Forum was hacked?

Status
Not open for further replies.

AceOfAces_Mod

Tried the link, but blocked by Avast. Something's fishy...
 

Nathanial

First off, wait for an official response from anyone before you start drawing conclusions. Panicking never helps anything. Stay calm, this is something I'm already working on fixing. Yes, this is on the forum's end. No, you don't have malware. The site you're redirected from by Google might try to get you to install or buy something, but relax for now. Don't click any links on that page and you'll be fine. Just click back if you're landed there by Google searching.

Yes, this is something I was made aware of and am looking into. It wasn't really "hacked", as there was just some code injected into a theme file somewhere by a drive-by bot and I just need to figure out where it is. The problem is the code is encrypted, so it's a huge mega pain in the ass to find and get rid of, and I'd already started looking into it when I had to crash out last night. I'm in the process of moving as well, so I've been pretty busy. Rest assured I'm looking into it, and as long as you're not clicking any links on that site you should be okay.

Basically, this is a more modern version of a problem that's been around a while. Which also means where the injected code is in how-to-remove articles isn't where it is on our end. Which means I'll have to dig up Wireshark and find all that crap out myself. I literally just woke up and have coffee brewing and will tackle it though :)

I wish to make note that this is a *minor*, albeit annoying, problem. It will be taken care of though!

I'll post an update once I have it taken care of.

For now, stop using Google to search for forum topics and use the forum's built-in search function.
 

xonox

I have been having this this week too. I hadn't visited these forums in a while though, but now when I click on links to this forum from a Google search, I get redirected to url4short.info every once in a while. I am using an up-to-date antivirus and I also tested my computer with several malware tools; nothing was detected. When I use Google and visit other sites, I never get this too.

Tried it on another computer and had the same symptoms. Could it be that the forums are serving ads from a dubious source or that it was hacked?

Thanks for posting about this, I thought it was just my computers but didn't find anything on my side.
 

Nathanial

Okay, I think I may have fixed this but I'm not 100% sure, as testing this/getting the redirect isn't always guaranteed.

Since the code injection seems to be time based (you won't always get it) I would love if some people could verify if they're having this issue anymore or not.
 

cabfe

I've tried opening a dozen pages from Google, everything worked as usual.

It'd be better to have other people test too, but it looks like you fixed it, well done :)
 

♥SOURCE♥

Tried the same Google links that the antivirus software blocked the last few days and they are now indeed working as usual.
 

Susan

Just confirmation from my side that the links from Google to the RPGMakerWeb forums appear to be working as intended.

No redirection has happened since Nathanial's announcement.

Excellent job, Nathanial! Great job and congratulations! ^^
 

starcrescendo

I just got a problem while searching for "vx ace follower control" in Google; the first result leads me to the forums, and then I am redirected to a drive-by download page.

I put the link in the spoiler below so nobody unintentionally clicks it, but it is available for Nathanial for debug purposes. Not sure if something was added to particular threads or if there is some DNS issue...

 

Nathanial

Thanks for the report, starcrescendo :(
 

xonox

I was able to reproduce the problem mentioned by starcrescendo. Did the same search in Google and the URL4SHORT.INFO page is back. Seemed fine for a while.

If it was a PHP injection and the exploit they used to inject the PHP was not fixed, then maybe some sort of bot attacked the site again?

I had a problem like this some years ago when I was running a small forum. Except that *all* the PHP files of the forum software were injected with obfuscated PHP code. Never bothered to de-obfuscate the code as it was obfuscated multiple times and I'm not knowledgeable enough about PHP to write a script that would do it.
 

Nathanial

I already did a fresh file overwrite and checked the database. I think I know what's going on though, I'll just have to sort of... start over. 
 

Quickdraws

I did a Yahoo search for an rpgmaker forum link and had the same problem. Everyone seems to be mentioning Google, but the Yahoo search result did the same with the random redirect to url4short... Very annoying; it's been happening for the last week or so for me, and scanning with malware software and Norton hasn't seemed to help.
 

TheoAllen

Just tried already, and redirected.

Edit:
Second try

Not redirected.

Something fishy
 

xonox

I wish the people writing malware would decide to do something else. 

@TheoAllen

The redirect is random, sometimes you get it, sometimes you don't.

I feel your pain, Nathanial, having been there previously on my now deceased forum. (Wait, you're working on a Saturday evening. That's dedication.)
 

TheoAllen

Is this something to do with cookies, perhaps? Or is it not?
 

Nathanial

How often you get redirected has to do with cookies from what I understand, yes. 

I have a COA I plan on doing (sort of extreme and other admins might get annoyed with me) but it should do it.

If not, Invision Power will have to step in and help me look at the forum database to see if the database has something going on and re-infecting files after I apply completely fresh files.

I'll get it sorted out, it's just a hard thing to verify. I think I honestly did clean it, we just got reinfected due to three possible reasons.

I'll be taking the forums offline in a couple of hours to get to work.

Cheers!
 

xonox

Whatever you do, I appreciate the hard work you guys and gals do to maintain this forum. I hope all goes well.
 

TheoAllen

Good luck!

So, will there be any scheduled maintenance?
 

Jomarcenter

Umm... Cleared the cache, using a newer browser... Still getting the problem.

But what is the current version of this forum? I know there is a patch that was released a year ago to prevent this problem.

If this is getting way out of the tech's control... will the forums be reinstalled or something?

Hope this will be fixed since it is a major security issue with the possibility of profit loss anyway.
 

Nathanial

Please read any of the above posts made before yours. 

And this is a new variant of a problem "fixed years ago". 

I reinstalled the forums last night. I'm always up to date on patches. There's something deeper that needs to be addressed, most likely something in the database and it just needs to be found. It takes time.

Several IP Board forums have been hit with this recently just by browsing a bunch via Google. This isn't isolated to just us.

And no report of losses as far as I'm aware over a few-day issue that only SOMETIMES causes redirects (and only once every 10 hours when it does for an individual).

Between your PMs to me and your forum posts, give me a break here. 
 