Previously on "Is it just me or is Itstics popping up for everyone?"
- Something very similar seems to be happening again, but not as often as it used to before.
- Originally posted by cojak:
  > What malware blocker are you using bless 'em all?

  Malwarebytes. S'free.
- Originally posted by NickFitz:
  > (post quoted in full; it appears in its own right further down the thread)

  Whatcha talkin bout Willis - YouTube
- One further thought: the expired domain page contains some frame-busting JS. If it's appearing in the same window/tab then it implies that a concealed iframe is being inserted in the page (by whatever means), which could fly under the radar when the domain was returning whatever used to be hosted there, but is now exposed by the frame-busting.

  On one of the occasions when my WordPress installation got hacked I noticed it because, although the page appeared normally, the browser's loading indicator kept going for a while afterwards. It turned out the hack had inserted a hidden iframe, which was loading the extremely image-heavy home page of a Russian porn site. I assume the owner thereof was getting ad revenue based on pageviews, and realised it wasn't necessary for anybody to actually view the site as long as browsers were loading it.

  This could be the leftovers of a similar hack. The question then is whether the iframe is being injected via CUK or at the user's end. To those affected, I'd suggest double-checking your browser plugins and extensions. It does seem odd that it's only CUK though. Maybe check out some other vBulletin-based forums and see if they show the problem, in case it's something exotic like malware that only injects stuff if it detects a vBulletin site? Sounds odd, I know, but stranger things have happened.
- Some possibly pertinent information: I had another look at redgiant's thread in Technical; from the screenshot there the domain redirected to appears to be itstatics.in. Looking that up shows the owner to be a chap in Moscow.

  The interesting thing is that the domain was registered on 5 March 2012, and last modified late on 5 March 2013. redgiant started his/her thread about it on 6 March 2013. The domain itself doesn't expire until 5 March 2014, although its status is AUTORENEWPERIOD, which indicates that it's been tentatively extended by the registrar, giving the registrant a period to properly renew. (The registrar is Directi Web Services, who as far as I can tell are based in Mumbai.)

  So it started causing trouble at the time that the registrar redirected it when the registration expired.

  If you go to the site, it's one of those domain holding pages, and states that the domain is expired. That page itself seems quite legit and doesn't have anything untoward on it, although that's to be expected as an ICANN-accredited registrar wouldn't risk their status by deliberately hosting crap on their own pages.

  So the implication is that the domain was originally registered by this chap in Moscow, who has now let it expire; the registrar is redirecting it to their expiry-message-with-ads page, at least in the short term; and somehow this is causing the browsers of our unfortunate victims to show that page in a new window or tab or whatever. (Actually I'm unclear on that: is it appearing instead of CUK, i.e. redirecting the same window, or in a new window/tab?)

  The fact that it didn't do this until after the domain expired suggests that any such HTTP requests before weren't returning anything that could be displayed, such as a 204 No Content response. How it causes it to open a new window/tab (if that's what's happening) is a different question.

  Google's cache doesn't have anything for the root of that domain, nor has it indexed any content from it, nor any links to it, nor anywhere that mentions it. (Expect that to change within minutes of me posting this.)

  The IP address 208.91.197.101 is associated with the domain via the DNS records:

  Code:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54896
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;itstatics.in.                  IN      ANY

  ;; ANSWER SECTION:
  itstatics.in.           300     IN      PTR     dns.parkpage.foundationapi.com.
  itstatics.in.           300     IN      TXT     "v=spf1 a -all"
  itstatics.in.           300     IN      A       208.91.197.101
  itstatics.in.           300     IN      SOA     dns.parkpage.foundationapi.com. abuse.opticaljungle.com. 2011062801 3600 900 604800 86400
  itstatics.in.           300     IN      NS      dns.parkpage.foundationapi.com.
  itstatics.in.           300     IN      NS      dns2.parkpage.foundationapi.com.

  Visiting that IP address directly results in a redirect to searchtermresults.com. Repeating that with the Host header altered to itstatics.in ultimately returns the "expired domain" page (via some redirect shenanigans, which seemed innocuous). FWIW, here's the tail end of a traceroute to that address:

  Code:
   7  tcl3-ic-1-ae0-0.network.virginmedia.net (212.43.163.198)  25.459 ms  20.494 ms  20.290 ms
   8  ldn-b2-link.telia.net (213.248.93.69)  17.336 ms  16.854 ms  15.840 ms
   9  ldn-bb1-link.telia.net (80.91.250.225)  16.422 ms  13.913 ms  16.539 ms
  10  nyk-bb1-link.telia.net (213.155.135.69)  86.264 ms  98.419 ms  87.544 ms
  11  dls-bb1-link.telia.net (213.155.133.177)  126.358 ms  138.306 ms  128.323 ms
  12  giganews-ic-300068-dls-bb1.c.telia.net (62.115.11.166)  132.155 ms  133.627 ms  133.209 ms
  13  209-99-48-54.fwd.datafoundry.com (209.99.48.54)  138.153 ms  136.976 ms  135.792 ms
  14  208.91.197.101 (208.91.197.101)  137.975 ms  138.342 ms  136.574 ms

  The IP address itself appears in Google search results in various roles: being owned by Confluence Networks Inc. and hosted in the British Virgin Islands, being blocked for malware, being a Minecraft server. A reverse-DNS lookup from my location and from an EC2 server in Virginia, USA returns no response, but one comes back on Google saying "There are several thousand of domains that only use the IPv4 number 208.91.197.101." So it's probably just some cheap offshore virtual hosting that isn't too fussy about what people put on it. The malware blocks seem to have been for specific domains using that host, and current records seem to indicate that it's not currently blocked.

  One other thing I can suggest is checking your browser extensions, if any. I can't now find it, but earlier on I came across somebody who'd been getting a malware blocker triggered by that IP address, and it stopped when they disabled Colorzilla. That could have been caused if Colorzilla was phoning home and home happened to be on that same shared hosting at a time when it was being used by something dodgy on another domain (yet another example of IP blocking being ineffective or a downright nuisance in some circumstances); maybe something similar is going on here, with some extension using that domain for some purpose and having been cut off.

  One last thing would be to try disabling JavaScript and seeing if that makes the problem go away. If so, it suggests that something is injecting JavaScript into the page which is trying to contact that domain: either something coming from CUK, or something (presumably malware of some kind) on the machine that's encountering the problem, or (just possibly) something being injected by the users' ISP.

  That's all I've got for now.
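A server-side check along the lines of NickFitz's two suggestions (look for a concealed iframe pulling in a third-party domain, and for injected script loaders), added here as an example; it is not code from the thread, from vBulletin or from ContractorUK. The allowlisted hostnames and the sample HTML are assumptions constructed for illustration; an admin would run it over a page saved from their own site.

```python
"""Scan served HTML for concealed iframes and off-site script loaders.

Added example (not from the thread). Feed it the HTML of a page saved from
the site being investigated; anything it reports is worth comparing against
the templates on a clean dev server."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the site legitimately loads from (assumed; edit for your site).
ALLOWED_HOSTS = {"forums.contractoruk.com", "www.contractoruk.com"}

# Inline-style fragments typically used to keep an injected frame out of view.
HIDDEN_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")


class InjectScanner(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []  # (kind, host, src) tuples

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script", "object", "embed"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script etc.; out of scope for this check
        # Relative src has no host; protocol-relative "//host/..." parses as-is.
        host = urlparse(src if "//" in src else "//" + src).hostname
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = any(m in style for m in HIDDEN_MARKERS)
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        offsite = host is not None and host not in self.allowed
        if tag == "iframe" and (hidden or tiny or offsite):
            self.findings.append(("suspicious iframe", host, src))
        elif offsite:
            self.findings.append(("off-site " + tag, host, src))


def scan(html, allowed=ALLOWED_HOSTS):
    """Return the list of findings for one HTML document."""
    p = InjectScanner(allowed)
    p.feed(html)
    return p.findings


# Constructed sample: one legitimate ad frame, one 1x1 frame parked off-screen.
SAMPLE = """<html><body>
<script src="/clientscript/vbulletin.js"></script>
<iframe src="https://www.contractoruk.com/ads" width="300" height="250"></iframe>
<iframe src="http://itstatics.in/" style="position:absolute; left:-9999px;" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, host, src in scan(SAMPLE):
        print(f"{kind}: {host} <- {src}")
```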
- Originally posted by NickFitz:
  > Should have mentioned, I'm on Virgin Media: to be precise, cable broadband (as opposed to their ADSL service) in the part of their network that used to be NTL.
  >
  > Just tried turning off wifi on the iPad and browsing the site via O2 - nothing interesting happened

  Ah, cheers for confirming Nick. I know what you mean, I would be happier if I did see a redirect happening here; at least I would have a better chance of working out what was happening then.

  Originally posted by mudskipper:
  > Similar problems reported last year on the Benzworld site for the same IP
  >
  > Malware in Affiliate Ad - Benzworld.org - Mercedes-Benz Discussion Forum
  >
  > Anybody else noticing their antivirus popping up with alerts for this site? - Benzworld.org - Mercedes-Benz Discussion Forum
  >
  > No resolution though...

  Nice find! Cheers mudskipper. Seems like they found no solution either. Have also run a vBulletin admin script to find suspect files, all clear there. Will try a diff against old template files on the dev server and this one to see if that picks anything up.

  Cheers all for your help, much appreciated.
- MSIE 10, Windows 8, coming from outside the UK.

  No problem seen.

  I have tried both when logged into CUK and when logged out.

  P.S. Also tried with Firefox on OS X and Windows 8, but those have Adblock Plus and NoScript enabled.

  Last edited by Sysman; 9 March 2013, 16:48.
- I'm with BT, not happening with FF, IE and Chrome on two PCs and two VMs (Win & Linux).
- Originally posted by fullyautomatix:
  > Not happening for me. Firefox here with no adblock but have flashblock installed.
  >
  > I am guessing this is a PC being infected issue.

  Possibly - but 3 users and this site only?
- Similar problems reported last year on the Benzworld site for the same IP

  Malware in Affiliate Ad - Benzworld.org - Mercedes-Benz Discussion Forum

  Anybody else noticing their antivirus popping up with alerts for this site? - Benzworld.org - Mercedes-Benz Discussion Forum

  No resolution though...
- Not happening for me. Firefox here with no adblock but have flashblock installed.

  I am guessing this is a PC being infected issue.
- Should have mentioned, I'm on Virgin Media: to be precise, cable broadband (as opposed to their ADSL service) in the part of their network that used to be NTL.

  Just tried turning off wifi on the iPad and browsing the site via O2 - nothing interesting happened.
- Also Virgin Media here - have disabled adblock, no problems.

  Also tried IE with the popup blocker switched off, no problems.

  W7 with FF 19 (FFS!) and IE9.