Is anyone else getting rerouted from GSUS to a virus program when you use Google?
ximmy
16th February 2017, 10:14 PM
I believe someone at Google has targeted our site and redirects persons who click on our link that google provides.
This does not happen with any other search engine, only google.
So when a stranger tries to open GSUS web page from google they are directed to download a virus.
This keeps people from finding us.
If I close the virus window and reclick GSUS it directs properly.
About 43,300,000 results (0.34 seconds)
Search Results
Gold-Silver Forums - Gold-Silver.US (http://gold-silver.us/forum/)
gold-silver.us/forum/
gold, silver, platinum, palladium, precious metals. ... Forum description. Gold, Silver, Precious Metals. (9 Viewing). Discuss gold, silver and other precious metals ...General Discussion (http://gold-silver.us/forum/forumdisplay.php?9-General-Discussion) · Rosa "Rosie" (http://gold-silver.us/forum/showthread.php?91653-Rosa-quot-Rosie-quot-Gumataotao-Rios-Resigns-as-US-Treasurer) · Gold, Silver, Precious Metals (http://gold-silver.us/forum/forumdisplay.php?10-Gold-Silver-Precious-Metals)
Joshua01
16th February 2017, 10:16 PM
Strangers? We don't need no stinkin' strangers!
Jewboo
16th February 2017, 10:30 PM
https://www.google.com/search?q=gold-silver.us&biw=1536&bih=743&source=lnms&sa=X&ved=0ahUKEwjd9KODs5bSAhUB3WMKHbBTB7cQ_AUIBygA&dpr=1.25
:(??
SECOND LINK HAS THE filestore72 HIJACK
ximmy
16th February 2017, 10:33 PM
Strangers? We don't need no stinkin' strangers!
sometimes we gotta take a chance and dance with a stranger.
http://murderpedia.org/female.E/images/ellis-ruth/ruth-ellis-film.jpg
https://www.youtube.com/watch?v=_VvNQWP_6Ek
Glass
16th February 2017, 11:51 PM
The google search result definitely redirects to that site, even though the link looks ok. Considered to be a browser hijacker that infects the browser and redirects search results links to their own network of web sites. Potentially loads their own adverts into legitimate pages as they load.
Gold Silver Chat also appears to be affected. Not sure if this is a sign of an infected browser or some trickery they have been able to achieve in google to provide a display text that looks like a URL while the actual URL goes to that web site.
I wonder if it is a problem with the Cloud Flare caching service. Perhaps it has been hacked or has some vulnerability in the site caching side of things.
vacuum
16th February 2017, 11:57 PM
https://www.google.com/search?q=gold-silver.us&biw=1536&bih=743&source=lnms&sa=X&ved=0ahUKEwjd9KODs5bSAhUB3WMKHbBTB7cQ_AUIBygA&dpr=1.25
:(??
SECOND LINK HAS THE filestore72 HIJACK
When I use firefox 44.0 on lubuntu 12.04, it all works the way it should. No redirect.
edit: I also have Adguard and Adblock Edge installed
crimethink
17th February 2017, 12:03 AM
This has happened to me twice in the recent past. I definitely clicked on www.gold-silver.us/forum and not an alternative link in the search results. I normally just use the link in Firefox's frequently visited sites, though.
Glass
17th February 2017, 12:22 AM
I think the main thing to determine is, is it a problem with google results or individual users browsers being hijacked.
I confirm I get the redirect from google results on 2 different web sites. Others like kitco and GIM2 appear ok. Currently scanning system for "in-house" issues.
Crimethink says happened before from "some" google links but not all
jewboos confirms some links to here show behaviour - seems to agree with Crimethink
Vacuum says no
crimethink
17th February 2017, 08:22 AM
I think the main thing to determine is, is it a problem with google results or individual users browsers being hijacked.
I confirm I get the redirect from google results on 2 different web sites. Others like kitco and GIM2 appear ok. Currently scanning system for "in-house" issues.
Crimethink says happened before from "some" google links but not all
jewboos confirms some links to here show behaviour - seems to agree with Crimethink
Vacuum says no
I'm running Kaspersky IS and MBAM Premium, so the likelihood of a browser hijack is extremely low. My intuition says (((Google))) is screwing with sites they want to paint as "malware-infested." They've done this with "pirate" sites, too.
Glass
17th February 2017, 09:00 AM
I came up clean but I am on throw away systems anyway. More concerned about people trying to get here being hijacked
When I was messing around with the link it flashed up the caching service, the name escapes me right now....something fire. That service runs a global network of cache servers and ISP's serve up pages and content from that network to save on traffic costs of getting pages and content from the source. Obviously the more popular sites and content get cached closer to end users that are accessing it. The cache gets updated if the source changes.
I think the search results were served from the cache and the cache might be compromised. I noticed a streaming site I visit was having issues several times this week, page or content not found. I got a page from the cache service a couple times saying network or domain issues were happening.
crimethink
17th February 2017, 09:25 AM
When I was messing around with the link it flashed up the caching service, the name escapes me right now....something fire. That service runs a global network of cache servers and ISP's serve up pages and content from that network to save on traffic costs of getting pages and content from the source. Obviously the more popular sites and content get cached closer to end users that are accessing it. The cache gets updated if the source changes.
I think the search results were served from the cache and the cache might be compromised. I noticed a streaming site I visit was having issues several times this week, page or content not found. I got a page from the cache service a couple times saying network or domain issues were happening.
CloudFlare.
https://www.cloudflare.com/
Atocha
17th February 2017, 09:58 AM
https://www.google.com/search?q=gold-silver.us&biw=1536&bih=743&source=lnms&sa=X&ved=0ahUKEwjd9KODs5bSAhUB3WMKHbBTB7cQ_AUIBygA&dpr=1.25
:(??
SECOND LINK HAS THE filestore72 HIJACK
This is a hijack bug in vbulletin forum software. Google filestore72 and vbulletin. It is not your browser.
ximmy
17th February 2017, 11:17 AM
This is a hijack bug in vbulletin forum software. Google filestore72 and vbulletin. It is not your browser.
So the site owner can fix it?
Atocha
17th February 2017, 03:34 PM
So the site owner can fix it?
I am sure it is possible.
Jewboo
17th February 2017, 03:51 PM
This is a hijack bug in vbulletin forum software. Google filestore72 and vbulletin. It is not your browser.
The cure needs to be provided by our slumlord JQP:
Flish
01-02-17, 22:02
This is complex, but basically at some point a vulnerability has compromised the site and allowed code to be injected server side into the php scripts that power the site.
The injected code has some logic that says 'if the visitor has come from a search engine and this is their first visit then inject this JavaScript code into the page' - the injected code redirects us to the dodgy site, and is why we can't see it by viewing source and most of us are unaware, but if you kill cookies and run a script to capture output by pretending to have been referred by google you can capture the code.
The fix is for the site owner's server side: the vulnerability needs fixing and the php scripts cleaned up. Good news: it's fairly obvious to a capable dev what the dodgy code is; bad news is it could have been injected into 100's of files. *Sometimes* you can automate cleanup, but it will happen again if you don't fix the entry point.
Not sure who to signpost this to, but happy to help if someone reaches out.
Robert Burns
02-02-17, 05:02
Hi all,
Apologies for that, but hopefully it is now all resolved.
Cpanel upgraded
LiteSpeed server upgraded
PHP upgraded.
Site software upgraded
All server side passwords have been changed.
So hopefully we are all back to normal. If anyone sees anything dodgy, feel free to report it. The Mods all have my email address.
I can confirm it was a redirect file in the structure not an SQL injection, still not sure how they got it in the file structure, but it's gone now. You'll see that all references to the file name have been changed, I then downloaded a dump of the database and did a search, so I know we were not infected database side.
I've done a google search and clicked all the links and only come here. I urge all members to clear their cache on their browsers.
If you want to be belt & braces safe a password change is never a bad thing, though as I said before, I am content that they did not breach the database, and so no information was lost.
Once again, apologies for the inconvenience.
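The check described in the quoted post above (no cookies, one request that claims a Google referrer, one that does not), sketched as an added example; it is not code from any poster in this thread or from the other forum. The referrer value, the host names and the two sample responses are constructed placeholders.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

SEARCH_REFERER = "https://www.google.com/search?q=forum"  # assumed referrer value

class ActiveContent(HTMLParser):
    """Collect markup that can send a visitor elsewhere: scripts, meta refresh."""
    def __init__(self):
        super().__init__()
        self.items, self.in_script = set(), False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
            if a.get("src"):
                self.items.add(("script-src", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.items.add(("meta-refresh", a.get("content") or ""))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script and data.strip():
            self.items.add(("inline-script", " ".join(data.split())))

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def http_fetch(url, headers):
    """Live fetch with no cookie jar, so each request looks like a first visit."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def probe(url, fetch=http_fetch):
    """Return active content served only when the request claims a search referrer."""
    ua = {"User-Agent": "Mozilla/5.0"}
    direct_url, direct = fetch(url, dict(ua))
    ref_url, referred = fetch(url, dict(ua, Referer=SEARCH_REFERER))
    findings = sorted(active_content(referred) - active_content(direct))
    if urlparse(ref_url).netloc != urlparse(direct_url).netloc:
        findings.append(("http-redirect", ref_url))
    return findings

# Constructed responses standing in for a cloaking site (placeholder host names).
CLEAN = '<html><head><script src="/clientscript/app.js"></script></head><body>Forum</body></html>'
CLOAKED = CLEAN.replace("</head>", '<script src="//redirector.invalid/r.js"></script></head>')

def fake_fetch(url, headers):
    return url, CLOAKED if "google." in headers.get("Referer", "") else CLEAN

if __name__ == "__main__":
    print(probe("http://forum.example/", fake_fetch))
```

An empty result means both requests got the same scripts. Pages that embed per-request inline scripts (tokens, timestamps) will also show up as differences, so repeat the probe before treating a finding as an injection.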
Horn
17th February 2017, 04:13 PM
Not so much here, I get it on other sites that are perfectly safe.
When I load them into a stripped down chrome browser (Epic) they load ok.
I think it has to do with tracking cookies. If you dont retain them in chrome or official jew browsers u get it.
ximmy
17th February 2017, 06:22 PM
site owner, have you seen this thread?
JohnQPublic
17th February 2017, 06:26 PM
I'll contact the ISP, and let them take a look at it. Thanks.
Glass
17th February 2017, 06:40 PM
CloudFlare.
https://www.cloudflare.com/
yes this is the service and I think this is where the problem lies. It is before you even get to the forum... and other site links are affected as well. They cache google search results and serve those up to users instead of hitting Google each time for a new search. They also cache popular content like YT videos and so on so that it doesn't need to get transmitted from the source every time.
I think this is the service that has been hacked or affected and is what we are seeing.
Cebu_4_2
17th February 2017, 09:34 PM
I haven't use jewgle in years and this site is in my bookmarks so I go direct. Never an issue besides the fucked up formatting due to a lack of free updates.
JohnQPublic
17th February 2017, 10:46 PM
In works...
crimethink
18th February 2017, 12:24 PM
This is a hijack bug in vbulletin forum software. Google filestore72 and vbulletin. It is not your browser.
The redirect happens at Google, so either Google and/or their CDN is causing it, not GSUS or its vBulletin suite.
Cebu_4_2
18th February 2017, 06:10 PM
The redirect happens at Google, so either Google and/or their CDN is causing it, not GSUS or its vBulletin suite.
Or you have a redirect rootkit in your browser. I fought one a few months back that actually had me stumped. Eventually saved all my bookmarks in a different folder and removed firefox completely including the registry entries. Then I ran the firefox that I saved from mozilla from my computer, re-added my bookmarks and was good to go since.
Cebu_4_2
18th February 2017, 06:11 PM
In works...
Really appreciated John.
crimethink
18th February 2017, 08:41 PM
Or you have a redirect rootkit in your browser. I fought one a few months back that actually had me stumped. Eventually saved all my bookmarks in a different folder and removed firefox completely including the registry entries. Then I ran the firefox that I saved from mozilla from my computer, re-added my bookmarks and was good to go since.
http://gold-silver.us/forum/showthread.php?94752-Is-anyone-else-getting-rerouted-from-GSUS-to-a-virus-program-when-you-use-Google&p=885228&viewfull=1#post885228
JohnQPublic
20th February 2017, 10:31 AM
The redirection seems to have stopped. I disabled forum runner. Forum runner has stopped support, and I think someone exploited a vulnerability in it.
ximmy
20th February 2017, 05:59 PM
It's working now thanks! Maybe some new visitors will come? http://www.clipartbest.com/cliparts/4Tb/4Br/4Tb4Br7Tg.jpeg
Joshua01
20th February 2017, 07:58 PM
Aw jez....there goes the neighborhood ;)
It's working now thanks! Maybe some new visitors will come? http://www.clipartbest.com/cliparts/4Tb/4Br/4Tb4Br7Tg.jpeg
Horn
20th February 2017, 08:24 PM
The redirection seems to have stopped. I disabled forum runner. Forum runner has stopped support, and I think someone exploited a vulnerability in it.
Dogman always uses that program, must've been the cousins...
monty
20th February 2017, 09:36 PM
Dogman always uses that program, must've been the cousins...
I just logged in with forum runner. I can read the forum, but if I try to post it crashes.
JohnQPublic
20th February 2017, 10:37 PM
Forum runner has not been working well for me for about a year. They stopped supporting it, and I suspect it is no longer safe.
monty
21st February 2017, 07:21 AM
Forum runner has not been working well for me for about a year. They stopped supporting it, and I suspect it is no longer safe.
I haven't been able to post from it for a long time. It crashes. I use it on my phone to read the forum when I am out.
Glass
25th February 2017, 06:18 PM
on the face of it: Because cloudflare is so widespread and caches so many sites to provide faster access close to the internet user, it's likely many other sites are affected.
If anyone comes across more info to clarify how widespread the problem is please post it.
Here Are The Passwords You Should Change Immediately
If you have or had accounts on Fitbit, Uber, OkCupid, Medium, or Yelp, you should probably change your passwords. In a blog post (https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/) published on Thursday, the web performance and security company Cloudflare said it had fixed a critical bug, discovered over the weekend, that had been leaking sensitive information such as website passwords in plain text from September 2016 to February 2017. Over 5.5 million websites use Cloudflare, including Fitbit, Uber, OkCupid, Medium, and Yelp
Some website sessions accessed through HTTPS, a secure web protocol that encrypts data sent to and from a page, have been compromised as a result, and what makes the bug particularly serious is that some search engines (including Bing, Google, and DuckDuckGo) had cached, or saved, some of the leaked data for some time. This data isn’t easy for a nontechnical person to find, but for someone with knowledge of how to craft specific queries for affected websites’ leaked data on search engines, it was well within their reach.
http://www.orrazz.com/2017/02/here-are-passwords-you-should-change.html
Incident report on memory leak caused by Cloudflare parser bug
Last Friday, Tavis Ormandy (https://twitter.com/taviso) from Google’s Project Zero (https://googleprojectzero.blogspot.co.uk/) contacted (https://twitter.com/taviso/status/832744397800214528) Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.
It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.
For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.
We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation (https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation-), Server-side Excludes (https://support.cloudflare.com/hc/en-us/articles/200170036-What-does-Server-Side-Excludes-SSE-do-) and Automatic HTTPS Rewrites (https://support.cloudflare.com/hc/en-us/articles/227227647-How-do-I-use-Automatic-HTTPS-Rewrites-)) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.
Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause, to understand the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses.
Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of request
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/