Wittenborg Posted February 23, 2016
When opening armbian.com I was redirected to different malware sites via h t t p s ://go. padsdel. com/afu.php?id=473791. If I reload the page everything is normal. Only when I start a new browser session or use private mode is there a redirect again.

Wittenborg (Author) Posted February 23, 2016
Maybe this will help: https://blog.sucuri.net/2016/01/jquery-pastebin-replacement.html

zador.blood.stained Posted February 23, 2016
Can confirm, opening armbian.com in incognito mode causes a redirect to the mentioned website.

Guest mpmc Posted February 23, 2016
It would appear that the WordPress site that armbian.com uses has been compromised. The offending code is here: hxxp://www.armbian.com/wp-includes/js/jquery/jquery.js?ver=1.11.3 You can see the decode result here: http://ddecode.com/hexdecoder/?results=6037488726ff4fe2ccad144cabcfe77c
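The thread's finding is that the jquery.js shipped inside wp-includes had been replaced, and that the injected tail only became readable after running it through a hex decoder. The script below is an added example for site operators (not code from the thread or from the Armbian project) of the check that catches this class of tampering: compare the file the site serves against the pristine copy from the WordPress release, and if they differ, scan whatever was added for long runs of \xNN escapes and for the calls that materialise such strings, decoding the runs so the analyst can read them. Both JavaScript samples are constructed stand-ins, not the real jQuery library and not the payload found on the site; the regex heuristics are assumptions of this example.

```python
import hashlib
import re

# Constructed stand-ins for this example: a "pristine" jquery.js as it would
# ship in the WordPress package, and the same file with an obfuscated tail
# appended. Neither is the real jQuery nor the code found on the site.
PRISTINE_JQUERY = (
    b"/*! jQuery v1.11.3 (constructed stand-in for this example) */\n"
    b"(function(w){w.jQuery=function(){};})(window);\n"
)
TAMPERED_JQUERY = PRISTINE_JQUERY + (
    rb';document.write(unescape("\x3c\x21\x2d\x2d\x20\x63\x6f\x6e\x73'
    rb'\x74\x72\x75\x63\x74\x65\x64\x20\x2d\x2d\x3e"));'
)

# Heuristics (assumptions of this example): runs of eight or more \xNN escapes,
# and the calls typically used to turn an encoded string into page content.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
SUSPECT_CALL = re.compile(
    r'\b(eval|unescape|document\.write|String\.fromCharCode)\s*\('
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_mismatch(served: bytes, pristine: bytes) -> bool:
    """True when the served file differs byte-for-byte from the pristine copy."""
    return sha256_hex(served) != sha256_hex(pristine)


def extra_bytes(served: bytes, pristine: bytes) -> bytes:
    """Bytes appended after the pristine content, or the whole file when it
    was altered somewhere in the middle rather than just extended."""
    return served[len(pristine):] if served.startswith(pristine) else served


def decode_hex_run(run: str) -> str:
    """Turn a \\xNN\\xNN... run back into text so the analyst can read what the
    obfuscated segment would emit (the step done with a hex decoder in the thread)."""
    return bytes.fromhex(run.replace('\\x', '')).decode('latin-1')


def obfuscation_report(js: bytes) -> dict:
    """Count escape runs, decode them, and list the suspect calls in `js`."""
    text = js.decode('utf-8', errors='replace')
    runs = HEX_RUN.findall(text)
    return {
        'hex_runs': len(runs),
        'decoded': [decode_hex_run(r) for r in runs],
        'suspect_calls': sorted(set(SUSPECT_CALL.findall(text))),
    }


def assess(served: bytes, pristine: bytes) -> dict:
    """Integrity check first; only a modified file gets the heuristic scan."""
    if not integrity_mismatch(served, pristine):
        return {'modified': False}
    report = obfuscation_report(extra_bytes(served, pristine))
    report['modified'] = True
    return report


if __name__ == '__main__':
    print('pristine:', assess(PRISTINE_JQUERY, PRISTINE_JQUERY))
    print('tampered:', assess(TAMPERED_JQUERY, PRISTINE_JQUERY))
```

In practice `pristine` comes from the wp-includes/js/jquery/jquery.js of a freshly downloaded WordPress release of the same version, and `served` from a fetch of the live URL (with the ?ver= query string the page uses), so the check works without hard-coding a hash; a mismatch on any vendored file is the trigger to pull the site offline and rebuild from a known-good package, since the injected script is the symptom and not the point of entry.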
Toast Posted February 23, 2016
Can also confirm this. @Igor might wanna fix that issue.

Guest bombobrudi Posted February 23, 2016
Confirmed here: redirects to http://software131updates.xyz/14578/lp3/49438/585/39 (do NOT click!)

wildcat_paris Posted February 23, 2016
@ALL thanks a lot for reporting the issue

Igor Posted February 23, 2016
Tnx ... working on it. Any clues where to start?

Toast Posted February 23, 2016
https://blog.sucuri.net/2016/01/jquery-pastebin-replacement.html seems like a good start

Igor Posted February 23, 2016
This is done, now to find the why and where part.

Toast Posted February 23, 2016
Not fun being attacked, however this is a prime example of why it's good to be up2date.

wildcat_paris Posted February 23, 2016
Long story short, forbid any language that permits XSS (cross-site scripting)... JavaScript (and others) are a bunch of security holes for the front end of the Internet.

mi7chy Posted May 28, 2016
FYI, accessed the main armbian.com page on a PC running Chrome with uBlock Origin, which it displayed, then immediately redirected to a fake PC infection alert with a toll free # to call. Haven't seen one of those in a long time.
wildcat_paris Posted May 28, 2016
> FYI, accessed the main armbian.com page on a PC running Chrome with uBlock Origin, which it displayed, then immediately redirected to a fake PC infection alert with a toll free # to call. Haven't seen one of those in a long time.

I have tried Win7 / Ubuntu, firefox/chromium, normal/private mode. I don't see any issue with forum.armbian.com or www.armbian.com, or any redirection with armbian.com.

    pi@pi2 ~ $ host armbian.com
    armbian.com has address 89.212.141.223
    armbian.com mail is handled by 10 mailstore1.secureserver.net.
    armbian.com mail is handled by 0 smtp.secureserver.net.
    pi@pi2 ~ $ host www.armbian.com
    www.armbian.com is an alias for armbian.com.
    armbian.com has address 89.212.141.223
    armbian.com mail is handled by 10 mailstore1.secureserver.net.
    armbian.com mail is handled by 0 smtp.secureserver.net.
    pi@pi2 ~ $ host forum.armbian.com
    forum.armbian.com is an alias for armbian.com.
    armbian.com has address 89.212.141.223
    armbian.com mail is handled by 10 mailstore1.secureserver.net.
    armbian.com mail is handled by 0 smtp.secureserver.net.
    pi@pi2 ~ $ host -l 89.212.141.223
    223.141.212.89.in-addr.arpa domain name pointer 89-212-141-223.dynamic.t-2.net.

General IP Information
IP: 89.212.141.223
Decimal: 1507102175
Hostname: 89-212-141-223.dynamic.t-2.net
ASN: 34779
ISP: T-2 Access Network
Organization: T-2, d.o.o.
Services: None detected
Type: Broadband
Assignment: Static IP
Blacklist:

Geolocation Information
Continent: Europe
Country: Slovenia
State/Region: Ljubljana
City: Ljubljana
Latitude: 46.0511 (46° 3′ 3.96″ N)
Longitude: 14.5051 (14° 30′ 18.36″ E)
Postal Code: 1000