View Full Version : this keeps appearing



IPD
01-29-2013, 01:18 AM
Alan, I've randomly been getting an error when I click an email about an update to a forum post. Instead of taking me to that thread, it takes me to a website, screen cap below. Re-clicking on the thread link will take me there, but for some reason, it randomly gives me this:

http://www.3sgto.org/members/ipd/albums/ipd-s-pile-crap/4895-3sgto-dont-load.jpg

Just a heads up. I have no idea what causes it.

wingnut
01-29-2013, 02:30 AM
You has a redirect virus...

How to Remove Google Redirect Virus | eHow.com (http://www.ehow.com/how_5842581_remove-google-redirect-virus.html)

IPD
01-29-2013, 10:01 AM
1. kaspersky has no indication of a virus

2. this is me clicking a link from inside of my hotmail account, linking me to 3sgto. i do not have this error message appear for other forums i'm on.

3. this only happens about 1 time in 50-100. not very often.

4. i was told by dk77 that this appears to be a vbulletin issue.

green-lantern
01-29-2013, 11:40 AM
I get this often when using my work PC for some reason. Never does it on any other forum. It did it right after I viewed this thread and hit new posts so I just hit the back button and posted about it. lol


Bad Request
Your browser sent a request that this server could not understand.
Client sent malformed Host header



--------------------------------------------------------------------------------

Web Server at 3sgto.org

IPD
01-29-2013, 11:47 AM
i see a lot of issues like this with vbulletin. i don't know what's the implication in that. i was hoping alan would chime in and give us a 411 on it.

green-lantern
01-29-2013, 12:15 PM
At work I use IE everywhere else I use Firefox. I don’t know if it’s that or some security stuff on the work PC. Like I said it doesn’t do it on any other V-bulletin sites I use. Like your issue it’s not a big deal but it’s a little annoying.

GTOJOE
01-29-2013, 07:17 PM
This happened to me maybe 2 days ago while google searching something. Hit a link to 3sgto and got something like that. Only time it has ever done it.

stealthee
01-29-2013, 07:25 PM
MyFileStore is redirect malware.

The bad Request issue has to do with IE. I get the issue often, only on 3sgto though.

wingnut
01-29-2013, 08:20 PM
MyFileStore is redirect malware.

The bad Request issue has to do with IE. I get the issue often, only on 3sgto though.

Ditto...but good luck telling him, i tried already :D

IPD
01-30-2013, 02:46 AM
Ditto...but good luck telling him, i tried already :D

ok genius. i have no tdssserve.sys file anywhere in my device manager. i even downloaded this & used it:

How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)? (http://support.kaspersky.com/viruses/solutions?qid=208280684)

ZERO malware detected.

then i did this:

Google redirect virus – Remove Manually(latest update) (http://atechjourney.com/google-redirect-virus-remove-manually.html/)

again, nothing in devices, nothing in registry, nothing in msconfig.

if it's a redirect rootkit i've got on my PC, this would be the most obtuse, difficult to locate malware ever invented--because it apparently doesn't even have a filename.

any other ideas? i'll remind you that this doesn't happen from search results on google/yahoo/bing. this only shows up inside a vbulletin email to my hotmail account notifying me of an update to a forum thread, and re-clicking on the link will take me to the thread. there is no search engine involved.

DK77
01-30-2013, 03:24 AM
This is the thread I read through that had links showing it was an issue in Vbulletin. Redirects from google..... (http://www.grandprixforums.net/redirects-google-46160.html)

stealthify
01-30-2013, 05:20 AM
vbulletin hacked? (https://www.vbulletin.com/forum/showthread.php/397070-vbulletin-hacked)
vBulletin 3.x and 4.x Redirect Security Exploit (https://www.vbulletin.com/forum/showthread.php/380561-vBulletin-3-x-and-4-x-Redirect-Security-Exploit)

DrGonzo
01-30-2013, 09:06 AM
This is the thread I read through that had links showing it was an issue in Vbulletin. Redirects from google..... (http://www.grandprixforums.net/redirects-google-46160.html)

Ha ha ha... You linked off to a forum Stealthee is a member on concerning this same issue!!!

http://3s.gonzoinc.com/albums/userpics/10002/Screen%20Shot%202013-01-30%20at%209_03_12%20AM.png

Alan92RTTT
01-30-2013, 09:50 AM
I'll take a look when I get home.

IPD
01-30-2013, 10:37 AM
I'll take a look when I get home.

thanks, alan.

wingnut
01-30-2013, 10:46 AM
if it's a redirect rootkit i've got on my PC, this would be the most obtuse, difficult to locate malware ever invented--because it apparently doesn't even have a filename.

alright, fair enough...

Redirects from google..... - Page 3 (http://www.grandprixforums.net/redirects-google-3-46160.html#post807453)

...sounds like theirs was a datashare issue, but wouldn't EVERYONE (or at least 50%) be seeing same?

DrGonzo
01-30-2013, 11:00 AM
I just got the redirect also doing a Google search.

Alan - Check your remote MySQL connections in cpanel. Remove any entries that have a wildcard "%", then disable/re-enable all plugins in vbulletin. That will clear out the datastore on the DB where the exploit base64 is sitting. Change all passwords also.

Here is the full thread: https://www.vbulletin.com/forum/showthread.php/345283-Security-Redirction-to-file2store-info?highlight=myfilestore

DrGonzo
01-30-2013, 11:05 AM
Guys - This is not a virus on your PC. It is a hacking attempt on the 3sgto server.

This will only affect people searching on major search engines and clicking on a link from that search engine trying to get to this site. it will redirect them to the filestore site which contains malware.

IPD
01-30-2013, 11:39 AM
Guys - This is not a virus on your PC. It is a hacking attempt on the 3sgto server.

This will only affect people searching on major search engines and clicking on a link from that search engine trying to get to this site. it will redirect them to the filestore site which contains malware.

but then why did i get it from a link to my email?

DrGonzo
01-30-2013, 12:12 PM
The exploit looks at the referrer in the request. Most likely you're using an email client where the top level domain is also a well-known search engine "i.e. Google, Yahoo, etc."

IPD
01-30-2013, 12:21 PM
The exploit looks at the referrer in the request. Most likely you're using an email client where the top level domain is also a well-known search engine "i.e. Google, Yahoo, etc."

hotmail...so bing, i'm guessing?

DrGonzo
01-30-2013, 01:22 PM
Hotmail Referrer=bluXXX.mail.live.com. Live.com is probably part of the exploit check to redirect.

The redirect is taking you to a download page where it is saying you are missing a plugin and need to install it. The EXE download is the malware from what I can see. I'm trying to determine the extent of the damage if installed.
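
The referrer-dependent redirect described in the posts above can be checked from outside the server. This is an added example, not part of any post in this thread: it requests one URL with different Referer headers and reports off-site redirects that appear only for some of them. The host names, Referer values and the simulated fetcher are constructed, and only HTTP 3xx redirects are detected, not script-based ones.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed Referer values: none, a search result page, a webmail host.
REFERERS = {"none": None,
            "search": "https://www.google.com/search?q=forum",
            "webmail": "https://mail.live.com/"}

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; urllib then raises HTTPError for the 3xx

def http_fetch(url, referer):
    """Live fetcher: return (status, Location) without following redirects."""
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    try:
        with urllib.request.build_opener(_NoFollow).open(req, timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def _host(url):
    host = urlsplit(url or "").hostname or ""
    return host[4:] if host.startswith("www.") else host

def conditional_redirects(url, fetch=http_fetch, referers=REFERERS, tries=3):
    """Map referer label -> off-site hosts seen only when that Referer is sent."""
    def offsite(referer):
        seen = set()
        for _ in range(tries):  # the thread reports the redirect as intermittent
            status, location = fetch(url, referer)
            target = _host(location)
            if 300 <= status < 400 and target and target != _host(url):
                seen.add(target)
        return seen
    baseline = offsite(referers["none"])
    found = {label: offsite(ref) - baseline for label, ref in referers.items()}
    return {label: sorted(hosts) for label, hosts in found.items() if hosts}

def simulated_compromised_fetch(url, referer):
    """Constructed stand-in for a server whose injected code keys on the Referer."""
    if referer and any(d in referer for d in ("google.", "live.com")):
        return 302, "http://malware-download.invalid/plugin.exe"
    return 200, None

if __name__ == "__main__":
    print(conditional_redirects("http://forum.example/t/1", simulated_compromised_fetch))
```

An empty result from the default `http_fetch` against a site you administer means no Referer-keyed 3xx redirect was seen in those tries; raise `tries` when the behaviour is intermittent.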

green-lantern
01-30-2013, 02:56 PM
Guys - This is not a virus on your PC. It is a hacking attempt on the 3sgto server.

This will only affect people searching on major search engines and clicking on a link from that search engine trying to get to this site. it will redirect them to the filestore site which contains malware.

http://www.3sgto.org/f8/unseen-all-out-cyber-war-u-s-has-begun-11070.html

Those Iranian bastards have gone too far!!!!!

Alan92RTTT
01-30-2013, 03:20 PM
As an attempt at a temporary fix I have disabled the SEO plugin.

Please report if this changes anything.

IPD
01-30-2013, 03:23 PM
i'll let you know the next time i get it, alan.

DK77
01-31-2013, 01:29 AM
Ha ha ha... You linked off to a forum Stealthee is a member on concerning this same issue!!!

Haha... yeah I noticed that when I read through it the first time. I scrolled down and recognized the avatar. Then realized it was Stealthee. Small world LOL.

MeTarzan
01-31-2013, 10:10 PM
So have we blacklisted 3Si?? LOL ....I keep getting this on most pages I visit and it seems that it's just because of a link on the pages and can't work around it unless I open in IE

DrGonzo
01-31-2013, 10:56 PM
No it just means that someone is pulling an image or something from 3si. Probably their sig image or some other random image.

3si is on Google's blacklist again cause one of their advertisements was flagged for serving viruses/trojans/etc. Not the first time or the last time it has happened.

stealthee
01-31-2013, 11:12 PM
3si probably has more malware infested ads.

Alan92RTTT
02-01-2013, 12:44 AM
So have we blacklisted 3Si?? LOL ....I keep getting this on most pages I visit and it seems that it's just because of a link on the pages and can't work around it unless I open in IE

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.3si.org

stealthify
02-01-2013, 03:19 AM
Related to what Tarzan is experiencing:


3si probably has more malware infested ads.

Brian, it seems your signature image is hosted on 3si (via their gallery), which is causing this thread and any thread you post up in to alert people of a potential malware attack here on this forum. If you can, I'd recommend re-uploading your sig image to the gallery here instead, or to any reputable host, and updating the link in your signature. Should fix the problem.

stealthee
02-01-2013, 07:09 AM
I actually forgot that was still hosted there. I am on my way out the door, I will fix it after work.

IPD
02-02-2013, 02:19 AM
lol. half the forum left because of 3sdie's shiens with AF's ads (it was the last straw anyways...) and they keep going down the same profiteering path. fuck AF.

stealthee
02-02-2013, 08:32 AM
Related to what Tarzan is experiencing:



Brian, it seems your signature image is hosted on 3si (via their gallery), which is causing this thread and any thread you post up in to alert people of a potential malware attack here on this forum. If you can, I'd recommend re-uploading your sig image to the gallery here instead, or to any reputable host, and updating the link in your signature. Should fix the problem.

I rehosted it so hopefully that fixes issues for those getting alerts.

stealthify
02-02-2013, 04:21 PM
I rehosted it so hopefully that fixes issues for those getting alerts.

Seems all good now. :thumbup:

IPD
02-05-2013, 12:15 AM
alan, i got that screen again this morning when i was clicking a link to the demotivators thread. don't really think the thread matters...but it did happen. it's been a few days though.

IPD
02-07-2013, 01:21 AM
it's happening about 1-2 per day. maybe once every 30 clicks or so.

IPD
02-19-2013, 01:06 AM
alan, this hasn't happened in several days. i think whatever was dorked up on forum software has been fixed. *fingers crossed*

Alan92RTTT
02-19-2013, 02:31 AM
cool. I was hoping the upgrades would kill it.

GTO Assassin
02-21-2013, 08:11 AM
Why is there an ad covering my top right of screen options? The colour has changed as well.

Scotty

Alan92RTTT
02-21-2013, 09:12 AM
colors changes because of a site upgrade.

Can you post a screen shot showing the issue with the ad?

GTO Assassin
02-21-2013, 11:40 PM
4988...........

stealthee
02-22-2013, 12:01 AM
Scotty, not sure what color theme you had before, but you are currently on Default (Dark V2). You can change that in the box below the chatbox, or in your usercp options.

As for the ad issue, that's an odd one. Maybe try clearing your cache and try again.

Alan92RTTT
02-22-2013, 12:10 AM
The ad is a bug in the header template. You just have to stretch your browser wide to make it show.

Alan92RTTT
02-25-2013, 05:34 PM
4988...........

This issue should be fixed now.

GTO Assassin
02-28-2013, 01:18 AM
Success! :bigthumb:

Wait, it's now appearing on my keyboard. WTF?

Scotty