
Thread: Auto-re-routing

  1. #1
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Exclamation Auto-re-routing

    I'm using Firefox and IE8 to use these forums and I'm getting re-routed more and more (this is from two separate PCs, one with very high level security and the other with something more normal).

    Scenario:

    1) I’m reading the forums and BAM…auto re-routed to online Bingo.
    2) More serious. Reading the forum and BAM get re-routed to a fake Control Panel image with warning stating the PC has viruses

    I haven’t clicked any pop-ups, indeed no pop-ups are showing or even showing as blocked. I can only assume the code for the forums has been compromised and tampered with. Happens on various threads and appears random.

    Just thought you ought to know really and see if you can take action. The on-line bingo isn’t a major issue as you can just “back” and you’re where you started but the newer one…the fake Control Panel with fake virus warning is much more worrying for some users who are not PC savvy to know about it being fake and it disables your browser window as well.

    Luckily as I use IE8 and Firefox, I normally have the forum open on a separate tab so can close it ok but this morning the 2nd one got me on the first session so I had to force FF to close via Task Manager.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  2. #2
    Headless Senior Member Pannonian's Avatar
    Join Date
    Apr 2005
    Posts
    7,978

    Default Re: Auto-re-routing

    What sites do they redirect you to?

  3. #3
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    I haven't taken the time to note down the URLs but as I said above the most common one is a simple on-line Bingo website (which seems genuine) but the other one doesn't have a URL as it's quite a sophisticated website which looks EXACTLY like a Windows XP standard Control Panel complete with icons for hard drive etc etc.

    Only difference is that it has a "mock" antivirus scan running on it and a large announcement stating your PC is infected...it also has several pop-up windows asking you to "ok" or "cancel" requests for antivirus updates.

    If it was just my PC at home then I'd say I'd picked up that virus that copies XP's built in antivirus (can't recall the name of it) but it's happened on a work PC which is seriously locked down with firewalls and antivirus active scans galore so it's website related I believe.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  4. #4
    Headless Senior Member Pannonian's Avatar
    Join Date
    Apr 2005
    Posts
    7,978

    Default Re: Auto-re-routing

    I've seen mock-AV sites before, and it's usually local drive-related, and often involves rather complicated cleaning processes, hence my asking for the sites. Without knowing what they are, it's hard to know what to do.

  5. #5
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    I know, which is why I was more concerned when it:

    1) only happened when on these forums
    2) happened on two separate PCs, from two separate locations with two separate security measure templates installed

    I will attempt to get more info if possible next time it happens.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  6. #6
    Mr Self Important Senior Member Beskar's Avatar
    Join Date
    Feb 2008
    Location
    Albion
    Posts
    15,930
    Blog Entries
    1

    Default Re: Auto-re-routing

    I never had it happen with Firefox. But you could get Adblock Plus to make sure it doesn't for Firefox.

    As for IE8, just don't bother using it.
    Last edited by Beskar; 11-18-2009 at 16:00.
    Days since the Apocalypse began
    "We are living in space-age times but there's too many of us thinking with stone-age minds" | How to spot a Humanist
    "Men of Quality do not fear Equality." | "Belief doesn't change facts. Facts, if you are reasonable, should change your beliefs."

  7. #7
    Amphibious Trebuchet Salesman Member Whacker's Avatar
    Join Date
    Nov 2006
    Location
    in ur city killin ur militias
    Posts
    2,934

    Default Re: Auto-re-routing

    You have a virus and/or rootkit. You'll want to run MS Defender, Adaware, possibly Spybot, and your AV program of choice until they show up clean. If this still doesn't fix your problem, then you've got a rootkit, and those are just about impossible to extract without the right tools and some serious knowhow.

    "Justice is the firm and continuous desire to render to everyone
    that which is his due."
    - Justinian I

  8. #8
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Autorouting link for 2nd issue:

    http://protect-yourselfb.com/1/?sess...EyNTU1McQMMQkN

    Like I said, if it occurred on one PC I'd agree with all of you and say it's a virus issue on the PC in question but with two separate and one is a work based PC with corporate firewalls etc etc as well as many non-work sites blocked I assumed it may be something embedded in the forums.

    Not saying I'm right though by a long shot!
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  9. #9

    Default Re: Auto-re-routing

    Interestingly enough:
    Code:
    wget -O ~/dltestfile -c http://protect-yourselfb.com/
    file ~/dltestfile
    The result is: dltestfile: very short file (no magic); not surprising since wget reports an amazing content-length of: Length: 1 [text/html]. (1 byte). Guess what that single byte is? 0x0A. (Newline.)
    - Tellos Athenaios
    CUF tool - XIDX - PACK tool - SD tool - EVT tool - EB Install Guide - How to track down loading CTD's - EB 1.1 Maps thread


    ὁ δ᾽ ἠλίθιος ὣσπερ πρόβατον βῆ βῆ λέγων βαδίζει” – Kratinos in Dionysalexandros.

  10. #10
    Headless Senior Member Pannonian's Avatar
    Join Date
    Apr 2005
    Posts
    7,978

    Default Re: Auto-re-routing

    Someone else seems to have the same problem on another forum. Googling doesn't find anything else on it yet, and the site itself isn't on my DNS. Try tracerting that host and noting down what IP it produces.

  11. #11
    Amphibious Trebuchet Salesman Member Whacker's Avatar
    Join Date
    Nov 2006
    Location
    in ur city killin ur militias
    Posts
    2,934

    Default Re: Auto-re-routing

    The other possibility is that a DNS server has been either compromised or poisoned.

    I still say scan the crap out of both of your machines with those programs I listed. If it's clean, then they're clean, and the problem is ISP related.

    "Justice is the firm and continuous desire to render to everyone
    that which is his due."
    - Justinian I

  12. #12
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Yup, going with that option for now. Posted this mainly as a warning for the forum Admin, can't actively scan the work PC as that's done by our national IT department on a regular basis (multinational company) but will go down hard on my home one as soon as I have the 2hr+ it'll take.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  13. #13
    L'Etranger Senior Member Banquo's Ghost's Avatar
    Join Date
    Dec 2005
    Location
    Hunting the Snark, a long way from Tipperary...
    Posts
    5,604

    Default Re: Auto-re-routing

    If it helps, I have experienced the same problem with the bingo redirect just recently.

    I have been given a brand new Windows laptop for running games. The OS is Windows 7. The only programs installed on the machine are Baldur's Gate, STW, MTW, M2TW, ETW with Steam connection. There is AVG anti-virus and Firefox with Ad Block.

    I have used Firefox to visit one site only, and that is the Org. A couple of days ago, I got the redirect as described above.

    My usual machines are a MacBook Pro and a MacBook Air, both running Snow Leopard. I use Safari to visit the Org and the rest of the web, and occasionally Firefox.

    There has never been this issue with the Mac set-up. Given that I have a pretty clean Windows machine, I might venture that this is a problem with something on the Org, and that uses a Windows vulnerability.

    I don't know whether this information helps the more technically knowledgeable, but I hope so.
    "If there is a sin against life, it consists not so much in despairing as in hoping for another life and in eluding the implacable grandeur of this one."
    Albert Camus "Noces"

  14. #14
    Needs more flowers Moderator drone's Avatar
    Join Date
    Dec 2004
    Location
    Moral High Grounds
    Posts
    9,286

    Default Re: Auto-re-routing

    Add NoScript to your Firefox. It's a little annoying since you have to enable scripts for sites, but it prevents a lot of mischief.
    The .Org's MTW Reference Guide Wiki - now taking comments, corrections, suggestions, and submissions

    If I werent playing games Id be killing small animals at a higher rate than I am now - SFTS
    Si je n'étais pas jouer à des jeux que je serais mort de petits animaux à un taux plus élevé que je suis maintenant - Louis VI The Fat

    "Why do you hate the extremely limited Spartan version of freedom?" - Lemur

  15. #15
    Guest Aemilius Paulus's Avatar
    Join Date
    Aug 2008
    Location
    Russia/Europe in the summer, Florida rest of the time
    Posts
    3,473

    Exclamation Re: Auto-re-routing

    Quote Originally Posted by Whacker View Post
    You have a virus and/or rootkit. You'll want to run MS Defender, Adaware, possibly Spybot, and your AV program of choice until they show up clean. If this still doesn't fix your problem, then you've got a rootkit, and those are just about impossible to extract without the right tools and some serious knowhow.
    Definitely. That is what I first thought. Such symptoms are usually malware-induced. But Windows Defender and Adaware are near useless, I used them a long time ago. Now, Spybot is a different thing. It actually works quite well. But not nearly as well as the fully-functional 30-day trial of the best AV package ever made - Kaspersky Internet Security 2010. It even has a feature called Safe-Run where you can run any program in a virtual, closed environment, which protects you from virtually any malware you can pick up from surfing the web.

    So get it. It is free, for 30 days. Fully functional - it scans, protects, and neutralises any infections. I never got why they have such permissive trials, but whatever - take advantage of it. Here is the download link.

  16. #16
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    I'm doubting it's something on the PCs now as the issue is very specifically related to these forums and only ever happens whilst I'm here...and I use a lot of other forums and even host my own one.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  17. #17

    Default Re: Auto-re-routing

    I'm with drone. Try installing NoScript for FF. If it is something embedded on the site, that should take care of it. It's free, it updates fairly regularly and it's painless.

    You may also try http://www.safer-networking.org/en/mirrors/index.html; spy-bot search & destroy.
    Immunize function is handy.
    Last edited by HopAlongBunny; 11-20-2009 at 10:18.
    Ja-mata TosaInu

  18. #18
    Member Member Sevis's Avatar
    Join Date
    Oct 2009
    Location
    Netherlands
    Posts
    165

    Default Re: Auto-re-routing

    Okay, first of all, this looks absolutely nothing like an already activated virus, trojan or rootkit. Why in the world would such a thing blatantly show itself, almost yelling "Hey, you're infected!" at the user? What would it possibly have to gain? Neither does DNS-poisoning seem to be all that likely - but, none the less, you could try setting your DNS to be something unlikely to be poisoned, such as your work DNS-server or (if possible) the RNS.

    Now, as to what I'd guess this is:
    The image it displays looks silly, at best. It is either trying to keep the user focused on it (at the risk of alerting the user to it being malicious) or wants to give the user some sort of choice. The second, although unlikely, is possible - something like "If you're stupid enough to agree to what we're suggesting, we'll rootkit you, but we'll spare the smart ones." Ethics? Meh.

    Either way, you are not of any true influence on the process. If it can run arbitrary code on your machine, it will do so as it pleases, and does not need your permission. If it cannot, I see little point in it existing... A prank? Unlikely.

    Thus, what we know about the program:
    1. It shows up while, and only while, you are browsing the Guild from a Windows machine.
    1.1. Thus, it likely has a check about whether your browser claims you're using Windows - try changing this variable, and see if it vanishes. If you post your current one, I can try it under Linux.
    2. It shows up on both Firefox and IE.
    2.1. Kudos for making it browser independent >.>
    3. Neither antivirus is alarmed by it.
    3.1. Now this is the interesting bit. The high-security one should be tipped off by just about anything. Could you specify which one it is that you use at home and at work, please? No need to include firewalls - I'm guessing this is purely http.

    I would advise scanning at least your home system fully, to make sure it didn't cause you to get infected. Further, NoScript was already mentioned - it's a great thing, although not all that necessary now that AdBlock can block .js files. When browsing the Guild, Firefox wishes to execute scripts from totalwar.org, google.com, adbureau.net, quantserve.com and atomicgamer.com. I allowed the first two, blocked the rest (don't know the last one, but the other two are ad sites). Back on Windows machines, I've had Avast light up while browsing quantserve - that could very well be the problem.
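
The check described in post #18 (list which hosts a page loads active content from, then allow only the ones you trust), as an added example that is not part of the original thread. The page URL, the file paths and the sample HTML are constructed; only the five domain names come from the post, and `site_of` is a simplifying assumption (last two DNS labels rather than the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: the domains are the ones named in post #18,
# every path and the page URL itself are made up for the example.
PAGE_URL = "http://www.totalwar.org/forum/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/clientscript/global.js"></script>
<script src="http://www.google.com/search/box.js"></script>
<script src="//cdn.quantserve.com/tag.js"></script>
</head><body>
<script>var inlineOnly = 1;</script>
<iframe src="http://ads.adbureau.net/frame?slot=top"></iframe>
<script src="http://www.atomicgamer.com/ads/show.js"></script>
</body></html>
"""


class ActiveContentParser(HTMLParser):
    """Collect absolute URLs of elements that load remote active content."""
    WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:  # inline scripts have no src and are skipped
            self.found.append((tag, urljoin(self.base_url, value.strip())))


def site_of(host):
    """Assumption: treat the last two DNS labels as the owning site."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_page(html, page_url, trusted_sites=()):
    """Return {site: [(tag, url), ...]} for content loaded from untrusted sites."""
    parser = ActiveContentParser(page_url)
    parser.feed(html)
    allowed = {site_of(urlsplit(page_url).hostname)} | set(trusted_sites)
    report = {}
    for tag, url in parser.found:
        host = urlsplit(url).hostname
        if host and site_of(host) not in allowed:
            report.setdefault(site_of(host), []).append((tag, url))
    return report


if __name__ == "__main__":
    # Same decision as in the post: first party plus google.com are allowed.
    for site, items in audit_page(SAMPLE_HTML, PAGE_URL, {"google.com"}).items():
        for tag, url in items:
            print(f"{site:16} <{tag}> {url}")
```

Run against a saved copy of the forum's main page, the output is the list of third-party hosts to review or block in NoScript or Adblock Plus.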

  19. #19
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Sure.

    I have browsed many...many forums etc and this occurs only here. So, we can confirm some association.

    Antivirus kits

    Home - Avira (using IE8)

    Work - Mcafee (using Firefox)

    Both machines are using Windows XP with the latest service packs etc making them fully up to date.

    I don't get much facetime with my home PC so a full scan is planned just not executed yet. I can't self-scan my work based PC but this is done every night by automatic IT executable and I have not been notified of anything amiss.

    I now use the Tabs functions more to help prevent this annoyance. Always having two tabs active means that when this occurs it occurs on only one tab so I just manually close that tab (it displays another fake warning which I "X" close down rather than using its "OK" to close).
    Last edited by Braden; 11-22-2009 at 11:15.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  20. #20
    Oza the Sly: Vandal Invasion Member Braden's Avatar
    Join Date
    Apr 2005
    Location
    Leeds, Centre of the Universe, England
    Posts
    1,251

    Default Re: Auto-re-routing

    Quote Originally Posted by Sevis View Post
    When browsing the Guild, Firefox wishes to execute scripts from totalwar.org, google.com, adbureau.net, quantserve.com and atomicgamer.com. I allowed the first two, blocked the rest (don't know the last one, but the other two are ad sites). Back on Windows machines, I've had Avast light up while browsing quantserve - that could very well be the problem.
    Done a little research and I think you may have found the issues here...but I'll still scan my PC, always good practice.
    My Steam Community Profile - Currently looking for .Org members I know with NTW for MP stuff (as I'm new to that...lol)

  21. #21
    Hǫrðar Member Viking's Avatar
    Join Date
    Apr 2005
    Location
    Hordaland, Norway
    Posts
    6,449

    Default Re: Auto-re-routing

    So much for the 'checks OS' theory.

    Spoiler Alert, click show to read: 
    Runes for good luck:

    [1 - exp(i*2π)]^-1

  22. #22
    the G-Diffuser Senior Member pevergreen's Avatar
    Join Date
    Nov 2006
    Location
    Brisbane, Australia
    Posts
    11,585
    Blog Entries
    2

    Default Re: Auto-re-routing

    Quote Originally Posted by Braden View Post
    2) More serious. Reading the forum and BAM get re-routed to a fake Control Panel image with warning stating the PC has viruses
    This has been happening lately

    http://magnum-defence33.cn/1/?sess=p...0xMjY4MUAMPQJN

    is the site

    FF3. No adblock/noscript though, it doesn't install for me.

    Only seems to happen from main page, currently scanning with AVG.
    Quote Originally Posted by TosaInu
    The org will be org until everyone calls it a day.

    Quote Originally Posted by KukriKhan View Post
    but I joke. Some of my best friends are Vietnamese villages.
    Quote Originally Posted by Lemur
    Anyone who wishes to refer to me as peverlemur is free to do so.

  23. #23
    Member Member Sevis's Avatar
    Join Date
    Oct 2009
    Location
    Netherlands
    Posts
    165

    Default Re: Auto-re-routing

    Quote Originally Posted by Viking View Post
    So much for the 'checks OS' theory.

    Spoiler Alert, click show to read: 
    Well, that is Windows, judging by the look of it. Might not check OS version number, simply the name.

    EDIT: Aha! Instead of giving a pop-up with the choice of continuing the 'repair' or aborting, it suggests you download something... Interesting, let me give that site a go.

    EDIT2: Went to the page manually. No matter what you click, it gets to the point where it offers you to repair. If you press the screen anywhere at that time, it'll try to download an "install.exe" - against which Firefox is safe, but I'm not sure if IE is. Until that comes up, there was no sign of any intrusion.
    Last edited by Sevis; 12-08-2009 at 07:12.
