DMCTalk is Infected. Again.

[ccurzio]

I haven't been to DMCTalk in a while, and I was trying to find something yesterday via Google and one of the results was DMCTalk. I clicked on it and bam, got hit with a bunch of spam pages all over again, trying to download malware bullshit. So yeah, this is still a problem.

[Tamir A.]

Do you have the link? It used to be very clear when this was happening. I'd go to any device, search DMCTALK from google or yahoo, click on it, and boom redirected to malware site. That isn't happening anymore, and my VMWARE guy says site is clean. So wondering if this old link is labeled as a dmctalk link but really is just a malware link?

I haven't been to DMCTalk in a while, and I was trying to find something yesterday via Google and one of the results was DMCTalk. I clicked on it and bam, got hit with a bunch of spam pages all over again, trying to download malware bullshit. So yeah, this is still a problem.

[DMCVegas]

The frequency in which it happens is totally random, as are the specific links. It's almost like DNS poisoning, but I've had it happen so far on 3 different providers with 3 separate sets of DNS Servers. Perform a Google Search on something DeLorean related. Get a link to either DMCTalk (or even DMCToday as I found) by either a regular Google page search, or with Image search. Click on the link. Go to DMCTalk, stop, get re-directed to the malicious site (which I posted the link to before). Now for me, it gets confused. I'm running either Windows or OS X with Safari or Chrome with Ghostery to suppress popups, so I get an error that the file can not be found. HOWEVER, when this same thing happened on iOS, that's when I got not only the same page, but then suddenly redirected to some random Asian dating site since the re-directions were not disabled.

Now then, go back to the Google results page and click on the same exact link again, now the proper DMCTalk web page comes up.

Now at one point when I was trying to link a image, I DID receive a notification that DMCTalk was requesting permission to use Flash. Which I denied. Strange because I've never seen that before. That was on OS X Safari.

Using a totally separate browser on a separate OS which is NOT linked in any way to other accounts, this happens still. And what is weird again is that it's only happening on these message boards.

Now I don't frequent much anything else other than DMCTalk. When I pop-up over on the Ford boards, it's kinda rare. And I have no doubt at all that your guy isn't finding any direct infections or abnormal problems with the site. I also don't have a membership for "Today" either, so there are no cookies involved. But there is one thing that you both have in common: You're Version 4 vBulliten boards.

Most of the time when I access DMCTalk.org on iOS, and I'm not logged in, I will get a random interception on Safari that temporarily redirects me to a page advertising Tapatalk. Then it gives me links to open the App, or to just proceed on to DMCTalk.org.

What is the chance that the Tapatalk plugin for this site is the problem because Tapatalk's advertising servers are compromised?

So when you visit DMCTalk and the board sees that you're coming from Google instead of internally, it launches the app to check for the Brower type and to see if it should redirect to the Tapatalk advertising screen branded with DMCTalk's logo. But with a remote infection which you cannot detect, courtesy of Tapatalk's infected advertising servers you don't have access to, it will instead redirect the user over to the infected site.

This is the same thing that Link Exchange had many years ago, and the Wall Street Journal had recently with compromised Adobe Flash advertisements on their redirection page.

[ccurzio]

The frequency in which it happens is totally random, as are the specific links.

It's not though. It's dead simple to reproduce 100% of the time.

1. Open a browser that has no saved history, no saved cookies, and no stored sessions. (This emulates someone visiting DMCTalk for the very first time.)
2. Go to www.google.com and enter a search that will absolutely return DMCTalk in the results. The best way to do this is to search for something like "site:dmctalk.org Flux"
3. Click any of the resulting links.
4. Watch as DMCTalk redirects you to some other site that tries infecting your shit with malware.

This process will ALWAYS work: http://i.imgur.com/u7cxnQcl.png

Now then, go back to the Google results page and click on the same exact link again, now the proper DMCTalk web page comes up.

That's because once DMCTalk manages to write a cookie in your browser's cache, the problem disappears. This happens just before the initial redirect.

[DMCVegas]

I'm not able to reproduce it on command, but it might just be because of my security settings. Though DMCTalk.org does keep installing cookies for price blink.com & tb.priceblink.com

However....

In Firefox I use an extension called WOT. Also known as Web Of Trust. When doing a Google search it will automatically inject some nice flags on the results next to the links, and DMCTalk.org got flagged as unsafe.

Here is the page that it linked me to explaining why:

https://www.mywot.com/en/scorecard/d...t=popup-donuts

Don't know whom this source is, but they're reporting infected .php scripts.

I'm no vBulliten expert, so I don't even know where to begin. Though it looks as though this might be a a shared server possibly we're hosted on with another server that has been compromised and is able to inject itself into DMCTalk's datastore. Or there is a bad/unauthorized plugin. From there it might have to be kicked up to Google to refresh their cached data from their last site scan perhaps? I have no idea. But we do know that a 3rd party has now seen it as well.

[acaciolo]

My homebuilding site www.monogramcustombuilders.com got hacked and was sending out spam emails. We would clean it, and the hackers kept getting back in. I pulled my hair out for 3 months. Finally, I paid $199 per year to these guys https://sucuri.net/. They not only protect my site, but they remove any viruses for free (unlimited times.) And they do it in a few hours. I am not sure how dmctalk if funded, but I'd be happy to pitch in some $$ to help support it. I've seen the same porn sites redirect when I search from google, so there most likely is some php injectoin. Sucuri will find it and clean it.

Even more annoying was that the porn it directed me to wasn't even good.

tony

[Tamir A.]

Thanks for all the extra information guys, this is super helpful. I'll continue to have my Vbulletin expert pursue this issue. He works heavily with VBulletin and should be able to make things right.

[DMCVegas]

Just happened again. Sent me back to filestore72 DOT info, and then popped up a new window for musicbox to initiate a download.

[Tamir A.]

Well my guy informs me that he removed the latest malware, as well as some trojans in my web hosting. I'm hoping this puts this issue to bed. Let me know if anyone is still encountering issues.

Thanks.

[Ron]

I just tried the example in post #17 and got:

TalkMW110215.jpg