Redirection of forum.nanfa.org url POSSIBLE MALWARE PROBLEM. PLEASE READ THREAD AND PROTECT YOURSELF!


72 replies to this topic

#1 Guest_Erica Lyons_*

Guest_Erica Lyons_*
  • Guests

Posted 31 December 2013 - 01:47 PM

When I go to google and type in NANFA forum, the hyperlink for forum.nanfa.org directs me first to this website: http://url4short.info/53c2d5c5
It might just be my laptop or it could be happening to other people, too. It's happened about ten times now, so I figured I'd ask about it.

#2 Michael Wolfe

Michael Wolfe
  • Board of Directors
  • North Georgia, Oconee River Drainage

Posted 31 December 2013 - 01:59 PM

Please don't anyone else click on that... it is malware!

Erica, that is not the forum, that is something that is on your system.

Did you recently install some new software, or something new that you got for Christmas?
Either write something worth reading or do something worth writing. - Benjamin Franklin

#3 Guest_Skipjack_*

Guest_Skipjack_*
  • Guests

Posted 31 December 2013 - 02:18 PM

Well it is on my system as well. Windows 8 Firefox.

#4 Guest_Yeahson421_*

Guest_Yeahson421_*
  • Guests

Posted 31 December 2013 - 02:24 PM

Mine too. Both Windows 7 and Android OS on Google Chrome.

#5 Michael Wolfe

Michael Wolfe
  • Board of Directors
  • North Georgia, Oconee River Drainage

Posted 31 December 2013 - 02:25 PM

I'm not getting any such problem on Chrome.
Either write something worth reading or do something worth writing. - Benjamin Franklin

#6 Guest_Erica Lyons_*

Guest_Erica Lyons_*
  • Guests

Posted 31 December 2013 - 02:27 PM

I'm on Chrome, Windows 7.

I'm sorry everybody, I didn't want to give you malware. Don't click on the link.

Does anyone have any advice on how to get rid of it?

#7 Guest_Skipjack_*

Guest_Skipjack_*
  • Guests

Posted 31 December 2013 - 02:40 PM

Now that I think about it, it did this on my android as well recently. We have a problem for sure.

I don't think it is a problem, but it gives you a warning, and then a fix from a sketchy source. I would not use the fix offered.

Michael, How do we fix this? TMD?

#8 Guest_Gavinswildlife_*

Guest_Gavinswildlife_*
  • Guests

Posted 31 December 2013 - 02:59 PM

Clear your cache and disable/re-enable your extensions if in Chrome. Also delete any sketchy ones that you don't know are absolutely safe. I quote from another forum:
"This is probably an issue on Brian's end...

In a nutshell, someone used an exploit or vulnerability to get server level access to this site. Probably some dateless, pimplefaced, snotnosed, hot pocket snarfing, script kiddie living in their mom's basement as this is amateur hour stuff. Sometimes low rent no talent "hackers" hack sites and get paid by crooks for driving traffic to their illicit urls.

I can only guess since I do not have access to cpanel, but it sounds like someone has hijacked and redirected this site's traffic to url2short.info. It's a fake "tinyurl" type site that plants a redirect trojan on vulnerable machines. If your anti virus is up to date you should be ok. I just tested Avast and it does recognize the exploit.

This has been done before to other vBulletin (I am guessing that this is what Brian is using) forums. Here is how to determine if this is the case and correct it (note: some of this is from memory):

1. Go into cPanel and under Remote MySQL you should see either no hosts configured or, if you have a specific database of your own enabled, the name of that database(s). Now this is the important part; if you see a "%" character, DELETE IT. That character is a wildcard that allows any server to connect.
2. Make sure you change your passwords in cPanel and MySQL.
3. Pick any add-on, disable it, then re-enable it to clear the datastore.
4. Found this tidbit which should make fixing things up easier. Download the tool_reparse.php from this thread: http://www.vbulletin...ad.php?t=220967 . It will rebuild your templates if they are corrupted. Read through the thread first so you understand what's going on and what the tool does.

That should do it. If you ask me how I know all this, let's just say that if you have ever seen me shoot, you know I sure don't do THAT for a living...

One last thing. I did a little checking and it does not appear to be a DNS exploit, so that's good. It seems odd that that url is not on my blacklist yet my software just ignored the redirect without even throwing up a warning, which is a little odd. I would not have known about this if I hadn't seen this thread. I will have to look into that."





Ok, that was pretty informative. It doesn't seem like a malware virus running on our computers. For me, it only popped up if I clicked on it via a Google search, if I direct-connected with putting "forum.nanfa.org" in the URL box/search box. Something strange, it only appeared the first time that day I clicked the link on a specific computer. The rest of the day it was fine, unless I switched computers.
Just my 2c, leave it to the pros.
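
An added example, not part of any post in this thread: the behaviour described above (redirect when arriving from a Google result, none when the address is typed in) can be checked from the site owner's side by requesting the same URL with and without a search-engine `Referer` and comparing the responses. It assumes the redirect is an HTTP 3xx response; a script-based redirect in the page body would need the body inspected instead. The host names and `simulated_probe` are constructed placeholders.

```python
"""Added example: detect referrer-conditional ("cloaked") redirects."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it

def http_probe(url, referer=None, timeout=10):
    """Return (status, Location) for one GET without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx arrives here
        return err.code, err.headers.get("Location")

def check_cloaking(url, probe=http_probe,
                   search_referer="https://www.google.com/search?q=example"):
    """Compare a direct visit with one that claims to come from a search page."""
    site = urlsplit(url).hostname
    direct = probe(url, None)
    via_search = probe(url, search_referer)

    def offsite(result):
        # True only for a 3xx whose Location points at a different host.
        status, location = result
        host = urlsplit(location).hostname if location else None
        return 300 <= status < 400 and host not in (None, site)

    return {"direct": direct, "via_search": via_search,
            "cloaked": offsite(via_search) and not offsite(direct)}

# Constructed stand-in for a compromised site, so the example runs offline.
def simulated_probe(url, referer=None):
    if referer and "google." in referer:
        return 302, "http://shortener.example/abc123"  # placeholder destination
    return 200, None

if __name__ == "__main__":
    print(check_cloaking("http://forum.example.org/", probe=simulated_probe))
```

Posters in this thread report the redirect appearing only on the first click of the day per machine, so one clean result does not clear a site; repeat the check from a fresh client before drawing a conclusion.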

#9 Guest_Skipjack_*

Guest_Skipjack_*
  • Guests

Posted 31 December 2013 - 03:17 PM

I filed a ticket with Invision Power Services. As long as it is a problem with the forum only, and not our server, it should stop soon. I will file a ticket with our server if I need to. Bear with me, I am still learning.

#10 Guest_Skipjack_*

Guest_Skipjack_*
  • Guests

Posted 31 December 2013 - 03:34 PM

Ticket filed with server as well.

Thanks for bringing this up Erica.

#11 Guest_Skipjack_*

Guest_Skipjack_*
  • Guests

Posted 31 December 2013 - 07:14 PM

May be a day or so until we get this resolved. Refrain from accessing the forum via a Google search. If you do, do not use the fix that pops up. It is an unknown source.

For now you are perfectly safe by accessing the forum by typing "forum.nanfa.org" into the task bar. The problem only occurs when you perform a Google search for NANFA forum. Our forum host (Invision Power Services) says that they are seeing more of this recently, I imagine that they will provide an update shortly that will solve it. Right now there is a fix, but it is rather complicated, and as I mentioned above, might take us a couple of days. Sorry for the inconvenience, and remember to come in the back door until we give you the "all clear." Thanks Matt, and the rest of the staff.

#12 Guest_Erica Lyons_*

Guest_Erica Lyons_*
  • Guests

Posted 06 April 2014 - 12:21 PM

Four months later, this is still occurring.

#13 Guest_jetajockey_*

Guest_jetajockey_*
  • Guests

Posted 09 April 2014 - 11:03 PM

Happened to me as well on multiple systems/browsers.

#14 Guest_WyRenegade_*

Guest_WyRenegade_*
  • Guests

Posted 15 April 2014 - 04:50 PM

Still happening as of yesterday.

#15 Guest_Uland_*

Guest_Uland_*
  • Guests

Posted 16 April 2014 - 09:53 AM

I have tried a dozen different ways and I can't duplicate the reported problem. Perhaps it's due to the fact that I use antivirus?

#16 Guest_Gavinswildlife_*

Guest_Gavinswildlife_*
  • Guests

Posted 16 April 2014 - 01:05 PM

Uland- Step 1: Wait for a new day.
Step 2: Google "nanfa forum"
Step 3: Click on first result

I really don't think it's a big problem - just an annoyance. If you are really scared, clear your cache and cookies, and run a malware check.

#17 Guest_CMStewart_*

Guest_CMStewart_*
  • Guests

Posted 25 April 2014 - 03:39 PM

It's only a problem if you just heard about NANFA and are maybe interested in joining. If your first exposure to NANFA is redirected malware it's a problem.

If NANFA is interested in visitors getting a good impression of NANFA it is a HUGE problem.

#18 Guest_Dustin_*

Guest_Dustin_*
  • Guests

Posted 25 April 2014 - 03:43 PM

It does it every single time I Google NANFA forum on the iPad. I agree with Stewart that it is a huge problem for recruitment but I am not sure how to fix it.

#19 Guest_Gavinswildlife_*

Guest_Gavinswildlife_*
  • Guests

Posted 25 April 2014 - 03:43 PM

It's only a problem if you just heard about NANFA and are maybe interested in joining. If your first exposure to NANFA is redirected malware it's a problem.

If NANFA is interested in visitors getting a good impression of NANFA it is a HUGE problem.

Yes, what if some person googles "how to keep minnows", clicks on one of the links that lead to here, and a malicious ad pops up. That's not good.

Also, as not to freak people out, can the topic be changed back to "Forum Redirect, Possible Malware Problem"?

#20 Guest_magic-carpet_*

Guest_magic-carpet_*
  • Guests

Posted 25 April 2014 - 04:08 PM

We had addressed this problem a few weeks ago. Is this something new that is happening?
