Spam re-directs

The latest news from the admins
K9EZ
Site Admin
Posts: 2986
Joined: Wed Nov 14, 2007 3:16 pm
Location: Raleigh, NC

Spam re-directs

Post by K9EZ » Sun Jul 06, 2008 4:43 pm

Humans,

I have seen an issue that seems to be increasing in frequency. That is where some idiots decide it is fun to hijack a web site. What happens is that you go to your normal page (i.e. broadcastengineering.info) and once you get there the page is redirected to some ad crap.

If you see that happen here, please let us know immediately. We need to put these guys out of business (even though they are running the stuff from Russia).

Watch out for the following IP: 80.93.48.89. You may also get forwarded to [http://66.135.60.166/e010/h.htm]

More info:
IP : 80.93.48.89 Neighborhood
Host : 80.93.48.89.colo.piter.peterhost.ru
Country : Russian Federation

A good fix is here: http://www.mvps.org/winhelp2002/hosts.htm

(Edited by Doc to kill the link)
Kent Winrich
Owner, Consultant, Floor Sweeper and Official Thread Hijacker
Broadcast and Technology Blog http://sceotech.com/blog/
Raleigh, NC

Deep Thought
Posts: 3217
Joined: Thu Mar 20, 2008 9:23 am
Location: La Grange, IL

Re: Spam re-directs

Post by Deep Thought » Sun Jul 06, 2008 4:59 pm

Question: How can that happen unless the redirect code is in the page somewhere? Ads are one thing. This sounds more like a vulnerability in the website.
Mark Mueller • Mueller Broadcast Design • La Grange, IL • http://www.muellerbroadcastdesign.com

K9EZ
Site Admin
Posts: 2986
Joined: Wed Nov 14, 2007 3:16 pm
Location: Raleigh, NC

Re: Spam re-directs

Post by K9EZ » Sun Jul 06, 2008 7:12 pm

Deep Thought wrote:Question: How can that happen unless the redirect code is in the page somewhere? Ads are one thing. This sounds more like a vulnerability in the website.

Exactly. Sorry if I was not very clear. But it appears that the web sites I was running into this, if I sent them to the host 127.0.0.1 it went away. Of course it could just be a timing thing. Perhaps there are people far smarter than me that know more.
Kent Winrich
Owner, Consultant, Floor Sweeper and Official Thread Hijacker
Broadcast and Technology Blog http://sceotech.com/blog/
Raleigh, NC

w9wi
Posts: 848
Joined: Tue Feb 05, 2008 11:40 am
Location: Pleasant View, Tennessee

Re: Spam re-directs

Post by w9wi » Mon Jul 07, 2008 7:14 am

K9EZ wrote:
Deep Thought wrote:Question: How can that happen unless the redirect code is in the page somewhere? Ads are one thing. This sounds more like a vulnerability in the website.

Exactly. Sorry if I was not very clear. But it appears that the web sites I was running into this, if I sent them to the host 127.0.0.1 it went away. Of course it could just be a timing thing. Perhaps there are people far smarter than me that know more.
There exists something called "DNS hijacking", where someone modifies the database relating hostnames to IP addresses. If they repoint "www.broadcastengineering.info" to their own IP they can make it pull up anything they want without having to hack your webserver at all. Indeed, your webserver is still working just fine, just that you have to pull it up by IP address instead of hostname.

We had a problem a few years back where a major local business was running their own DNS server for their internal computers. It got jacked & they redirected our domain to a porn site. Luckily it only affected people surfing at that one business. I suppose if you managed to jack Comcast's or Earthlink's DNS servers you could cause a LOT of trouble though.
--
Doug Smith W9WI
Pleasant View, TN EM66

countrykev
Posts: 328
Joined: Thu Jan 10, 2008 3:18 pm
Location: Not Wisconsin, eh?

Re: Spam re-directs

Post by countrykev » Mon Jul 07, 2008 7:42 am

phpbb is a very common target for hackers and spammers. Always make sure you are running the latest version of the software.
What the heck am I supposed to write here?

K9EZ
Site Admin
Posts: 2986
Joined: Wed Nov 14, 2007 3:16 pm
Location: Raleigh, NC

Re: Spam re-directs

Post by K9EZ » Mon Jul 07, 2008 7:58 am

w9wi wrote:
K9EZ wrote:
Deep Thought wrote:Question: How can that happen unless the redirect code is in the page somewhere? Ads are one thing. This sounds more like a vulnerability in the website.

Exactly. Sorry if I was not very clear. But it appears that the web sites I was running into this, if I sent them to the host 127.0.0.1 it went away. Of course it could just be a timing thing. Perhaps there are people far smarter than me that know more.
There exists something called "DNS hijacking", where someone modifies the database relating hostnames to IP addresses. If they repoint "www.broadcastengineering.info" to their own IP they can make it pull up anything they want without having to hack your webserver at all. Indeed, your webserver is still working just fine, just that you have to pull it up by IP address instead of hostname.

We had a problem a few years back where a major local business was running their own DNS server for their internal computers. It got jacked & they redirected our domain to a porn site. Luckily it only affected people surfing at that one business. I suppose if you managed to jack Comcast's or Earthlink's DNS servers you could cause a LOT of trouble though.

Interesting.

In this case, on this other web site... when I am NOT logged in I don't get the redirect. When I log in I get redirected. Which (in my simple l'il mind) tells me that the server got hacked. Or am I off base?
Kent Winrich
Owner, Consultant, Floor Sweeper and Official Thread Hijacker
Broadcast and Technology Blog http://sceotech.com/blog/
Raleigh, NC

Tim Burke
Forum Jedi
Posts: 472
Joined: Sun Nov 18, 2007 1:10 am
Location: Spring, TX

Re: Spam re-directs

Post by Tim Burke » Mon Jul 07, 2008 9:12 am

countrykev wrote:phpbb is a very common target for hackers and spammers. Always make sure you are running the latest version of the software.
I'm glad we're running the up-to-date version! :mrgreen:
up-to-date.PNG

NECRAT
Site Admin
Posts: 2952
Joined: Sat Nov 17, 2007 9:13 pm
Location: Taunton, MA

Re: Spam re-directs

Post by NECRAT » Mon Jul 07, 2008 9:42 am

countrykev wrote:phpbb is a very common target for hackers and spammers. Always make sure you are running the latest version of the software.
What's even sadder is, that on YouTube, there are a number of videos of people hacking boards, including instructions on how to do it.
http://www.necrat.us

"Arguing with an engineer is like mud wrestling with a pig. After a couple of hours, you realize the pig likes it"

BroadcastDoc
Site Admin
Posts: 2729
Joined: Tue Nov 13, 2007 3:34 pm
Location: Milwaukee, WI

Re: Spam re-directs

Post by BroadcastDoc » Mon Jul 07, 2008 10:12 am

Tim Burke wrote:
countrykev wrote:phpbb is a very common target for hackers and spammers. Always make sure you are running the latest version of the software.
I'm glad we're running the up-to-date version! :mrgreen:
up-to-date.PNG

Yep. I sleep better knowing Tim's on the job! :)
Christopher "Doc" Tarr CSRE, DRB, AMD, CBNE
Help support the Virtual Engineer, use our 1&1 Affiliate link if you need good, cheap hosting.
Virtual Engineer. The Broadcast Engineering discussion forum

w9wi
Posts: 848
Joined: Tue Feb 05, 2008 11:40 am
Location: Pleasant View, Tennessee

Re: Spam re-directs

Post by w9wi » Mon Jul 07, 2008 10:51 am

K9EZ wrote:In this case, on this other web site... when I am NOT logged in I don't get the redirect. When I log in I get redirected. Which (in my simple l'il mind) tells me that the server got hacked. Or am I off base?
Apparently hacking phpBB is more common than I realized - it's probably a lot easier than DNS hijacking...

But I would suggest that it's *possible* this is indeed still a hijacking. Could be the crooks duplicated part of the site - certainly common with phishing. Or, when you login the legitimate site redirects you to a different domain, and that domain is the one that's been hijacked. (you should be able to tell by looking at the address bar: does the part between "http://" and the next / change when you login?)

But it's probably indeed just that the board has been hijacked, not DNS.
--
Doug Smith W9WI
Pleasant View, TN EM66
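
The triage discussed in the posts above (did the host in the address bar change, is the name resolving to an address the site owner does not publish, or is a local hosts-file entry pointing it at 127.0.0.1), as an added example that is not part of any post. The function names, hostnames and addresses are constructed for illustration, and the observations are passed in rather than fetched, so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def triage(chain, dns_answer, expected_ips, hosts_text=""):
    """chain: address-bar URLs in order (chain[0] is what was typed);
    dns_answer: what the resolver returned for chain[0]'s host;
    expected_ips: addresses the site owner publishes for that host."""
    start = host_of(chain[0])
    if not start:
        raise ValueError("first URL has no host")
    expected = {ipaddress.ip_address(a) for a in expected_ips}
    override = parse_hosts(hosts_text).get(start)    # hosts file beats DNS
    if override is not None:
        if override.is_loopback or override.is_unspecified:
            return "sinkholed-by-hosts-file"
        if override not in expected:
            return "hosts-file-tampering"
    elif ipaddress.ip_address(dns_answer) not in expected:
        return "dns-answer-mismatch"
    offsite = any(host_of(u) != start for u in chain[1:])
    return "redirect-served-by-site" if offsite else "no-offsite-redirect"


if __name__ == "__main__":
    # Constructed observation: the right server answered, then sent the browser elsewhere.
    seen = ["http://forum.example.org/", "http://ads.example.net/landing"]
    print(triage(seen, "192.0.2.10", ["192.0.2.10"]))
```

A "redirect-served-by-site" result means name resolution was correct and the redirect came from the real server, which points at injected content on the board rather than at DNS.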

K9EZ
Site Admin
Posts: 2986
Joined: Wed Nov 14, 2007 3:16 pm
Location: Raleigh, NC

Re: Spam re-directs

Post by K9EZ » Mon Jul 07, 2008 11:50 am

w9wi wrote:
K9EZ wrote:In this case, on this other web site... when I am NOT logged in I don't get the redirect. When I log in I get redirected. Which (in my simple l'il mind) tells me that the server got hacked. Or am I off base?
Apparently hacking phpBB is more common than I realized - it's probably a lot easier than DNS hijacking...

But I would suggest that it's *possible* this is indeed still a hijacking. Could be the crooks duplicated part of the site - certainly common with phishing. Or, when you login the legitimate site redirects you to a different domain, and that domain is the one that's been hijacked. (you should be able to tell by looking at the address bar: does the part between "http://" and the next / change when you login?)

But it's probably indeed just that the board has been hijacked, not DNS.

Nope, it doesn't change, and the topics are new, so they didn't copy the site.

Let me tell you there are some pretty upset people at this other board. And the Board OPs or managers are trying to tell it is a problem with the personal computers, not with the web page.

BTW this is not a radio related page. It deals with Mercedes repair.

I just want to be on top of things so that if it does happen here we can deal with it PRONTO.
Kent Winrich
Owner, Consultant, Floor Sweeper and Official Thread Hijacker
Broadcast and Technology Blog http://sceotech.com/blog/
Raleigh, NC

Deep Thought
Posts: 3217
Joined: Thu Mar 20, 2008 9:23 am
Location: La Grange, IL

Re: Spam re-directs

Post by Deep Thought » Mon Jul 07, 2008 12:04 pm

If your DNS entries are compromised, that's an entirely different matter. As for phpBB, yeah it's a target because a lot of people running it have no clue what it is or how it works. They just load the default scripts from their hosting provider and run with that. You'll often see default graphics and other telltale signs. I used to run it but decided on a better system.

As for people running their own personal DNS for whatever reason, they get what they deserve if they don't know what they're doing. Having a local DNS server hacked is probably a red flag for much bigger IT issues at that location...
Mark Mueller • Mueller Broadcast Design • La Grange, IL • http://www.muellerbroadcastdesign.com

BroadcastDoc
Site Admin
Posts: 2729
Joined: Tue Nov 13, 2007 3:34 pm
Location: Milwaukee, WI

Re: Spam re-directs

Post by BroadcastDoc » Mon Jul 07, 2008 12:23 pm

You're right about phpBB. On the other hand, since everyone and their brother uses it, security issues are out in the open right away, so if you're good about keeping up with it, you're pretty safe.

The thing about forum software is that there is a bunch out there...all of which have issues! I think that like anything else if you're diligent, you'll be OK.
Christopher "Doc" Tarr CSRE, DRB, AMD, CBNE
Help support the Virtual Engineer, use our 1&1 Affiliate link if you need good, cheap hosting.
Virtual Engineer. The Broadcast Engineering discussion forum

K9EZ
Site Admin
Posts: 2986
Joined: Wed Nov 14, 2007 3:16 pm
Location: Raleigh, NC

Re: Spam re-directs

Post by K9EZ » Mon Jul 07, 2008 1:50 pm

BroadcastDoc wrote:You're right about phpBB. On the other hand, since everyone and their brother uses it, security issues are out in the open right away, so if you're good about keeping up with it, you're pretty safe.

The thing about forum software is that there is a bunch out there...all of which have issues! I think that like anything else if you're diligent, you'll be OK.
And exactly the reason I would like us to keep an eye out there. I KNOW Tim and NECRAT and Doc all keep this thing pretty much up to date. But having a few extra eyes can't hurt.
Kent Winrich
Owner, Consultant, Floor Sweeper and Official Thread Hijacker
Broadcast and Technology Blog http://sceotech.com/blog/
Raleigh, NC
