Author Topic: something wrong with poplular sports forum site? (Read 4969 times)

davexnet · « **on:** April 25, 2014, 02:10:52 AM »

Hi all,
getting the following popup when visiting this site. Any advice appreciated.
This is a very busy site, plenty of forum members/ posts.

hxxp://www.comeonyouspurs.com

Eddy · « **Reply #1 on:** April 25, 2014, 02:23:02 AM »

Your picture shows another site than the one you mentioned in the post.
The one in the post is not blocked.

utl4short is reported as not trustful/malicious:
https://www.virustotal.com/nl/url/0a30604db7912563535e656531a1d7a3316d598c1c627caea540372c16a8d66f/analysis/1398385521/
http://zulu.zscaler.com/submission/show/e9aa3fb507b65c844ed7c055d92629d6-1398385597
http://urlquery.net/report.php?id=1398385674986

davexnet · « **Reply #2 on:** April 25, 2014, 03:17:12 AM »

Perhaps you can help me figure out what happened. I can certainly recreate it, I tried it again just now.

Using Firefox, I navigated to the yahoo.com homepage. In their search box at top I entered
"Tottenham forums". In the search results I selected the result corresponding to the site I mentioned
in my first post (it's on the first page of results), selected it, and this detection comes up.

However, if I close and re-open Firefox and type the name of the site myself into a new tab,
everything is fine. Something wrong with the search results? Firefox? My PC?

Thanks for any further info.
EDIT - tried it in IE8 (I'm using XP) and everything works normally.

davexnet · « **Reply #3 on:** May 12, 2014, 04:59:15 AM »

I posted this at wilderssecurity and they seem to corroborate my findings.
Using the search results from Google, all is fine. As-is entering the site manually into a new tab.

Just the search results from Bing/Yahoo seem to re-direct to this malicious site.
http://www.wilderssecurity.com/threads/strange-result-with-yahoo-search-results.363500/#post-2370475

Eddy · « **Reply #4 on:** May 12, 2014, 07:28:55 AM »

You don't need to close/open FireFox, it also works without doing that.
And the same happens in other browsers as well.

It looks like bing/yahoo is using a redirector on certain search results to hide the referral.
If you go over search results with your mouse, some show the direct link to the website and others show r.search.yahoo.com or r.bing.com
http://clicky.com/blog/327/bings-secure-search-will-be-worse-than-googles-for-most-sites

Pondus · « **Reply #5 on:** May 12, 2014, 07:41:21 AM »

it seems url4short also is a browser hijacker / PUP

https://www.google.no/search?q=short+urls+detected&oq=short+urls+detected&aqs=chrome..69i57.11374j0j8&sourceid=chrome&es_sm=122&ie=UTF-8#q=url4short+detected

polonus · « **Reply #6 on:** May 12, 2014, 08:08:48 AM »

More info here: http://abhisays.com/tips-and-tricks/how-to-fix-forum-redirecting-to-url2short-info.html
Annoying,

polonus

Eddy · « **Reply #7 on:** May 12, 2014, 08:10:58 AM »

Pondus, I tested it and got the exact same results as the OP even in the safezone.
I don't think his system is infected with the redirector.

davexnet · « **Reply #8 on:** May 12, 2014, 05:46:37 PM »

I've looked at some of the sites mentioned, as well as further info here:
http://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/

This guy gives a great analysis of how he tracked down this injection. If I understand correctly,
the problem is in the server responsible for the comeonyouspurs.com website.

Perhaps I should let the site know? One thing I was not able to clear up, nor do I understand,
is why it only occurs when you use the search results? If you enter the site name directly
on a new tab, you don't see the problem. This is why I thought Bing/Yahoo was the culprit.

Eddy · « **Reply #9 on:** May 12, 2014, 07:00:51 PM »

Bing/Yahoo IS the culprit.
It is how they redirect you to a site in a effort trying to hide things as used keywords for the search (and some other things)

The board shows up clean in all scans.

davexnet · « **Reply #10 on:** May 12, 2014, 07:03:08 PM »

Thanks Eddy. I've opened a question in the Bing section at Microsoft Answers.
Let's see if they have anything to say about it.

polonus · « **Reply #11 on:** May 12, 2014, 07:07:11 PM »

Hi davexnet,

It is the vulnerability to the use of a wildcard enabled, look for the the character %, for connections to the database.
It is the traffic reduction that makes it so annoying.

polonus

davexnet · « **Reply #12 on:** May 12, 2014, 07:57:22 PM »

Polonus,
I am neither an administrator at the website in question nor a Bing representative.
I'm just a user who came upon this by chance.

From a response on Microsoft Answers I have filled in a form to Bing outlining this issue.

I read the info at http://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/
I reread it again, and as far as I can see, nowhere does he mention the problem
was the fault of the search results themselves. He seems to say, (as do the comments at the bottom)
that the problem actually was in the "Invisionboard site".

So, is it a Bing problem or the forum comeonyouspurs.com's problem? Mixture of the two?

Author Topic: something wrong with poplular sports forum site? (Read 4969 times)

davexnet

something wrong with poplular sports forum site?

Eddy

Re: something wrong with poplular sports forum site?

davexnet

Re: something wrong with poplular sports forum site?

davexnet

Re: something wrong with poplular sports forum site?

Eddy

Re: something wrong with poplular sports forum site?

Pondus

Re: something wrong with poplular sports forum site?

polonus

Re: something wrong with poplular sports forum site?

Eddy

Re: something wrong with poplular sports forum site?

davexnet

Re: something wrong with poplular sports forum site?

Eddy

Re: something wrong with poplular sports forum site?

davexnet

Re: something wrong with poplular sports forum site?

polonus

Re: something wrong with poplular sports forum site?

davexnet

Re: something wrong with poplular sports forum site?