Search Engine Malicious Redirection Issue


Chris

In order to properly investigate the issue I've mentioned here, I'll need to know the forum theme you guys are using when accessing the search engine link. Please mention that in this topic.

Theme = Sonical.

Other details. Chrome Via Google links. --- Seems to only happen when it's a google link I haven't clicked before.

IP.Board, Chrome through a Google link too.

It's kinda irrelevant considering the concern is a malicious redirect in the first place, but going back and clicking on the SSMB link again actually takes you to SSMB.

ip.board, Wii U Internet Browser using Google as my search engine. Got sent to filestore whatever.

On my grandma's Mac it was the same thing, but I got sent to adult friend finder. Thankfully my grandma wasn't standing next to me. ;;;;

Theme: Keeps changing, currently it's Seasonal Sonic.

Bowser: Google Chrome.

I got the link using Sonical & on Chrome via google on a Windows 7 laptop. Usually tend to use the address bar's autocomplete though. Can't remember it happening for a while though, guess mine has also stopped.

Always Catfish.

Though it always appears on the school PC where I don't have adblock nor am logged in when entering so IP.Board

I use Sonical because I like blue, and Sonic.

I used Sonical, but it constantly keeps switching back to I.P. Board. The reason why this issue doesn't pop for me is because I directly access SSMB by typing in its address.

EDIT: I use Google Chrome btw

I'm using the Sonical theme.

I'm having 2 major issues,

1. Occasionally when I visit SSMB I get directed to a porn site.

2. When I make a post and send a message I have to refresh the page because my "session" times out.

> I'm using the Sonical theme.
>
> I'm having 2 major issues,
>
> 1. Occasionally when I visit SSMB I get directed to a porn site.
>
> 2. When I make a post and send a message I have to refresh the page because my "session" times out.

Basically this. I'm using the Sonical theme on Chrome and the 2 points raised above sum up the errors I'm receiving at my side.

It happens to me all the time Sonical and IP Board on Chrome. It seems to have stopped since I switched over to Knucklehead though.

Hasn't really had any impact regardless of what skin I use, but IP.Board and Chrome at the moment.

I use the Thief of Hearts theme and Google Chrome, and it worked fine for me when I tried it just now. I tried getting on here through Chrome at my school the other day and porn popped up, though - hopes that no one saw it aside, I hadn't accessed the site from that computer yet and so the link wasn't shown as having been visited before. I try it on this computer where the link is shown as having been clicked in the past, and it works just fine. Thought I might as well point that out.

This is pretty interesting, I've never heard of anything like it and it's also never happened to me in particular. I use Sonical and Firefox (with a ton of security addons).

I was kind of confused and nothing I tried made things work in an unintended way, but I tried in a virtual machine (Windows XP and Firefox) and it actually redirected me to some really shady site that I'm pretty sure contained obfuscated Java code.

It won't redirect again until the cookie ssmb_lang_id is cleared. ssmb_session_id cookie doesn't appear to matter. I've also gotten redirected to other sites that appear to serve other purposes (ad revenue). If I find something else I'll update.

EDIT: I was tinkering with Wireshark and more or less traced the problem a bit. I have no clue what I'm doing, though, as my knowledge of html/java/web technologies is limited, so keep that in mind.

That said, there is an HTTP GET request that just returns a single line of code with the malicious URL:

document.location='http://filestore321 <dot> com/download.php?id=6304ad27'

(I replaced the dot with <dot> on purpose.) Apparently that may be the cause of the redirection.

The GET request is sent right after having received the response to the initial GET against board.sonicstadium.org. The suspicious URL for the suspicious GET is

http://board.sonicstadium<dot> org/index.php?ipbv=4609be755fe17f70c884029489c69a06&g=js, but the apparently random string changes depending on the machine.

Interestingly, trying to load the URL for the suspicious GET request in Firefox produces different results depending on cookies. If the cookie ssmb_lang_id isn't sent, nothing happens and the page stays blank. If it is set, it loads the board main page without redirecting. Loading the main SSMB page and clicking on the link in the source code view produces a lengthy javascript file, which I'm assuming is the right thing to happen under normal circumstances.

It also appears that the cookie ssmb_lang_id is only set if you access the site through google. If you load the site directly it doesn't appear to ever get set, even if you mess with the language selector on the bottom of the page. Only when explicitly setting a language with it does a language cookie get set, and it's called ssmb_language, so I've got no idea where ssmb_lang_id comes into play.

Uh... anyway... It's gonna be 6 AM soon and I'm going to hit the bed. Sorry if this was messy or if it's not helpful (it sure was fun, though, which is why I did it).

Edit2: Oh, also, the cookie ssmb_lang_id is set by the response to the suspicious GET if you reach SSMB through google (not if you come directly), which is strange because the referrer for that GET is always SSMB and not google. So probably the file served to the client gets switched based on the referrer for the first GET against boards.sonicstadium.org and whether or not the cookie ssmb_lang_id is sent.

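Added example, not part of the post above and not the forum's own code: a Python check over captured responses for the pattern that post describes, where the same script URL returns either the normal JavaScript or a one-line off-site `document.location` assignment depending on how the visitor arrived and whether the `ssmb_lang_id` cookie was sent. The host names, capture fields and response bodies are constructed placeholders; only the cookie name comes from the thread.

```python
import re
from urllib.parse import urlparse

SITE_HOST = "board.example.org"  # placeholder for the forum's own host

# A body that is nothing but one assignment to document.location / window.location
REDIRECT_ONLY = re.compile(
    r"""^\s*(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]\s*;?\s*$""")

# Constructed captures of the same script URL fetched under three conditions.
CAPTURES = [
    {"label": "via search engine, no cookie",
     "entry_referer": "https://www.google.com/", "cookies_sent": [],
     "cookies_set": ["ssmb_lang_id"],
     "body": "document.location='http://redirect-target.example/download.php?id=PLACEHOLDER'"},
    {"label": "via search engine, cookie kept",
     "entry_referer": "https://www.google.com/", "cookies_sent": ["ssmb_lang_id"],
     "cookies_set": [],
     "body": "var ipb = {};\nfunction init() { return true; }\n"},
    {"label": "direct visit",
     "entry_referer": "", "cookies_sent": [], "cookies_set": [],
     "body": "var ipb = {};\nfunction init() { return true; }\n"},
]

def offsite_redirect(body, site_host=SITE_HOST):
    """Return the target host if the body only redirects off-site, else None."""
    m = REDIRECT_ONLY.match(body)
    if not m:
        return None
    host = urlparse(m.group(1)).hostname
    return host if host and host != site_host else None

def analyse(captures, site_host=SITE_HOST):
    """Summarise which request conditions receive the redirect instead of the script."""
    hits = [c for c in captures if offsite_redirect(c["body"], site_host)]
    clean = [c for c in captures if c not in hits]
    # A cookie set alongside the redirect and never sent by a redirected client
    # is a candidate "already redirected" marker.
    markers = {n for c in hits for n in c["cookies_set"]}
    markers -= {n for c in hits for n in c["cookies_sent"]}
    return {
        "conditional": bool(hits) and bool(clean),
        "redirected": [c["label"] for c in hits],
        "targets": sorted({offsite_redirect(c["body"], site_host) for c in hits}),
        "marker_cookies": sorted(markers),
    }
```

A result with `conditional` set to true means the server, not the browser, is choosing what to return for that URL, which points the investigation at server-side code or included files rather than at the visitor's machine.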

I use the IP.Board and Firefox. However, it doesn't really matter, as I get directed to a different site whether I'm on my computer, my Wii U, or my Kindle.

> It happens to me all the time Sonical and IP Board on Chrome. It seems to have stopped since I switched over to Knucklehead though.

I'll try switching too to see if anything improves.

Ok, so I just tried to go to Kodomin's Profile and I got a redirect there with a malicious site warning

IP Board. Chrome.

I was redirected to adultfriendfinder which led to a rather unpleasant surprise when I was greeted, not by Sonic, but by a completely naked woman staring me in the face. Sure gave my boyfriend sitting next to me a shock too.
