Runbox blog appears to have been partially hacked

na_mirage · 28 Mar 2013, 02:34 AM

The runbox blog site

seems to be serving up adverts to payday loan sites in the banner.

I assume it isn't intentional. It doesn't inspire confidence....

Geir · 28 Mar 2013, 02:49 PM

There are no ads on our blog.

Are you sure your computer isn't infected with adware?...

- Geir

na_mirage · 28 Mar 2013, 10:32 PM

Quote:

Originally Posted by Geir

There are no ads on our blog.

Are you sure your computer isn't infected with adware?...

- Geir

, you're right of course to suggest that as the most probable reason, but thank you no, no adware here. Kaspersky says I'm up to date and clean and I have no browser extensions installed in either chrome or opera browsers.

Its not displayed when using chrome, looking at the same page using Opera with scripting disabled shows it up. It also shows up using firefox with noscript installed and blocking all scripts on the page.

This is what it looks like in opera

I've copied some of the page source into a pastebin here It looks like its coming out of the google analytics embedded in the page, or possibly the SEO code.

PS - I've just checked using a linux livecd and the ads are embedded in the page source on that system as well, so it looks like its on the runbox end.

gecko · 28 Mar 2013, 10:49 PM

@na_mirage: I cannot confirm this here.
Opera (with adblocking) doesn't show anything the like as on your screenshot.
Nor does Firefox (no adblocking).

Anyway, since the original post gave rise to concern, I would highly value if we could get an authoritative answer from Runbox whether this is a problem on na_mirage's end or whether something is indeed wrong with Runbox.

Above all, please let us users know asap should there be any security problems with our email accounts.

BR,
gecko

na_mirage · 28 Mar 2013, 10:54 PM

I doubt the email accounts are affected or compromised.

It looks like a piece of code a runbox developer has accidentally or intentionally left in, thinking it would never be displayed.

It also looks limited to the blog.runbox.com domain as I'm not seeing anything similar on the other domains.

The original thread title, is a bit too alarmist if all that is the case, I'll try and re-title it if the board will allow me to do that.

** It doesn't look like it it will allow me to retitle the thread, if a mod wants to do this; 'blog.runbox.com serving hidden ads' would be a more appropriate title.

gecko · 28 Mar 2013, 10:59 PM

Quote:

Originally Posted by na_mirage

It also looks limited to the blog.runbox.com domain as I'm not seeing anything similar on the other domains.

As I said, I cannot confirm your observations here, not even at the link to the blog you provided. Just trying to think of a possible cause for what you describe... are there any other sources of the unwanted ads which only affect you? Is it possible that this code is injected somewhere along the way while the web page is being delivered to you? Just wondering, please take no offence.

BR,
gecko

na_mirage · 28 Mar 2013, 11:14 PM

Its possible its being injected by the ISP, but I think its unlikely.

I think the reason why your not seeing it, is because you don't have javascript scripting sufficiently disabled, but instead of messing about with that,

can you just try 'view source' in whichever browser you are using and search for the word 'smoke' or 'paydayloans' and report back if it is there?

gecko · 28 Mar 2013, 11:21 PM

Quote:

Originally Posted by na_mirage

can you just try 'view source' in whichever browser you are using and search for the word 'smoke' or 'paydayloans' and report back if it is there?

Well, unfortunately (in the sense that Runbox has some sort of issue) this I can indeed confirm. There is some JavaScript code in the page source that corroborates your assumptions.

One thing I would like to know though is whether this is new or has been buried there for a while without anyone noticing it!?

BR,
gecko

gecko · 28 Mar 2013, 11:30 PM

BTW, if you search with your favourite search engine for

wordpress pay day

you'll get heaps of hits. Seems to be quite a common problem

.

na_mirage · 28 Mar 2013, 11:41 PM

Hmm, I see what you mean, that looks nasty and pretty widely known

Hopefully Geir will get someone to fix the runbox wordpress installation asap.

kservik · 29 Mar 2013, 09:07 AM

I am looking into this now. Thanks for alerting me, Gecko.

Our email systems are never affected by any of our public web sites. It is on a completely different network and are very secure.

Kim

kservik · 29 Mar 2013, 09:41 AM

I cant find anything and I have taken screenshots with external services and no mention of any "payday loans" in the header.

Kim

kservik · 29 Mar 2013, 09:44 AM

I found it.

kservik · 29 Mar 2013, 10:14 AM

Seems that a plugin had done some nasty stuff. Fixing it now.

Kim

Geir · 29 Mar 2013, 04:21 PM

I was a bit too quick there -- thank you for alerting us and detailing the problem!

We have reinstalled WordPress on our blog server so we should be rid of this nastiness.

As Kim said there was no danger to our email rig at all since they are entirely separate systems.

- Geir

28 Mar 2013, 02:34 AM	#1
na_mirage Member Join Date: Dec 2008 Location: UK Posts: 50	Runbox blog appears to have been partially hacked The runbox blog site seems to be serving up adverts to payday loan sites in the banner. I assume it isn't intentional. It doesn't inspire confidence....

28 Mar 2013, 11:14 PM	#7
na_mirage Member Join Date: Dec 2008 Location: UK Posts: 50	Its possible its being injected by the ISP, but I think its unlikely. I think the reason why your not seeing it, is because you don't have javascript scripting sufficiently disabled, but instead of messing about with that, can you just try 'view source' in whichever browser you are using and search for the word 'smoke' or 'paydayloans' and report back if it is there? Last edited by na_mirage : 29 Mar 2013 at 03:00 AM.

29 Mar 2013, 09:07 AM	#11
kservik Cornerstone of the Community Join Date: Sep 2005 Location: Oslo, Norway Posts: 555 Representative of: Runbox.com	I am looking into this now. Thanks for alerting me, Gecko. Our email systems are never affected by any of our public web sites. It is on a completely different network and are very secure. Kim Last edited by kservik : 29 Mar 2013 at 09:13 AM.

28 Mar 2013, 02:49 PM	#2
Geir The "e" in e-mail Join Date: Sep 2001 Location: Oslo, Norway Posts: 2,938 Representative of: Runbox.com	There are no ads on our blog. Are you sure your computer isn't infected with adware?... - Geir

28 Mar 2013, 10:49 PM	#4
gecko Senior Member Join Date: Feb 2010 Posts: 107	@na_mirage: I cannot confirm this here. Opera (with adblocking) doesn't show anything the like as on your screenshot. Nor does Firefox (no adblocking). Anyway, since the original post gave rise to concern, I would highly value if we could get an authoritative answer from Runbox whether this is a problem on na_mirage's end or whether something is indeed wrong with Runbox. Above all, please let us users know asap should there be any security problems with our email accounts. BR, gecko

28 Mar 2013, 10:54 PM	#5
na_mirage Member Join Date: Dec 2008 Location: UK Posts: 50	I doubt the email accounts are affected or compromised. It looks like a piece of code a runbox developer has accidentally or intentionally left in, thinking it would never be displayed. It also looks limited to the blog.runbox.com domain as I'm not seeing anything similar on the other domains. The original thread title, is a bit too alarmist if all that is the case, I'll try and re-title it if the board will allow me to do that. ** It doesn't look like it it will allow me to retitle the thread, if a mod wants to do this; 'blog.runbox.com serving hidden ads' would be a more appropriate title.

28 Mar 2013, 11:30 PM	#9
gecko Senior Member Join Date: Feb 2010 Posts: 107	BTW, if you search with your favourite search engine for wordpress pay day you'll get heaps of hits. Seems to be quite a common problem .

28 Mar 2013, 11:41 PM	#10
na_mirage Member Join Date: Dec 2008 Location: UK Posts: 50	Hmm, I see what you mean, that looks nasty and pretty widely known Hopefully Geir will get someone to fix the runbox wordpress installation asap.

29 Mar 2013, 09:41 AM	#12
kservik Cornerstone of the Community Join Date: Sep 2005 Location: Oslo, Norway Posts: 555 Representative of: Runbox.com	I cant find anything and I have taken screenshots with external services and no mention of any "payday loans" in the header. Kim

29 Mar 2013, 09:44 AM	#13
kservik Cornerstone of the Community Join Date: Sep 2005 Location: Oslo, Norway Posts: 555 Representative of: Runbox.com	I found it.

29 Mar 2013, 10:14 AM	#14
kservik Cornerstone of the Community Join Date: Sep 2005 Location: Oslo, Norway Posts: 555 Representative of: Runbox.com	Seems that a plugin had done some nasty stuff. Fixing it now. Kim

29 Mar 2013, 04:21 PM	#15
Geir The "e" in e-mail Join Date: Sep 2001 Location: Oslo, Norway Posts: 2,938 Representative of: Runbox.com	I was a bit too quick there -- thank you for alerting us and detailing the problem! We have reinstalled WordPress on our blog server so we should be rid of this nastiness. As Kim said there was no danger to our email rig at all since they are entirely separate systems. - Geir