
·
Registered
Joined
·
292 Posts
Wouldn't be surprised if LinkBucks is actually run by a bunch of snaggers.
After all this is a phishing site.::)
 

·
Registered
Joined
·
121 Posts
If you accessed the site and got the LinkBucks redirect you should definitely run MalwareBytes. I found a bunch of trojans on my PC that I had to clean up. Don't trust Norton or McAfee. Neither of these programs detected the trojans on my PC.
 

·
Registered
Joined
·
63 Posts
If you accessed the site and got the LinkBucks redirect you should definitely run MalwareBytes. I found a bunch of trojans on my PC that I had to clean up. Don't trust Norton or McAfee. Neither of these programs detected the trojans on my PC.
Untrue, as I was on iPhone mobile and it was redirecting me. It is a timer link, then it redirects you.
 

·
Registered
Joined
·
292 Posts
Seems like they injected the redirect again. Unfortunately these idiots are not that easy to remove. If they are doing it remotely they must be watching and somehow seeing an admin password with write access. Your logs might show access from someone strange if this is the case. But most likely they will be spoofing their IP so it will be almost impossible to track. However their Achilles heel is where they redirect the suckers they try to dupe with the phoney web sites. These redirects will show where they want the sucker to send money and it will not be a spoof site.

I suspect there is a hidden routine somewhere other than your bb code. I will run Wireshark on their routines and report them to Google and Microsoft along with whatever server hops they make. Also usually any exe that they try to inject can be disassembled and the actual core sites it pings will show with a full numerical address. Google and Microsoft are starting to cooperate on tracking these guys down and getting them busted. The first step is getting their certs removed and all their phoney sites blacklisted.

EDIT:
This is the line being injected that Wireshark picked up. It is the actual redirect address, and sure enough it is a classic refresh meta redirect.
I will put it in quotes and shut down the auto link so you should be able to easily search for it. It is right after the Facebook section.
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://d8ftc.com/banners/index4.php">\n
The particulars have been sent to Google with a little bit of the log I just did. They are using certs so hopefully they will get yanked and blacklisted for good this time!
 

·
Registered
Joined
·
292 Posts
What is really funny about these LinkBucks idiots is that the hack is riding on a legitimate site! The D-8 Fertilizer Association http://d8ftc.com which is based out of Tehran LOL.

The LinkBucks scams have been hacking different insecure sites on the web since 2009 and are a royal PITA to say the least!
 

·
Registered
Joined
·
3,936 Posts
They did it again. Can get in using the browser on my BB but no go on other devices.

I did a Google search of link bucks and vBulletin as vB has their own forum. Security patches/updates are available but link bucks also has a forum looking for hackers (not as they refer to them) to make money for link bucks.

Interesting read on the first 2 pages I read on google.


Edit....I see it was fixed in the time I was typing.
 

·
Registered
Joined
·
363 Posts
Discussion Starter #14
They did it again. Can get in using the browser on my BB but no go on other devices.

I did a Google search of link bucks and vBulletin as vB has their own forum. Security patches/updates are available but link bucks also has a forum looking for hackers (not as they refer to them) to make money for link bucks.

Interesting read on the first 2 pages I read on google.


Edit....I see it was fixed in the time I was typing.
Already repaired it for now. We have to figure out how they are getting in.
 

·
Registered
Joined
·
363 Posts
Discussion Starter #16
Check the actual vBulletin forum as their admin/tech guys are actively involved in discussions about this as of late.
Thanks Pippen. We know all about that, none of the discussions there helps.

vBulletin needs to come out with a fix.
 

·
Registered
Joined
·
954 Posts
I've noticed when checking the new members' profiles lately that in the "about me" section it is just a bunch of crap with very poor spelling. These new members should be banned right away before even having a chance to gain access to the forum.
 

·
Administrator
Joined
·
3,732 Posts
Certainly a strong indicator but not absolute. I have been deleting just about every one of these profiles with similar m.o.'s but it is impossible to get them all.....we try. :)
 

·
Registered
Joined
·
363 Posts
Discussion Starter #19
I've noticed when checking the new members' profiles lately that in the "about me" section it is just a bunch of crap with very poor spelling. These new members should be banned right away before even having a chance to gain access to the forum.
They aren't gaining access through user accounts.
 

·
Registered
Joined
·
292 Posts
They aren't gaining access through user accounts.
If there is a routine that is timed and triggered to remotely re-inject the meta refresh it should show up as a difference between a clean vBulletin install. Is there no checksum you can run on the install core files? Or at least a readme list of files which includes size parameters. Most server software has this as it is critical to security. It sounds like it is a timed routine that re-injects a straight meta header change that has been injected directly into the vBulletin program files. Or they could be somehow triggering it remotely with some access hole in vBulletin. If you manage to find an altered executable file I am sure that the coders at vBulletin will be able to reverse it to see how it manages to be injected in the first place.
Something similar happened to my wife on our old Windows XP computer that she used to work remotely, but that was years ago. It took me a month to find the problem.
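
The file comparison suggested in the post above, as an added example that is not part of the original thread or vBulletin's own tooling: it hashes every file in a live install against a known-clean copy of the same version and lists any meta refresh tags with their targets. The directory names, file names and the redirect.example URL are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Meta refresh with http-equiv before content, any case or quoting style.
META_REFRESH = re.compile(
    rb"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*"
    rb"content\s*=\s*[\"'][^\"'>]*url\s*=\s*([^\"'>\s]+)", re.IGNORECASE)

def read_tree(root):
    """Map each file path (relative to root, '/'-separated) to its bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def diff_install(clean_root, live_root):
    """Compare a live install with a known-clean copy of the same version."""
    def digests(root):
        return {p: hashlib.sha256(b).hexdigest() for p, b in read_tree(root).items()}
    clean, live = digests(clean_root), digests(live_root)
    return {
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }

def find_meta_refresh(root):
    """Return (path, redirect target) for every meta refresh tag under root."""
    return sorted((path, m.group(1).decode("ascii", "replace"))
                  for path, data in read_tree(root).items()
                  for m in META_REFRESH.finditer(data))

def demo():
    """Constructed sample: clean tree vs. live tree with one tampered file."""
    def write(root, rel, text):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            write(root, "index.php", "<?php require 'includes/init.php';\n")
            write(root, "includes/init.php", "<?php // bootstrap\n")
        write(live, "includes/init.php", "<?php // bootstrap\n"
              '<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://redirect.example/x.php">\n')
        write(live, "includes/extra.php", "<?php // not in the clean copy\n")
        return diff_install(clean, live), find_meta_refresh(live)

if __name__ == "__main__":
    print(demo())
```

The comparison only means something against a fresh unpack of the exact version that is installed, and it does not cover content held in the forum database.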
 