Something causing redirects to very suspicious site!

Post by lgromanowski »

Rhys wrote: Hiya,
:!:
Something somewhere is occasionally causing me to quickly be redirected to another website when clicking links in the forum:

I will get redirected to the following (without the *'s) after clicking "board index"
htt*p://syntaxswitch.*ru/invisible*/index.php*

"index.php" is replaced with the other relevant page "address" from the forum
as in "index.php?i=pm&folder=inbox"
or "index.php?f=14&t=389"

Which then redirects to other various hack/malware looking sites (what I saw all had .co.cc domain suffix), some with warnings from Google, others which seem to start to load something and I close immediately. Some of the pages have titles like "system scanner" and weird addresses at .co.cc


So far I have only experienced this at this forum. I think I first noticed after going to "View unread posts" or "View new posts"

Anyone have some idea :?:
swick wrote: Same here. When I copy and paste the original address into a new window twice, I come to the site I wanted.
sir_herrbatka wrote: The same here.

It seems that we are under attack. :roll:

EDIT
Don't worry, we went through the hell of botwars and nothing can't stop us now ;-)
Lordrea wrote: Can someone delete their cache and see if it's still there? I think I cleared it up.

Fucking spammers.
Mordicus wrote: Hi,

The forum is still hacked. For example, click on "view unanswered posts" or "view active topics", then on any topic, and you will be redirected toward a Russian website (http://programm-profit.ru/....).

PS: the same thing happens if you click on "View unread posts | View new posts | View your posts" first, then click on any topic.
Peppe wrote: Clearing caches should not help, unless it cares about some cookies or something. This is server side.

Looking at traffic between me and 69.89.31.86

Code:

GET /forum/viewtopic.php?f=15&t=443 HTTP/1.1
Host: openmw.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.19) Gecko/20110430 Iceweasel/3.5.19 (like Firefox/3.5.19)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://openmw.com/forum/search.php?search_id=unreadposts
Cookie: phpbb3_gu83i_u=158; phpbb3_gu83i_k=value; phpbb3_gu83i_sid=someSidValue; style_cookie=null; MANTIS_VIEW_ALL_COOKIE=7; MANTIS_STRING_COOKIE=myCookie; MANTIS_BUG_LIST_COOKIE=138%2C31%2C81%2C91%2C9%2C13%2C15%2C16%2C17%2C19%2C20%2C21%2C22%2C8%2C158%2C157%2C156%2C155%2C12%2C139%2C154%2C2%2C153%2C152%2C141%2C25%2C27%2C26%2C151%2C150%2C149%2C148%2C147%2C146%2C145%2C144%2C140%2C143%2C142%2C137%2C10%2C7%2C24%2C134%2C136%2C130%2C135%2C133%2C49%2C128; PHPSESSID=mySession; MANTIS_secure_session=1

HTTP/1.1 301 Moved Permanently
Date: Sat, 18 Jun 2011 08:42:05 GMT
Server: Apache
Location: http://programm-profit.ru/include/index.php?f=15&t=443
Content-Length: 326
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://programm-profit.ru/include/index.php?f=15&t=443">here</a>.</p>
<hr>
<address>Apache Server at openmw.com Port 80</address>
</body></html>
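
Added example (not part of the original thread): the capture above shows the server itself answering with a 301 to a different host, with the forum's query string copied into the target. A Python check for that pattern, run on a trimmed copy of the quoted exchange; the function names and the trusted_hosts parameter are names chosen for this example.

```python
from urllib.parse import urlsplit

# Trimmed copy of the exchange quoted in the post above (cookies and body omitted).
CAPTURE = """\
GET /forum/viewtopic.php?f=15&t=443 HTTP/1.1
Host: openmw.com
Referer: http://openmw.com/forum/search.php?search_id=unreadposts

HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://programm-profit.ru/include/index.php?f=15&t=443
Content-Type: text/html; charset=iso-8859-1
"""

def parse_head(text):
    """Split one HTTP message head into (start_line, {lowercased header: value})."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_redirect(capture, trusted_hosts=()):
    """Return a finding dict if the response redirects to another host, else None."""
    req_text, resp_text = capture.strip().split("\n\n")[:2]
    req_line, req = parse_head(req_text)
    status_line, resp = parse_head(resp_text)
    status = int(status_line.split()[1])
    location = resp.get("location")
    if not (300 <= status < 400 and location):
        return None
    req_host = req.get("host", "").split(":")[0].lower()
    target = urlsplit(location)
    target_host = (target.hostname or req_host).lower()  # relative Location stays on-site
    if target_host == req_host or target_host in trusted_hosts:
        return None
    req_query = urlsplit(req_line.split()[1]).query
    return {
        "status": status,
        "from_host": req_host,
        "to_host": target_host,
        "query_copied": bool(req_query) and target.query == req_query,
        "referer": req.get("referer"),
    }

if __name__ == "__main__":
    print(check_redirect(CAPTURE))
```
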
Lordrea wrote: This appears to be a security flaw in phpBB, that has not as of yet been patched.

I haven't been able to find a solution, or how they are causing the redirect, but I am still looking into it.
raevol wrote:
Lordrea wrote:This appears to be a security flaw in phpBB, that has not as of yet been patched.
Oh... damn. :(
Rhys wrote: Looks like some others experiencing similar very recently:
From the little I understand - not only phpbb.
http://pkp.sfu.ca/support/forum/viewtop ... f=8&t=7640
http://translate.google.com.au/translat ... Fp%3D64012
Lordrea wrote: ... better now? I found one source of the hack and removed it.
Rhys wrote: Seems to be better so far, a 404 goes to a correct page and the whole forum seems more responsive too, cool :D
Do you know how it found its way in?



Btw did it delete the user avatars?
Lordrea wrote: I have to restore the avatars, yeah.

Still not sure how it found its way in, but I know the effect. Keeping a stricter eye on things now.

Either way, headache. Stupid hackers.
Mordicus wrote: Yes, much better, it sounds to have disappeared.
Husaco wrote: You likely know this, but in case you didn't, openmw.com/wiki/ and by extension openmw.com display the following error message:

Code:

Database error
A database error has occurred
Query: SELECT lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key= 'deps' LIMIT 1
Function: LCStore_DB::get
Error: 1146 Table 'rpaddict_mdw2.mw_l10n_cache' doesn't exist (localhost)
Zini wrote: I know. I PMed Lordrea about it.

Actually, it is not only the wiki. Forum and tracker were slow the whole morning and even had some downtime. Seems we are not out of trouble yet.
lgro wrote: There is the same problem with http://openmw.com - there is a strange redirect to: http://clearfight.ru/fortran/index.php
sir_herrbatka wrote: Go away and hack something else :roll:
lgro wrote:
sir_herrbatka wrote:Go away and hack something else :roll:
What do you mean? I just reported what I saw.
werdanith wrote:
lgro wrote:
sir_herrbatka wrote:Go away and hack something else :roll:
What do you mean? I just reported what I saw.
He was referring to whoever is screwing with our server, hopefully not you. :D

Anyway, I had this issue yesterday as well, it seems fixed now.
sir_herrbatka wrote:
He was referring to whoever is screwing with our server
yes

I mean... What does this damn asshole want? Attacking us won't bring glory, fun or money. :?

@Igro
Please stay and hack some more! Unless you get so bored to devastate our website :roll:

PS
@Lordrea: Administrator job is harder than I thought.
Greendogo wrote:
sir_herrbatka wrote:@Igro
Please stay and hack some more! Unless you get so bored to devastate our website :roll:
This may not sound as much like sarcasm as you think it does Herrbatka ;)

Yay, hopefully this problem will be fixed soon. I'm tired of hackers. Everything is getting hacked! My Gmail account was hacked a few weeks ago!!! And searching on Google was hacked for me for a while too! Yay!
sir_herrbatka wrote: Well... If even RSA can't defend itself - nothing can.
This may not sound as much like sarcasm as you think it does Herrbatka
I need to train more. ;-)
Lordrea wrote: Will be back home Saturday, and will get the wiki fixed then.

Hopefully.

For good.

Maybe.

(Fucking hackers.)
Zini wrote: How is it going? I don't like the idea of having a release with the main site down, but if it will take longer to fix the wiki, then there is little point in waiting.
lgro wrote:
Lordrea wrote:Will be back home Saturday, and will get the wiki fixed then.

Hopefully.

For good.

Maybe.

(Fucking hackers.)
Is there any progress with the wiki?
Zini wrote: Good question. The wiki being down is starting to become a problem. Can we have any kind of ETA?
Hircine wrote: Is the database for the wiki dead?

If there is a backup or it can be recovered, why not just reinstall the wiki and overwrite the new db with the old one.

If we have to start from scratch then so be it. I'm sure it won't take that much time to redo info, with a good selection of people working on it.

If you need help with it all, let me know in a PM.
Husaco wrote: In the meantime, perhaps we should set openmw.com/ to display the forum. A casual observer might think the project defunct if the link to the webpage shows an error message.
Zini wrote: Not a bad idea (assuming sorting out the wiki issues will take longer). How about adding a simple page, stating that the main site is currently down because of technical problems and listing a few important links (forum, source repository on github and download site)?
Hircine wrote: Anyone else get a site down error in the last 3 or so hours?
Zini wrote: It was down for a while a couple of hours ago.
Lordrea wrote: I'll be working on getting it back online as soon as possible.

Sorry for not being around the last couple of weeks. I've been out of town, and what time I've been working on the computer has been dedicated to my IA-32 Assembly class.

Worst case I restore a backup, and anything lost will just have to be redone. I'll attempt to restore what I can though, and I've a hope that it can be simply repaired instead. Most of the tables seem to be intact, but I need to repair a few, like the cache table listed.

Until then, I've made openmw.com direct to the forums.
Zini wrote: Out of interest, how old is the newest backup?
lgro wrote: If the wiki / main site will be unavailable for a longer period, I can prepare (if there are no objections, of course) a temporary WordPress- and MediaWiki-based site on my Rootnode shell account (I'm an administrator of another MediaWiki + phpBB website, and preparing such a site won't be any problem for me).
Zini wrote: Thanks for the offer, but that wouldn't be of much help at this stage unfortunately, because it would still not get us our wiki content back. We really need a statement from our site admin, but he seems to be unavailable at the moment.
Zini wrote: *push*

Any news? If not an ETA, then at least an answer to my question a few posts above?
Out of interest, how old is the newest backup?
ap0 wrote: The wiki is still dead :<
Hircine wrote: Should we create an external Wiki on wikia and re-build the more important parts, such as dev-environment, the intro & the roadmap...

thoughts?
Zini wrote: Clear no to Wikia. I absolutely hate their new skin. The roadmap has been integrated into the tracker.
As for the rest, I think there is simply too much content to rebuild it completely from scratch. We really need a statement from Lordrea before we can do anything about it. He wrote that he has a backup. In the last few weeks before the wiki went down there were not many changes. Maybe we can use it without losing much (depending on how old it is)
Zini wrote: * push * ? Not that this thread needs any pushing (it's still at the top of the forum). But *push* anyway.