Malware detected?

Postby Lawnboy » Tue Apr 08, 2014 7:30 am

Has anyone else seen this while using Google Chrome? It wasn't there a few hours ago. It keeps popping up whenever I click a link involving this site.
Attachment: Clipboard01.jpg (61.81 KiB)
Lawnboy
Just nod and pretend you understand me
 
Posts: 285
Joined: Sat Dec 06, 2008 1:02 am
Location: North Brookfield, MA, USA

Postby M3DVQ » Tue Apr 08, 2014 8:20 am

Getting the same on Firefox.
M3DVQ
Just nod and pretend you understand me
 
Posts: 338
Joined: Sat Feb 10, 2007 10:52 am
Location: Lincolnshire

Postby Steve Anderson » Tue Apr 08, 2014 11:41 am

....and Firefox on Linux too...I'll give Andrew a prod...but I'm sure whatever it may be it hasn't originated here.

Steve A.
Attachments: Screenshot from 2014-04-08 07_31_51.jpg (35.96 KiB), Screenshot from 2014-04-08 07_27_12.jpg (39.68 KiB)
Steve Anderson
"Fester! Don't do that to 'Thing'"
 
Posts: 5360
Joined: Fri Mar 30, 2007 10:54 pm
Location: Bangkok, Thailand

malware warning - NBTV forum

Postby Andrew Davie » Tue Apr 08, 2014 1:39 pm

I am aware of the malware warnings. The forum pages were hacked, and included a link to a malware site. I have manually removed these links, and notified all forum members by email notification. Please scan your computer for malware/viruses, particularly if you have visited this site on or since 05/April to 08/April 2014 inclusive.
My apologies; I have taken all steps I can to prevent; particularly, changing site passwords and checking all pages for the malware link. I believe things are OK now, but if you see warnings from Google/browser please take heed. Things should settle down in a few days and we'll be back to normal.
Cheers
A
Andrew Davie
"Gomez!", "Oh Morticia."
 
Posts: 1590
Joined: Wed Jan 24, 2007 4:42 pm
Location: Queensland, Australia

Postby Steve Anderson » Tue Apr 08, 2014 7:36 pm

As of 0830 UTC/GMT the warnings have gone away - at least here. In the meantime I have totally restarted my PC and no warnings.

Interesting to note I deleted/banned a member on the 4th whose IP address was 173.193.202.*, spamming new kitchens - I wonder if there's any connection?

Steve A.
Steve Anderson
"Fester! Don't do that to 'Thing'"
 
Posts: 5360
Joined: Fri Mar 30, 2007 10:54 pm
Location: Bangkok, Thailand

Re: Malware detected?

Postby Andrew Davie » Tue Apr 08, 2014 11:52 pm

Now definitively fixed with the new forum software installation.
Andrew Davie
"Gomez!", "Oh Morticia."
 
Posts: 1590
Joined: Wed Jan 24, 2007 4:42 pm
Location: Queensland, Australia

Re: Malware detected?

Postby Dave Moll » Wed Apr 09, 2014 12:43 am

Following Andrew's warning, I performed a scan and found one infected file. Ironically it was "mseinstall.exe", having just ditched Microsoft Security Essentials for Avast!
Dave Moll
Anyone have a spare straightjacket?
 
Posts: 460
Joined: Tue Feb 27, 2007 9:11 am

Re: Malware detected?

Postby Andrew Davie » Wed Apr 09, 2014 1:09 am

Although the site is now safe, some of us will still see "attack site" warnings for a short while. I have seen these warnings myself. However, when I visit Google and do an analysis, all is OK. I think there are some cached blacklist database locations which are taking a while to update with the revised list, and that may take a short while to resolve. Rest assured, the site has not been re-hacked (yet!) and everything is operating normally as I write.
Cheers
A
Andrew Davie
"Gomez!", "Oh Morticia."
 
Posts: 1590
Joined: Wed Jan 24, 2007 4:42 pm
Location: Queensland, Australia

Re: Malware detected?

Postby Harry Dalek » Wed Apr 09, 2014 8:50 pm

I am still getting the warning using the Opera browser... the only way I can get to the best forum on earth ;) is via the link in the NBTV Hand Book.
The electromagnetic spectrum has no theoretical limit at either end. If all the mass/energy in the Universe is considered a 'limit', then that would be the only real theoretical limit to the maximum frequency attainable.
Harry Dalek
"Fester! Don't do that to 'Thing'"
 
Posts: 5364
Joined: Fri Sep 26, 2008 4:58 pm
Location: Australia

Re: Malware detected?

Postby Andrew Davie » Wed Apr 09, 2014 9:29 pm

Here's what's happened over the past day.

1. I received reports via private email that the forum was listed as a malware site. Investigated, see the same thing.
2. Via Google website analysis I determine that HTML and PHP files are 'infected' with a javascript snippet which causes access to a malware distribution site.
3. I report via private email to all NBTV forum members, advising caution.
4. I manually remove the javascript from all HTML and PHP files used by the forum
5. I advise Google the site is now clean.
6. I decide to upgrade the forum to the new software, in case the old software had a backdoor/bug allowing a hacker in.
7. I change all my access passwords for the site.
8. All looks OK with new forum, and I advise NBTV members it's OK to visit.
9. Google marks the site as OK
10. Google marks the site (http://www.taswegian.com) as NOT OK
11. I investigate further and to my horror find that not only was the forum infected (the original one, not the new one), but ALL of my websites were.
12. I immediately remove all access by anyone -- hence the forum went down
13. I deleted ALL files on my server (there were some 600 infected files, and many of these, alas, will never go back up -- I don't have the time to fix them)
14. I re-uploaded the forum (this took about 8 hours)
15. I advised Google the site is now clean.

So, that's the progress so far. Those people who visited the FORUM after I advised it was fixed are OK -- it was, indeed, fixed. It was only the files on my other websites that were still infected and thus triggering Google marking 'www.taswegian.com' as a bad site to visit. Right now we're waiting on Google to revisit the site and determine all is OK. That's when the "reported attack site" messages will disappear.

Once again, all I can say is what annoying little fucks the people who do this sort of thing are.
Andrew Davie
"Gomez!", "Oh Morticia."
 
Posts: 1590
Joined: Wed Jan 24, 2007 4:42 pm
Location: Queensland, Australia
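
An added example, not from the thread: one way to sweep a web root for the kind of infection described in steps 2, 4 and 11 above, reporting HTML/PHP files that load scripts or iframes from hosts you do not expect. It assumes the injected snippet uses a `src` attribute (obfuscated inline JavaScript would need a different check); all file names, hosts and markup are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the injected snippet pulls its payload through a src= attribute.
SRC_RE = re.compile(
    r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def external_hosts(text, allowed_hosts):
    """Return hosts referenced by script/iframe src that are not allow-listed."""
    hits = set()
    for url in SRC_RE.findall(text):
        if url.startswith("//"):          # protocol-relative URL
            url = "http:" + url
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed_hosts:   # relative URLs have no host
            hits.add(host)
    return hits

def scan_webroot(root, allowed_hosts, exts=(".html", ".htm", ".php")):
    """Map each HTML/PHP file under root to the unexpected hosts it loads from."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            hosts = external_hosts(path.read_text(errors="replace"), allowed_hosts)
            if hosts:
                findings[path.relative_to(root).as_posix()] = sorted(hosts)
    return findings

# Constructed sample tree; file names, hosts and markup are invented.
SAMPLE_FILES = {
    "index.html": '<html><script src="js/menu.js"></script></html>',
    "about.html": '<iframe src="//cdn.allowed.example/w.html"></iframe>',
    "forum/index.php": '<?php echo "hi"; ?>\n<SCRIPT type="text/javascript" '
                       'src=http://bad-host.invalid/x.js></SCRIPT>',
    "notes.txt": '<script src="http://bad-host.invalid/x.js"></script>',
}

def demo():
    """Write the sample tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_webroot(tmp, {"cdn.allowed.example"})

if __name__ == "__main__":
    print(demo())
```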

Re: Malware detected?

Postby Andrew Davie » Wed Apr 09, 2014 11:40 pm

Following review of site logs by my domain host (and boy are they fantastic at support)...

Hello,

Thank you for your input. We confirm that your account was hacked. The attack was actually performed via FTP; the attackers used your "andrew" FTP user, so we encourage you to check all computers and devices that were configured with this user for viruses and malware.

We prepared an excerpt from our logs that show all of the files uploaded with this FTP user since the start of April. The file is in your /home/taswegian/private directory, and is called ftp-uploaded-files-april.log. You can view it via the File Manager of your Control Panel, or with any FTP client application.

We encourage you to update all of your passwords, as well as to limit the FTP access to your account to the IP addresses that you use only. You can do the latter from the Protection section of your Control Panel.

Please let us know if we can help you further.

Best regards,
Abuse Team



So, that's a bit of good news really. I had deleted that FTP account as a precaution and also changed passwords on the main domain access account. Now I know HOW it happened, I also know that I have closed that avenue of attack. We're back in business.

Cheers
A
Andrew Davie
"Gomez!", "Oh Morticia."
 
Posts: 1590
Joined: Wed Jan 24, 2007 4:42 pm
Location: Queensland, Australia
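
An added example, not part of the thread or the host's tooling: triaging an upload log like the one the hosting provider describes, listing files uploaded by a given FTP user from addresses outside a trusted range. It assumes the log uses the common xferlog format (the real `ftp-uploaded-files-april.log` is not shown on the page); the log lines, IP addresses and `www` paths are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in xferlog format (the format itself is an assumption).
SAMPLE_LOG = """\
Sat Apr  5 03:12:44 2014 1 203.0.113.57 4312 /home/taswegian/www/index.html a _ i r andrew ftp 0 * c
Sat Apr  5 03:12:45 2014 1 203.0.113.57 9120 /home/taswegian/www/forum/index.php a _ i r andrew ftp 0 * c
Sun Apr  6 10:01:02 2014 2 198.51.100.8 20480 /home/taswegian/www/my photo.jpg b _ i r andrew ftp 0 * c
Sun Apr  6 10:05:00 2014 1 198.51.100.8 512 /home/taswegian/www/notes.txt a _ o r andrew ftp 0 * c
Mon Apr  7 22:40:10 2014 1 203.0.113.99 700 /home/taswegian/www/a.php a _ i r other ftp 0 * i
"""

def parse_xferlog(line):
    """Parse one xferlog line; the filename may contain spaces, so the
    nine trailing fields are taken from the right."""
    t = line.split()
    if len(t) < 18:
        return None
    _type, _flag, direction, _mode, user, _svc, _auth, _uid, status = t[-9:]
    return {
        "time": " ".join(t[:5]),
        "host": t[6],
        "size": int(t[7]),
        "path": " ".join(t[8:-9]),
        "direction": direction,        # "i" = incoming (upload)
        "user": user,
        "complete": status == "c",
    }

def is_trusted(host, nets):
    try:
        addr = ip_address(host)
    except ValueError:                 # logged as a hostname: treat as untrusted
        return False
    return any(addr in n for n in nets)

def suspicious_uploads(log_text, user, trusted_nets):
    """Group uploads by `user` from untrusted sources, keyed by source host."""
    nets = [ip_network(n) for n in trusted_nets]
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec and rec["user"] == user and rec["direction"] == "i":
            if not is_trusted(rec["host"], nets):
                by_host[rec["host"]].append(rec["path"])
    return dict(by_host)

if __name__ == "__main__":
    print(suspicious_uploads(SAMPLE_LOG, "andrew", ["198.51.100.0/24"]))
```

The same trusted ranges are what the host's suggestion to limit FTP access by IP address would enforce up front.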

Re: Malware detected?

Postby Panrock » Thu Apr 10, 2014 3:35 am

Something similar happened to all three of my sites a couple of years ago. Strong ftp passwords were already in use, so I presumed it had to be an inside job at the hosting company, after my reluctance to 'upgrade' to their more expensive package.

Needless to say I am no longer with that company!

Well done Andrew on getting a grip on things so efficiently.

Steve O
Panrock
Green padded cells are quite homely.
 
Posts: 870
Joined: Mon Feb 05, 2007 8:25 am
Location: Sedgeberrow, England

Re: Malware detected?

Postby Dave Moll » Thu Apr 10, 2014 5:40 am

I am pleased to report that the attack message that I was receiving this morning has now gone away.
Dave Moll
Anyone have a spare straightjacket?
 
Posts: 460
Joined: Tue Feb 27, 2007 9:11 am

Re: Malware detected?

Postby Steve Anderson » Thu Apr 10, 2014 11:25 am

Yes, seconded. If I knew the process of upgrade/re-build was going on I wouldn't have sent that second e-mail - but you had enough on your hands without having to notify everyone r.e. downtime.

Otherwise all seems fine and back to normal...

Well done and thanks.

Steve A.
Steve Anderson
"Fester! Don't do that to 'Thing'"
 
Posts: 5360
Joined: Fri Mar 30, 2007 10:54 pm
Location: Bangkok, Thailand

Re: Malware detected?

Postby AncientBrit » Thu Apr 10, 2014 5:24 pm

Thanks Andrew for sorting out the problems so efficiently.

It's much appreciated at this end as is the NBTV Forum.

Kind regards,

Graham
AncientBrit
Green padded cells are quite homely.
 
Posts: 858
Joined: Mon Mar 26, 2007 10:15 pm
Location: Billericay, UK

