Forums hacked?

didds · Jan 30, 2017

interesting... 1) i tried in a cache cleared etc firefox browser (I normally sue opera when reading this forum) - all OK.

then the others I did in my normal opera browser... the FIRST time I clicked on number 3, I got that FS72 page. But subsequent clicks in that number 3 link were fine.

then I tried the URL in 3) (right click, copy link address then pasted into FF bar) I get FS72. Second time I try it (no cache clear, its fine)

didds

Ian_Cook · Jan 31, 2017

didds said:
interesting... 1) i tried in a cache cleared etc firefox browser (I normally sue opera when reading this forum) - all OK.

then the others I did in my normal opera browser... the FIRST time I clicked on number 3, I got that FS72 page. But subsequent clicks in that number 3 link were fine.

then I tried the URL in 3) (right click, copy link address then pasted into FF bar) I get FS72 Second time I try it (no cache clear, its fine)

didds

OK, so what is happening there is that the initial page is loading from the cache not from rugbyrefs.com. Your browser is "remembering" what was loaded last time you asked and is reloading it rather that referencing the actual page you are wanting because it sees that the page has not changed since the last time. Loading it again, or loading it in a new tab can sometimes force the browser to go fetch the actual page, and this refreshes its cache.

This website will explain it better than I can.

http://www.ghacks.net/2014/08/11/fi...t-loaded-from-cache-and-how-to-force-reloads/

SimonSmith · Jan 31, 2017

(Ian - thanks for dealing with this in as much detail as you are. I'm not sure how many of the Mods could help in this way. Cheers - Simon)

Ian_Cook · Jan 31, 2017

SimonSmith said:
(Ian - thanks for dealing with this in as much detail as you are. I'm not sure how many of the Mods could help in this way. Cheers - Simon)

No problemo!

L'irlandais · Feb 1, 2017

Ian_Cook said:
Tell me what happens with the following...
...
4. When you type "rugbyrefs" into a Google search and click on he top result (see attached file)
...
Tell me what the circumstances are that lead you to the redirect page.

Hello Ian,
Thanks for the détailled reply.
As you suggested 4 weeks ago I updated my device (Adobe flash player, etc..) I also cleared the cache, then rebooted my device. (Each time I close the browser it clears internet history, I believe.) Following the forums going offline, then everything went swimmingly, until about a week ago, google started redirecting me again.

symptomatic :
When I google RRF, generally it offers me two choices, the front page and the forums page. Clicking on either of them, 7 times out of ten redirects me to FS72, following which clicking on the other I can access the website.
Following the steps in your #18( after clearing cache) only option 4 redirected me.
In my browser, previously visited links show in a different colour, so once cache has been cleared, a blue coloured link means not previously visited (i.e. Not from cache, though I am no expert in that field.)

:sad: To be honest, I be happy for it to be a problem with my browser, since the alternative sounds like a lot of work for you guys.

Balones · Feb 1, 2017

I can concur that what L'irlandais outlines does happen. It does not happen when I use my bookmarked home page. Only when you go through Google (and IE) does it happen. Tried on other devices and it usually happens but not always.

didds · Feb 1, 2017

Ian_Cook said:
OK, so what is happening there is that the initial page is loading from the cache not from rugbyrefs.com. Your browser is "remembering" what was loaded last time you asked and is reloading it rather that referencing the actual page you are wanting because it sees that the page has not changed since the last time. Loading it again, or loading it in a new tab can sometimes force the browser to go fetch the actual page, and this refreshes its cache.

This website will explain it better than I can.

http://www.ghacks.net/2014/08/11/fi...t-loaded-from-cache-and-how-to-force-reloads/

Yup - I get all that (its sort od my job as well, how lucky am I?!)

but that doesn't explain why if you clean your cache etc etc etc (shift-ctrl-delete, select everything and tick all the boxes then click OK, restart the browser - which is also non-proxied) and load

then the FIRST hit is FS72, but subsequent ones (which now have that FS72 in its cache etc) then load the proper page.

So the actions seen actually are in reverse to what would be expected if anything.

didds

Flish · Feb 1, 2017

This is complex, but basically at some point a vulnerability has compromised the site and allowed code to be Injected server side into the pho scripts that power the site.

The injected code has some logic that says 'if the visitor has come from a search engine and this is their first visit then inject this JavaScript code into the page' - the injected code redirects us to the dodgy site, and is why we can't see it by viewing source and most of us are unaware, but if you kill cookies and run a script to capture output by pretending to have been referred by google you can capture the code.

The fix is for the site owners server side, vulnerability needs fixing and the php scripts cleaned up, good news it's fairly obvious to a capable Deb what the dodgybcode is, bad news is it could have been injected into 100's of files, *sometimes* you can automate cleanup, but it will happen again if you don't fix the entry point

not sure who to signpost this too, but happy to help if someone reaches out

Robert Burns · Feb 2, 2017

Hi all,

Apologies for that, but hopefully it is now all resolved.

Cpanel upgraded
LiteSpeed server upgraded
PHP upgraded.
Site software upgraded
All server side passwords have been changed.

So hopefully we are all back to normal. If anyone see's anything dodgy, feel free to report it. The Mods all have my email address.

I can confirm it was a redirect file in the structure not an SQL injection, still not sure how they got it in the file structure, but it's gone now. You'll see that all references to the file name have been changed, I then downloaded a dump of the database and did a search, so I know we were not infected database side.

I've done a google search and clicked all the links and only come here. I urge all members to clear their cache on their browsers.

If you want to be belt & braces safe a password change is never a bad thing, though as I said before, I am content that they did not breach the database, and so no information was lost.

Once again, apologies for the inconvenience.

Flish · Feb 2, 2017

Had a quick look and yes that looks to clear it up, can confirm in my experience these redirect injections are automated and opportunist (no skill involved) and purpose is to redirect to some end game, I've never yet seen one that actually involved any user data compromise or anything malicious, just annoying (and all a pit pointless IMO!)

Forums hacked?

didds

Resident Club Coach

Ian_Cook

Referees in New Zealand

SimonSmith

Referees in Australia

Ian_Cook

Referees in New Zealand

L'irlandais

, Promises to Referee in France

Balones

Referee Advisor / Assessor

didds

Resident Club Coach

Flish

Referees in England

Robert Burns

, Referees in Canada, RugbyRefs.com Webmaster

Flish

Referees in England