Malicious Attack

For comments about the UNoT website and its player guides.
hologramblue
Huggy Chickens
Posts: 307
Joined: Nov 13, 2012 5:07 pm

i haven't been hit with anything because avast is blocking the malicious urls, but i've been redirected to shady-looking links when trying to access the ucp.
boh
Anonymous Fish

Even if you have an ad blocker it still will redirect you. This has affected me before and I thought it was just me because I didn't notice anybody else post about this. I have a good anti-virus on my computer (sunbelt VIPRE). I have deep-scanned my computer and found nothing. On top of that my computer is automatically set to do a quick-scan every night.

I usually receive the redirects when I click on the portal at the top here for the update page since the forum is bookmarked for me.

I've gotten random pages before and even gotten redirected to a porn website :/ I tend to keep away nowadays.
Ru-Ne Ni-Chaan
Ultimate Farming Fanatic
Posts: 1216
Joined: Nov 03, 2011 12:34 am

hologramblue wrote: i haven't been hit with anything because avast is blocking the malicious urls, but i've been redirected to shady-looking links when trying to access the ucp.

Uhh, like this?
Spoiler:
Image
WorMzy
Huggy Chickens
Posts: 270
Joined: Sep 22, 2008 4:19 pm

Well that's an unconvincing ad, Windows uses backslashes for directory paths. *shakes head*
Raven Mist
Spinich Bodyguard
Posts: 626
Joined: Oct 09, 2005 7:07 pm

It was happening on mine too while logging in... :/
Yaneci
Wacky Weed Puller
Posts: 135
Joined: Aug 22, 2010 2:37 pm

Vann Borakul wrote: I was redirected to porn after clicking the back fence o_O
My OS is like a day old

I think it happened right after the website told me a plugin on this website said I needed to install a java runtime environment thing. I'm pretty sure the redirect happened before it finished

I can PM the urls or something if that helps. The URLs are gibberish, but link to ushi

A friend posted this on another forums, in a thread we both frequent. If everyone who's having the issue has updated java then maybe that's it?

HEY GUYS

Friendly PSA from your local computer nerd!

There's a really bad exploit for Java that was released into the wild that uses a known security hole in order to remotely install software on your machine. This means that someone could install and run software on your computer without you even knowing about it. Everyone who uses Windows should disable Java on all of their internet browsers ASAP.

Here's some more information:
http://www.us-cert.gov/cas/techalerts/TA13-010A.html
http://www.kb.cert.org/vuls/id/625617
http://news.yahoo.com/government-warns- ... ector.html

Some websites are gonna look really ugly with Java turned off, but this is better than getting your files deleted or your personal info compromised. Oracle (the company who makes Java) has known about this since August last year and has blown off fixing it.
edit: Also I've run into the issue (minus the porn site redirect) but only when I google ushi no tane and try to get to the ANB page from there. And only the ANB page, all other ushi no tane pages I get to from google don't give me the issue.
Saikatsu
New Seedling
Posts: 6
Joined: Oct 27, 2006 6:30 pm

Yaneci wrote: A friend posted this on another forums, in a thread we both frequent. If everyone who's having the issue has updated java then maybe that's it?

I'm running AdBlock (sorry, I don't trust ad serving domains and this is exactly why, I would rather just hand my money over directly) and NoScript. I have not installed anything Java related beyond the runtime itself. The only Java application I've run is Minecraft, and no one I know who plays it is running into this issue. NoScript is configured to not run any embedded Java unless I authorize it, and I have not done so at all yet.

All scans come up clean. Yes, I realize that's not an absolute confirmation, but I am only ever encountering these redirects on the fogu.com domain, nowhere else. I browse quite a bit, it's not coincidental.

Here's a probably full list of addresses I've been redirected to:
EDIT: Finally have a redirect with what link I clicked on, if it helps. First one so far that wasn't a .eu domain.
Spoiler:
Page I was on: http://www.fogu.com/hmforum/viewtopic.php?f=28&t=140231
Link I clicked: http://www.fogu.com/hmforum/viewforum.php?f=28
Redirect: 34c360c197fac1f7.belcantotoday.com/index.php?c=YWFqYWNhcD1wY3VjdiZ0aW1lPTEzMDExNDAwMjUxMDczNjQ4MzM1JnNyYz05JnN1cmw9d3d3LmZvZ3UuY29tJnNwb3J0PTgwJmtleT1ENkMyOUNBMiZzdXJpPS9obWZvcnVtL3ZpZXdmb3J1bS5waHAlM2ZmPTI4
Last edited by Saikatsu on Jan 13, 2013 7:13 pm, edited 1 time in total.
SilverFire
UNoT Extreme Mooomber
Posts: 2102
Joined: Jun 01, 2010 6:28 am

Well I just got hit by clicking on the link to the PG section. Yay for Avast and Firefox.
Spoiler:
Image
I've been pretty good so far in not getting hit but my time has come v~v
Kitana Coldfire
Huggy Chickens
Posts: 323
Joined: Jan 09, 2009 1:50 pm

So this is why I've been getting more notifications from my antivirus about blocked port scans. I was wondering why the number suddenly seemed to jump.....

It certainly seems like someone is out to get fansites lately. Pokejungle got hacked a few months back, Bulbapedia just a few weeks ago, and now Ushi.
SilverFire
UNoT Extreme Mooomber
Posts: 2102
Joined: Jun 01, 2010 6:28 am

Apparently PG is the hot area atm. I got pinged again;
Oslm-markguy
Carrots... yum
Posts: 516
Joined: Nov 26, 2011 12:44 pm

I have a question... If I get an infection warning, should I be worried? Or is it just one of those fake ones?
SilverFire
UNoT Extreme Mooomber
Posts: 2102
Joined: Jun 01, 2010 6:28 am

I'd run a scan just to be safe.
Cherubae
UNoT Dictator
Posts: 8610
Joined: Sep 28, 2000 7:12 pm

SilverFire wrote:
Spoiler:
Image
It says right in the error where that is from. It isn't even the same urls we're dealing with.
Kitana Coldfire wrote: So this is why I've been getting more notifications from my antivirus about blocked port scans. I was wondering why the number suddenly seemed to jump.....
:roll: port scans have nothing at all to do with this issue.

On the one machine that I was able to replicate on, it has been redirect/porn free for the past 4 days after I cleared Firefox cache, cookies, and browsing history. Typically the .eu redirect occurred once per day, but nothing has triggered since I wiped the history. I could never get it to trigger in IE.

If you're getting the redirect, clear those three datafields from your browser.
Kitana Coldfire
Huggy Chickens
Posts: 323
Joined: Jan 09, 2009 1:50 pm

Cherubae wrote:
Kitana Coldfire wrote: So this is why I've been getting more notifications from my antivirus about blocked port scans. I was wondering why the number suddenly seemed to jump.....
:roll: port scans have nothing at all to do with this issue.

On the one machine that I was able to replicate on, it has been redirect/porn free for the past 4 days after I cleared Firefox cache, cookies, and browsing history. Typically the .eu redirect occurred once per day, but nothing has triggered since I wiped the history. I could never get it to trigger in IE.

If you're getting the redirect, clear those three datafields from your browser.
Huh, really? I figured they were connected since the scan notifications tended to follow the site attempting to redirect, but maybe I'm mistaken. If so, I apologize for my erroneous thinking. This college wifi is odd. ^^;

Regardless, my firewall just takes me to a blank page when the attempted redirects happen, though I don't think it's attempted again since I turned AdBlock back on.
Keera
Ultimate Farming Fanatic
Posts: 1557
Joined: Oct 04, 2011 7:41 pm

I cleared that stuff from my browser a few days ago and thought it would fix it. It did seem like it went away because I went a whole, like.. day and a half without getting that anymore.

However just now I got

http://70878435736e2563015009130116010750259946cfaf9a4fed1f986c90deb03.ctsau.com/sort.php

I'll try clearing my stuff again right now and let you know if it happens again.