DMCTalk is Infected. Again.



ccurzio
08-26-2015, 05:47 PM
DMCTalk managed to get itself infected with another malware redirect affecting non-cookied visitors to the site finding their way here via Google.

Open a browser with all cookies deleted and an empty cache, then go to Google and enter "dmctalk" into the search field. Click the first link returned, and enjoy the show.

http://i.imgur.com/ZMAHCXpl.png

http://i.imgur.com/dFGpqvtl.png

Someone with server-level access to this site (and an understanding of security) REALLY needs to start keeping an eye on things.

Rich W
08-26-2015, 07:18 PM
DMCTalk managed to get itself infected with another malware redirect affecting non-cookied visitors to the site finding their way here via Google.

Open a browser with all cookies deleted and an empty cache, then go to Google and enter "dmctalk" into the search field. Click the first link returned, and enjoy the show.

Someone with server-level access to this site (and an understanding of security) REALLY needs to start keeping an eye on things.

FYI - The old malware redirect error still occurs for me occasionally, under the same conditions (non-cookied visitors to the site finding their way here via Google)
I have seen it appear when I am away from home and checking the forum on a "public" computer, typing in DMCTalk from Google.

Just thought I would mention it now, if someone is looking into the latest malware report already.

Tillsy
08-27-2015, 04:23 AM
I figured they still hadn't resolved the prior infection - have found myself redirected to a porn site twice in past couple of months when coming here :(

ccurzio
08-27-2015, 01:13 PM
Is this seriously the same infection from a while back? Who's maintaining the server? I assumed it was Tamir but it doesn't look like he's actually handling it.

It really seems like DMCTalk is limping along with a support staff only and nobody actually at the wheel.

SamHill
08-27-2015, 02:29 PM
I figured they still hadn't resolved the prior infection - have found myself redirected to a porn site twice in past couple of months when coming here :(

same here and I was puzzled. At least there has never been a problem just typing in the url.

Timebender
08-27-2015, 02:43 PM
What's interesting about the warning message is it's pretty unprofessional - "which seems to accessed from.." vs. the correct "which seems to BE accessed from". Whatever you do, do not call the number as it's not Apple. One time I got one of these, I clicked on my browser's back button and it went away. And no, if you have your firewall stuff turned on (it is by default), then you shouldn't have any security issues.

ccurzio
08-27-2015, 05:49 PM
What's interesting about the warning message is it's pretty unprofessional - "which seems to accessed from.." vs. the correct "which seems to BE accessed from". Whatever you do, do not call the number as it's not Apple. One time I got one of these, I clicked on my browser's back button and it went away. And no, if you have your firewall stuff turned on (it is by default), then you shouldn't have any security issues.

It's not that it's unprofessional, it's that it's usually made by people who aren't native and/or fluent English speakers. And yeah, of course the number isn't Apple. It's one of many numbers for scammers who are trying to get control over your system.

FYI, your firewall does not protect you against this sort of attack, nor does it protect against browser-based attacks.

I just wish whoever can get into the DMCTalk hosting server would fix this. People who search Google for help or info on the DMC-12 are going to end up stumbling over this shitty scam, and some of them may actually fall for it. :(

Bitsyncmaster
08-27-2015, 07:31 PM
My wife's friend fell for that scam. The funny thing is she bought an Apple because she was told hackers could not penetrate it.

ccurzio
08-27-2015, 09:01 PM
My wife's friend fell for that scam. The funny thing is she bought an Apple because she was told hackers could not penetrate it.

Any system has vulnerabilities, but make no mistake. This is not an example of hacking. This is social engineering.

Tamir A.
08-28-2015, 11:55 PM
Settle down Chris, it is one little issue that I had plugged but came back. It will be taken care of and doesn't affect anyone's ability to use the site.

T.


Is this seriously the same infection from a while back? Who's maintaining the server? I assumed it was Tamir but it doesn't look like he's actually handling it.

It really seems like DMCTalk is limping along with a support staff only and nobody actually at the wheel.

ccurzio
08-29-2015, 11:20 AM
It will be taken care of and doesn't affect anyone's ability to use the site.

Actually it does, but ok.

DMCVegas
10-16-2015, 09:37 PM
Gotten redirected to http://filestore72.info/download.php?id=c86d8d12 twice in the past two days now. Don't know what's going on, but wanted to give a heads up since it just happened again.

Ron
10-16-2015, 10:19 PM
Robert, I suspect you should update/change your virus protection software because that link goes straight to the URL:MAL virus...

DMCVegas
10-16-2015, 11:35 PM
It's updated. I've also had the same exact thing happen on my PC at work, so it's happening on both Windows and OS X 10.11.

Tamir A.
10-17-2015, 12:15 AM
I don't see this at all from all the search engines I'm testing. I have a VBulletin expert monitoring the site and he pulled all the malware off of it 2 weeks ago. What search engine did you use? Could it have been a cookie maybe? I'll have him scan the site again to see if something was missed.

T.


It's updated. I've also had the same exact thing happen on my PC at work, so it's happening on both Windows and OS X 10.11.

Ron
10-17-2015, 12:43 AM
FWIW, I get a URL:MAL virus warning for the link posted (2 different browsers, OSes, and virus protection programs), so I would suggest the link be broken or deleted, in any case.

DMCVegas
10-17-2015, 01:19 AM
Google Image Search was the search engine used that led to this redirection. Click back, then click on the very same link again, and then suddenly it works. Had it happen on Chrome in Windows 7 with McAfee, and Safari in OS X 10.11 w/ESET.

For what it's worth, when using GIS I had this happen 3 times on links to DMCToday as well. I'm not a member over there, so there were no cookies involved on that site.

If need be, I'll clear cookies and start fresh.

Ron
10-17-2015, 01:39 AM
I followed your example and got:
37304

Cleared cookies, ran a boot scan (clean), and got the same thing.

Tamir A.
10-17-2015, 01:03 PM
Thanks for all the information. My guy is looking into it and all of this is helpful to show him.


I followed your example and got:
37304

Cleared cookies, ran a boot scan (clean), and got the same thing.

DMCVegas
10-21-2015, 03:41 PM
Just had it happen again. This time in Safari on iOS 9 via Google.

ccurzio
10-22-2015, 09:00 AM
I haven't been to DMCTalk in a while, and I was trying to find something yesterday via Google and one of the results was DMCTalk. I clicked on it and bam, got hit with a bunch of spam pages all over again, trying to download malware bullshit. So yeah, this is still a problem.

Tamir A.
10-22-2015, 03:06 PM
Do you have the link? It used to be very clear when this was happening. I'd go to any device, search DMCTALK from google or yahoo, click on it, and boom redirected to malware site. That isn't happening anymore, and my VMWARE guy says site is clean. So wondering if this old link is labeled as a dmctalk link but really is just a malware link?


I haven't been to DMCTalk in a while, and I was trying to find something yesterday via Google and one of the results was DMCTalk. I clicked on it and bam, got hit with a bunch of spam pages all over again, trying to download malware bullshit. So yeah, this is still a problem.

DMCVegas
10-22-2015, 03:45 PM
The frequency with which it happens is totally random, as are the specific links. It's almost like DNS poisoning, but I've had it happen so far on 3 different providers with 3 separate sets of DNS servers. Perform a Google search on something DeLorean related. Get a link to either DMCTalk (or even DMCToday as I found) by either a regular Google page search, or with Image search. Click on the link. Go to DMCTalk, stop, get redirected to the malicious site (which I posted the link to before). Now for me, it gets confused. I'm running either Windows or OS X with Safari or Chrome with Ghostery to suppress popups, so I get an error that the file cannot be found. HOWEVER, when this same thing happened on iOS, that's when I got not only the same page, but then suddenly redirected to some random Asian dating site since the redirections were not disabled.

Now then, go back to the Google results page and click on the same exact link again, now the proper DMCTalk web page comes up.

Now at one point when I was trying to link an image, I DID receive a notification that DMCTalk was requesting permission to use Flash. Which I denied. Strange because I've never seen that before. That was on OS X Safari.

Using a totally separate browser on a separate OS which is NOT linked in any way to other accounts, this happens still. And what is weird again is that it's only happening on these message boards.

Now I don't frequent much anything else other than DMCTalk. When I pop up over on the Ford boards, it's kinda rare. And I have no doubt at all that your guy isn't finding any direct infections or abnormal problems with the site. I also don't have a membership for "Today" either, so there are no cookies involved. But there is one thing that you both have in common: You're Version 4 vBulletin boards.

Most of the time when I access DMCTalk.org on iOS, and I'm not logged in, I will get a random interception on Safari that temporarily redirects me to a page advertising Tapatalk. Then it gives me links to open the App, or to just proceed on to DMCTalk.org.

What is the chance that the Tapatalk plugin for this site is the problem because Tapatalk's advertising servers are compromised?

So when you visit DMCTalk and the board sees that you're coming from Google instead of internally, it launches the app to check for the browser type and to see if it should redirect to the Tapatalk advertising screen branded with DMCTalk's logo. But with a remote infection which you cannot detect, courtesy of Tapatalk's infected advertising servers you don't have access to, it will instead redirect the user over to the infected site.

This is the same thing that Link Exchange had many years ago, and the Wall Street Journal had recently with compromised Adobe Flash advertisements on their redirection page.

ccurzio
10-22-2015, 07:24 PM
The frequency in which it happens is totally random, as are the specific links.

It's not though. It's dead simple to reproduce 100% of the time.

1. Open a browser that has no saved history, no saved cookies, and no stored sessions. (This emulates someone visiting DMCTalk for the very first time.)
2. Go to www.google.com and enter a search that will absolutely return DMCTalk in the results. The best way to do this is to search for something like "site:dmctalk.org Flux"
3. Click any of the resulting links.
4. Watch as DMCTalk redirects you to some other site that tries infecting your shit with malware.

This process will ALWAYS work: http://i.imgur.com/u7cxnQcl.png


Now then, go back to the Google results page and click on the same exact link again, now the proper DMCTalk web page comes up.

That's because once DMCTalk manages to write a cookie in your browser's cache, the problem disappears. This happens just before the initial redirect.
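
A way to check a site for exactly the behaviour ccurzio describes (a redirect that fires only for a cookieless visitor arriving from Google and vanishes once the site's cookie is replayed), as an added example that is not code from the thread or from vBulletin. The page is fetched twice, redirects are never followed, and the two answers are compared; `fake_infected` is a constructed stand-in for a compromised server so the logic runs offline, and the cookie name `seen` in it is made up.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlsplit

GOOGLE_REFERER = "https://www.google.com/"
UA = "Mozilla/5.0 (compatible; redirect-check)"  # constructed User-Agent string


@dataclass
class Reply:
    status: int
    location: str = ""
    set_cookie: List[str] = field(default_factory=list)


Fetcher = Callable[[str, Dict[str, str]], Reply]


def urllib_fetch(url: str, headers: Dict[str, str]) -> Reply:
    """Real fetcher: a single request, HTTP redirects deliberately not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # None makes urllib surface the 3xx as an HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=15) as r:
            msg, status = r.headers, r.status
    except urllib.error.HTTPError as e:
        msg, status = e.headers, e.code
    return Reply(status, msg.get("Location", ""), msg.get_all("Set-Cookie") or [])


def offsite(location: str, url: str) -> bool:
    """True when a Location header sends the browser to a different host than it asked for."""
    return bool(location) and urlsplit(location).netloc not in ("", urlsplit(url).netloc)


def check_cloaked_redirect(fetch: Fetcher, url: str) -> dict:
    """Visit as a first-time Google visitor, then replay the cookies that visit set."""
    base = {"Referer": GOOGLE_REFERER, "User-Agent": UA}
    first = fetch(url, dict(base))
    cookie = "; ".join(c.split(";", 1)[0] for c in first.set_cookie)  # keep name=value only
    second = fetch(url, dict(base, Cookie=cookie) if cookie else dict(base))
    r1 = 300 <= first.status < 400 and offsite(first.location, url)
    r2 = 300 <= second.status < 400 and offsite(second.location, url)
    if r1 and not r2:
        verdict = "cloaked-redirect"  # only the cookieless visitor is sent away: the thread's symptom
    elif r1 or r2:
        verdict = "redirect"          # sent away regardless of cookies
    else:
        verdict = "clean"             # no HTTP-level redirect seen either way
    return {"verdict": verdict, "first": first.location, "second": second.location}


def fake_infected(url: str, headers: Dict[str, str]) -> Reply:
    """Constructed stand-in for a compromised server: redirect once, set a cookie, then behave."""
    if "Cookie" not in headers:
        return Reply(302, "http://filestore72.info/download.php?id=c86d8d12", ["seen=1; Path=/"])
    return Reply(200)


def fake_clean(url: str, headers: Dict[str, str]) -> Reply:
    """Constructed stand-in for a healthy server: always 200, still sets its cookie."""
    return Reply(200, "", ["seen=1; Path=/"])
```

Run it against a live host with `check_cloaked_redirect(urllib_fetch, "http://dmctalk.org/forum.php")`. It only sees redirects done with an HTTP 3xx; a redirect injected as JavaScript or a meta refresh needs a headless browser driven the same two-request way.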

DMCVegas
10-22-2015, 09:42 PM
I'm not able to reproduce it on command, but it might just be because of my security settings. Though DMCTalk.org does keep installing cookies for priceblink.com & tb.priceblink.com

However....

In Firefox I use an extension called WOT. Also known as Web Of Trust. When doing a Google search it will automatically inject some nice flags on the results next to the links, and DMCTalk.org got flagged as unsafe.

Here is the page that it linked me to explaining why:

https://www.mywot.com/en/scorecard/dmctalk.org?utm_source=addon&utm_content=popup-donuts

Don't know whom this source is, but they're reporting infected .php scripts.

I'm no vBulletin expert, so I don't even know where to begin. Though it looks as though this might be a shared server possibly we're hosted on with another server that has been compromised and is able to inject itself into DMCTalk's datastore. Or there is a bad/unauthorized plugin. From there it might have to be kicked up to Google to refresh their cached data from their last site scan perhaps? I have no idea. But we do know that a 3rd party has now seen it as well.

acaciolo
10-23-2015, 09:51 AM
My homebuilding site www.monogramcustombuilders.com got hacked and was sending out spam emails. We would clean it, and the hackers kept getting back in. I pulled my hair out for 3 months. Finally, I paid $199 per year to these guys https://sucuri.net/. They not only protect my site, but they remove any viruses for free (unlimited times.) And they do it in a few hours. I am not sure how dmctalk is funded, but I'd be happy to pitch in some $$ to help support it. I've seen the same porn sites redirect when I search from google, so there most likely is some php injection. Sucuri will find it and clean it.

Even more annoying was that the porn it directed me to wasn't even good.

tony

Tamir A.
10-23-2015, 08:44 PM
Thanks for all the extra information guys, this is super helpful. I'll continue to have my Vbulletin expert pursue this issue. He works heavily with VBulletin and should be able to make things right.

DMCVegas
10-26-2015, 10:58 AM
Just happened again. Sent me back to filestore72 DOT info, and then popped up a new window for musicbox to initiate a download.

Tamir A.
11-02-2015, 01:55 PM
Well, my guy informs me that he removed the latest malware, as well as some trojans in my web hosting. I'm hoping this puts this issue to bed. Let me know if anyone is still encountering issues.

Thanks.

Ron
11-02-2015, 02:12 PM
I just tried the example in post #17 and got:

37758

Ron
11-02-2015, 02:22 PM
Tried it on an Android 5.0 Lollipop and it went to filestore72 (dot) info/download.php?id=c86d8d12 => bunch of BS

Tamir A.
11-02-2015, 04:55 PM
Ok guys, filled in my guy on this one more time, and he put in more security features to help rid these pesky bots and malware issues and found some new problems that may have been causing this still. Please keep me updated on this if you see more issues occurring. Supposedly the issue is resolved now, though I'm never sure until I hear from you the users. I've tried troubleshooting some of the examples you guys have posted here and all seems ok right now.

Ron
11-02-2015, 11:11 PM
Seems OK now.

DMCVegas
11-03-2015, 10:10 AM
Clicking on the DMCTalk banner at the top of the page now redirects me to the following site:

REFERENCE PURPOSES ONLY! "P" IN "HTTP" REMOVED TO DISPLAY ENTIRE LINK.

htt ://malware.opendns.com/main?server=dfw6&url=dmctalk.org%2Fforum.php&proxy=y&origin=Eg9oGgx9DBguBQpwGAgdFQ%3D%3D&prefs=16448&tagging=0x1f%2C0xd000780000000000&ref=http%253A%252F%252Fdmctalk.org%252Fforumdisplay.php%253F2-General-DeLorean-Discussion

Opening up just the root address alone on iOS gives me an error that there are too many redirects. It looks as though the "forum.php" file is infected as if I go to the root URL by itself, let alone sub-forums in the address, there is no problem.

burch
11-03-2015, 11:22 AM
Just got redirected to the Filestore site from my Mac (running Chrome). Here's the Google link that I clicked:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&cad=rja&uact=8&ved=0CDIQFjAGahUKEwjv-InH1PTIAhVPN4gKHYGXDqY&url=http%3A%2F%2Fdmctalk.org%2Fshowthread.php%3F4083-Steering-Wheel-Center-Pad-Vinyl-Cover-Stainless-Steel-Emblem&usg=AFQjCNEUql-127keI9eq48P3TXdY5TK4Hg&sig2=k_YCSd-0wjmtExuYrmTHLw&bvm=bv.106674449,d.cGU

Tamir A.
11-07-2015, 10:16 PM
Hello,

Can someone test if the malware issue is still happening?
We have applied another fix.

Thanks!

Ron
11-08-2015, 12:27 AM
I can't get it to screw up with any examples given using Chrome 46.0.2490.71 on a WIN 7 Pro SP1 machine or the Android 5.0 Lollipop anymore.

Tamir A.
11-08-2015, 09:59 AM
Here is one of the few ways to test.
Open an "Incognito Browser". Right click your browser, like Google Chrome, then click Open Incognito Window.
Go to Google.com
Search "dmctalk"
Click any of the forum links in the search results.

Let us know if you get redirected to other sites.

DMCVegas
11-12-2015, 06:17 PM
So far no problems, but my company's security settings have wound up blocking http://dmctalk.org/forum.php. So you may need to contact content filter providers to give them the all-clear for that URL to be taken off of their blacklist. Strangely enough, the rest of the site comes up no problem. It just seems to be when the URL targets that specific .php file instead of letting the browser default automatically.

Ron
11-12-2015, 07:35 PM
Still OK here (on all three machines, etc).

Tamir A.
11-12-2015, 08:38 PM
Glad to hear. Some of these new security patches may be finally doing the trick. Damn bots be gone! :mad2:


Still OK here (on all three machines, etc).