News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

My forum randomly (but rarely) redirect to 18+ site. Server issue?

Started by PokémonS, September 17, 2014, 09:54:08 AM

Previous topic - Next topic

PokémonS

SMF 2.0.8
Apache 2.2.22
PHP 5.3.27
MySQL 5.1.73-cll-lve
cPanel 11.44.1

Hi,

September 9, I req to hosting to move my forum to the new server.
Why? 'cuz my forum had issue for 9 days, which every 4 PM - 7 PM is always temporary unavailable to access.

September 16, a lot of mobile users reported that my forum randomly (but rarely) redirect to 18+ site.
Some users reported it happened while login, click "show unread post", or visit some threads.
Some users reported that the problems were from a week ago.

The 18+ site is a****f*****f******.com

Then I investigate this with our staff,

  • Does this problem related to their own browser/mobile? Surveyed, a lot of mobile users experiences this problem.
  • Does this problem related to ISP? Surveyed, any ISP still randomly (but rarely) redirect to 18+ site.
  • Does this problem related to the files/database? Analysed all files and database with compare plugin in Notepad++ from last backup before move to the new server, including htaccess, there are no malicious code.
  • Does this related to the server? I think so, but there are still one more of my forum (with different domain) which placed in the same server. Our staff and members should test it before I req to move server again to the hosting.

So... I am just asking here...
Has someone ever experienced this problem? Is this related to server issue?

Or maybe someone ever known this issue.
Thanks!

My forum is -> http://pokemonstars.com/
きみと手をつなごう つらいときはもっと
ゼロからはじめよう ほら ほら 手をつなごう
みんな手をつなごう つらいときはもっと
力を合わせよう ほら ほら 手をつなごう

Chalky

Bloody hell, clicking the link in your post took me straight to the adult site.  Yet the second time I clicked it and going directly to your site in a new tab, I get your site.  Weird.  My money's on your host server being the problem.

PokémonS

Quote from: Chalky on September 17, 2014, 10:02:14 AM
Bloody hell, clicking the link in your post took me straight to the adult site.  Yet the second time I clicked it and going directly to your site in a new tab, I get your site.  Weird.  My money's on your host server being the problem.

Thanks for your answer!

Can you check my other forum? It's still in the same server: http://pkmn-id.com/ . But if you have visited http://pokemonstars.com/ , maybe the server detected that you already visit one of the website in the server, so clear cache may apply, or use other IP address.
きみと手をつなごう つらいときはもっと
ゼロからはじめよう ほら ほら 手をつなごう
みんな手をつなごう つらいときはもっと
力を合わせよう ほら ほら 手をつなごう

Chalky

I'm not getting anything unusual for http://pkmn-id.com/, I've tried in Firefox, Chrome and even Tor to mask my IP but it just takes me to your site.  However, I haven't been able to recreate the redirect on http://pokemonstars.com/ either.  It only redirected me to adult-f-f the first time I clicked it but since then it's behaved itself, again in FF, Chrome and Tor.  Something strange is happening indeed, but I don't know what to suggest other than talk to your host.

Kindred

well hell again....


I clicked and the site was immediately blocked as a web exploit.
There is definitely something wrong on your server.

It looks like either the server itself is compromised or something is compromised in your files....

since pinging both the addresses above results in the same IP, I assume they are correctly on the same server...    which means that the likelihood of a file hack is more likely than a server-side hack
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

NanoSector

My phone blocked the URL as well. Check your site files and contact your host *immediately*.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

PokémonS

Thanks all for the answers!

Contacted my hosting.
Requested to migrate from US to Indonesian server.

I'll post here if they're done. :)




But if the problem still exist, idk, maybe I skipped some files to compare from the backup files.
きみと手をつなごう つらいときはもっと
ゼロからはじめよう ほら ほら 手をつなごう
みんな手をつなごう つらいときはもっと
力を合わせよう ほら ほら 手をつなごう

kat

Have a look at your index.php. The one in the root of your site.

The very first line should be:

<?php

Just that and absolutely nothing else. I have a feeling that you have a base64 hack. :(

Initially, I got a failed link to conceiveababygirl.com. I'm getting your site, properly, now.

PokémonS

Quote from: K@ on September 17, 2014, 03:36:37 PM
Have a look at your index.php. The one in the root of your site.

The very first line should be:

<?php

Just that and absolutely nothing else. I have a feeling that you have a base64 hack. :(

Initially, I got a failed link to conceiveababygirl.com. I'm getting your site, properly, now.

Thanks for your answer!

I already experiences the base64 hack while I am running on Wordpress.
The index files were injected by base64_decode() right after <?php.




Okay,

Already checked index file in the root and SMF's index files, no malicious code. Already checked mass and all PHP files with Notepad++ from the root, searching "base64" and no malicious code on the first line.

Screenshot:
-> http://puu.sh/bDkba.png
-> http://puu.sh/bDkbP.png
-> http://puu.sh/bDkco.png
きみと手をつなごう つらいときはもっと
ゼロからはじめよう ほら ほら 手をつなごう
みんな手をつなごう つらいときはもっと
力を合わせよう ほら ほら 手をつなごう

margarett

It can be (and probably is) a server issue. Since both domains resolve to the same IP, it's possible that your server messes the destination account.
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

LiroyvH

Quote from: margarett on September 17, 2014, 07:51:46 PM
It can be (and probably is) a server issue. Since both domains resolve to the same IP, it's possible that your server messes the destination account.

That's rather unlikely, granted the site it redirected to (at least for me) apparently is a site with huge traffic that wouldn't be on shared hosting, and hosted at a totally different provider.
Absolutely malware somewhere, but given the way it works it seems rather unlikely to be a server exploit.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

NanoSector

And since it looks like you're running windows xp, time to upgrade.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

PokémonS

Finally my host migrated my forum to another server.
To: 103.6.205.193

Check again: http://pokemonstars.com/

Check with: Clear cache + cookies, different IP address, different browsers, different ISP, or/and different platform.
きみと手をつなごう つらいときはもっと
ゼロからはじめよう ほら ほら 手をつなごう
みんな手をつなごう つらいときはもっと
力を合わせよう ほら ほら 手をつなごう

Night09



PokémonS

Thanks for the answers!

Waiting 3 days for this problem to be solved,
so please post here if it's still redirect to 18+ site or doesn't redirect anymore. :)
きみと手をつなごう つらいときはもっと
ゼロからはじめよう ほら ほら 手をつなごう
みんな手をつなごう つらいときはもっと
力を合わせよう ほら ほら 手をつなごう

kat


Chalky

Quote from: K@ on September 19, 2014, 07:36:01 AM
If we don't get sidetracked by the 18+ stuff, sure!

Oh don't, I'm already embarrassed that you've seen those pictures of me  :P O:) ;D


radu81

 O:)I had the same problem a few years ago, on a shared hosting I had 2 smf and one Joomla website. All websites had this problem, I couldn't find any modified file so I contacted my host  and he told me that they know about this problem and it will be solved in a few hours. And so was, I didn't ask further information
sorry for my bad english

Advertisement: