Okay, this has happened twice to me on two different computers and different locations. From the home page I scrolled down and clicked on the title "Thane Heins" and up pops a porn page. There is something going on with this website. I even have a porn blocker on my home computer and it did not catch it.
Fred
Yes, I agree, if there's going to be pr0n that pops up, I at least want it to be in English also.
...it's a full size popup too.
Stefan, this is seriously tasteless.
What is up with the popup?
Russians found free energy heating?
Lots of energy there, they don't even need to be dressed anymore.
Yeah, I saw it too. ??? It's almost like the site got 'soft hacked', i.e. meaning no flashy 'ha ha ha I got you' message.
Oh so it wasn't some crap on my pc causing it. Stefan surfing your forum got a bit dangerous. What if someone walked in and a pron pop up showed up.
Quote from: broli on May 09, 2009, 06:10:34 PM
Oh so it wasn't some crap on my pc causing it. Stefan surfing your forum got a bit dangerous. What if someone walked in and a pron pop up showed up.
Same thing happened to me. I clicked up Thane's thread and a naked Russian teen popped up in secondary window. Not cool. I have enough trouble explaining posting to an OU website. I would rather not have to explain a Russian teen porn site.. Somehow I think the believability limit would be exceeded. Oh wait.. I am posting to an OU site ;)
Ditto.
Happened when I made a preview click on a topic teaser to see the full last post.
I saw "teen" and ".ru" in the loading URL and killed it before it loaded, but it would seem that there is an exploitable flaw in the newest SMF.
I'm having the same issues and this is against international law I believe. Stephan could you please send an all clear email to all members as I will have to exclude this site from my agenda.
Stefan it seems the current version of SMF has an exploit which a Russian site is using
http://nnovclub.ru/ I believe...
Not destructive but disruptive
Recommend checking with simplemachines.org
And the popup also plants a cookie.
Delete or block this cookie; "video-huk.ru"
I saw it because I use Firefox and Firefox must always ask me if I want a cookie or not.
Just want to let you all know.
Maybe the cookie doesn't do anything bad.
Quote from: AquariuZ on May 09, 2009, 07:44:52 PM
Stefan it seems the current version of SMF has an exploit which a Russian site is using
http://nnovclub.ru/ I believe...
Not destructive but disruptive
Recommend checking with simplemachines.org
This was posted in the Thane thread.
If you go to Google.com and type in Overunity the first link that is shown states Overunity.com but when you select that link it takes you to the Russian site (http://nnovclub.ru/ ) that has the P0RN that pops up in multiple windows.
Somehow in Google the Overunity site is now linked to the Russian Site that has P0RN. Is Stephan using the same IP provider ???
Does not seem to happen with other search engines (like Yahoo) but then they may be behind in updating.
..this website has been a closet of surprises lately. I go to take finals for college, and then come back and there's a pr0n popup and a Christmas-tree theme.
I looked at the SMF 2.0 software, it does not recommend use for a production site. As I recall from earlier versions of SMF, things are a bit scary code-side; and from the looks of the source it generates, the styling of output is done with about a dozen different style sheets.
All this website needs is one good set of style sheets and a back-end hack to fit the advertising in and everything will be ok.
As it stands, there wasn't really any use in changing forum versions - I wonder how version 2 stacks up to version 1.8?
I never have fancied all of the junk that SMF comes with out of 'box'...there are better templating systems out there as well. 'smarty' is one of them.
Quote from: Tink on May 09, 2009, 08:32:25 PM
And the popup also plants a cookie.
Delete or block this cookie; "video-huk.ru"
I saw it because I use Firefox and Firefox must always ask me if I want a cookie or not.
Just want to let you all know.
Maybe the cookie doesn't do anything bad.
I had the same Russian teen hard core when clicking through to the Tommey Reed thread. Technically, it wasn't a pop-up
but opened in a new browser.
There is something bad going on here which needs to be
dealt with.
Paul.
Hi,
Anybody else that experience that a bad site pops up as soon as you enter overunity.com? It seems to happen every time I move the mouse over the logo flash section.
Vidar
Same thing here, new browser window opened at http://rus-teenagers.ru, added to Adblock and firewall to block the IP 91.202.63.108.
Regards,
Paul
Hi,...
Try using Firefox, and then install the addons AdBlock Plus and NoScript, and you will be ok. NoScript will block the site "1traffu.ru", from what I can see that seems to be the problem.
It's what I'm using and have had no problems with pop-ups.
Not only this! I just got a false notify about a topic I followed. In a link that normally should point to an overunity topic I got directed to some Russian webpage.
Stefan do some backup of the forum when it's still in one piece.
And to say that my good email is now on some spammer's list somewhere...
Free Energy Open Source Research Forum OverUnity.com <harti@harti.com>
to -------------------
data 10 may 2009 13:27
subject Topic reply: Air - water electric generator
send by harti.com
Follow up message
A reply has been posted to a topic you are watching by Cloxxki.
View the reply at: http://www.overunity.com/index.php?topic=6072.new;topicseen#new
Unsubscribe to this topic by using this link: http://www.overunity.com/index.php?action=notify;topic=6072.0
More replies may be posted, but you won't receive any more notifications until you read the topic.
Regards,
The Free Energy Open Source Research Forum OverUnity.com Team.
Quote from: Low-Q on May 10, 2009, 07:11:54 AM
Hi,
Anybody else that experience that a bad site pops up as soon as you enter overunity.com? It seems to happen every time I move the mouse over the logo flash section.
Vidar
Hi LowQ
I've experienced the same problem as you described and posted the server information in the pop-ups thread at http://www.overunity.com/index.php?topic=7441.msg177412#msg177412
The following information is for anyone who is using a Windows operating system and doesn't have Firefox and/or AdBlock and/or NoScript installed, or any other way to block this for that matter:
1. Go to C:\WINDOWS\system32\drivers\etc\hosts (When you double click on it choose to open with Notepad or Wordpad). See picture 1 below.
2. Copy and paste the following at the end of the file and click save. See picture 2 below.
When this problem has been fixed on the site simply remove the entry from the hosts file and save the changes to bring the hosts file back to its original state.
Regards,
Paul
Quote from: Creativity on May 10, 2009, 08:43:53 AM
Not only this! I just got a false notify about a topic I followed. In a link that normally should point to an overunity topic I got directed to some Russian webpage.
Stefan do some backup of the forum when it's still in one piece.
And to say that my good email is now on some spammer's list somewhere...
Free Energy Open Source Research Forum OverUnity.com <harti@harti.com>
to -------------------
data 10 may 2009 13:27
subject Topic reply: Air - water electric generator
send by harti.com
Follow up message
A reply has been posted to a topic you are watching by Cloxxki.
View the reply at: http://www.overunity.com/index.php?topic=6072.new;topicseen#new
Unsubscribe to this topic by using this link: http://www.overunity.com/index.php?action=notify;topic=6072.0
More replies may be posted, but you won't receive any more notifications until you read the topic.
Regards,
The Free Energy Open Source Research Forum OverUnity.com Team.
@ Creativity & All
Before you delete or add this email spammer to your spam filter please go to the "view information" section of the email and copy the sender's information (IP address and routes), you could post it here to help Harti block these guys if possible.
Regards,
Paul
Hmm,
somebody managed to access my
.htaccess file.
They added the following code:
Quote
RewriteCond %{HTTP_REFERER} .*google.*$
RewriteRule .* ht tp://xxxxxxx..ru/ [R,L]
(Website name changed, so if someone clicks it it will not open up)
How can this be, if I had the .htaccess file
on 755 permission ?
Maybe they hacked or used my Spider-Trap.de
php files to manipulate the
.htaccess file ?
Okay, I will see now, if there is a new version of
the spider trap script and changed the paths...
So the P.O.R.N sites are gone now ! ;D
Regards, Stefan.
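A defender-side check for the kind of change described in the post above, as an added example that is not part of the original thread: it walks an .htaccess file, pairs each RewriteCond with the RewriteRule it guards, and reports rules that send visitors to a host outside the site, marking those gated on the Referer or User-Agent header. The sample file, the placeholder target host and the `own_hosts` value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: two legitimate rule sets plus an injected pair shaped like
# the one quoted in the post. The redirect target is a placeholder host.
SAMPLE_HTACCESS = "\n".join([
    r"RewriteEngine On",
    r"RewriteCond %{REQUEST_FILENAME} !-f",
    r"RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]",
    r"RewriteCond %{HTTP_REFERER} .*google.*$",
    r"RewriteRule .* http://redirect-target.example/ [R,L]",
    r"RewriteCond %{HTTP_HOST} ^overunity\.com$ [NC]",
    r"RewriteRule ^(.*)$ http://www.overunity.com/$1 [R=301,L]",
])

# Request headers a redirect can be keyed on so that the site owner, who types
# the URL directly, never sees it while search-engine visitors do.
CLOAK_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")
TOKEN = re.compile(r'"[^"]*"|\S+')
ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def same_site(host, own_hosts):
    """True if host is one of the site's own names or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in own_hosts)


def external_host(substitution, own_hosts):
    """Return the target host if the substitution leaves the site, else None."""
    if not ABSOLUTE_URL.match(substitution):
        return None
    try:
        host = urlsplit(substitution).hostname
    except ValueError:
        return None
    # A host built from variables or back-references cannot be judged statically.
    if not host or "%" in host or "$" in host:
        return None
    return None if same_site(host, own_hosts) else host


def scan_htaccess(text, own_hosts):
    """Report RewriteRules that redirect off-site, with the conditions guarding them."""
    findings, pending_conds = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = [t.strip('"') for t in TOKEN.findall(raw.strip())]
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewritecond" and len(tokens) >= 3:
            pending_conds.append(tokens[1])      # the TestString, e.g. %{HTTP_REFERER}
        elif directive == "rewriterule":
            if len(tokens) >= 3:
                host = external_host(tokens[2], own_hosts)
                if host:
                    cloaks = sorted({v for c in pending_conds
                                     for v in CLOAK_VARS if v in c.upper()})
                    findings.append({
                        "line": lineno,
                        "target_host": host,
                        "cloaked_by": cloaks,
                        "severity": "high" if cloaks else "review",
                    })
            pending_conds = []                   # conditions apply to one rule only
    return findings


if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE_HTACCESS, {"overunity.com"}):
        print(finding)
```

Run against every .htaccess under the web root, not only the top-level one, since the file is read per directory.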
Has anybody any good experience with a good and free
open source website firewall software ?
Is there any PHP package that can block bad spiders
and users, who want to abuse a forum ?
Many thanks.
Regards, Stefan.
:D ;D :D ;D
a different kind of pulse motor :o
I thought somebody had hacked into my wifi link
;) cat
It works with NoScript preference.
I run Firefox under Sandboxie.
http://www.sandboxie.com/
Hi Stefan,
I've used a software called moblock (gui control is mobloquer) to disallow connections from various hosts based on online databases that are constantly updated for specific types of hosts or abusive IP ranges. It was originally posted for torrent connections but would work fine for abusive hosts connections to an http server and you can make a custom config file to add hosts not caught by the databases you choose.
IPTABLES is the default firewalling program for linux kernels and has many graphical front ends to work with (firestarter, firewallbuilder, webadmin plugin, etc.) that will do just what moblock does (in fact it is what moblock uses to function).
FAIL2BAN is a nice program that crawls your logs in /var/log and will selectively look for abusive behavior aimed at services like ssh, http, https, xinetd, PAM, etc. and ban the abusive IPs for a specified length of time (I use it for ssh and http(s) ) using iptables rules.
/etc/hosts.deny is a tried and true fall back to disallow certain IPs access
to web services but requires manual filtering of the logs for abuse and manual entry into the file to ban them.
For ease of use, I'd try mixture of moblock and fail2ban first as they are a "safer" way to manipulate iptables more easily.
Hand hacking iptables rules from command line works just as well, but command syntax is sometimes pretty arcane.
WARNING: With any of these tools it IS possible to lock out any type of network access to the machine if you misconfigure them!!!!
You might want to configure and test them with nmap or wireshark on a different machine/test LAN, and then copy the successfully tested configs over to the production machine (web server).
Hope That Helps!
Quote from: Goat on May 10, 2009, 08:46:49 AM
Hi LowQ
I've experienced the same problem as you described and posted the server information in the pop-ups thread at http://www.overunity.com/index.php?topic=7441.msg177412#msg177412
The following information is for anyone who is using a Windows operating system and doesn't have Firefox and/or AdBlock and/or NoScript installed, or any other way to block this for that matter:
1. Go to C:\WINDOWS\system32\drivers\etc\hosts (When you double click on it choose to open with Notepad or Wordpad). See picture 1 below.
2. Copy and paste the following at the end of the file and click save. See picture 2 below.
When this problem has been fixed on the site simply remove the entry from the hosts file and save the changes to bring the hosts file back to its original state.
Regards,
Paul
paul is right, hosts files work great. if used properly, they can be better than most firewalls. your windows operating systems checks it FIRST before asking your DNS server so why not use it?
personally, i don't use a 'enumerate the badness' policy. it puts you in an endless 'arms race'. i use a deny all and enumerate the goodness, but most people don't even know the difference between ram and rom so... 'default permit' and 'enumerate the badness' it is.
this link makes it easy for anyone, to easily modify their host file to block a ton of crap sites like this russian one.
http://www.mvps.org/winhelp2002/hosts.htm
find the zip file. download it, extract it, run the batch (.bat) file and you're done. read the page and learn something about how your computer works, it's in lay terms.
i don't use adblock or any firefox plugins and i haven't seen a bit of russian pron...
for those interested, here is a quick read of why using a default permit, and then enumerating the badness is a BAD IDEA.
http://www.ranum.com/security/computer_security/editorials/dumb/
if you read this, be sure to click the link to richard feynman's "Personal Observations on the Reliability of the Space Shuttle". it's a great read too.
Well, somebody managed to add
2 lines of p.o.r.n code into the .htaccess file,
probably via an outdated spider-trap.de
script I had been running here.
Have a look at this:
http://www.overunity.com/index.php?topic=7444
It is fixed now.
If you still have the problem,
Please clear your browser cache.
Quote from: hartiberlin on May 10, 2009, 05:15:27 PM
It is fixed now.
No, it isn't, Stefan. At least, not at 11.32pm, (10.32 BST). I got the same site again.
Quote from: Paul-R on May 10, 2009, 05:36:01 PM
No, it isn't, Stefan. At least, not at 11.32pm, (10.32 BST). I got the same site again.
So did I.
Hmm,
Did you clear your browser cache and cookies ?
Please try again.
Can you see, where in the source code it is located ?
Many thanks for your help.
Regards, Stefan.
Which thread do I click on to get the porn pop-ups ?
Seriously though, I thought it odd...given that I never go on threat designated sites.
I hope Stefan can get the matter dealt with soon...or at least keep the porn updated until its fixed.{:~>
I would like to have the old front page back soon also.
Regards...
Quote from: exxcomm0n on May 10, 2009, 01:46:20 PM
Hi Stefan,
I've used a software called moblock (gui control is mobloquer) to disallow connections from various hosts based on online databases that are constantly updated for specific types of hosts or abusive IP ranges. It was originally posted for torrent connections but would work fine for abusive hosts connections to an http server and you can make a custom config file to add hosts not caught by the databases you choose.
IPTABLES is the default firewalling program for linux kernels and has many graphical front ends to work with (firestarter, firewallbuilder, webadmin plugin, etc.) that will do just what moblock does (in fact it is what moblock uses to function).
FAIL2BAN is a nice program that crawls your logs in /var/log and will selectively look for abusive behavior aimed at services like ssh, http, https, xinetd, PAM, etc. and ban the abusive IPs for a specified length of time (I use it for ssh and http(s) ) using iptables rules.
/etc/hosts.deny is a tried and true fall back to disallow certain IPs access
to web services but requires manual filtering of the logs for abuse and manual entry into the file to ban them.
For ease of use, I'd try mixture of moblock and fail2ban first as they are a "safer" way to manipulate iptables more easily.
Hand hacking iptables rules from command line works just as well, but command syntax is sometimes pretty arcane.
WARNING: With any of these tools it IS possible to lock out any type of network access to the machine if you misconfigure them!!!!
You might want to configure and test them with nmap or wireshark on a different machine/test LAN, and then copy the successfully tested configs over to the production machine (web server).
Hope That Helps!
Hmm,
I don´t have access to the server´s IPTables over here at the
hosting company cause it is running a special clustered server configuration.
So I would need a PHP based firewall script or something
similar.
I have looked around, but so far found no
real good open source script, only one for 120 US$:
http://firewallscript.com/
Does anybody of you use it ?
Is it good ?
Regards, Stefan.
Sorry Stefan,
I forget you're on a hosting server.
I've gone to servage.net and looked at the options and features of the account and the only user configurable security I see is the ability to use an .htaccess file for per directory permissions.
The only other thing I can see is to really explore the web based administration panel and see if there is host.deny or any other access control method available to you there.
I'm looking into the PHP Firewallscript and I think it's your best bet if your site management actions are limited, but remember to ask tech support if there are any other options as they will know their environment best.
EDIT:
This is from the wiki @ servage:
How do I deny one/multiple IP addresses/hostnames/domains with .htaccess files?
Copy these lines below into a .htaccess file:
AuthName "Access for webmaster only."
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 11.222.123.99
</Limit>
Change "11.222.123.99" with your own IP address (use only if you have static IP).
With more IP addresses/hostnames/domains:
# Block a subnet, e.g. 123.234.56.0 through 123.234.56.255
deny from 123.234.56.
# Block a specific host name
deny from machine.domain.com
# Block a given domain name:
deny from .otherdomain.com
EDIT 2:
about Firewallscript:
FireWall Script requires PHP5 and ioncube to run. ioncube loaders are included with the software, however there is still a possibility your host will need to load ioncube via php.ini, depending on the server configuration.
Our software does not use any database engine at this time.
2 things are a little worrisome. There have been no new posts in the forum since Sept. 2008 and:
"Perpetual license: the software will run indefinitely and will NOT automatically terminate at the end of the renewal period. Includes 1 year of support and upgrades with initial purchase. Software does automatically renew annually to renew your support and upgrades."
Which means you have to remember to find the off button for automatic updates or be very careful around the time your purchase expires to make sure it doesn't auto-update.
Could it be, that it only comes up,
if one is posting a message ?
Somehow I had it also again but very weirdly very
few times only...
Hmm..
I don´t find any hidden code in any script blocks yet..
May 11, 2009, 02:10:39 AM
I just had it coming up after posting a message. Strangely though it did not come up on the browser that showed the OU pages but booted up the browser a second time (firefox)
Hope that helps
Hans
Quote from: exxcomm0n on May 10, 2009, 07:30:36 PM
Sorry Stefan,
I forget you're on a hosting server.
I've gone to servage.net and looked at the options and features of the account and the only user configurable security I see is the ability to use an .htaccess file for per directory permissions.
The only other thing I can see is to really explore the web based administration panel and see if there is host.deny or any other access control method available to you there.
I'm looking into the PHP Firewallscript and I think it's your best bet if your site management actions are limited, but remember to ask tech support if there are any other options as they will know their environment best.
EDIT:
This is from the wiki @ servage:
How do I deny one/multiple IP addresses/hostnames/domains with .htaccess files?
Copy these lines below into a .htaccess file:
AuthName "Access for webmaster only."
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 11.222.123.99
</Limit>
Don't these lines only allow one IP address
11.222.123.99
to access the whole website ?
Or is it a code to allow access to edit
the file
.htaccess
only itself ?
Quote
about Firewallscript:
FireWall Script requires PHP5 and ioncube to run. ioncube loaders are included with the software, however there is still a possibility your host will need to load ioncube via php.ini, depending on the server configuration.
Our software does not use any database engine at this time.
2 things are a little worrisome. There have been no new posts in the forum since Sept. 2008 and:
"Perpetual license: the software will run indefinitely and will NOT automatically terminate at the end of the renewal period. Includes 1 year of support and upgrades with initial purchase. Software does automatically renew annually to renew your support and upgrades."
Which means you have to remember to find the off button for automatic updates or be very careful around the time your purchase expires to make sure it doesn't auto-update.
Yes, the license agreement is not too good and I find it also too expensive.
So I am still looking for an open source or free or cheaper
solution.
The problem is, that I probably have to access to the IPTables,
so I can not run software like PHP Firewall generator or the other
programs that you suggested.
As far as I can tell it is OK now...
Remove all cookies from Russian domains (.ru)
Some have session ID´s pointing to those skin sites
No more popups for now...
I still think a SMF template file compare with a backup to find any modification should be done
find with diff > check
If .htaccess was compromised they may have laid their hands on the templates
The problem does not appear as related to browser cache and cookies.
I just used a laptop that hasn't run in months to access this site. Seconds after entering the OU URL the .RU garbage popped up in a new window.
Harti
You may also wish to check httpd.conf or any includes. If they modified your ht-access they may have inserted redirects in conf files.
If this is not the case then my problem must be in the upstream cache system.
I just looked at the main page source. There is no .ru or other identifiers that I know of.
Quote from: AquariuZ on May 10, 2009, 08:15:49 PM
As far as I can tell it is OK now...
Remove all cookies from Russian domains (.ru)
Cookies are just only stored in your browser,
so the user has to clear his cookies in the browser.
Quote
Some have session ID´s pointing to those skin sites
What are session IDs in cookies ?
Do they call up automatically the sites ?
Quote
No more popups for now...
I still think a SMF template file compare with a backup to find any modification should be done
find with diff > check
If .htaccess was compromised they may have laid their hands on the templates
How could they access the template files if they just managed to use
an older script that just updated the .htaccess file ?
They probably used the spider-trap script to somehow
add their code into the .htaccess file.
The spider-trap script is now disabled,
so I am looking for a different website firewall script now.
I don´t think they had FTP access, otherwise they would have been doing
much more nasty things..
Quote from: hartiberlin on May 10, 2009, 08:15:33 PM
Or is it a code to allow access to edit
the file
.htaccess
only itself ?
correct
this is a pretty good quickie on .htaccess stephan.
http://corz.org/serv/tricks/htaccess.php
It somehow is tied to the login. I booted up the browser as guest and the minute I logged in as me the second browser window came up. I think there are several triggers sitting on the server.
When booting up the browser, if you look at the bottom bar in firefox where it tells you what the computer is doing it very very quickly shows Russian addresses before coming up with "transferring data from overunity.com"
Perhaps it is only visible here because I have a landline, broadband might be too fast to show up.
Hans von Lieven
Quote from: hartiberlin on May 10, 2009, 08:22:26 PM
Cookies are just only stored in your browser,
so the user has to clear his cookies in the browser.
What are session IDs in cookies ?
eh, yeah that´s what I meant. Everyone get rid of the .ru cookies
Quote
Do they call up automatically the sites ?
One I threw away contained a PHP sessid, this can be used for various purposes..
Quote
How could they access the template files if they just managed to use
an older script that just updated the .htaccess file ?
They probably used the spider-trap script to somehow
add their code into the .htaccess file.
The spider-trap script is now disabled,
so I am looking for a different website firewall script now.
I don´t think they had FTP access, otherwise they would have been doing
much more nasty things..
You can execute any command (i.e via PHP) when they have write access to .htaccess. (via via via) assuming you are running Apache on Linux
Please check PM for details
Hmm,
it really must be related to Session IDs,
very strange, do not know yet this trick.
If I clear my browsers cache and cookies and
click this link:
http://www.overunity.com/index.php?action=unreadreplies
and then press the
HOME button
Then the p.or.n site is loading...
The Home button has some session cookie attached.
I guess I try to change the cookie, that SMF is sending,
maybe this will help ?
Take the browser off automatic log in. Make overunity your default homepage. close the browser.
Re-open the browser, it will come up as guest. click on login and log in and the Russian site appears in a new window. Seems to work every time.
Hans von Lieven
Quote from: hansvonlieven on May 10, 2009, 08:55:12 PM
Take the browser off automatic log in. Make overunity your default homepage. close the browser.
Re-open the browser, it will come up as guest. click on login and log in and the Russian site appears in a new window. Seems to work every time.
Hans von Lieven
Yes that fits what I think is going on... Did you explicitly remove your .ru cookies locally? I have not had the popup for an hour now....
They are using a server reference to the session id and may have injected some code in a handler via PHP. This should not be possible if PHP is up to date though-
Quote from: hartiberlin on May 10, 2009, 08:47:33 PM
Hmm,
it really must be related to Session IDs,
very strange, do not know yet this trick.
If I clear my browsers cache and cookies and
click this link:
http://www.overunity.com/index.php?action=unreadreplies
and then press the
HOME button
Then the p.or.n site is loading...
The Home button has some session cookie attached.
I guess I try to change the cookie, that SMF is sending,
maybe this will help ?
If you change the cookie everyone needs to login again, but that´s ok.
Please check the article I sent you on PHP passthru & sessions
Also if you are running proftpd 1.3.x not safe either, check bottom of article
Still no popup BTW, whatever I do
AZ
This is how it is re-directing it. It uses a yahhoou.com site see below
Hans
Quote from: hansvonlieven on May 10, 2009, 09:07:10 PM
This is how it is re-directing it. It uses a yahhoou.com site see below
Hans
That´s a url rewrite via a cookie I suspect a client side problem...
I am puzzled why you still see this after clearing cache (Stefan too) and I do not anymore.
All I did was in Firefox search for all .ru cookies and remove them one by one... (Wanted to see the content)
Tools -> Privacy -> Show Cookies -> Search .ru
Anything?
Use "internet options" in your Control Panel on Windows to enter this as a restricted site on the Security Settings Tab.
This blocks it and allows access to Overunity.com without that garbage popping up.
This is what comes up under overunity cookies.
All other cookies plus the whole browser history is deleted. I can still bring it up though. ???
Hans
I have to go to sleep now, I am very tired, it is already 3:30 am in the morning.
I will try to find it tomorrow.
It is not in the index.php file.
I just exchanged this versus a clean one
from overunity.de
so it is not in the index.php which loads first.
Have to exchange the other files tomorrow.
Sorry, but just close the P.o.r.n windows, if they pop up
for now.
Regards, Stefan.
When ever I clear cookies and cache in my browser and
then call:
http://www.overunity.com/index.php?action=unreadreplies
and then click
Home,
the Home button has this session ID code:
http://www.overunity.com/index.php?PHPSESSID=087688eae0f068f570fb7fa7f727da35&
and this seems to load the smut site in another window.
@all
I don't mean to sound stupid... ;D
But, How can I avoid those P.or.n Popups??
I'm no tech geek, so, bear with me... LOL!!
It's very annoying... :D
Quote from: lon92 on May 11, 2009, 03:14:39 AM
@all
I don't mean to sound stupid... ;D
But, How can I avoid those P.or.n Popups??
I'm no tech geek, so, bear with me... LOL!!
It's very annoying... :D
You are not stupid Ion,
This is obviously a server problem and Stefan will sort it out eventually. These spam guys are crafty and know their technology. It is not easy, at times, to beat them. I don't envy Stefan his task.
Hans von Lieven
Quote from: hartiberlin on May 10, 2009, 09:41:34 PM
When ever I clear cookies and cache in my browser and
then call:
http://www.overunity.com/index.php?action=unreadreplies
and then click
Home,
the Home button has this session ID code:
http://www.overunity.com/index.php?PHPSESSID=087688eae0f068f570fb7fa7f727da35&
and this seems to load the smut site in another window.
Stefan, I have found the malicious code
Can post because it is a standard russian popup handler.
Source code: http://1traff.ru/script/js.php?id=41360&mode=clickunder (safe to click)
Reference: (Auto translated from Russian)
http://translate.google.es/translate?u=http%3A%2F%2Fwww.bepartner.ru%2Fshowthread.php%3Ft%3D7251&sl=ru&tl=en&hl=en&ie=UTF-8
It is basic javascript (maybe dynamically injected) please search all content & templates for 1traff.ru
At the moment calls are made to 1traff.ru please check server logs for origin.
AZ
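The two checks suggested in this thread, comparing the live files against a known-good copy and searching modified files for the injected host, combined in one added example that is not part of the original posts. The directory layout, file contents, the placeholder host `popunder.example` and the `own_hosts` value are constructed; the sketch also lists files that exist only on the live side, which is where leftover scripts show up.

```python
import hashlib
import re
import tempfile
from pathlib import Path

URL_HOST = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.I)


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def foreign_hosts(path, own_hosts):
    """Hosts named in URLs inside the file that are not the site's own."""
    found = URL_HOST.findall(Path(path).read_bytes())
    hosts = {h.decode().lower().rstrip(".") for h in found}
    return sorted(h for h in hosts
                  if not any(h == o or h.endswith("." + o) for o in own_hosts))


def audit(clean_root, live_root, own_hosts):
    """Compare live files with the clean copy and list newly referenced hosts."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
        "new_hosts": {},
    }
    for rel in report["modified"] + report["added"]:
        # Hosts the clean copy already references (vendor links etc.) are not news.
        baseline = foreign_hosts(Path(clean_root) / rel, own_hosts) if rel in clean else []
        new = [h for h in foreign_hosts(Path(live_root) / rel, own_hosts)
               if h not in baseline]
        if new:
            report["new_hosts"][rel] = new
    return report


def demo():
    """Build a constructed clean/live pair in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {  # constructed stand-ins for forum files
            "index.php": "<?php require 'SSI.php'; ?>\n",
            "Themes/default/index.template.php":
                '<a href="http://www.simplemachines.org/">SMF</a>\n',
        }
        for root in (clean, live):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Constructed tampering: a script tag appended to a template ...
        tpl = live / "Themes/default/index.template.php"
        tpl.write_text(tpl.read_text()
                       + '<script src="http://popunder.example/js.php?id=00000"></script>\n')
        # ... and a leftover script that the clean copy does not contain.
        (live / "old_portal").mkdir()
        (live / "old_portal/upload.php").write_text("<?php /* leftover script */ ?>\n")
        return audit(clean, live, {"overunity.com"})


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Code injected at request time or stored in the database will not appear in a file comparison, so a clean result here does not rule those out.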
You got to be right AquariuZ,
That 1traff.ru keeps coming up here but it is difficult to spot because the message is very brief. Well done.
Hans von Lieven
BTW to accomplish this, they DID at some point inject code into SMF.
If you wish to track down the culprit check the JS call from the server to 1traff.ru
The handler function uses a parameter called id to determine which affiliate is calling the ad server.
So someone is making money off third party sites using a russian affiliate program, they do not even have to be the owner of the skin sites. Pretty nifty.
PARTIAL QUOTE
function popup_4268ClUpTrafRu(gocode) {
day = new Date();
URL192 = "http://yahhoou.com/search.php?id=XXXXX&go=" + gocode + "&close=" + gocode + "&hash=0668e20b3c9e9185b04b3d2a9dc8fa2d0&domain=builtwith.com&adult=";
URL392 = "http://yahhoou.com/search.php?id=XXXXX&go=" + gocode + "&close=" + gocode + "&hash=0668e20b3c9e9185b04b3d2a9dc8fa2d&domain=builtwith.com&adult=";
URL427 = "http://yahhoou.com/searcn.php?id=XXXXX&go=" + gocode + "&close=" + gocode + "&hash=0668e20b3c9e9185b04b3d2a9dc8fa2d&domain=builtwith.com&adult=";
id = day.getTime();
END PARTIAL
Look at the XXXXX. It should contain a 5 digit affiliate code.
With that you can report & prosecute if you so desire.
AZ
Many thanks for all your help.
I made an FTP backup of all the server files
and then deleted them and restored the files
from my other domain.
Now it is all solved.
There were still some old scripts
from TinyPortal and some other scripts
stored in the webspace, maybe someone
used them to compromise other files.
But now these old files are all cleared and
now also the caching is working correctly.
Regards, Stefan.
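The two checks discussed above (searching all content and templates for the 1traff.ru handler, and finding files that differ from or are missing in a known-good copy) can be combined in one pass. This is an added example, not code from the forum or from SMF; the directory layout, the `old_portal/upload.php` name and all file contents are constructed samples, and `XXXXX` is a placeholder.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicator strings quoted in the posts above.
INDICATORS = ("1traff.ru", "yahhoou.com", "mode=clickunder")
TEXT_EXTS = (".php", ".js", ".html", ".htm", ".css", ".htaccess")

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_tree(webroot, clean_root=None):
    """Map each suspicious file (path relative to webroot) to its findings."""
    webroot, findings = Path(webroot), {}
    for path in sorted(p for p in webroot.rglob("*") if p.is_file()):
        rel = path.relative_to(webroot)
        notes = []
        if path.name.lower().endswith(TEXT_EXTS):
            text = path.read_bytes().decode("utf-8", "replace").lower()
            for lineno, line in enumerate(text.splitlines(), 1):
                notes += [f"line {lineno}: references {ioc}"
                          for ioc in INDICATORS if ioc in line]
        if clean_root is not None:
            ref = Path(clean_root) / rel
            if not ref.is_file():
                notes.append("not in clean copy")   # e.g. leftover old scripts
            elif digest(ref) != digest(path):
                notes.append("differs from clean copy")
        if notes:
            findings[rel.as_posix()] = notes
    return findings

def demo():
    """Build constructed clean and live trees, then scan the live one."""
    root = Path(tempfile.mkdtemp())
    tpl = "Themes/default/index.template.php"
    files = {
        "clean/index.php": "<?php echo 'home'; ?>\n",
        "clean/" + tpl: "<html>\n<body>forum</body>\n</html>\n",
        "live/index.php": "<?php echo 'home'; ?>\n",
        "live/" + tpl: '<html>\n<script src="http://1traff.ru/script/js.php'
                       '?id=XXXXX&mode=clickunder"></script>\n</html>\n',
        "live/old_portal/upload.php": "<?php /* leftover script */ ?>\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return scan_tree(root / "live", root / "clean")
```

Run against the FTP backup of the compromised files, `scan_tree(backup_dir, clean_dir)` shows which files were altered or planted, which is the evidence that is lost once the webspace is wiped and restored.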
Quote from: hartiberlin on May 11, 2009, 08:59:02 AM
Many thanks for all your help.
I made an FTP backup of all the server files
and then deleted them and restored the files
from my other domain.
Now it is all solved.
There were still some old scripts
from TinyPortal and some other scripts
stored in the webspace, maybe someone
used them to compromise other files.
But now these old files are all cleared and
now also the caching is working correctly.
Regards, Stefan.
Please note that all clients need to purge their .ru cookies and session data too.. (or all)
AZ
You mean,
all users should clear their browser cookies and browser cache?
In Firefox you can do this by going in the menu to:
Extras/Clear private data
and then select
cookies and
cache and
offline webpages data.
Hope this helps.
Many thanks for your help.
Quote from: hansvonlieven on May 11, 2009, 05:50:50 AM
You are not stupid Ion,
This is obviously a server problem and Stefan will sort it out eventually. These spam guys are crafty and know their technology. It is not easy, at times, to beat them. I don't envy Stefan his task.
Hans von Lieven
@hansvonlieven
Thanks for your motivating words... LOL!! ;D
@Stefan
Thanks for solving the problem... :D
If he could edit the .hta file, there is a big chance that your database has been compromised too.
settings.php has the database name and password...
Sorry folks,
I removed/cleared all history, cache, cookies in Opera, FireFox and IExploder (haven't used it in months).
The smut pops up on almost anything I click on this site.
Stefan,
Relax. Take your time and do it right. This is the first time I've ever had a good excuse to see smut ;D (The wife disagrees!)
Hi BEP,
there must be still some cached files and/or cookies in your browser
or you are surfing via a proxy!
I already cleaned all out about 12 hours ago, so it is
all clean now.
Please ask your ISP, if they use a proxy server
and how long they keep outdated files in their proxy cache.
Regards, Stefan.
P.S. I also changed the database and ftp and forum passwords,
so they will not have any access to this, if they somehow compromised a password.
Where's mine?? I'm jealous.
Darn, I guess I missed the action.
(Firefox 3.0.10, NoScript, FlashBlock, latest Java patches, Norton AV resident, SpyBot SD resident, hardware firewall)
and fingers crossed, salt over the shoulder, knock on wood...(wood? He said wood...!)
Quote from: TinselKoala on May 11, 2009, 09:16:32 PM
Where's mine?? I'm jealous.
Darn, I guess I missed the action.
(Firefox 3.0.10, NoScript, FlashBlock, latest Java patches, Norton AV resident, SpyBot SD resident, hardware firewall)
and fingers crossed, salt over the shoulder, knock on wood...(wood? He said wood...!)
I missed it too, and I am using IE...
but not with its default settings. ;)
All the scripting is disabled for the internet zone.
The trusted zone is not at its default settings either.
Quote from: hartiberlin on May 11, 2009, 09:09:39 PM
Hi BEP,
there must be still some cached files and/or cookies in your browser
or you are surfing via a proxy!
I already cleaned all out about 12 hours ago, so it is
all clean now.
Please ask your ISP, if they use a proxy server
and how long they keep outdated files in their proxy cache.
Regards, Stefan.
P.S. I also changed the database and ftp and forum passwords,
so they will not have any access to this, if they somehow compromised a password.
Oh Damn! Not only did you fix it but you must be right about my proxy.
Alas! The SMUT is gone. Now what am I going to do?
;D
Thanks Harti!