Previously on "Is it just me or is Itstics popping up for everyone?"
-
Something very similar seems to be happening again, but not as often as it used to before.
-
Originally posted by cojak: What malware blocker are you using, bless 'em all?
S'free.
-
Originally posted by NickFitz: Some possibly pertinent information: I had another look at redgiant's thread in Technical; from the screenshot there the domain redirected to appears to be itstatics.in. Looking that up shows the owner to be a chap in Moscow.
-
One further thought: the expired domain page contains some frame-busting JS. If it's appearing in the same window/tab then it implies that a concealed iframe is being inserted in the page (by whatever means), which could fly under the radar when the domain was returning whatever used to be hosted there, but is now exposed by the frame-busting.
On one of the occasions when my WordPress installation got hacked I noticed it because, although the page appeared normally, the browser's loading indicator kept going for a while afterwards. It turned out the hack had inserted a hidden iframe, which was loading the extremely image-heavy home page of a Russian porn site. I assume the owner thereof was getting ad revenue based on pageviews, and realised it wasn't necessary for anybody to actually view the site as long as browsers were loading it.
This could be the leftovers of a similar hack. The question then is whether the iframe is being injected via CUK or at the user's end. To those affected, I'd suggest double-checking your browser plugins and extensions. It does seem odd that it's only CUK though. Maybe check out some other vBulletin-based forums and see if they show the problem, in case it's something exotic like malware that only injects stuff if it detects a vBulletin site? Sounds odd, I know, but stranger things have happened.
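As an added example (not code posted in the thread), the following Python script checks a saved copy of a page for the concealed-iframe pattern described in the post above: frames that are zero-sized, inside a `display:none` container, or positioned off-screen, and which load content from a host other than the page's own. The sample page and every hostname in it are constructed placeholders; the hiding heuristics are this example's own assumptions about what "concealed" means, and the script never fetches anything, so it can be run against a page source captured from the browser's "view source" or a proxy.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary embed and three concealed frames of the kinds
# described above (zero-sized, inside display:none, pushed off-screen). The hostnames
# are placeholders, not anything from the thread.
SAMPLE_HTML = """
<html><body>
<h1>Forum index</h1>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://expired-domain.invalid/" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="http://another.invalid/track"></iframe></div>
<iframe src="/local/frame" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

# Inline-style patterns that take an element out of view (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)
# Elements with no closing tag, so they must not be pushed on the ancestor stack.
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "source"}


def _is_zero(value):
    """True for width/height attribute values of 0 (or 0px)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 0
    except ValueError:
        return False


class IframeCollector(HTMLParser):
    """Collect every <iframe> together with the reasons, if any, it would be invisible."""

    def __init__(self):
        super().__init__()
        self.hidden_ancestors = []   # one bool per currently open element
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or "")) or "hidden" in a
        if tag == "iframe":
            reasons = []
            if _is_zero(a.get("width") or "") or _is_zero(a.get("height") or ""):
                reasons.append("zero-size")
            if hidden_here:
                reasons.append("hidden-style")
            if any(self.hidden_ancestors):
                reasons.append("hidden-ancestor")
            self.iframes.append({"src": a.get("src") or "", "reasons": reasons})
        if tag not in VOID_TAGS:
            self.hidden_ancestors.append(hidden_here)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_ancestors:
            self.hidden_ancestors.pop()


def concealed_iframes(html):
    """Return the iframes a user would not see, each with its src and the reasons."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return [f for f in parser.iframes if f["reasons"]]


def external_frame_hosts(html, page_host):
    """Hostnames of concealed frames that load from somewhere other than the page itself."""
    hosts = set()
    for f in concealed_iframes(html):
        host = urlparse(f["src"]).hostname
        if host and host != page_host:
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    for f in concealed_iframes(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
    print("external hosts:", external_frame_hosts(SAMPLE_HTML, "forum.example.com"))
```

Comparing the output for a page source captured on an affected machine with one captured on a machine that does not show the problem is a quick way to settle the question raised above: a frame present in both copies points at the site, one present only on the affected machine points at something local (an extension, or something on the path to the user).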
-
Some possibly pertinent information: I had another look at redgiant's thread in Technical; from the screenshot there the domain redirected to appears to be itstatics.in. Looking that up shows the owner to be a chap in Moscow.
The interesting thing is that the domain was registered on 5 March 2012, and last modified late on 5 March 2013. redgiant started his/her thread about it on 6 March 2013. The domain itself doesn't expire until 5 March 2014, although its status is AUTORENEWPERIOD which indicates that it's been tentatively extended by the registrar, giving the registrant a period to properly renew. (The registrar is Directi Web Services, who as far as I can tell are based in Mumbai.)
So it started causing trouble at the time that the registrar redirected it when the registration expired.
If you go to the site, it's one of those domain holding pages, and states that the domain is expired. That page itself seems quite legit and doesn't have anything untoward on it, although that's to be expected as an ICANN-accredited registrar wouldn't risk their status by deliberately hosting crap on their own pages.
So the implication is that the domain was originally registered by this chap in Moscow, who has now let it expire; the registrar is redirecting it to their expiry-message-with-ads page, at least in the short term; and somehow this is causing the browsers of our unfortunate victims to show that page in a new window or tab or whatever. (Actually I'm unclear on that: is it appearing instead of CUK, i.e. redirecting the same window, or in a new window/tab?)
The fact that it didn't do this until after the domain expired suggests that any such HTTP requests before weren't returning anything that could be displayed, such as a 204 No Content response. How it causes it to open a new window/tab (if that's what's happening) is a different question.
Google's cache doesn't have anything for the root of that domain, nor has it indexed any content from it, nor any links to it, nor anywhere that mentions it. (Expect that to change within minutes of me posting this.)
The IP address 208.91.197.101 is associated with the domain via the DNS records:
Code:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54896
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;itstatics.in.                  IN      ANY
;; ANSWER SECTION:
itstatics.in.           300     IN      PTR     dns.parkpage.foundationapi.com.
itstatics.in.           300     IN      TXT     "v=spf1 a -all"
itstatics.in.           300     IN      A       208.91.197.101
itstatics.in.           300     IN      SOA     dns.parkpage.foundationapi.com. abuse.opticaljungle.com. 2011062801 3600 900 604800 86400
itstatics.in.           300     IN      NS      dns.parkpage.foundationapi.com.
itstatics.in.           300     IN      NS      dns2.parkpage.foundationapi.com.
Code:
 7  tcl3-ic-1-ae0-0.network.virginmedia.net (212.43.163.198)  25.459 ms  20.494 ms  20.290 ms
 8  ldn-b2-link.telia.net (213.248.93.69)  17.336 ms  16.854 ms  15.840 ms
 9  ldn-bb1-link.telia.net (80.91.250.225)  16.422 ms  13.913 ms  16.539 ms
10  nyk-bb1-link.telia.net (213.155.135.69)  86.264 ms  98.419 ms  87.544 ms
11  dls-bb1-link.telia.net (213.155.133.177)  126.358 ms  138.306 ms  128.323 ms
12  giganews-ic-300068-dls-bb1.c.telia.net (62.115.11.166)  132.155 ms  133.627 ms  133.209 ms
13  209-99-48-54.fwd.datafoundry.com (209.99.48.54)  138.153 ms  136.976 ms  135.792 ms
14  208.91.197.101 (208.91.197.101)  137.975 ms  138.342 ms  136.574 ms
One other thing I can suggest is checking your browser extensions, if any. I can't now find it, but earlier on I came across somebody who'd been getting a malware blocker triggered by that IP address, and it stopped when they disabled Colorzilla. That could have been caused if Colorzilla was phoning home and home happened to be on that same shared hosting at a time when it was being used by something dodgy on another domain (yet another example of IP blocking being ineffective or a downright nuisance in some circumstances); maybe something similar is going on here, with some extension using that domain for some purpose and having been cut off.
One last thing would be to try disabling JavaScript and seeing if that makes the problem go away. If so, it suggests that something is injecting JavaScript into the page which is trying to contact that domain: either something coming from CUK, or something (presumably malware of some kind) on the machine that's encountering the problem, or (just possibly) something being injected by the users' ISP.
That's all I've got for now.
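As an added Python example (not code from the thread), here is a small parser for dig output of the kind quoted in the post above that pulls the answer records apart by type and flags the parked-domain signature the records show: NS, SOA and PTR all pointing at a registrar parking service. The input is the DNS output from the post, embedded as a constructed sample; the "parkpage" marker used to recognise parking is an assumption taken from those names, not a general-purpose list.

```python
import re
from collections import defaultdict

# Constructed sample: the dig output quoted in the post above, one record per line.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54896
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;itstatics.in. IN ANY
;; ANSWER SECTION:
itstatics.in. 300 IN PTR dns.parkpage.foundationapi.com.
itstatics.in. 300 IN TXT "v=spf1 a -all"
itstatics.in. 300 IN A 208.91.197.101
itstatics.in. 300 IN SOA dns.parkpage.foundationapi.com. abuse.opticaljungle.com. 2011062801 3600 900 604800 86400
itstatics.in. 300 IN NS dns.parkpage.foundationapi.com.
itstatics.in. 300 IN NS dns2.parkpage.foundationapi.com.
"""

# owner  TTL  class  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

# Assumption: name fragments that identify a registrar parking service. "parkpage"
# is taken from the NS/SOA/PTR names in the output above; extend as needed.
PARKING_MARKERS = ("parkpage",)


def parse_answer_section(text):
    """Return {rrtype: [rdata, ...]} for the records in dig's ANSWER SECTION."""
    records = defaultdict(list)
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer section
            in_answer = False
            continue
        if not in_answer or not line:
            continue
        m = RR_LINE.match(line)
        if m:
            _owner, _ttl, rrtype, rdata = m.groups()
            records[rrtype].append(rdata)
    return dict(records)


def parking_signals(records):
    """List the delegation, SOA and PTR records that point at a known parking service."""
    signals = []
    for rrtype in ("NS", "SOA", "PTR"):
        for rdata in records.get(rrtype, []):
            if any(marker in rdata for marker in PARKING_MARKERS):
                signals.append(f"{rrtype} {rdata}")
    return signals


def summarise(text):
    """Parse dig output and report addresses plus whether the domain looks parked."""
    records = parse_answer_section(text)
    signals = parking_signals(records)
    return {
        "a_records": records.get("A", []),
        "nameservers": records.get("NS", []),
        "parked": bool(signals),
        "signals": signals,
    }


if __name__ == "__main__":
    for key, value in summarise(DIG_OUTPUT).items():
        print(f"{key}: {value}")
```

The A record is the weakest of the four signals: as the post notes, a parking or shared-hosting address such as 208.91.197.101 serves many unrelated domains, so an IP-based blocker alert says little on its own, whereas the NS and SOA records say whose infrastructure is answering for the name right now.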
-
Originally posted by NickFitz: Should have mentioned, I'm on Virgin Media: to be precise, cable broadband (as opposed to their ADSL service) in the part of their network that used to be NTL.
Just tried turning off wifi on the iPad and browsing the site via O2 - nothing interesting happened.
Originally posted by mudskipper: Similar problems reported last year on the Benzworld site for the same IP
Malware in Affiliate Ad - Benzworld.org - Mercedes-Benz Discussion Forum
Anybody else noticing their antivirus popping up with alerts for this site? - Benzworld.org - Mercedes-Benz Discussion Forum
No resolution though...
Cheers all for your help, much appreciated.
-
MSIE 10, Windows 8, coming from outside the UK.
No problem seen.
I have tried both when logged into CUK and when logged out.
P.S. Also tried with Firefox on OS X and Windows 8, but those have Adblock Plus and NoScript enabled.
Last edited by Sysman; 9 March 2013, 16:48.
-
I'm with BT, not happening with FF, IE and Chrome on two PCs and two VMs (Win & Linux).
-
Originally posted by fullyautomatix: Not happening for me. Firefox here with no adblock but have flashblock installed.
I am guessing this is a PC being infected issue.
-
Similar problems reported last year on the Benzworld site for the same IP
Malware in Affiliate Ad - Benzworld.org - Mercedes-Benz Discussion Forum
Anybody else noticing their antivirus popping up with alerts for this site? - Benzworld.org - Mercedes-Benz Discussion Forum
No resolution though...
-
Not happening for me. Firefox here with no adblock but have flashblock installed.
I am guessing this is a PC being infected issue.
-
Should have mentioned, I'm on Virgin Media: to be precise, cable broadband (as opposed to their ADSL service) in the part of their network that used to be NTL.
Just tried turning off wifi on the iPad and browsing the site via O2 - nothing interesting happened.
-
Also VirginMedia here - have disabled adblock, no problems.
Also tried IE with the popup blocker switched off, no problems.
W7 with FF 19 (FFS!) and IE9