will be the .html file in that folder.

The 'wait' button is a function of local javascript execution.

Good luck -
Cool


« Last Edit: Oct 9th, 2012 at 6:43pm by JonB »  

I find your lack of faith disturbing.
 
justin bowser
YaBB Newcomer
*
Offline



Posts: 29
Re: Strange things
Reply #3 - Oct 9th, 2012 at 7:19pm
Thanks for the suggestions.

- I have rebooted my PC and "cured" the "wait" button issue. 

- I've checked all of the .htaccess files I can find and none of them have recent dates.

- I have not signed up for google webmaster tools.

If I enter the forum's complete address (http://www.bmwr65.org/cgi-bin/yabb2/YaBB.pl) then there are no problems.  If I try to access it by entering just bmwr65.org then it will sometimes redirect but not always.

Regards,

Justin B.
  

 
Elrick.
Forum Moderator
YaBB Moderators
Beta Testers
*****
Offline



Posts: 165
Location: Edge of the Abyss

YaBB 2.6.1
Re: Strange things
Reply #4 - Oct 9th, 2012 at 7:54pm
Had exactly the same situation today and when I accessed cpanel>file-manager> in Directory Selection there were two additional forums/files uploaded beginning with 'zoas'. There were two access events, one from Latvia and another from New Jersey on the same date. Somehow they logged in and added files.

Once logged in they created the 'zoas' addon domain and added an FTP user. That FTP user put a file up there to distribute malware (from a hacked Dreamhost server). Users are sent from other sites to the malware distribution file, which then sends them off to other servers to download the actual malware.

As long as your PC is virus free you will be fine. Those things happen quite often - in some cases it is enough for a visitor to your forum to have an outdated browser and to visit a shady site - that will then try to/start to upload files to the server, then try to guess FTP/email/user passwords, then upload some other files that distribute malware. Those 'breakins' are usually in part automated, and end once you delete the uploaded files.

So check your Directory Selection on cpanel/file manager to make sure there is what it should be and change passwords for cpanel and your email account. Best of luck.
  

There is no direct experience of reality without interpretation; and all interpretation is corrupted by the cultural and personal prejudices or prejudgments of the interpreter. ~ Elrick
 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline



Posts: 1,593
Location: UK:Scotland/livingston

None
Re: Strange things
Reply #5 - Oct 9th, 2012 at 8:05pm
ok this is not a yabb prob but here is the fix just the same  Wink
the url http://bmwr65.org/ the html loading here is
Code (HTML)
<html>
<head>
<title>The Unofficial and Purposely Disorganized R65 Forum</title>
</head>

<frameset rows="100%, 0%">
   <noframes>
      If you are seeing this page, you're web browser does not support frames.  <a href="">Click here</a> to view the forum or upgrade to a browser that supports frames.
   </noframes>
   <frame src="cgi-bin/yabb2/YaBB.pl">
   <frame src="empty.html">
</frameset>

</html> 



the redirecting is happening on this line
Code (HTML)
<frame src="empty.html"> 

as this part is 404 and then the 404 page is doing the redirecting  Wink



remove the <frame src="empty.html"> code from the index.htm or index.html and the redirecting  will stop i hope  Wink
« Last Edit: Oct 9th, 2012 at 8:06pm by xnoddyx »  

re404.jpg ( 97 KB | 57 Downloads )

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
 
justin bowser
YaBB Newcomer
*
Offline



Posts: 29
Re: Strange things
Reply #6 - Oct 9th, 2012 at 8:55pm
1. - I am currently running Yabb 2.3

I removed the <frame src="empty.html"> line from the domain root so we'll see what happens.
  

 
depablo
YaBB Moderators
YaBB Next Team
Beta Testers
***
Offline



Posts: 577
Location: UK

None
Re: Strange things
Reply #7 - Oct 9th, 2012 at 9:10pm
Would the blank file redirect to another site?
  

 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline



Posts: 1,593
Location: UK:Scotland/livingston

None
Re: Strange things
Reply #8 - Oct 9th, 2012 at 9:34pm
depablo wrote on Oct 9th, 2012 at 9:10pm:
Would the blank file redirect to another site?

the file empty.html is not blank, it is just not there, so the server sends the 404 page, and the 404 also loads ads on it, and sometimes they are set up so if they are in a frame or an iframe it will reload the master/parent page just so the Sponsored Listings show full page. the 404 page has this html
Code (HTML)
<!-- SHTML Wrapper - 404 Not Found -->
<html>
  <head>
    <title>404 Not Found</title>
    <meta name="revisit-after" content="10">
    <meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
    <script type="text/javascript" src="http://cdn.dsultra.com/js/registrar.js"></script>
        <link href="http://www.bluehost.com/media/shared/general/homelayout.css" rel="stylesheet" type="text/css">
    <link rel="stylesheet" href="http://www.bluehost.com/media/shared/general/_bh/homestyle.css" type="text/css">
 



and the part i think doing the reload is
Code (HTML)
<script type="text/javascript" src="http://cdn.dsultra.com/js/registrar.js"></script> 


i hope i explained myself well if not just ask and will see if i can explain myself better  Smiley
« Last Edit: Oct 9th, 2012 at 9:35pm by xnoddyx »  

re404_show-ads.jpg ( 52 KB | 60 Downloads )
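
Added example, not part of any post in this thread: a Python check for the situation described in replies #5 and #8, where a page references a same-site file that does not exist and the host's 404 page, loaded in its place, pulls in third-party scripts. The markup is copied from the thread; the docroot listing and all function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch another resource.
FETCH_ATTRS = {"frame": "src", "iframe": "src", "script": "src", "link": "href"}

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCH_ATTRS.get(tag, ""))
        if url:
            self.refs.append((tag, url))

def collect_refs(html):
    parser = RefCollector()
    parser.feed(html)
    return parser.refs

def audit(page_url, html, existing_paths, error_html):
    """Flag same-site references that would 404, together with the
    third-party script hosts the error page would load in their place."""
    site = urlparse(page_url).netloc
    error_hosts = sorted({urlparse(u).netloc for t, u in collect_refs(error_html)
                          if t == "script" and urlparse(u).netloc not in ("", site)})
    findings = []
    for tag, url in collect_refs(html):
        target = urlparse(urljoin(page_url, url))
        if target.netloc == site and target.path not in existing_paths:
            findings.append((tag, target.path, error_hosts))
    return findings

# Markup from the thread; the docroot listing below is constructed.
INDEX_HTML = """<frameset rows="100%, 0%">
   <frame src="cgi-bin/yabb2/YaBB.pl">
   <frame src="empty.html">
</frameset>"""
ERROR_404_HTML = """<title>404 Not Found</title>
<script type="text/javascript" src="http://cdn.dsultra.com/js/registrar.js"></script>
<link href="http://www.bluehost.com/media/shared/general/homelayout.css" rel="stylesheet" type="text/css">"""
EXISTING_PATHS = {"/index.html", "/cgi-bin/yabb2/YaBB.pl"}

if __name__ == "__main__":
    for tag, path, hosts in audit("http://bmwr65.org/", INDEX_HTML,
                                  EXISTING_PATHS, ERROR_404_HTML):
        print(f"<{tag}> -> {path} missing; error page loads scripts from {hosts}")
```

On a real site, EXISTING_PATHS would come from a listing of the document root and ERROR_404_HTML from the response body the host returns for a missing file.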
 
justin bowser
YaBB Newcomer
*
Offline



Posts: 29
Re: Strange things
Reply #9 - Oct 9th, 2012 at 10:30pm
Interesting but not what I think is happening.  I never get the BlueHost 202 page what happens is:

1.  The Forum Main Page displays for maybe a second then gets redirected to dsparking.com

2.  dsparking.com then redirects to various sites depending on its mood I guess.

I use SeaMonkey as a browser and when I go to http://bmwr65.org/ I see a lot of URLs  being processed at the bottom of the browser window, dsparking.com being one of them.  When I go to http://www.bmwr65.org/ I only see the forum address processed at the bottom.

The strange thing is that dsparking does not redirect every time...
  

 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline



Posts: 1,593
Location: UK:Scotland/livingston

None
Re: Strange things
Reply #10 - Oct 10th, 2012 at 12:02pm
justin bowser wrote on Oct 9th, 2012 at 10:30pm:
Interesting but not what I think is happening.  I never get the BlueHost 202 page what happens is:

1.  The Forum Main Page displays for maybe a second then gets redirected to dsparking.com

2.  dsparking.com then redirects to various sites depending on its mood I guess.

I use SeaMonkey as a browser and when I go to http://bmwr65.org/ I see a lot of URLs  being processed at the bottom of the browser window, dsparking.com being one of them.  When I go to http://www.bmwr65.org/ I only see the forum address processed at the bottom.

The strange thing is that dsparking does not redirect every time...


ok to test i downloaded SeaMonkey and spent over half an hour doing reloads in it and same every time, loads fine. i also ran some website malware scanners and all come back "Verified Clean"

i have also gone over the html output with the exception of the news code pushing out the donate and logo
from <div id="fscroller" style="width: 960px;"/> setting it to <div id="fscroller" style="width: 48%;"/> will fix this

but apart from that i can't see any more problems so this only leaves your computer that is possibly infected with malware

two of the sites used
http://sitecheck.sucuri.net/results/www.bmwr65.org/
http://www.UnmaskParasites.com/security-report/?page=www.bmwr65.org/
http://www.UnmaskParasites.com/security-report/?page=www.bmwr65.org/cgi-bin/yabb...

so that just leaves the possibility that the computer is infected with malware

so to start

justin bowser wrote on Oct 9th, 2012 at 6:00pm:
Over the past few days when members go to bmwr65.org the page will display for a second then something is redirecting them to dsparking.com, and from there some other random website.


1. does your forum have any more templates besides the default one? can you ask the members of your forum that have reported the redirecting to dsparking.com what browsers they are using?


2. when did this start to happen

3. what os are they on windows mac linux
if windows what version of windows
  

 
justin bowser
YaBB Newcomer
*
Offline



Posts: 29
Re: Strange things
Reply #11 - Oct 11th, 2012 at 1:57am
xnoddyx - thanks for looking at this.  I'm pretty sure my computer is clean as I always have MS Security Essentials and StopZilla running and I have had nothing suspicious reported.

I'm now wondering if something got into the BlueHost server, as mentioned by someone earlier, as today there were no redirects and some of the stuff I noticed at the bottom of the browser window yesterday is gone today.  I e-mailed one of my moderators and he said everything seemed back to normal to him today as well.

The first report I had of this issue was on Oct 4 but I didn't have any time to spend on investigating what was happening until 4 days later as I was at work.  I only use the one template and I think the BlueHost servers are running LINUX.  My son takes care of issues with the host as the bmwr65.org domain is under his domain.

Regards,

Justin B.
  

 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline



Posts: 1,593
Location: UK:Scotland/livingston

None
Re: Strange things
Reply #12 - Oct 11th, 2012 at 10:18am
justin bowser wrote on Oct 11th, 2012 at 1:57am:
xnoddyx - thanks for looking at this.  I'm pretty sure my computer is clean as I always have MS Security Essentials

i use that as well but you still get some that gets past it, no antivirus is 100%. when i do find items that's not meant to be there i use combofix and some more tools and do a system sweep

justin bowser wrote on Oct 11th, 2012 at 1:57am:
I'm now wondering if something got into the BlueHost server, as mentioned by someone earlier, as today there were no redirects and some of the stuff I noticed at the bottom of the browser window yesterday is gone today.  I e-mailed one of my moderators and he said everything seemed back to normal to him today as well.


the only item i see different is the code edit i asked you to make here
xnoddyx wrote on Oct 9th, 2012 at 8:05pm:
ok this is not a yabb prob but here is the fix just the same 
the url http://bmwr65.org/ the html loading here is

Code (HTML)

<html>
<head>
<title>The Unofficial and Purposely Disorganized R65 Forum</title>
</head>

<frameset rows="100%, 0%">
   <noframes>
      If you are seeing this page, you're web browser does not support frames.  <a href="">Click here</a> to view the forum or upgrade to a browser that supports frames.
   </noframes>
   <frame src="cgi-bin/yabb2/YaBB.pl">
   <frame src="empty.html">
</frameset>

</html>

the redirecting is happening on this line

Code (HTML)

<frame src="empty.html">

as this part is 404 and then the 404 page is doing the redirecting   
   

good to see you are back up and running if you have any more questions or that just post back  Wink
  

 
justin bowser
YaBB Newcomer
*
Offline



Posts: 29
Re: Strange things
Reply #13 - Oct 11th, 2012 at 12:02pm
Yes, I think we are "out of the woods" as far as this episode is concerned.  I appreciate the insight provided by this forum and everybody's willingness to help out.

LONG LIVE YABB!!
  

 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline



Posts: 1,593
Location: UK:Scotland/livingston

None
Re: Strange things
Reply #14 - Oct 11th, 2012 at 1:09pm
justin bowser wrote on Oct 11th, 2012 at 12:02pm:
Yes, I think we are "out of the woods" as far as this episode is concerned.  I appreciate the insight provided by this forum and everybody's willingness to help out.

we are just glad that you are back up and running  Smiley

justin bowser wrote on Oct 11th, 2012 at 12:02pm:
LONG LIVE YABB!!

Smiley and  Smiley
  
