Possible compromised forum?

Bjorn Smith

Active Member
Sep 3, 2019
232
86
28
I cannot wait to get the old look back - black is so old hat :) - besides the title of this post is even "invisible" - because of the color of the title.
So please as soon as safe - get the old look back, so we can read stuff better.
Black on white is the best way to read stuff - not white on black or any other weird colors.
 

Jannis Jacobsen

Active Member
Mar 19, 2016
350
72
28
42
Norway
I'm on android with latest Firefox and have a similar problem,it only happens on STH. Noticed this first time yesterday and it happend again today even if I cleaned my cookies in between.

I see some connection to:

appcenter3.com
fckmnk.com
smrtmnk.com
belombrea.com
propeller-tracking.com

Not sure if all of these are correct.


View attachment 13811 View attachment 13812
I read something about this a while back.
It has something to do with ads on websites iirc.
I've had this happen when following a link from google to ebay for instance.

The forums here seems to have been upgraded to a new version/theme.
-jannis
 

ari2asem

Active Member
Dec 26, 2018
504
81
28
The Netherlands, Groningen
i am on android with opera as browser, blocking the ads. i never have issue of pop-up, hijack or ads.

@Patrick, thanks for your efforts to get rid off of annoying ads issue.

next challenge is...old UI without ads issue. this temporary and new UI is really ugly
 

Samir

Well-Known Member
Jul 21, 2017
1,306
375
83
45
Glad to find out this new look is only temporary--it really lacks the old one's clean lines and professionalism.
 

nle

Member
Oct 24, 2012
194
11
18
Just happened again. I was in the option to turn on the new black theme, saved. Pressed the logo to go to the front page, and when I pressed the menu and forum link it opened a new spam page.

Still on iOS no adblock since on 4g (at home I have pihole)

So I guess compromised ads? Like mentioned earlier.
 

Scott Laird

Active Member
Aug 30, 2014
255
101
43
I just had it happen on the main site, not the forum. I was reading the new Ubiquiti SFP+/10GbT review and tried to follow the first link in the conclusion (10Gtek ASF-10G-T), and it took me off-site. Followup attempts stayed on STH. This was on my phone (S20 Ultra, up-to-date OS) with Chrome.
 

matthew5025

New Member
Mar 21, 2016
23
18
3
Happened to me on the forum, while browsing on an ipad. I’m including the link to help troubleshoot this problem.

arwartortleer.com/?rb=RxP07nmx15XaedrmI9O5zAAZyOqDg5kEdfikYX_kLH5yGETmY4B_tbPxe0ZJEPQ4MVry-Dd3wBGaCmUOI9KBNco_ygZyzIl2Xk7pEtvbJTWjM5Ya24GYObS97qEdtwo_E5bMuaHv99e3u5gBOXk1CpY3J5fkv1VPg156mgjQ9QCMMH-N8umtkFtutv94MDy_MU86tO6YZXORQ5A5NyJZDPahuWO2wLllllqSCmJHi3UBiny4vD_rq4hFDuenHlGaJUV_u69gLH4JJVfhU5E8nqntZRArYd9nJNYEbCgwblGztOBTGxSUbw%3D%3D&zoneid=2721667&fs=0&cf=0&sw=1024&sh=1366&sah=1024&wx=0&wy=0&ww=1366&wh=1024&cw=1366&wiw=1366&wih=911&wfc=1&pl=https%3A%2F%2Fwww.servethehome.com%2F&drf=&np=0&pt=0&nb=1&ng=1&ix=0&nw=1&tb=true
 

Twist

Member
Oct 15, 2015
73
30
18
45
Norway
Happened to me again today on my phone on 4G, two times actually.

Address has changed from appcenter3.com to appcentereur.com

Screenshot_20200503_152626_org.mozilla.firefox.jpgScreenshot_20200503_152651_org.mozilla.firefox.jpg
 

Patrick

Administrator
Staff member
Dec 21, 2010
11,906
4,868
113
We rebuilt the main site today completely and turned off the mobile minification service since it seems like mobile device is a common theme.

We have had two WP security firms go through and validate the installs by early this afternoon.

From this post forward, if you guys see anything:
  • Mobile or desktop?
  • Browser
  • Location
  • Site (main site or forums)
If you do not feel comfortable posting location publicly, feel free to shoot me a PM.

We have 4 people trying to get this for the past few days. Since we have not recreated, we have rebuilt our entire stack top top to bottom and turned off anything on the periphery of delivering basic functionality.
 
  • Like
Reactions: nasi and nle

psannz

Member
Jun 15, 2016
58
13
8
35
Still getting the popups/new tabs with junk redirects, telling me how my Iphone was "hacked" or some other crap. Content of the messages is always centered on Iphones and in german (local language).
First url called in the new window is always arwartortleer.com/?rb=codecodecodecode.
Happens after opening an article on the main page, e.g. "Why Your Favorite Default Passwords Are Changing".
Never happens when opening the forums via the main page.

Tested on Iphone with Safari (private mode) on iOS 13.4.1 via the ISPs o2/Telefonica Germany and 1&1.

Only ever had those redirects on the Iphone, never on PC or Laptop, no matter the browser.

Maybe an issue with your advertising partners?
 

Attachments

Twist

Member
Oct 15, 2015
73
30
18
45
Norway
I have tried numerous times to get this popup again but I have not been successful until I turned off data traffic, deleted my cache and re-booted my phone.

Made sure I had a new ip, connected to main site, clicked 'NVIDIA Acquires Cumulus Networks' and I got the popup served again.
Also, I have never had this popup on my pc - only on my phone.

Can anyone try to delete their cookies and make sure you have a new ip and try to connect to main site ?

  • Android 9
  • Firefox 68.7.0
  • Norway
  • Main site
Screenshot_20200504_202140_org.mozilla.firefox.jpgScreenshot_20200504_202127_org.mozilla.firefox.jpg
 

edge

Member
Apr 22, 2013
88
27
18
I have not experienced any of this on my tablet for the entire period it has been reported.

Tab S3
Android 9
Main site and forums
US
 

nle

Member
Oct 24, 2012
194
11
18
Just tested in a new "private tab", and can confirm I also got the pop-ups.

Typed in servethehome.com, clicked the Nvidia article.

iPhone 11 Pro
iOS 13.4.1 (17E262)
Firefox Version 24.1 (17574)
Norway

I tried to do the exact same thing again, but did not trigger any thing the second time.
 

Serverking

Active Member
Jan 6, 2019
251
84
28
@Patrick It would be a good idea to stop all ads and outside links on this site for the time being.

I still see skimresources and googletagmanager running from my umatrix logger on the forums. Main site seems to be running google.com and some kind of InvisibleReCaptcha?

https://www.google.com/recaptcha/api.js?onload=renderInvisibleReCaptcha&render=explicit

 
Last edited: