Wittenborg Posted February 23, 2016
When opening armbian.com I was redirected to different malware sites via h t t p s ://go. padsdel. com/afu.php?id=473791 If I reload the page, everything is normal. Only when I start a new browser session or private mode will there be a redirect again.
Wittenborg Posted February 23, 2016
Maybe this will help: https://blog.sucuri.net/2016/01/jquery-pastebin-replacement.html
zador.blood.stained Posted February 23, 2016
Can confirm, opening armbian.com in incognito mode causes a redirect to the mentioned website.
Guest mpmc Posted February 23, 2016
It would appear that the WordPress site that armbian.com uses has been compromised; the offending code is here: hxxp://www.armbian.com/wp-includes/js/jquery/jquery.js?ver=1.11.3 You can see the decode result here: http://ddecode.com/hexdecoder/?results=6037488726ff4fe2ccad144cabcfe77c
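
A triage sketch for the kind of check described in the post above, as an added example that is not part of the original post or of any Armbian code: it scans JavaScript text for long runs of `\xNN` escapes and decodes them so that hidden URLs become visible. The `\xNN` form is an assumption based on the post's use of a hex decoder; `triage`, `hexify`, `MIN_RUN` and the sample file content are hypothetical and constructed.

```python
import re

# Assumption: the injected code hides its strings as runs of \xNN escapes,
# the form a hex decoder reverses. MIN_RUN is an arbitrary triage threshold.
MIN_RUN = 8
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){%d,}' % MIN_RUN)
URL = re.compile(r'''(?:https?:)?//[\w.-]+\.[a-z]{2,}/[^\s"'<>]*''')


def hexify(text):
    """Encode text as \\xNN escapes (used only to build the sample below)."""
    return ''.join('\\x%02x' % b for b in text.encode('latin-1'))


def triage(js_text):
    """Return line number, decoded text and URLs for each long hex run."""
    findings = []
    for match in HEX_RUN.finditer(js_text):
        raw = match.group(0).replace('\\x', '')
        decoded = bytes.fromhex(raw).decode('latin-1')
        findings.append({
            'line': js_text.count('\n', 0, match.start()) + 1,
            'decoded': decoded,
            'urls': URL.findall(decoded),
        })
    return findings


# Constructed sample: a stand-in for a library file with one appended line.
SAMPLE = (
    '/*! library banner (constructed stand-in) */\n'
    '(function(){ /* original library body */ })();\n'
    'var _a=["' + hexify('createElement') + '","' + hexify('script') + '","'
    + hexify('//cdn.example.invalid/loader.js') + '"];\n'
)

if __name__ == '__main__':
    for item in triage(SAMPLE):
        print(item['line'], repr(item['decoded']), item['urls'])
```

A hit is only a lead for review; comparing the file against a clean copy of the same release settles whether it was modified.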
Toast Posted February 23, 2016
Can also confirm this. @Igor might wanna fix that issue.
Guest bombobrudi Posted February 23, 2016
Confirmed here: redirects to http://software131updates.xyz/14578/lp3/49438/585/39 (do NOT click!)
wildcat_paris Posted February 23, 2016
@ALL thanks a lot for reporting the issue
Igor Posted February 23, 2016
Tnx ... working on it. Any clues where to start?
Toast Posted February 23, 2016
https://blog.sucuri.net/2016/01/jquery-pastebin-replacement.html seems like a good start
Igor Posted February 23, 2016
This is done, now to find the why and where part
Toast Posted February 23, 2016
Not fun being attacked; however, this is a prime example of why it's good to be up2date.
wildcat_paris Posted February 23, 2016
Long story short, forbid any language that permits XSS (cross-site scripting)... JavaScript (& others) are a bunch of security holes for the front end of the Internet.
mi7chy Posted May 28, 2016
FYI, accessed the main armbian.com page on a PC running Chrome with uBlock Origin which it displayed then immediately redirected to a fake PC infection alert with toll free # to call. Haven't seen one of those in a long time.
wildcat_paris Posted May 28, 2016
> FYI, accessed the main armbian.com page on a PC running Chrome with uBlock Origin which it displayed then immediately redirected to a fake PC infection alert with toll free # to call. Haven't seen one of those in a long time.

I have tried Win7 / Ubuntu, Firefox/Chromium, normal/private mode. I don't see any issue with forum.armbian.com or www.armbian.com, or redirection with armbian.com.

    pi@pi2 ~ $ host armbian.com
    armbian.com has address 89.212.141.223
    armbian.com mail is handled by 10 mailstore1.secureserver.net.
    armbian.com mail is handled by 0 smtp.secureserver.net.
    pi@pi2 ~ $ host www.armbian.com
    www.armbian.com is an alias for armbian.com.
    armbian.com has address 89.212.141.223
    armbian.com mail is handled by 10 mailstore1.secureserver.net.
    armbian.com mail is handled by 0 smtp.secureserver.net.
    pi@pi2 ~ $ host forum.armbian.com
    forum.armbian.com is an alias for armbian.com.
    armbian.com has address 89.212.141.223
    armbian.com mail is handled by 10 mailstore1.secureserver.net.
    armbian.com mail is handled by 0 smtp.secureserver.net.
    pi@pi2 ~ $ host -l 89.212.141.223
    223.141.212.89.in-addr.arpa domain name pointer 89-212-141-223.dynamic.t-2.net.

General IP Information
IP: 89.212.141.223
Decimal: 1507102175
Hostname: 89-212-141-223.dynamic.t-2.net
ASN: 34779
ISP: T-2 Access Network
Organization: T-2, d.o.o.
Services: None detected
Type: Broadband
Assignment: Static IP
Blacklist:

Geolocation Information
Continent: Europe
Country: Slovenia
State/Region: Ljubljana
City: Ljubljana
Latitude: 46.0511 (46° 3′ 3.96″ N)
Longitude: 14.5051 (14° 30′ 18.36″ E)
Postal Code: 1000