Possible compromised forum?

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

mackle

Active Member
Nov 13, 2013
221
40
28
I just went private mode (I don’t often do it) and went to the main site via my forum bookmark and after clicking the first article I got redirected again.
 

Twist

Member
Oct 15, 2015
79
42
18
48
Norway
Private mode does not get me redirected, changed my ip 3 times and got I redirected every time clicking on the first arcticle.
 

Patrick

Administrator
Staff member
Dec 21, 2010
12,511
5,792
113
I am, in many ways, jealous of you guys that can recreate this so easily. We have 4 folks trying to do it, and have 4 VMs using different browsers trying to recreate (including on a cloned site.)

Turned off ads on the STH main site. If we still see it, then it at least narrows the possibilities.

The Google recaptcha thing needs to stay. Otherwise we get close to a million spam comments per month.
 

Patrick

Administrator
Staff member
Dec 21, 2010
12,511
5,792
113
Have you tried Android or iOS ? I never got any popup on my computers.
The four people trying have 2 iPhone 2 Android plus I am using an iPad and Samsung tablet.

At some point, after this is done, I want to figure out a way to get a test array online with selenium.

If it happens again today, then we start looking at ad providers but we only use three.
 

edge

Active Member
Apr 22, 2013
203
71
28
Could be difficult to recreate. I suspect DNS poisoning and that would be a location/ISP specific problem. You won't replicate it in CA if the problem is in the EU.

Ads served are location specific as well, which is equally problematic.
 

Patrick

Administrator
Staff member
Dec 21, 2010
12,511
5,792
113
Could be difficult to recreate. I suspect DNS poisoning and that would be a location/ISP specific problem. You won't replicate it in CA if the problem is in the EU.

Ads served are location specific as well, which is equally problematic.
Task 1 is triage. Task 2 I want to hire someone get a selenium monitoring system setup. Performance + monitoring for stuff like this. Maybe setup a EU and Asian VPS to help the monitoring.
 

psannz

Member
Jun 15, 2016
79
19
8
39
A little update from my side:
Have yet to see a malicious popup/redirect on my iPhone today (started testing 3h ago). Fingers crossed whatever @Patrick did worked.

Test settings:
Germany
iPhone with iOS 13.4.1
Safari, private mode
Networks: o2/Telefonica LTE (4G), 1&1 (VDSL), Globalways (Fibre)
 

edge

Active Member
Apr 22, 2013
203
71
28
Task 1 is triage. Task 2 I want to hire someone get a selenium monitoring system setup. Performance + monitoring for stuff like this. Maybe setup a EU and Asian VPS to help the monitoring.
I had to research selenium, but once I did your approach makes sense to me.
 

marcoi

Well-Known Member
Apr 6, 2013
1,532
288
83
Gotha Florida
Just got redirected when I clicked on new posts.
Went to arwartortleer .com

Android os
Google browser
Us FL loc
 

PigLover

Moderator
Jan 26, 2011
3,184
1,545
113
Happened to visit the forums on a PC that had Norton Internet Security running on it (I know - old school). I keep getting a warning about blocked traffic - see attached.

Windows 10
Chrome 81.0.4044.138

Looks like something is making DNS requests to "publicenred.com", which Norton lists as a malicious domain.

No idea if this is related to the adware...
 

Attachments

  • Like
Reactions: Patrick

Patrick

Administrator
Staff member
Dec 21, 2010
12,511
5,792
113
Just in case, we re-built the entire ad web stack today. Also, we should be serving nothing but static banners at this point.
 

amalurk

Active Member
Dec 16, 2016
311
116
43
102
@Patrick
Just got sent through a series of redirects on my phone to some spammy site where I could win something when I visited servethehome.com on my phone. All I was doing was loading the home page and I saw it for a second or two and then a redirect chain started. Phone is Pixel 2 totally updated with latest monthly security patches, chrome browser, never rooted, no sideloaded apps, haven't noticed that happening on any other sites.

Browser history says I was at servethehome.com and that I went next to a.r.w.a.r.t.o.r.l.e.e.r.c.o.m. (with no dots except before .com of course). I did not choose to go there, pretty sure servethehome.com redirected me there. Not sure if that is first or last place in redirect chain as I saw multiple domains flash in the address bar before spammy win stuff site loaded. I tried back button and saw redirect chain flash again and ended up at a different spammy site. Went back to servethehome by typing it and the site loaded fine navigated to forums everything fine.

Maybe just rogue ad on front page of servethehome?
 
  • Like
Reactions: Patrick and Amrhn

Amrhn

New Member
Mar 17, 2020
1
1
3
@Patrick Just had the same happen to me as @amalurk but in the forums when I tried to go to the network sub here is a screenshot of the redirect series Screenshot_20200516_160354_com.android.chrome.jpg

And BTW I'm from Egypt if that could be any help.
 
  • Like
Reactions: Patrick

i386

Well-Known Member
Mar 18, 2016
4,220
1,540
113
34
Germany
I'm not sure where to post...
Since the new forum version every notfication mail ends up in junk, marked as spam.
Not sure if it's filtered directly by outlook.com (good old hotmail :D) or by thunderbird.