Pattaya Talk infected with virus / ongoing now a few years


Pattaya Talk has been infected with the url4short virus for a few years now and nothing has been done.

What happens is that any Google search result that links to PattayaTalk, when you click it, automatically gets redirected to the url4short scam.

Please look into this and remove the infection from the website; I'm sure you're losing a shit load of traffic due to this.

Thanks

(It happens when not logged into the forums and the Google search links to anywhere on this forum.)

Edited by pattayatalkbroken

Hi MM. He is right... :(

My PC always reconnects me automatically, so not something I noticed, but I tried in a private browsing window to search for PattayaTalk on Google and, indeed, your site tried to redirect me to a "/url4short.info/" URL that my antivirus blocked!

- First thing to do is to check for the .htaccess files in your hosting directories. Probably many unwanted "rewrite" rules in the main .htaccess or several others.

- Second will be to search for "url4short", "eval(" or other suspicious code in all your PHP files.

- Third will be to find how your files have been modified, else it will happen again. (Probably difficult if "a few years"! and probably several updates since that infection...)

Good luck

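The three checks above, as an added example script that is not from the forum or from Invision: it walks a web root, lists RewriteRule/RewriteCond lines in every .htaccess (flagging rules whose target leaves the site), greps PHP files for the constructs named in the post, and records each file's modification time as a lead for the third step. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
import time

# What the post says to grep for, plus the other common decode steps.
PHP_SUSPICIOUS = re.compile(r"url4short|\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(")
HTACCESS_RULE = re.compile(r"^\s*Rewrite(Rule|Cond)\b", re.I)
OFFSITE = re.compile(r"https?://", re.I)

def scan_webroot(root):
    """Return (relative path, kind, line number, line, mtime) for every hit;
    kind is 'php', 'rewrite', or 'rewrite-offsite' when the target leaves the site."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == ".htaccess":
                pattern, kind = HTACCESS_RULE, "rewrite"
            elif name.endswith(".php"):
                pattern, kind = PHP_SUSPICIOUS, "php"
            else:
                continue
            path = os.path.join(dirpath, name)
            # Modification time is the lead for step three: what changed, and when.
            mtime = time.strftime("%Y-%m-%d %H:%M", time.localtime(os.path.getmtime(path)))
            with open(path, errors="replace") as fh:
                for number, line in enumerate(fh, 1):
                    if pattern.search(line):
                        label = "rewrite-offsite" if kind == "rewrite" and OFFSITE.search(line) else kind
                        findings.append((os.path.relpath(path, root), label, number, line.strip(), mtime))
    return findings

def build_sample_tree():
    """Constructed sample web root: a clean file, an injected loader and a hijacked .htaccess."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "admin"))
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\n"
                     "RewriteRule ^.*$ http://redirect-target.invalid/ [R,L]\n",
        "index.php": "<?php\nrequire 'init.php';\necho 'hello';\n",
        "admin/cache.php": "<?php\n$x = 'aGVsbG8=';\neval(gzinflate(base64_decode($x)));\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, label, number, line, mtime in scan_webroot(build_sample_tree()):
        print("%s:%d [%s] modified %s: %s" % (path, number, label, mtime, line))
```

Run it against the real document root instead of the sample tree; the .htaccess hits and the newest modification times are where to start reading.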

This blog will show how clever the writer of the virus is... it's not as simple as you suggest.

Thing is, I did all those steps and found a hit way back when. I removed the offending file changes, rebuilt the IPB caches, and even write protected the files that had been modified. The problem went away for a few days, then came back.

It was found by using a grep that looks for a signature string...that grep doesn't find anything now except in image files, and it could be just a result of random compression results.

Bottom line..that blog, while it got to the virus the first few times, no longer works and the virus has moved somewhere harder to find.

We are working on a plan to do a complete reinstall of the server software, forum software, database and associated files...that's likely to eliminate this redirect bug as well.


This blog will show how clever the writer of the virus is... it's not as simple as you suggest.

Yes, I know well about this kind of attack. Sometimes some very crafty pirates. ;)

In the case of this blog, finding "eval" in PHP files was indeed the easy way to locate the problem.


Reported nearly 2 years ago too, here.

Personally I do not get the problem now; I access PT from a link within my empty tab in Firefox.

It can also come from an infected DNS. I was suspicious back then it was something in my router.

Edited by jacko

Yeah, I get the hits from Google search results about something in Pattaya; if the link is the PattayaTalk forum it always sends me to url4short.

Just wanted to give you guys a heads up anyway. If I'm logged into this site, surprisingly, it loads OK.

Some updated info on removal from a few months back here: https://revisium.com/en/kbe/infected_ipb_and_vbulletin.html

Edited by pattayatalkbroken
2 weeks later...

I found and removed the malware (again) about a week ago.

In the last two days it had come back, and this time was totally different in its signature, so finding it was not possible using the techniques given in the blogs written about it cited above.

I managed to locate it again; it had changed variable names and the encoded string was changed, but it still had to use two relatively rare functions in IPB to decode itself to runnable code.

So, this afternoon, after several hours of searching, GOTCHA! (again :banghead: )

It's now removed, and all the entry points into the system have had their locks changed, so let's see if it is still there.

Please do what you can to see if this problem remains...seems to me to be fixed, but this malware is very clever and might be hiding from me again.


Just tried it via google and no redirect, which did happen 2 days ago. I'll try to remember to try it over the next few days.

Thank you. I'd like to get confirmation that it's fixed.


// but this malware is very clever and might be hiding from me again.

Hi MM.

I am surprised that IPB can't help you as you have their up-to-date forum release??

There is clearly a security hole somewhere in the software... :(

While waiting to find it, or a new release that would fix it, you can maybe block this malware's action by blocking the "two relatively rare functions" that it uses "to decode itself to runnable code".

Depends on your hosting, but if you have access to php.ini, something like:

disable_functions = eval, base64_decode, gzinflate

You of course must *not* block functions your forum needs ;)

http://serverfault.com/questions/169489/php-evalgzinflatebase64-decode-hack-how-to-prevent-it-from-occurring-a

http://php.net/manual/en/ini.core.php#ini.disable-functions

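A check worth running before applying that php.ini line, as an added example that is not from the forum or from PHP's documentation: it parses the proposed disable_functions entries, flags the ones that are PHP language constructs (eval is one, and disable_functions only covers internal functions, so that entry does nothing) and reports which of the rest the forum's own PHP files call. The sample php.ini and forum file are constructed; the construct list is the usual set and is an assumption to extend for your PHP version.

```python
import os
import re
import tempfile

# PHP language constructs: disable_functions only covers real (internal) functions.
LANGUAGE_CONSTRUCTS = {"eval", "include", "include_once", "require", "require_once",
                       "echo", "print", "isset", "unset", "empty", "exit", "die"}

def parse_disable_functions(ini_text):
    """Return the names listed in the disable_functions directive, if any."""
    match = re.search(r"^\s*disable_functions\s*=\s*(.*)$", ini_text, re.M)
    return [n.strip() for n in match.group(1).split(",") if n.strip()] if match else []

def callers_in_tree(root, names):
    """Map each name to the PHP files under root that call it as a plain function."""
    hits = {n: [] for n in names}
    patterns = {n: re.compile(r"(?<![\w$>:])" + re.escape(n) + r"\s*\(") for n in names}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".php"):
                path = os.path.join(dirpath, fname)
                with open(path, errors="replace") as fh:
                    src = fh.read()
                for n, pattern in patterns.items():
                    if pattern.search(src):
                        hits[n].append(os.path.relpath(path, root))
    return hits

def review_disable_functions(ini_text, webroot):
    """Return {name: verdict} for a proposed disable_functions line."""
    names = parse_disable_functions(ini_text)
    used = callers_in_tree(webroot, names)
    verdicts = {}
    for n in names:
        if n in LANGUAGE_CONSTRUCTS:
            verdicts[n] = "construct: cannot be disabled this way"
        elif used[n]:
            verdicts[n] = "called by " + ", ".join(sorted(used[n]))
        else:
            verdicts[n] = "not called by the forum code"
    return verdicts

def build_sample_forum():
    """Constructed sample forum tree: one file decodes attachments with base64_decode."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "attach.php"), "w") as fh:
        fh.write("<?php\n$raw = base64_decode($row['blob']);\n$obj->gzinflate($raw);\n")
    return root

SAMPLE_INI = "expose_php = Off\ndisable_functions = eval, base64_decode, gzinflate, system\n"
```

Point webroot at the real forum directory; any "called by" entry is a function the board needs and must stay off the list.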

Invision just says "look for something unusual" and change your passwords.

Their help is worthless, even when you locate the infected files and ask them how to clean them so they don't come back.

Believe me, I have tried...given them specific files that are infected and asked for help.

All the files are in their own SW too.

Here's what they send me when I report this problem... https://www.invisionpower.com/support/kb/_/how-to-clean-your-site-from-infection-r27


:banghead:

Back to the drawing board!

Is it really a problem in the board's software? I haven't seen the problem for ages and am here a good bit.


I just tried it from Google, and got redirected, on an iPad 2 using Safari. Never noticed b4 as I use a bookmark.


I tried searching for "Pattaya Talk" a half-dozen times using Chrome, then clicking on the link and wasn't re-directed once. Never have been, but I usually connect with Talk via a bookmark.

 

Evil

:devil

Edited by Evil Penevil

Is it really a problem in the board's software? I haven't seen the problem for ages and am here a good bit.

Yes, it's an infection in the board software that I can locate and remove, but there is some way it can come back...and since it first came out, it's also mutated to avoid detection. As of now, it is removed again, and I'm trying to find out how it gets back in.

It only occurs (as far as I know) when you access the forum through a web search engine listing rather than a direct link (as in a bookmark).

 

I tried searching for "Pattaya Talk" a half-dozen times using Chrome, then clicking on the link and wasn't re-directed once. Never have been, but I usually connect with Talk via a bookmark.

Evil

:devil

It apparently has several conditions that have to be satisfied before it will do a redirect, possibly to avoid detection by being repeatable on demand...somehow, you're not matching all those conditions.

For example, on my first Google search for "pattayatalk transport", Google shows me a list of topics in the transport section. My first attempt to follow one of those links will redirect me, but subsequent attempts do not.

Tricky bastards.

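A way to reproduce the conditional redirect described above on your own site, as an added example that is not from the forum: it sends one GET with a search-engine Referer and one without, each over a fresh connection with no cookies and without following redirects, then compares the two responses. SITE and PAGE are placeholders; pick a page you have not opened yet from that address, since the post reports that only the first visit is redirected.

```python
import http.client
from urllib.parse import urlsplit

SEARCH_REFERER = "https://www.google.com/"
# Placeholders: replace with a page on your own site that you have not opened yet
# from this address; the thread reports that only the first visit is redirected.
SITE = "www.example.com"
PAGE = "https://www.example.com/forum/some-unvisited-topic/"

def fetch_once(url, referer=None):
    """One GET over a fresh connection with no cookies, redirects not followed.
    Returns (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=15)
    headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}
    if referer:
        headers["Referer"] = referer
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(direct, referred, site_host):
    """Compare a direct visit with a search-referred visit to the same page."""
    d_status, d_loc = direct
    r_status, r_loc = referred
    if 300 <= r_status < 400 and r_loc:
        target_host = urlsplit(r_loc).netloc.lower()
        if target_host and target_host != site_host.lower():
            if (d_status, d_loc) == (r_status, r_loc):
                return "off-site redirect for every visitor to " + target_host
            return "referrer-conditional off-site redirect to " + target_host
    if (d_status, d_loc) != (r_status, r_loc):
        return "responses differ; inspect by hand"
    return "no referrer-conditional redirect observed"

if __name__ == "__main__":
    # Referred visit first: a prior direct visit from this address might
    # satisfy the "already seen" condition and mask the redirect.
    referred = fetch_once(PAGE, SEARCH_REFERER)
    direct = fetch_once(PAGE)
    print(classify(direct, referred, SITE))
```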

Yeah, both the main site and forum link worked fine for me via google just prior to this post. As wac is fond of saying, strange days.

 

edit: well, the above explains that.

Edited by brotherbuzz

Yeah, both the main site and forum link worked fine for me via google just prior to this post. As wac is fond of saying, strange days.

They should work fine now, since the infection was removed...until it comes back :P


I've been trying to find a link for 6 traveller for Tapatalk? Not sure I'm asking this question in the right place. Sorry if I'm wrong. Again not sure, but saw the link here; but I'm new to this board, looked around and tried to send a PM but couldn't. If someone could tell me where to go I would appreciate it.. Cheers..

Sent from my iPhone using Tapatalk


Interesting. I've been clicking the main link via Google with no redirect for the last few days and had the same result a few minutes back. So, it dawned on me to try one I hadn't clicked, "General Discussion about..." in this case, and was redirected.


Interesting. I've been clicking the main link via Google with no redirect for the last few days and had the same result a few minutes back. So, it dawned on me to try one I hadn't clicked, "General Discussion about..." in this case, and was redirected.

I hate you!

 

Seriously, thanks for continuing to check. I really thought I'd nailed it this last time.


But in a good way. :D

Indeed!

Okay, I have made some changes that might have eliminated the problem (with the help of Frostfire, hacker whiz), and I haven't been able to reproduce the redirection problem.

Guys...care to give it another go and report back?
