this site has been hacked

[moore_rb]

Quote:

Originally Posted by twobjshelbys

I use Firefox on my phone. No such directory on my phone.

The hack is in the native Android browser (which all the other 3rd party browsers actually use to interact with your phone's OS)- I only tested it with Chrome, and removing the goAdSDK folder helped. It must put its scripts in a different location with Firefox.

try closing all apps on your phone, then open your native Android browser (the one with the Globe icon). If the bogus warning pages instantly appear (or if it opens a Play Store window to some bogus ad blocker) before your home page loads, then you are still infected - at which point you can open the settings in the native browser, and clear the cache and all temporary data (this shouldn't impact your firefox cache at all) Then, set your native browser's homepage to a safe destination with a public certificate (https://google.com for example), and restart your phone one more time.


after this 2nd restart - open your phone's native browser again, and try to navigate to club cobra from the native browser... click some links, and see if the issue is cleared up. If it is, then go try club cobra from Firefox, too...

[cycleguy55]

Quote:

Originally Posted by twobjshelbys

I use Firefox on my phone. No such directory on my phone.

Ditto, no GOADSDK folder on my phone. That's clearly not the common thread.

Looking my mobile browser history, it appears to originate with a re-direct to serve.popads.net, then the advertisement, warning, etc. pops up. The domain registration for popads.net ( Whois popads.net ) is in Costa Rica and looks like a one-man or small shop (TOMKSOFT S.A.) owned by TOMASZ KLEKOT.

I have reported abuse by popads.net to abuse@enom.com, the "Registrar Abuse Contact Email". The policies posted on the registrar's Web site ( eNom - domain name, web site hosting, email, registration ) look good - but action is quite another matter. We'll have to wait and see if anything changes.

[cycleguy55]

Quote:

Originally Posted by moore_rb

The hack is in the native Android browser (which all the other 3rd party browsers actually use to interact with your phone's OS)- I only tested it with Chrome, and removing the goAdSDK folder helped. It must put its scripts in a different location with Firefox.

My native browser is Chrome and, again, no goAdSDK folder on my phone.

BTW, I just checked again and I'm no longer getting pop-ups or re-directs.

[joyridin']

The browser I use on my Ipad is Mercury. No such folders. The bogus ads appear after the page is loaded and when I go to a forum or to sign in.

No such folder like that on mine either and it only happens on this forum.

[mrmustang]

No issues on my Iphone or Ipads, three separate desktop/laptops, running two different versions of WIN, with four different browsers, no issue.


Then again, I have anti virus and anti malware up the wazoo on everything.......


Bill S

[DanEC]

Interestingly I have a NOOK with internet capability and when I opened it to the Cobra Forum site last night and clicked on a post, the infected notice popped up. Lovely.

[mudhenk27]

I'm guessin' it's President Putin trying to decide what Cobra to buy ;-)

[Blas]

Still getting the pop-up when I log in on my iPad. "SeeSo" or something is what it says on the pop up. I have erased my cookies, etc. still happens.

[twobjshelbys]

Yep, it happened last night at about 8:00PM PST. I didn't use the phone much yesterday though.

I also noticed that Firefox is asking me to allow Adobe Flash. I don't recall that the site used Flash in the past. Is this related to the problem?

[dcdoug]

Quote:

Originally Posted by twobjshelbys

Yep, it happened last night at about 8:00PM PST. I didn't use the phone much yesterday though.

I also noticed that Firefox is asking me to allow Adobe Flash. I don't recall that the site used Flash in the past. Is this related to the problem?

I have seen that FF warning on Flash on other sites. I don't think it is related to the CC site issue. Make sure that your FF is up-to-date though.

[twobjshelbys]

Quote:

Originally Posted by dcdoug

I have seen that FF warning on Flash on other sites. I don't think it is related to the CC site issue. Make sure that your FF is up-to-date though.

Not in my case. I have flash disabled because it always wants to play videos automatically and nothing is more annoying when trying to read a site to have video moving (to distract the eyes) and sound (to distract the ears). So I turn off Flash by default and only let it play things I want to see. Now if I could figure out the same for HTML5 (which is what most sites are migrating to)

[Brent Mills]

I'm still trying to figure out what if anything is going on from the site. I am not finding anything to this point.

[mrmustang]

Quote:

Originally Posted by Brent Mills

I'm still trying to figure out what if anything is going on from the site. I am not finding anything to this point.

I'm thinking it is 3rd party banner or embedded link/key word related, as I have yet to have an issue as stated in my other post above.

Looking at the coding (using seamonkey for that) for the main page as well as the main forum page do not show any malicious or out of place coding vs our sister site CHR. Then again, we are using a later version (4.1.3 on CHR vs 3.8.0 here) of the software package there. If memory serves me correctly, we had a similar issue there under an older version of the forum software about a year or year and a half ago.


Just thinking outside the box while looking for a solution or explanation.


Bill S.

[mrmustang]

For those experiencing issues as above, this is what I recommend doing:

1: log out of the forum
2: Clear out your browser and system cache
3: remove the "cookies" for this site from your browser
4: do the same for any back ups you may have
5: make sure you are using the latest version of your browser
6: make sure you have all patches and updates for your operating system (PC, MAC, PHONE) and any anti virus or anti malware programs you may be running
7: reboot
8: log back in

Report back here

On CHR, 95% of the end user reported issues were cleared up with these simple 8 steps. 95%


Bill S

[joyridin']

Did all that. I was redirected 3 times in a row.

[twobjshelbys]

Quote:

Originally Posted by joyridin'

Did all that. I was redirected 3 times in a row.

Me too. I'm pretty sure that the problem is NOT on the client (reader) end but that this server is sending people off to the weeds. And that the problem is not local to the server but at some off-site link that is used to load ad content here. [This assumes that this site has been scrubbed for links to the sites I posted earlier.]

[mrmustang]

Quote:

Originally Posted by joyridin'

Did all that. I was redirected 3 times in a row.

Quote:

Originally Posted by twobjshelbys

Me too. I'm pretty sure that the problem is NOT on the client (reader) end but that this server is sending people off to the weeds. And that the problem is not local to the server but at some off-site link that is used to load ad content here. [This assumes that this site has been scrubbed for links to the sites I posted earlier.]

You deleted all browser and system cache and temp files?

Are the two of you running any ad blocker, anti virus, or anti malware software?

What devices are you on?
What version of the software (IE: MAC: IOS 9.5, or WIN 95)
What browser are you using? Version?

[twobjshelbys]

Quote:

Originally Posted by mrmustang

You deleted all browser and system cache and temp files?

Are the two of you running any ad blocker, anti virus, or anti malware software?

What devices are you on?
What version of the software (IE: MAC: IOS 9.5, or WIN 95)
What browser are you using? Version?

Yes I know what I'm doing. This is an android phone (Samsung S7). All cache and stuff was cleared. On two different systems (phone and Nexus 9) each with two tries. Thanks for your help but most of us have already done all of this. We are in the 5% this doesn't help because it is not on our end.

Additionally, only mobile devices (both iOS and Android) are being attacked because their mission is to sell a store app.

Windows systems are excused this time. Furthermore, it will do no good to try each and every off-site link from a Windows system because it won't show anything. The HTML for this attack is using the platform identifier to trigger the rogue behaviour.

[mrmustang]

Quote:

Originally Posted by twobjshelbys

Yes I know what I'm doing. This is an android phone (Samsung S7). All cache and stuff was cleared. On two different systems (phone and Nexus 9) each with two tries. Thanks for your help but most of us have already done all of this. We are in the 5% this doesn't help because it is not on our end.

Additionally, only mobile devices (both iOS and Android) are being attacked because their mission is to sell a store app.

Windows systems are excused this time. Furthermore, it will do no good to try each and every off-site link from a Windows system because it won't show anything. The HTML for this attack is using the platform identifier to trigger the rogue behaviour.

Can't say anything about the Android as I do not have it, but I've now attempted it on 4 IOS mobile platforms of various versions, without an issue


Bill S

[twobjshelbys]

Quote:

Originally Posted by mrmustang

Can't say anything about the Android as I do not have it, but I've now attempted it on 4 IOS mobile platforms of various versions, without an issue


Bill S

Not too unexpected. I got through all evening yesterday (6:00 to about 8:00) without a problem then at about 8:00PM last night it happened again. I tried camping on the "new posts" button since that is where it always happens, but I think there is (what appears to be a random) ad that shows up that is the trigger. I do believe there has to be "content" to load, so the empty page if there is no new content the default page doesn't count.