Vroom

Warning for IPB owners

I just noticed three of my IPB sites had been compromised at the end of May (around the 24th), so I would like to give you guys a warning to check in case you may have been affected as well.

I noticed for the last couple months my adsense page views had dropped in half (exactly in half). At first I thought it was due to the google mobile updates. But after checking my analytics data I was still getting the same number of page views as before, only my adsense page views were down by half. After upgrading to 4.0 I saw my adsense page views instantly went back up to the regular 100%. Then I did a couple tests, going back to the 3.4 version for a day, then the 4.0 version for a day, to see what happened to the adsense views. As I suspected, it would instantly revert to 50% adsense page views when I went back to 3.4 (I have the two versions in separate folders which I can rename to choose which version is live).

So the attack seems to inject their own ad code into 50% of the page views, but otherwise leave your site identical. I suspect they also do some check against IPs that access the admin CP, or perhaps against user ranks, and don't show their ads for such users. So if I check the site myself I always see my own ads and don't suspect anything.

If anyone else had this experience, please let me know.

Edited by Vroom

Guest

How were they able to compromise your site?


I am still looking into what is happening and how they are doing it, but probably they just searched for the copyright text in google or something like that, found an IPS board, and used an exploit. It's possible I was a day or two late on an upgrade around that time frame.

Guest

I would suggest if you find what happened, and it wasn't one of the previously patched issues for 3.4.x, submit a ticket and our security department will evaluate it.


I don't really follow the logic of the original post. You seem to be saying that because your adsense views are down and when you view your own site it looks normal that the most logical conclusion is a hack that hijacks adsense views and goes to the trouble of masking itself if a registered user looks at a page? That's quite a leap! :o Is there any tampering you've found at all or is this all based on adsense views?

My adsense earnings dropped significantly for a few weeks after upgrade to IPS4 but they are back to normal now (adsense likes content that changes infrequently, jumping from version to version for a day or two will skew your results). And because IPS4 shows ads much better in mobile view as well that part is improved. Just make sure you change all your ads to the google responsive type or you won't be getting the benefit. Mobile views alone could account for a large difference in the number of ad views when you go back to v3.


It is like this:

New install (4.0), adsense views = 12,000 per day. analytics views = 12,000 per day.

Old install (3.4), adsense views = 6,000 per day. analytics views = 12,000 per day.

Both installs use the same URLs, topics, posts, etc.

I can switch back and forth between both versions in a few seconds, so I have tested this over many days back and forth. As soon as I switch back to 3.4, the adsense views drop by 50%, but analytics views remain the same (over a 24 hour test period). And as soon as I switch to the clean 4.0 the adsense views go back up to 100% and analytics views remain the same at 100%.

Checking through my stats I can see the drop sometime in May.

Also, I have this same problem on three different sites.

I am in the process of testing various things, like disabling all plugins, testing on new refreshed default theme, testing with newly uploaded files of 3.4, etc., to try to pinpoint what is exploited. But it takes a few days to run proper tests on each aspect.

Edited by Vroom


If you think someone changed your code, can you find the modified adsense code? If the publisher ID is not yours then you'll know for sure (and you could report it to Google)


I follow with interest this discussion, because over the last months I have noticed a significant decrease in AdSense. I still use the IPB 3.4 on the live forum.


It is like this:

New install (4.0), adsense views = 12,000 per day. analytics views = 12,000 per day.

Old install (3.4), adsense views = 6,000 per day. analytics views = 12,000 per day.

Both installs use the same URLs, topics, posts, etc.

I can switch back and forth between both versions in a few seconds, so I have tested this over many days back and forth. As soon as I switch back to 3.4, the adsense views drop by 50%, but analytics views remain the same (over a 24 hour test period). And as soon as I switch to the clean 4.0 the adsense views go back up to 100% and analytics views remain the same at 100%.

Checking through my stats I can see the drop sometime in May.

Also, I have this same problem on three different sites.

I am in the process of testing various things, like disabling all plugins, testing on new refreshed default theme, testing with newly uploaded files of 3.4, etc., to try to pinpoint what is exploited. But it takes a few days to run proper tests on each aspect.

What version of 3.4 are you using?


Are you sure this isn't something more straightforward than you think? Maybe 50% of your visitors are using mobiles, and your mobile skin on 3.4 doesn't have ads?

If 50% of your ads are really being loaded from elsewhere, then it should be simple enough to see what's happening by loading pages and digging into the code to see where the ads are loading from? 

Edited by Dll

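An added example, not written by anyone in this thread: the two checks suggested in the replies above (compare the publisher ID in the served ad code with your own, and see where ad scripts load from) applied to saved copies of pages. The publisher IDs, hostnames, script allowlist and sample HTML are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PUB_ID = re.compile(r"\bca-pub-\d+\b")
# Assumption: the only third-party hosts this site should load scripts from.
ALLOWED_HOSTS = {"pagead2.googlesyndication.com", "www.google-analytics.com"}

class ScriptHosts(HTMLParser):
    """Collects the host of every external <script src=...> on a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if tag == "script" and src else None
        if host:                      # relative URLs have no host: same origin
            self.hosts.add(host)

def classify(html, my_pub_id, own_host):
    """Return (verdict, foreign publisher IDs, unexpected script hosts)."""
    ids = set(PUB_ID.findall(html))
    parser = ScriptHosts()
    parser.feed(html)
    foreign = sorted(ids - {my_pub_id})
    odd_hosts = sorted(parser.hosts - ALLOWED_HOSTS - {own_host})
    if foreign or odd_hosts:
        return "tampered", foreign, odd_hosts
    if my_pub_id not in ids:
        return "no-ads", [], []       # e.g. a skin that carries no ad unit
    return "ok", [], []

# Constructed sample pages; publisher IDs, hosts and paths are placeholders.
MY_ID, OWN = "ca-pub-1111111111111111", "forum.example.org"
LOADER = '<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>'
SAMPLES = {
    "desktop-1": LOADER + f'<ins class="adsbygoogle" data-ad-client="{MY_ID}"></ins>',
    "desktop-2": LOADER + '<ins class="adsbygoogle" data-ad-client="ca-pub-2222222222222222"></ins>',
    "desktop-3": '<script src="http://ads.example.net/show.js"></script>',
    "mobile-1": '<script src="/public/js/ipb.js"></script><p>topic list</p>',
}

def audit(samples=SAMPLES):
    """Classify every saved page; returns {label: (verdict, ids, hosts)}."""
    return {label: classify(html, MY_ID, OWN) for label, html in samples.items()}

if __name__ == "__main__":
    for label, result in audit().items():
        print(label, *result)
```

A "no-ads" verdict matches the mobile-skin explanation, while "tampered" matches the injection theory. Because the first post suspects the injected code hides from admin IPs and certain user ranks, the saved pages should come from many logged-out requests made from a network that never touches the admin CP.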

Are you sure this isn't something more straightforward than you think? Maybe 50% of your visitors are using mobiles, and your mobile skin on 3.4 doesn't have ads?

If 50% of your ads are really being loaded from elsewhere, then it should be simple enough to see what's happening by loading pages and digging into the code to see where the ads are loading from? 

Ding ding ding!

Could be it. I'd like to think so anyway, and that is good news for 4.0. ;)


I know about a working exploit for the latest 3.4 version but that has nothing to do with ad code changes. It's more or less an object insertion.

If you know about a working exploit for the latest 3.4 branch release, have you reported it to IPS? If not, please do.

(Submit a support ticket obviously, don't post it here.)

Edited by Kirito

