
Is it just me or is Itstics popping up for everyone?


    #21
    Similar problems reported last year on the Benzworld site for the same IP

    Malware in Affiliate Ad - Benzworld.org - Mercedes-Benz Discussion Forum

    Anybody else noticing their antivirus popping up with alerts for this site? - Benzworld.org - Mercedes-Benz Discussion Forum

    No resolution though...



      #22
      Originally posted by fullyautomatix View Post
      Not happening for me. Firefox here with no adblock but have flashblock installed.

      I am guessing this is a PC being infected issue.
      Possibly - but 3 users and this site only?



        #23
        I'm with BT, not happening with FF, IE and Chrome on two PCs and two VMs (Win & Linux)
        Me, me, me...



          #24
          MSIE 10, Windows 8, coming from outside the UK.

          No problem seen.

          I have tried both when logged into CUK and when logged out.

          P.S. Also tried with Firefox on OS X and Windows 8, but those have Adblock Plus and NoScript enabled.
          Last edited by Sysman; 9 March 2013, 16:48.
          Behold the warranty -- the bold print giveth and the fine print taketh away.



            #25
            Originally posted by NickFitz View Post
            Should have mentioned, I'm on Virgin Media: to be precise, cable broadband (as opposed to their ADSL service) in the part of their network that used to be NTL.

            Just tried turning off wifi on the iPad and browsing the site via O2 - nothing interesting happened
            Ah, cheers for confirming Nick. I know what you mean, I would be happier if I did see a redirect happening here, at least would have a better chance of working out what was happening then

            Nice find! Cheers mudskipper. Seems like they found no solution either. Have also run a vBulletin admin script to find suspect files, all clear there. Will try a diff against old template files on the dev server and this one to see if that picks anything up.

            Cheers all for your help, much appreciated.



              #26
              Some possibly pertinent information: I had another look at redgiant's thread in Technical; from the screenshot there the domain redirected to appears to be itstatics.in. Looking that up shows the owner to be a chap in Moscow.

              The interesting thing is that the domain was registered on 5 March 2012, and last modified late on 5 March 2013. redgiant started his/her thread about it on 6 March 2013. The domain itself doesn't expire until 5 March 2014, although its status is AUTORENEWPERIOD which indicates that it's been tentatively extended by the registrar, giving the registrant a period to properly renew. (The registrar is Directi Web Services, who as far as I can tell are based in Mumbai.)

              So it started causing trouble at the time that the registrar redirected it when the registration expired.

              If you go to the site, it's one of those domain holding pages, and states that the domain is expired. That page itself seems quite legit and doesn't have anything untoward on it, although that's to be expected as an ICANN-accredited registrar wouldn't risk their status by deliberately hosting crap on their own pages.

              So the implication is that the domain was originally registered by this chap in Moscow, who has now let it expire; the registrar is redirecting it to their expiry-message-with-ads page, at least in the short term; and somehow this is causing the browsers of our unfortunate victims to show that page in a new window or tab or whatever. (Actually I'm unclear on that: is it appearing instead of CUK, i.e. redirecting the same window, or in a new window/tab?)

              The fact that it didn't do this until after the domain expired suggests that any such HTTP requests before weren't returning anything that could be displayed, such as a 204 No Content response. How it causes it to open a new window/tab (if that's what's happening) is a different question.

              Google's cache doesn't have anything for the root of that domain, nor has it indexed any content from it, nor any links to it, nor anywhere that mentions it. (Expect that to change within minutes of me posting this)

              The IP address 208.91.197.101 is associated with the domain via the DNS records:

              Code:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54896
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
              
              ;; QUESTION SECTION:
              ;itstatics.in.			IN	ANY
              
              ;; ANSWER SECTION:
              itstatics.in.		300	IN	PTR	dns.parkpage.foundationapi.com.
              itstatics.in.		300	IN	TXT	"v=spf1 a -all"
              itstatics.in.		300	IN	A	208.91.197.101
              itstatics.in.		300	IN	SOA	dns.parkpage.foundationapi.com. abuse.opticaljungle.com. 2011062801 3600 900 604800 86400
              itstatics.in.		300	IN	NS	dns.parkpage.foundationapi.com.
              itstatics.in.		300	IN	NS	dns2.parkpage.foundationapi.com.

              Visiting that IP address directly results in a redirect to searchtermresults.com. Repeating that with the Host header altered to itstatics.in ultimately returns the "expired domain" page (via some redirect shenanigans, which seemed innocuous). FWIW, here's the tail end of a traceroute to that address:

              Code:
               7  tcl3-ic-1-ae0-0.network.virginmedia.net (212.43.163.198)  25.459 ms  20.494 ms  20.290 ms
               8  ldn-b2-link.telia.net (213.248.93.69)  17.336 ms  16.854 ms  15.840 ms
               9  ldn-bb1-link.telia.net (80.91.250.225)  16.422 ms  13.913 ms  16.539 ms
              10  nyk-bb1-link.telia.net (213.155.135.69)  86.264 ms  98.419 ms  87.544 ms
              11  dls-bb1-link.telia.net (213.155.133.177)  126.358 ms  138.306 ms  128.323 ms
              12  giganews-ic-300068-dls-bb1.c.telia.net (62.115.11.166)  132.155 ms  133.627 ms  133.209 ms
              13  209-99-48-54.fwd.datafoundry.com (209.99.48.54)  138.153 ms  136.976 ms  135.792 ms
              14  208.91.197.101 (208.91.197.101)  137.975 ms  138.342 ms  136.574 ms

              The IP address itself appears in Google search results in various roles: being owned by Confluence Networks Inc. and hosted in the British Virgin Islands, being blocked for malware, being a Minecraft server. A reverse-DNS lookup from my location and from an EC2 server in Virginia, USA returns no response, but one comes back on Google saying "There are several thousand of domains that only use the IPv4 number 208.91.197.101." So it's probably just some cheap offshore virtual hosting that isn't too fussy about what people put on it. The malware blocks seem to have been for specific domains using that host and current records seem to indicate that it's not currently blocked.

              One other thing I can suggest is checking your browser extensions, if any. I can't now find it, but earlier on I came across somebody who'd been getting a malware blocker triggered by that IP address, and it stopped when they disabled Colorzilla. That could have been caused if Colorzilla was phoning home and home happened to be on that same shared hosting at a time when it was being used by something dodgy on another domain (yet another example of IP blocking being ineffective or a downright nuisance in some circumstances); maybe something similar is going on here, with some extension using that domain for some purpose and having been cut off.

              One last thing would be to try disabling JavaScript and seeing if that makes the problem go away. If so, it suggests that something is injecting JavaScript into the page which is trying to contact that domain: either something coming from CUK, or something (presumably malware of some kind) on the machine that's encountering the problem, or (just possibly) something being injected by the users' ISP.

              That's all I've got for now



                #27
                One further thought: the expired domain page contains some frame-busting JS. If it's appearing in the same window/tab then it implies that a concealed iframe is being inserted in the page (by whatever means), which could fly under the radar when the domain was returning whatever used to be hosted there, but is now exposed by the frame-busting.

                On one of the occasions when my WordPress installation got hacked I noticed it because, although the page appeared normally, the browser's loading indicator kept going for a while afterwards. It turned out the hack had inserted a hidden iframe, which was loading the extremely image-heavy home page of a Russian porn site. I assume the owner thereof was getting ad revenue based on pageviews, and realised it wasn't necessary for anybody to actually view the site as long as browsers were loading it.

                This could be the leftovers of a similar hack. The question then is whether the iframe is being injected via CUK or at the user's end. To those affected, I'd suggest double-checking your browser plugins and extensions. It does seem odd that it's only CUK though. Maybe check out some other vBulletin-based forums and see if they show the problem, in case it's something exotic like malware that only injects stuff if it detects a vBulletin site? Sounds odd, I know, but stranger things have happened.

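The two checks suggested in the posts above (look for a concealed iframe in the served page, and notice when a third-party host a page pulls from has lapsed into registrar parking), written up as an added example that is not part of this thread or of vBulletin's own code. It scans a page's HTML for iframes that are zero-sized, styled away or pushed off-screen, lists every external script/iframe/img host, and flags hosts whose nameservers belong to a parking service, which is exactly how itstatics.in shows up in the dig output quoted above. The page host, sample HTML and the nameserver data are constructed stand-ins (the itstatics.in entry mirrors the dig output; the rest is made up); the one parking suffix listed is taken from that dig output.

```python
"""Check a served page for concealed iframes and third-party resource hosts,
then flag any host whose nameservers belong to a domain-parking service.

Added example for this thread: not code from ContractorUK or vBulletin.
PAGE_HOST, SAMPLE_HTML and SAMPLE_NS are constructed stand-ins for the
real page and for what `dig <host> NS` would return.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Nameserver suffixes that indicate a parked/expired domain. The entry below
# is from the dig output quoted in the thread; extend the tuple as needed.
PARKING_NS_SUFFIXES = ("parkpage.foundationapi.com",)

# Inline styles that hide an element or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)


def _pixels(value):
    """Parse a width/height attribute such as '0' or '1px'; None if not a pixel count."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None


def is_concealed(attrs):
    """True if an iframe's attributes make it effectively invisible to the user."""
    a = dict(attrs)
    w, h = _pixels(a.get("width")), _pixels(a.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return bool(HIDDEN_STYLE.search(a.get("style") or ""))


class ResourceCollector(HTMLParser):
    """Collect external src hosts and concealed iframes from one HTML page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.external_hosts = set()
        self.concealed_iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("script", "iframe", "img") and src:
            host = urlparse(src).hostname
            if host and host.lower() != self.page_host:
                self.external_hosts.add(host.lower())
        if tag == "iframe" and is_concealed(attrs):
            self.concealed_iframes.append(src or "")


def parent_zones(host):
    """Yield the host and each parent zone, so NS records match at any level."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def parked_hosts(hosts, ns_records):
    """Return the hosts whose zone is served by a known parking nameserver."""
    parked = set()
    for host in hosts:
        for zone in parent_zones(host):
            for ns in ns_records.get(zone, ()):
                if ns.rstrip(".").lower().endswith(PARKING_NS_SUFFIXES):
                    parked.add(host)
    return parked


def scan_report(html, page_host, ns_records):
    """Run both checks and return the findings as a dict."""
    collector = ResourceCollector(page_host)
    collector.feed(html)
    return {
        "concealed_iframes": collector.concealed_iframes,
        "external_hosts": collector.external_hosts,
        "parked_hosts": parked_hosts(collector.external_hosts, ns_records),
    }


# Constructed sample: a forum page carrying one zero-size iframe that points at
# the domain discussed in the thread.
PAGE_HOST = "www.example-forum.test"
SAMPLE_HTML = """<html><body>
<script src="https://www.example-forum.test/clientscript/vbulletin_global.js"></script>
<div id="content">forum content</div>
<img src="https://cdn.example-forum.test/logo.png" alt="logo">
<iframe src="http://itstatics.in/" width="0" height="0" style="border:0"></iframe>
</body></html>"""

# Constructed NS data; the itstatics.in entry mirrors the dig output above.
SAMPLE_NS = {
    "itstatics.in": ["dns.parkpage.foundationapi.com.", "dns2.parkpage.foundationapi.com."],
    "example-forum.test": ["ns1.example-forum.test."],
}

if __name__ == "__main__":
    for key, value in scan_report(SAMPLE_HTML, PAGE_HOST, SAMPLE_NS).items():
        print(f"{key}: {sorted(value)}")
```

Run against the HTML a browser actually receives (a saved page, or the output of fetching the forum URL), not against the template files on disk: an injection that lives in a plugin, a database-stored template or the web server itself only shows up in the served page. The nameserver check is what turns a "mysterious redirect" into an explanation: a host that used to answer with nothing visible now answers with a registrar's parking page, and a frame-busting script on that page will pull the whole tab along with it.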


                  #28
                  Originally posted by bless 'em all View Post
                  I'm logged in all the time - just seen my new malware blocker stopped the divert.

                  The scan didn't return any results and the issue does not affect any other sites.
                  What malware blocker are you using bless 'em all?
                  "I can put any old tat in my sig, put quotes around it and attribute to someone of whom I've heard, to make it sound true."
                  - Voltaire/Benjamin Franklin/Anne Frank...



                    #29
                    Originally posted by NickFitz View Post
                    Some possibly pertinent information: I had another look at redgiant's thread in Technical; from the screenshot there the domain redirected to appears to be itstatics.in. Looking that up shows the owner to be a chap in Moscow.
                    [...]
                    Whatcha talkin bout Willis - YouTube

                    What happens in General, stays in General.
                    You know what they say about assumptions!



                      #30
                      Originally posted by cojak View Post
                      What malware blocker are you using bless 'em all?
                      Malwarebytes.

                      S'free.
