Migrated Server Yesterday - Intermittent SPAM redirects ever since! (Unknown IP!)

Discussion in 'Security' started by WebDev Solutions, Aug 6, 2015.

  1. #1
    OK folks, I'm absolutely pulling my hair out here.

    Bit of background, I migrated our Xenforo forum 36 hours ago to a new reseller account and before I transferred the web files and restored the DB on the new server, everything was working perfectly.

    My old server IP was 173.236.244.124

    My new server IP is 94.76.219.227

    After a few hiccups, the website resolved for the majority of our visitors. However, spammy redirects to 'millionaire ebook', 'zeroredirect1' and 'zerodirect2' (amongst others) started to immediately forward a user to these offers ... it sometimes also redirects to ww9.www.onefootballforum.co.uk as opposed to onefootballforum.co.uk.

    Malicious IP which is responsible for redirects and often appears when I ping my site in cmd: 77.247.178.109

    The redirects seem intermittent, some users haven't seen them at all, others have them intermittently, whilst others cannot access the main site at all.

    Our host has scanned the server files for MALWARE and this has supposedly come up empty.

    My work PC is one of those that has been affected, so I flushed my DNS. No luck.

    When I open command prompt and type: ping onefootballforum.co.uk the IP it returns is 77.247.178.109. A quick Google search shows this is some kind of spam/hackers site. Also, if you load that IP in your browser you see the same kind of spammy redirects I am currently suffering from. (https://www.google.co.uk/?gws_rd=ssl#q=77.247.178.109 )

    Excerpt of some of the redirect URLs below.
    http://zk1.zeroredirect2.com/domredirect?visitid=284304d3-3c4c-11e5-8822-12eac5448493&type=js&browserWidth=1366&browserHeight=667&iframeDetected=false
    http://ww9.www.onefootballforum.co.uk/
    Interestingly, when I ping with www. attached, my true server IP is returned 94.76.219.227.

    I've tried uninstalling my browsers and reinstalling, along with malwarebytes scans (normally and in safe mode), thinking it could be a computer virus. No luck.

    The site is quite busy and usually has 60+ members online - the redirects appear to be affecting 50-100 visitors intermittently. I'm really struggling to understand how this issue wasn't happening before I moved the site, then it happens immediately? Could this be some kind of DNS issue? The host messed it up to begin with.

    I'm happy to provide any further details, I've gone into as much detail as possible but may not be giving the right sort of info!

    Any help would be greatly appreciated.

    WebDev
     
    WebDev Solutions, Aug 6, 2015
  2. PoPSiCLe

    #2
    Must be a DNS issue somewhere. Talk to the hosting company.
    Tested now, and from here (using Google DNS) it returns your site (correct IP and all) both with and without www. on both ping and tracert.
     
    PoPSiCLe, Aug 6, 2015
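PoPSiCLe's test above (the same names looked up through a different resolver) is the right diagnostic for what the thread describes. The script below is an added example, not code from the thread or from XenForo: it compares the answers several resolvers gave for the apex and www names, flags any address outside the set the site owner expects, and reports names on which resolvers disagree. The observation table is constructed to mirror the posts; the resolver labels and `EXPECTED_IPS` are assumptions.

```python
"""Cross-resolver DNS consistency check.

Added example, not code from the thread or from XenForo. It encodes the
diagnosis the thread arrives at: the apex name answered with one address
from the affected PC's resolver and with another from Google DNS, while
the www name agreed everywhere. Resolver labels and EXPECTED_IPS are
assumptions for the example.
"""
import socket
from typing import Dict, List, Set, Tuple

# Constructed observation table modelled on the posts: name -> resolver -> answers.
OBSERVATIONS: Dict[str, Dict[str, Set[str]]] = {
    "onefootballforum.co.uk": {
        "affected-pc-resolver": {"77.247.178.109"},   # what 'ping' showed on the affected PC
        "8.8.8.8": {"94.76.219.227"},                 # PoPSiCLe's result via Google DNS
    },
    "www.onefootballforum.co.uk": {
        "affected-pc-resolver": {"94.76.219.227"},
        "8.8.8.8": {"94.76.219.227"},
    },
}

# Addresses the site owner knows the zone should publish (the new server).
EXPECTED_IPS: Set[str] = {"94.76.219.227"}


def find_dns_discrepancies(observations: Dict[str, Dict[str, Set[str]]],
                           expected_ips: Set[str]) -> Dict[str, list]:
    """Flag answers outside expected_ips and names on which resolvers disagree.

    Returns {"unexpected": [(name, resolver, ip), ...], "inconsistent": [name, ...]}.
    Either list being non-empty means the resolution path, not the web files,
    deserves the first look.
    """
    unexpected: List[Tuple[str, str, str]] = []
    inconsistent: List[str] = []
    for name, by_resolver in observations.items():
        # More than one distinct answer set for the same name = resolvers disagree.
        if len({frozenset(ips) for ips in by_resolver.values()}) > 1:
            inconsistent.append(name)
        for resolver, ips in by_resolver.items():
            for ip in sorted(ips - expected_ips):
                unexpected.append((name, resolver, ip))
    return {"unexpected": unexpected, "inconsistent": inconsistent}


def resolve_with_system_resolver(name: str) -> Set[str]:
    """Live lookup through the machine's configured resolver (needs network).

    The standard library cannot pick a specific upstream resolver; to add a
    second column, run e.g. 'nslookup onefootballforum.co.uk 8.8.8.8' and
    enter the answers into the observation table by hand.
    """
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return set()
    return set(addrs)


if __name__ == "__main__":
    result = find_dns_discrepancies(OBSERVATIONS, EXPECTED_IPS)
    for name, resolver, ip in result["unexpected"]:
        print(f"UNEXPECTED   {name} via {resolver} -> {ip}")
    for name in result["inconsistent"]:
        print(f"INCONSISTENT resolvers disagree on {name}")
```

With the constructed table the script reports the apex name as inconsistent and the affected PC's answer as unexpected, while the www name is clean, which is exactly the split the first post observed between `ping onefootballforum.co.uk` and `ping www.onefootballforum.co.uk`. Filling the table from two or three public resolvers plus the machine that shows the symptom separates a client-side or resolver problem from a zone that is actually publishing a bad record.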
  3. WebDev Solutions

    #3
    I'm not disregarding your advice and am phoning the hosting company now, but surely the kind of redirects I'm seeing are a result of something malicious? Another example below...
    http://bbcc-news.com/web/uk/news1/2333.htm?voluumdata=vid..00000001-36cf-4c7a-8000-000000000000__vpid..92aae800-3c5c-11e5-8df6-22f709cbf10c__caid..d09107fc-95f7-4b08-804a-b79e77c26593__rt..D__lid..ab7e1990-a2f1-4fb4-9eb7-9cbe7a34ac8b__oid1..f01be7ee-703d-4b8f-bed8-ab2f4c6c4c28__var1..romeo-yin-WziREgue__var2..www%5C.%5Conefootballforum%5C.%5Cco%5C.%5Cuk__var4..NON-ADULT__var5..DOMAIN__rd..
    WebDev
     
    WebDev Solutions, Aug 6, 2015
  4. Zoti Media Group

    #4
    Have you scanned your site with Sucuri? Does it show something?
    Have you checked htaccess and some php, js files for some encrypted code?
     
    Zoti Media Group, Aug 6, 2015
  5. WebDev Solutions

    #5
    I haven't. To be perfectly honest I do not know enough about this kind of stuff to do it myself. I'm awaiting a response from the host in reference to this issue but if they cannot provide a speedy resolution I would be willing to pay somebody who can take a look with a good degree of confidence about resolving the issue.

    EDIT: Can anybody extract anything meaningful from these results (takes a moment to load)? http://dnscheck.pingdom.com/?domain=onefootballforum.co.uk

    Errors all over the shop...

    WebDev
     
    Last edited: Aug 6, 2015
    WebDev Solutions, Aug 6, 2015
  6. billzo

    #6
    If I was in your situation, I would wipe everything and start over from scratch. You have obviously been compromised somewhere down the line, or it could be that your host was compromised as you are on a shared server (I assume). That does happen.

    Anti-virus programs are far from perfect. I think the best are about 70% effective, or a bit more. If you want certainty you do not have a virus on your computer, reformat your hard drive and reinstall your operating system and all your software (after you backup your critical data!).

    What you describe above does sound like your DNS was compromised. But it is not now. And I cannot imagine any low-level hacker having the sophistication to randomly change your DNS. I checked both the www and non-www versions of your site and they both point to 94.76.219.227.

    As I said, what you describe does sound like a DNS thing. But there are lots of ways a hacker can redirect traffic, including a JavaScript redirect. So check your HTML output and look for that, and check your htaccess file(s). And keep in mind that hackers often put in hidden backdoors so they can access your site again if the original exploit is found.

    The only issue with the Pingdom DNS test is an invalid rDNS host name. That is out of your control if you are on a shared server. irnj.eazyprintz.com. Not that big of a deal.
     
    billzo, Aug 6, 2015
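billzo's two checks above (look at the HTML the site actually serves for a client-side redirect, and look at the .htaccess rules) are the content-side counterpart to the DNS test. The following is an added example, not billzo's or XenForo's code: it scans served HTML for meta-refresh and JavaScript `location` redirects that leave the site's own hosts, flags `eval()`-wrapped decoding as a sign of injected script, and scans .htaccess text for `Redirect`/`RewriteRule` targets on foreign hosts, noting when such a rule only fires on certain referrers or user agents (the usual reason an injected redirect looks intermittent). `OWN_HOSTS`, both samples and the `.invalid` destination host are constructed for the example.

```python
"""Look for injected redirects in HTML output and .htaccess rules.

Added example, not billzo's or XenForo's code. It implements the two checks
his post names: scan the HTML a page actually serves for client-side
redirect constructs, and scan .htaccess for Redirect/RewriteRule targets
that leave your own hosts. OWN_HOSTS and the samples are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

OWN_HOSTS = {"onefootballforum.co.uk", "www.onefootballforum.co.uk"}

# Client-side redirect constructs; group 1 captures the destination.
HTML_PATTERNS = [
    ("meta-refresh", re.compile(
        r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)),
    ("js-location", re.compile(
        r'(?:window|document|top|self)?\.?location(?:\.href)?\s*'
        r'(?:=(?!=)|\.replace\(|\.assign\()\s*["\']([^"\']+)["\']', re.I)),
]
# Decoding wrapped in eval() is a common sign of an injected script, so it is
# reported even when no destination can be extracted from it.
OBFUSCATION_RE = re.compile(r'eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)', re.I)

DIRECTIVE_RE = re.compile(r'^(RewriteRule|RedirectMatch|Redirect)\b', re.I)
COND_RE = re.compile(r'%\{HTTP_(?:REFERER|USER_AGENT)\}', re.I)
URL_RE = re.compile(r'https?://[^\s\[\]"\']+', re.I)


def _is_external(target: str, own_hosts) -> bool:
    """Relative URLs stay on the site; absolute ones are external unless the host is ours."""
    host = urlparse(target).hostname
    return host is not None and host.lower() not in own_hosts


def scan_html(html: str, own_hosts=OWN_HOSTS) -> List[Tuple[str, Optional[str]]]:
    """Return (kind, destination) for each redirect pointing off-site."""
    findings: List[Tuple[str, Optional[str]]] = []
    for kind, pattern in HTML_PATTERNS:
        for m in pattern.finditer(html):
            if _is_external(m.group(1), own_hosts):
                findings.append((kind, m.group(1)))
    if OBFUSCATION_RE.search(html):
        findings.append(("obfuscated-script", None))
    return findings


def scan_htaccess(text: str, own_hosts=OWN_HOSTS) -> List[Tuple[int, str, str, bool]]:
    """Return (line_no, directive, destination, conditional) for off-site rules.

    'conditional' is True when a preceding RewriteCond keys on the referrer or
    user agent: rules that fire only for visitors arriving from a search engine
    are what makes an injected redirect look intermittent to the site owner.
    """
    findings: List[Tuple[int, str, str, bool]] = []
    conditional = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("rewritecond"):
            conditional = conditional or bool(COND_RE.search(line))
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            for url in URL_RE.findall(line):
                if _is_external(url, own_hosts):
                    findings.append((line_no, m.group(1), url, conditional))
        conditional = False  # RewriteCond lines only apply to the next rule
    return findings


# Constructed samples (the destination host uses the reserved .invalid TLD).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example-redirect.invalid/offer">
<script>window.location.href = "http://example-redirect.invalid/landing";</script>
<script>location.replace("/login");</script>
</head><body>forum index</body></html>"""

SAMPLE_HTACCESS = r"""# constructed sample, not the site's real file
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://example-redirect.invalid/go?u=$1 [R=302,L]
Redirect 301 /old-page https://www.onefootballforum.co.uk/new-page
RewriteRule ^forum/(.*)$ /index.php?forums/$1 [L]
"""

if __name__ == "__main__":
    for kind, dest in scan_html(SAMPLE_HTML):
        print(f"HTML       {kind}: {dest}")
    for line_no, directive, dest, cond in scan_htaccess(SAMPLE_HTACCESS):
        print(f".htaccess  line {line_no} {directive} -> {dest}"
              + (" (only for some referrers/agents)" if cond else ""))
```

Run `scan_html` over HTML fetched from the server itself (for instance with `curl` from a machine that does show the symptom and one that does not), not over the files in the web root alone: an injected redirect is often assembled at request time. The on-site `location.replace("/login")` and the `Redirect 301` to the site's own www host in the samples are deliberately left unflagged so the output stays focused on rules that actually send visitors elsewhere.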
  7. WebDev Solutions

    #7
    Wipe everything and start from scratch?! We are the largest UK football forum on the net. Starting again is not an option.

    Fortunately, we weren't compromised. This was a DNS issue.

    I appreciate your responses and we'll still be having the files you highlighted checked for peace of mind.
     
    WebDev Solutions, Aug 7, 2015
  8. deathshadow

    #8
    Question: Is a mirror of your old site still up at the old location, or has the old provider already slapped up their own placeholder?

    I usually like to have a two week overlap between the old and new location since you can't trust hosting providers not to pull sleazy tricks with the old domain when you move away from them. Got burned on that like 12 years ago, haven't trusted hosts since on that subject.

    Though DNS being compromised sounds far more likely.

    That DNS check sends up some warning flags -- no RDNS on the nameservers is a big one. Means the nameserver names don't even exist or aren't registered properly. The invalid PTR records (usually meaning misconfigured hosting) can also screw with you later on since Y! and Live will reject e-mails from your domain as spam. That can be a real headache when people try to join your forums. Something I also dealt with on a certain host over a decade ago, only solution was to move again a month later :(

    Pretty much your SOA, DNS CNAME and PTR are pointing at irnj.eazyprintz.com, a domain that doesn't actually even exist or resolve on any DNS I can find. It's not surprising you're having issues. It's actually surprising that your domain names are even resolving in the first place to the new IP address.

    That could really turn around and screw things up in another two to three weeks or so when the mass-live overrides the normal TTL.
     
    deathshadow, Aug 30, 2015
  9. WebDev Solutions

    #9
    Hi,

    Thanks for this information deathshadow, I've forwarded it onto our team to find out what's happening.

    WebDev
     
    WebDev Solutions, Sep 1, 2015