Google Search Results Containing Malware

[Beaverslayer]

Yes, by reading the discussion on that forum, it seems the Admin found the infected code in some cache files. They stated that the code was fixed, but they had no idea as to how the code got there.

Noted also that it's the same forum software as this forum.

[Cyberthrasher]

  On 1/9/2013 at 8:02 PM, Beaverslayer said:

Noted also that it's the same forum software as this forum.

That's the main thing I started searching to find it.

[Johanna]

I found a remote mysql % and deleted it, changed all passwords. Let me know if the problem continues.

[Cyberthrasher]

  On 1/9/2013 at 9:20 PM, Johanna said:

I found a remote mysql % and deleted it, changed all passwords. Let me know if the problem continues.

I just tried a bunch of different times and couldn't get it to happen......fingers crossed.

[hornm]

Although I didn't understand most any of this I'm glad ya'll are on the case. Kind of like an episode of scooby doo

Horn

[Cyberthrasher]

Horn, it's what I do

I figure I spend so much time on the forum anyway, I might as well contribute some of my day-skills.

[hornm]

If I had any skills (day or not) I'd contribute. Thanks to you, Johanna and everyone else for working on getting this resolved for the rest of us.

Horn

[Beaverslayer]

Well, after reading tons of forums regarding this problem, I added all the offending url4 type addresses into my blocked list. I have Googled many different things, and clicked on many different links leading to many different IPB forums, and so far not one redirect.

While searching and reading all about this, it seems like it has been a problem for a number of years, and even to this day, some IPB forum ADMINS are blaming Google as well as users PC's.

There is also a few sites that profess to be able to help you remove "Hidden" malware on your computer as long as you send them "LOG FILES" and download multiple software. It seems like these are also some sort of scam, but not sure of what kind.

I found this interesting as well. The url4short type address that was redirecting, is listed as the following:

URL4SHORT.INFO - free url redirection and masking service

Making long and URL-s to smaller and more handy! With our free url redirection and masking service.

Checking their WHOIS, showed it as a company from Arizona I believe.

Hopefully, Johanna's fix as well as my blocked url list will resolve this from happening again.

[Dennis Oakley]

I should clarify when I say it gets locked in a loop. The PC doesn't lock up, just the browser. When the google link directs to a different website the malicious website will open a pop-up prompting you to click on it. Attempting to close the window will open another pop-up asking if you're sure you want to leave the close the window. Clicking no takes you back to the first window, clicking yes closes the window and it immediately pops up again. The only way to kill the process is to go into task manager and tell it to end the browser session.

I run Microsoft Security Essentials on all of my PC's and never have any problems with virus' getting through. Tonite I scanned my main PC with Malwarebytes and it also came up clean. I agree it seems like it happens at random and is a Google problem. Sometimes I can do leather topic searches on Google and not have an issue, other nights it will happen multiple times and only with LW links. If I come across it again I'll try to do a screen cap and send it to you.

Thanks

[Cyberthrasher]

Dennis, please see the information in this thread

http://leatherworker.net/forum/index.php?showtopic=45008

Basically, it looks like Johanna found the problem. So, if you're still experiencing it today let her know.

[Cyberthrasher]

  On 1/9/2013 at 9:20 PM, Johanna said:

I found a remote mysql % and deleted it, changed all passwords. Let me know if the problem continues.

Well, I just decided to check again and it's still happening. Looked like it had cleared up yesterday but I may have been hitting links I had already tried previously. I did a google search for swivel knife preferences today to make sure I was getting fresh results.

[Beaverslayer]

Yes, I just did a search for "Buck Stitch Material" and chose the second Google result, same thing happened as before...redirected to a spam site and MyWOT shut it down. I wasn't quick enough to catch the url before it changed a second time in the address bar either, so I can't add it to my blocked list.

[Johanna]

and you cleared your cache...thanks, I'll check into it some more.

~J

[Beaverslayer]

yes, cleared cache, history everything.

I just did a whole bunch more Google searches that would bring up Leatherworker.net results, but none of them redirected.

I do recall on one of the forum discussions related to this, where the ADMIN found hacked code in his IPB software (in a cache file). He said that the code was programmed to only activate/run every 10 minutes. It was written: 36000/60/60 or something like that.

[Cyberthrasher]

  On 1/10/2013 at 7:33 PM, Beaverslayer said:

I do recall on one of the forum discussions related to this, where the ADMIN found hacked code in his IPB software (in a cache file). He said that the code was programmed to only activate/run every 10 minutes. It was written: 36000/60/60 or something like that.

Yeah, that was in the one I linked to yesterday. It seemed like it was doing it more frequently than that yesterday though.

[Denise]

This just happened to me as well. I was clicking from a Google search onto a thread on LW and got redirected. Had to shut down IE (eventually it let me) to get away from there. So it is still happening.

[Johanna]

We are addressing the problem with Google, the host and with the maker of the board software. I'll let everyone know something when I do. Our server and the board seem to be clean, but something is not going right, obviously. I hope to have answers soon.

[Denise]

Thanks Johanna. Interesting that it happened not from this site but in getting to this site from Google. Weird. (But I say that a lot when I talk about computers...)

[Johanna]

Okay- wear it out trying to get the bad page again- I don't think you will because I think I fixed it. Yay me! Well, I won't cheer myself until you folks tell me it's gone.

~J

[Beaverslayer]

Well I think ya done it Johanna, must have clicked 30 or more Google results and nothing redirected.

[Johanna]

Sending some contact cement for your tin foil hat, Ken! Keep the doggone thing on!

[Denise]

Yay you, Johanna!! I'm sure this took way too much of your time the last few days. Thanks for all you do around here.

Is there anything those of us who have seen this need to do on our end to clear our computers or was it all on the Google side of things?

[Johanna]

It wasn't Google after all. It was an exploit in the forum software. Nobody's computer should be affected by this at all.

[Beaverslayer]

Johanna, the tinfoil hat has been welded to my glasses for a little over 4 years now. It's real hard to clean my glasses to be able to see what I'm doing as neither hat nor glasses will come off my head. I've been thinking of adding a few tinfoil antennas to add a bit of oomph to its powers....

[Feraud]

Thanks for your attention on this Johanna.