swordofmoonlight.com issue

[HwitVlf]

I've only had it happen with links to the forum. Just now, I did a google search for "sword of moonlight forum" HERE and clicked on the top result and it sent me to [Don't go to these links as they may be infected sites!!]:
institutoculinario.com/omwi.htm?h=1222197
Clicked a second time and it sent me to:
rarechristianbooks.com/omwi.html?h=1222197

I've found reference to the above sites being used with the Redkit exploit to spread malicious script through Java or an Adobe Reader exploit. There's some info on how it works here. But if I understand correctly, it means SoM.com may have been hacked to add script that forwards people to randomly generated malicious sites.

[Guyra]

Yeah, I still get the same as John, I'm afraid. :/

[Holy_Diver]

Still happening. It's very possible the host is hacked, but it is a black eye on the hosting service to not have been noticed any sooner than this. Either way you shouldn't have to fix it. Just open a support ticket. If it doesn't get fixed find a better host.

Request URL:https://www.swordofmoonlight.com/
Request Method:GET
Status Code:302 Found
Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:SMFCookie304=a%3A4%3A%7Bi%3A0%3Bs%3A2%3A%2219%22%3Bi%3A1%3Bs%3A40%3A%22f91af15fffb6be63e12e613b62867f9a6fa5bf77%22%3Bi%3A2%3Bi%3A1452443720%3Bi%3A3%3Bi%3A0%3B%7D; __utma=15287220.894236322.1257141082.1312101578.1315202564.93; PHPSESSID=9cb4d09915f5ba314899a6afaa761a19; tapatalk_redirect3=false
Host:www.swordofmoonlight.com
Referer:\<span> site blocked, contact your administrator/
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Response Headersview source
Cache-Control:private, must-revalidate, max-age=0
Connection:close
Content-Encoding:gzip
Content-Length:208
Content-Type:text/html; charset=iso-8859-1
Date:Fri, 25 Jan 2013 04:53:14 GMT
Location:https://rarechristianbooks.com/omwi.html?h=1222197
Server:Nginx / Varnish
Vary:Accept-Encoding

See if Referer:\<span> site blocked, contact your administrator/ said som.com or was empty then the link would work. Otherwise it gets redirected. That's just the logic of the hack so that it is more likely to go unnoticed.

It doesn't look like any scripting is involved. If an application was involved it seems like your website would not be targeted specially unless there is something about your host that makes it vulnerable, but an application could do all of this without ever connecting to your host.

[Holy_Diver]

I've found reference to the above sites being used with the Redkit exploit to spread malicious script through Java or an Adobe Reader exploit. There's some info on how it works here. But if I understand correctly, it means SoM.com may have been hacked to add script that forwards people to randomly generated malicious sites.

The ondailybasis link doesn't make a whole lot of sense. Any idea if these infected sites with a working omwi.html page are able to install/run anything on the computers that visit them. Presumably via Java?

I swear I don't know why the hell I even have Java installed anymore. The updates are annoying, but it seems like every time I go and uninstall it within not long I find myself having to install it for some reason. For reasons I can't even recall

This is why browsers should probably not even have plugins. If you can't do it with Javascript or equivalent then it just shouldn't be done. I mean why the hell can a PDF file be made to install and run things? That's nuts. Can't we at least be safe from media formats

[dmpdesign]

Thanks for the heads up, im online with the domain folks now, its painful trying to explain how to get this to happen and that it isnt google and the rest of the world that is messed up lol. ‎  thankfully i have a patient tech, hopefully this gets resolved. ‎  all domains i have registerd appear to be hacked...tiamatgames.com and hguols.com are doing the same thing.

from my ftp site i can see a bunch of new php files were loaded on each domain around the same time on the 17th of january. ‎  not sure how to fix it yet but working on it.

[dmpdesign]

well i fixed the issue myself, but i dont know how it happened or how to prevent it. ‎  let me know if you see any residual issues.

[dmpdesign]

I think I know the 'how'.

I peeked at all the ways to access the backend that I could find, unfortunately an ftp account I had for Tom so he could update his own hguols domain appears to be the culprit. ‎  It last logged in at the exact time all those new htaccess and default.php files were added to the sites (which was the cause). ‎  So I dont know if someone used his credentials to load us up with all that malware or if a java plugin he installed for his music player gave someone access on that day, either way though, I have removed that access and hopefully any further issues.

I hope everything is gtg now, I appreciate your guys help and patience. ‎  Special thanks to holy for visiting so often, if you hadn't OP'd on the date everything went awry, I probably never would have made the connection to the problem! ‎  (I am just teasing you HD)

[Guyra]

There we go! Really nice! :)

[HwitVlf]

I knew Tom was actually a Russian hacker in disguise!

Thanks for all that effort Todd

[Holy_Diver]

FWIW: I was double checking the links to Verdite's demo thread since they seem to change on a daily basis.

I haven't updated the software on my websites in so long its a wonder they don't explode from all of the published exploits that must be floating around out there. I don't even back them up but once a year. Edited: I've made a not to remedy that now that I think my ISP is up to it. It would be nice if folks developing website software would start with a 100% seamless update scheme and branch out from there.

To be honest it says something for all the problems the hackers cause they could really cause a lot of damage if they wanted to. Most of the hacks might (might) be of some value to someone but you don't hear many stories of whole sites being wiped out or broken beyond repair. Knock on wood.