Page 3 of 5
Results 21 to 30 of 41

Thread: DMCTalk is Infected. Again.

  1. #21
    Senior Member ccurzio's Avatar
    Join Date:  Nov 2011

    Location:  Atlanta-ish

    Posts:    2,212

    My VIN:    5311

    Club(s):   (SEDOC) (DCUK)

    I haven't been to DMCTalk in a while, and I was trying to find something yesterday via Google and one of the results was DMCTalk. I clicked on it and bam, got hit with a bunch of spam pages all over again, trying to download malware bullshit. So yeah, this is still a problem.
    - Chris


    what

  2. #22
    DeLorean Historian / Administrator Tamir A.'s Avatar
    Join Date:  May 2011

    Location:  Los Angeles / Chicago

    Posts:    438

    My VIN:    11474

    Do you have the link? It used to be very clear when this was happening. I'd go to any device, search DMCTALK from google or yahoo, click on it, and boom redirected to malware site. That isn't happening anymore, and my VMWARE guy says site is clean. So wondering if this old link is labeled as a dmctalk link but really is just a malware link?

    Quote Originally Posted by Accipiter View Post
    I haven't been to DMCTalk in a while, and I was trying to find something yesterday via Google and one of the results was DMCTalk. I clicked on it and bam, got hit with a bunch of spam pages all over again, trying to download malware bullshit. So yeah, this is still a problem.
    Fan of all things DeLorean!

  3. #23
    Senior Member DMCVegas's Avatar
    Join Date:  Oct 2011

    Location:  Elsewhere

    Posts:    2,317

    My VIN:    6585

    Club(s):   (DOA) (DCUK)

    The frequency in which it happens is totally random, as are the specific links. It's almost like DNS poisoning, but I've had it happen so far on 3 different providers with 3 separate sets of DNS Servers. Perform a Google Search on something DeLorean related. Get a link to either DMCTalk (or even DMCToday as I found) by either a regular Google page search, or with Image search. Click on the link. Go to DMCTalk, stop, get re-directed to the malicious site (which I posted the link to before). Now for me, it gets confused. I'm running either Windows or OS X with Safari or Chrome with Ghostery to suppress popups, so I get an error that the file can not be found. HOWEVER, when this same thing happened on iOS, that's when I got not only the same page, but then suddenly redirected to some random Asian dating site since the re-directions were not disabled.

    Now then, go back to the Google results page and click on the same exact link again, now the proper DMCTalk web page comes up.

    Now at one point when I was trying to link an image, I DID receive a notification that DMCTalk was requesting permission to use Flash. Which I denied. Strange because I've never seen that before. That was on OS X Safari.

    Using a totally separate browser on a separate OS which is NOT linked in any way to other accounts, this happens still. And what is weird again is that it's only happening on these message boards.

    Now I don't frequent much anything else other than DMCTalk. When I pop-up over on the Ford boards, it's kinda rare. And I have no doubt at all that your guy isn't finding any direct infections or abnormal problems with the site. I also don't have a membership for "Today" either, so there are no cookies involved. But there is one thing that you both have in common: You're Version 4 vBulletin boards.

    Most of the time when I access DMCTalk.org on iOS, and I'm not logged in, I will get a random interception on Safari that temporarily redirects me to a page advertising Tapatalk. Then it gives me links to open the App, or to just proceed on to DMCTalk.org.

    What is the chance that the Tapatalk plugin for this site is the problem because Tapatalk's advertising servers are compromised?

    So when you visit DMCTalk and the board sees that you're coming from Google instead of internally, it launches the app to check for the Browser type and to see if it should redirect to the Tapatalk advertising screen branded with DMCTalk's logo. But with a remote infection which you cannot detect, courtesy of Tapatalk's infected advertising servers you don't have access to, it will instead redirect the user over to the infected site.

    This is the same thing that Link Exchange had many years ago, and the Wall Street Journal had recently with compromised Adobe Flash advertisements on their redirection page.

  4. #24
    Senior Member ccurzio's Avatar
    Join Date:  Nov 2011

    Location:  Atlanta-ish

    Posts:    2,212

    My VIN:    5311

    Club(s):   (SEDOC) (DCUK)

    Quote Originally Posted by DMCVegas View Post
    The frequency in which it happens is totally random, as are the specific links.
    It's not though. It's dead simple to reproduce 100% of the time.

    1. Open a browser that has no saved history, no saved cookies, and no stored sessions. (This emulates someone visiting DMCTalk for the very first time.)
    2. Go to www.google.com and enter a search that will absolutely return DMCTalk in the results. The best way to do this is to search for something like "site:dmctalk.org Flux"
    3. Click any of the resulting links.
    4. Watch as DMCTalk redirects you to some other site that tries infecting your shit with malware.

    This process will ALWAYS work: http://i.imgur.com/u7cxnQcl.png

    Quote Originally Posted by DMCVegas View Post
    Now then, go back to the Google results page and click on the same exact link again, now the proper DMCTalk web page comes up.
    That's because once DMCTalk manages to write a cookie in your browser's cache, the problem disappears. This happens just before the initial redirect.
    Last edited by ccurzio; 10-22-2015 at 07:31 PM.
    - Chris


    what
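The conditional redirect described in post #24 can be checked from saved responses instead of a live browser. This is an added example, not code from the thread or the site's maintainers: it compares the same URL captured under three client profiles and reports whether an off-site redirect appears only for a cookie-less visitor. The profile names, `forum.example`, `redirector.example`, and the idea that the Referer header may also be a trigger are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Client-side redirects an injected tag or script would typically use.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def redirect_targets(url, status, headers, body):
    """Every absolute URL this response would send a browser to."""
    targets = []
    if 300 <= status < 400 and "Location" in headers:
        targets.append(urljoin(url, headers["Location"]))
    for pattern in (META_REFRESH, JS_LOCATION):
        targets += [urljoin(url, t) for t in pattern.findall(body)]
    return targets

def offsite(url, targets):
    """Targets on a different host (exact match, so www. counts as different)."""
    host = urlparse(url).hostname
    return [t for t in targets if urlparse(t).hostname not in (host, None)]

def compare_profiles(url, captures):
    """captures: profile name -> (status, headers, body) for the same URL."""
    seen = {name: offsite(url, redirect_targets(url, *resp))
            for name, resp in captures.items()}
    hits = seen.get("fresh_search_referer", [])
    # Conditional = redirect for a new visitor, none once the cookie is set.
    conditional = bool(hits) and not seen.get("returning_with_cookie")
    trigger = None
    if conditional:
        trigger = ("no cookie" if seen.get("fresh_direct")
                   else "search referer and no cookie")
    return {"conditional": conditional, "trigger": trigger, "targets": hits}

# Constructed captures (hypothetical hosts, not taken from the real site).
URL = "http://forum.example/showthread.php?t=1"
CLEAN = (200, {}, "<html><body>thread page</body></html>")
SAMPLE = {
    "fresh_search_referer": (200, {"Set-Cookie": "seen=1"},
        '<script>window.location="http://redirector.example/landing"</script>'),
    "fresh_direct": CLEAN,
    "returning_with_cookie": CLEAN,
}

if __name__ == "__main__":
    print(compare_profiles(URL, SAMPLE))
```

A scanner that fetches the page only once, or with an existing session, sees only the clean variant, which is consistent with the site being reported clean while visitors still hit the redirect.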

  5. #25
    Senior Member DMCVegas's Avatar
    Join Date:  Oct 2011

    Location:  Elsewhere

    Posts:    2,317

    My VIN:    6585

    Club(s):   (DOA) (DCUK)

    I'm not able to reproduce it on command, but it might just be because of my security settings. Though DMCTalk.org does keep installing cookies for priceblink.com & tb.priceblink.com

    However....

    In Firefox I use an extension called WOT. Also known as Web Of Trust. When doing a Google search it will automatically inject some nice flags on the results next to the links, and DMCTalk.org got flagged as unsafe.

    Here is the page that it linked me to explaining why:

    https://www.mywot.com/en/scorecard/d...t=popup-donuts

    Don't know who this source is, but they're reporting infected .php scripts.

    I'm no vBulletin expert, so I don't even know where to begin. Though it looks as though this might be a shared server possibly we're hosted on with another server that has been compromised and is able to inject itself into DMCTalk's datastore. Or there is a bad/unauthorized plugin. From there it might have to be kicked up to Google to refresh their cached data from their last site scan perhaps? I have no idea. But we do know that a 3rd party has now seen it as well.

  6. #26
    Senior Member acaciolo's Avatar
    Join Date:  Apr 2014

    Location:  coopersburg, PA

    Posts:    275

    My VIN:    3886

    Club(s):   (DMA)

    My homebuilding site www.monogramcustombuilders.com got hacked and was sending out spam emails. We would clean it, and the hackers kept getting back in. I pulled my hair out for 3 months. Finally, I paid $199 per year to these guys https://sucuri.net/. They not only protect my site, but they remove any viruses for free (unlimited times.) And they do it in a few hours. I am not sure how dmctalk is funded, but I'd be happy to pitch in some $$ to help support it. I've seen the same porn sites redirect when I search from google, so there most likely is some php injection. Sucuri will find it and clean it.

    Even more annoying was that the porn it directed me to wasn't even good.

    tony

  7. #27
    DeLorean Historian / Administrator Tamir A.'s Avatar
    Join Date:  May 2011

    Location:  Los Angeles / Chicago

    Posts:    438

    My VIN:    11474

    Thanks for all the extra information guys, this is super helpful. I'll continue to have my vBulletin expert pursue this issue. He works heavily with vBulletin and should be able to make things right.
    Fan of all things DeLorean!

  8. #28
    Senior Member DMCVegas's Avatar
    Join Date:  Oct 2011

    Location:  Elsewhere

    Posts:    2,317

    My VIN:    6585

    Club(s):   (DOA) (DCUK)

    Just happened again. Sent me back to filestore72 DOT info, and then popped up a new window for musicbox to initiate a download.

  9. #29
    DeLorean Historian / Administrator Tamir A.'s Avatar
    Join Date:  May 2011

    Location:  Los Angeles / Chicago

    Posts:    438

    My VIN:    11474

    Well my guy informs me that he removed the latest malware, as well as some trojans in my web hosting. I'm hoping this puts this issue to bed. Let me know if anyone is still encountering issues.

    Thanks.
    Fan of all things DeLorean!

  10. #30
    Admins Never Retire Ron's Avatar
    Join Date:  Jun 2011

    Location:  North GA

    Posts:    4,074

    My VIN:    1669 (Sold) Looking for 5 spd...

    Club(s):   (SEDOC) (DCUK)

    I just tried the example in post #17 and got:

    TalkMW110215.jpg
    Last edited by Ron; 11-02-2015 at 02:23 PM.
