Joined: Nov 2021
Posts: 28 Likes: 1
Newbie
Greetings . . .

The support folks over at Ipower have taken our web-presence down because of a Phishing attack that apparently originated from our site. The details can be found over at Netcraft: https://incident.netcraft.com/685581256719/redirect_graph.html

Based on the URL it appears to involve changeprefs.inc.php. I was just out in the filesystem. None of the php files have been touched since our upgrade back in February. So the codebase doesn’t appear to have been compromised.

Please advise (if you can) on how to stop the offending redirects. Ipower will not put our site back online until we can assure them that this is fixed.

Regards,
Keith
Tech Services Admin, Inliners International
Joined: Jul 2006
Posts: 116 Likes: 4
Member
A quick workaround for this issue:

Open /ubb/scripts/changeprefs.inc.php in an editor and replace the following line near the end:

    header("Location: $curl");

with:

    // Only redirect when $curl begins with "//"
    if( substr( $curl, 0, 2 ) == "//" ) {
        header("Location: $curl");
    }

This will add an additional check for the curl parameter.
Last edited by Philipp; 08/25/2022 11:45 AM. Reason: Updated code with better solution
1 member likes this: InlinersAdmin
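
A stricter form of the curl check, as an added example that is not part of the original posts or of UBB.threads: it compares the redirect target's host with the forum's own hostname instead of testing only the first two characters. The function name, `$forumHost` and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not UBB.threads code. $forumHost is an assumed setting
// holding the forum's own hostname; all sample values are constructed.
function is_same_site_redirect(string $curl, string $forumHost): bool
{
    // Reject control characters (header splitting) and backslashes, which
    // some browsers treat like forward slashes.
    if ($curl === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $curl)) {
        return false;
    }
    // A path on this site: one leading slash, not two.
    if ($curl[0] === '/' && substr($curl, 0, 2) !== '//') {
        return true;
    }
    // Anything else must be a protocol-relative or http(s) URL on our host.
    $parts = parse_url($curl);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    // parse_url() puts anything before an "@" into 'user', so 'host' is
    // the host the browser would actually contact.
    return strcasecmp($parts['host'], $forumHost) === 0;
}

$forumHost = 'forum.example';
$samples = [
    '//forum.example/ubbthreads.php?ubb=login',  // own host: redirect
    '/ubbthreads.php?ubb=login',                 // local path: redirect
    'http://other.example/page',                 // foreign host: refuse
    '//other.example/page',                      // protocol-relative, foreign host: refuse
    '//forum.example@other.example/',            // host is other.example: refuse
];
foreach ($samples as $curl) {
    $verdict = is_same_site_redirect($curl, $forumHost) ? 'redirect' : 'refuse';
    printf("%-45s %s\n", $curl, $verdict);
}
```

In changeprefs.inc.php the `header("Location: $curl");` call would run only when such a function returns true.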
Joined: Nov 2021
Posts: 28 Likes: 1
Newbie
Thanks for the quick turn on a patch/fix. Working with Ipower technicians to get us back online.
Joined: Jun 2006
Posts: 16,253 Likes: 113
Tentative for v8, we've actually rejiggered the library /libs/html.inc.php

Prior:

    // If they aren't logged in, or just logged out, give them the proper message
    if ((empty($user['USER_DISPLAY_NAME']) || !$userob->is_logged_in) || ($bypass)) {
        $sfu = "";
        if ($config['SEARCH_FRIENDLY_URLS'] == "1") {
            $sfu = "?";
        } else {
            $sfu = "&";
        }
        $ocurl = urlencode(get_current_url());
        $welcome = "<a href=\"" . make_ubb_url("ubb=login", "", true) . "$sfu" . "ocu=$ocurl\" rel=\"nofollow\"><i class=\"fas fa-sign-in-alt fa-fw\" aria-hidden=\"true\"></i> {$ubbt_lang['BUTT_LOGIN']}</a>";
    } else {
        $welcome = "{$user['USER_DISPLAY_NAME']}";
    }

New:

    // If they aren't logged in, or just logged out, give them the proper message
    if ((empty($user['USER_DISPLAY_NAME']) || !$userob->is_logged_in) || ($bypass)) {
        if ($ubb != "login" && $ubb != "start_page" && $ubb != "logout") {
            $sfu = "";
            if ($config['SEARCH_FRIENDLY_URLS'] == "1") {
                $sfu = "?";
            } else {
                $sfu = "&";
            }
            $ocurl = $sfu . "ocu=" . urlencode(get_current_url());
        }
        $welcome = "<a href=\"" . make_ubb_url("ubb=login", "", true) . $ocurl . "\" rel=\"nofollow\"><i class=\"fas fa-sign-in-alt fa-fw\" aria-hidden=\"true\"></i> {$ubbt_lang['BUTT_LOGIN']}</a>";
    } else {
        $welcome = "{$user['USER_DISPLAY_NAME']}";
    }

The above coding is stock in v7.5.5, but on November 22nd, 2023 on the thread "Google Third-Party Spam Warning" a set of code was implemented to throw a forum error when a 3rd party URL is detected.
Last edited by Gizmo; 11/22/2023 6:19 PM.
Joined: Dec 2011
Posts: 6
Stranger
I have gotten hit also, assume this will also fix it?
My phishing is: http://domain/ubbthreads.php?ubb=changeprefs&what=style&value=5&curl=http://inter-national-events.com/FNlnPKo2h.dbm?oEyfVuVPKEWDH=CXmKMWogabQWp19k1brq020w5801fg0c017e3091hxtpee7rv9
so am planning to change based on the above note:

    if( substr( $curl, 0, 2 ) == "//" ) { header("Location: $curl"); }
Joined: Jun 2006
Posts: 16,253 Likes: 113
My previous post is the official patch from v8, I believe one of them exists in v7.7.5.