Hi all,
getting the following popup when visiting this site. Any advice appreciated.
This is a very busy site, plenty of forum members/posts.
hxxp://www.comeonyouspurs.com
Your picture shows another site than the one you mentioned in the post.
The one in the post is not blocked.
url4short is reported as untrustworthy/malicious:
https://www.virustotal.com/nl/url/0a30604db7912563535e656531a1d7a3316d598c1c627caea540372c16a8d66f/analysis/1398385521/
http://zulu.zscaler.com/submission/show/e9aa3fb507b65c844ed7c055d92629d6-1398385597
http://urlquery.net/report.php?id=1398385674986
Perhaps you can help me figure out what happened. I can certainly recreate it, I tried it again just now.
Using Firefox, I navigated to the yahoo.com homepage. In their search box at top I entered
“Tottenham forums”. In the search results I selected the result corresponding to the site I mentioned
in my first post (it’s on the first page of results), selected it, and this detection comes up.
However, if I close and re-open Firefox and type the name of the site myself into a new tab,
everything is fine. Something wrong with the search results? Firefox? My PC?
Thanks for any further info.
EDIT - tried it in IE8 (I’m using XP) and everything works normally.
I posted this at wilderssecurity and they seem to corroborate my findings.
Using the search results from Google, all is fine. As is entering the site manually into a new tab.
Just the search results from Bing/Yahoo seem to re-direct to this malicious site.
http://www.wilderssecurity.com/threads/strange-result-with-yahoo-search-results.363500/#post-2370475
You don’t need to close/open Firefox, it also works without doing that.
And the same happens in other browsers as well.
It looks like bing/yahoo is using a redirector on certain search results to hide the referral.
If you go over search results with your mouse, some show the direct link to the website and others show r.search.yahoo.com or r.bing.com
http://clicky.com/blog/327/bings-secure-search-will-be-worse-than-googles-for-most-sites
It seems url4short is also a browser hijacker / PUP.
More info here: http://abhisays.com/tips-and-tricks/how-to-fix-forum-redirecting-to-url2short-info.html
Annoying,
polonus
Pondus, I tested it and got the exact same results as the OP even in the safezone.
I don’t think his system is infected with the redirector.
I’ve looked at some of the sites mentioned, as well as further info here:
http://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/
This guy gives a great analysis of how he tracked down this injection. If I understand correctly,
the problem is in the server responsible for the comeonyouspurs.com website.
Perhaps I should let the site know? One thing I was not able to clear up, nor do I understand,
is why it only occurs when you use the search results? If you enter the site name directly
on a new tab, you don’t see the problem. This is why I thought Bing/Yahoo was the culprit.
Bing/Yahoo IS the culprit.
It is how they redirect you to a site in an effort to hide things such as the keywords used for the search (and some other things).
The board shows up clean in all scans.
Thanks Eddy. I’ve opened a question in the Bing section at Microsoft Answers.
Let’s see if they have anything to say about it.
Hi davexnet,
It is the vulnerability to the use of a wildcard enabled, look for the character %, for connections to the database.
It is the traffic reduction that makes it so annoying.
polonus
Polonus,
I am neither an administrator at the website in question nor a Bing representative.
I’m just a user who came upon this by chance.
From a response on Microsoft Answers I have filled in a form to Bing outlining this issue.
I read the info at http://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/
I reread it again, and as far as I can see, nowhere does he mention the problem
was the fault of the search results themselves. He seems to say (as do the comments at the bottom)
that the problem actually was in the “Invisionboard site”.
So, is it a Bing problem or the forum comeonyouspurs.com’s problem? Mixture of the two?
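
Added example, not part of the original thread: one way a site owner or investigator could check for the behaviour discussed above, where the same page acts differently depending on the Referer it is sent. It assumes the difference is visible in the server's response (a redirect or changed HTML); `forum.example`, `redirector.example`, `cdn.example` and the stub `constructed_fetch` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Referer values to compare against a direct visit (None = typed into the address bar).
REFERERS = [None, "http://r.search.yahoo.com/", "http://www.bing.com/search?q=forum",
            "https://www.google.com/search?q=forum"]

def offsite_hosts(site_host, status, location, body):
    """Hosts other than site_host that a response points the browser at."""
    urls = re.findall(r"https?://[^\s\"'<>)]+", body)
    if 300 <= status < 400 and location:
        urls.append(location)
    hosts = {urlsplit(u).hostname for u in urls}
    return {h for h in hosts if h and h != site_host}

def referer_only_hosts(fetch, url, referers=REFERERS):
    """Map each Referer to off-site hosts that appear only when it is sent.

    fetch(url, referer) must return (status, location, body) without
    following redirects; the direct visit (referer=None) is the baseline.
    """
    site = urlsplit(url).hostname
    baseline = offsite_hosts(site, *fetch(url, None))
    findings = {}
    for ref in referers:
        if ref is None:
            continue
        extra = offsite_hosts(site, *fetch(url, ref)) - baseline
        if extra:
            findings[ref] = sorted(extra)
    return findings

# Constructed stand-in for a compromised forum: behaves normally unless the
# Referer is Yahoo or Bing. Replace with a real HTTP client to test a live site.
def constructed_fetch(url, referer):
    page = '<html><script src="http://cdn.example/app.js"></script>Forum</html>'
    if referer and re.search(r"yahoo\.|bing\.", referer):
        return 302, "http://redirector.example/landing", ""
    return 200, None, page

if __name__ == "__main__":
    for ref, hosts in referer_only_hosts(constructed_fetch, "http://forum.example/").items():
        print(f"{ref} -> {hosts}")
```

A non-empty result means the site itself answers differently for those Referers, which points at the server rather than the search engine.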