
Malware detected?

Posted: Tue Apr 08, 2014 7:30 am
by Lawnboy
Has anyone else seen this while using Google Chrome? It wasn't there a few hours ago. It keeps popping up whenever I click a link involving this site.

Posted: Tue Apr 08, 2014 8:20 am
by M3DVQ
getting the same on firefox

Posted: Tue Apr 08, 2014 11:41 am
by Steve Anderson
....and Firefox on Linux too...I'll give Andrew a prod...but I'm sure whatever it may be it hasn't originated here.

Steve A.

malware warning - NBTV forum

Posted: Tue Apr 08, 2014 1:39 pm
by Andrew Davie
I am aware of the malware warnings. The forum pages were hacked, and included a link to a malware site. I have manually removed these links, and notified all forum members by email notification. Please scan your computer for malware/viruses, particularly if you have visited this site on or since 05/April to 08/April 2014 inclusive.
My apologies; I have taken all steps I can to prevent; particularly, changing site passwords and checking all pages for the malware link. I believe things are OK now, but if you see warnings from Google/browser please take heed. Things should settle down in a few days and we'll be back to normal.
Cheers
A

Posted: Tue Apr 08, 2014 7:36 pm
by Steve Anderson
As of 0830 UTC/GMT the warnings have gone away - at least here. In the meantime I have totally restarted my PC and no warnings.

Interesting to note I deleted/banned a member on the 4th whose IP address was 173.193.202.*, spamming new kitchens - I wonder if there's any connection?

Steve A.

Re: Malware detected?

Posted: Tue Apr 08, 2014 11:52 pm
by Andrew Davie
Now definitively fixed with the new forum software installation.

Re: Malware detected?

Posted: Wed Apr 09, 2014 12:43 am
by Dave Moll
Following Andrew's warning, I performed a scan and found one infected file. Ironically it was "mseinstall.exe", having just ditched Microsoft Security Essentials for Avast!

Re: Malware detected?

Posted: Wed Apr 09, 2014 1:09 am
by Andrew Davie
Although the site is now safe, some of us will still see "attack site" warnings for a short while. I have seen these warnings myself. However, when I visit Google and do an analysis, all is OK. I think there are some cached blacklist database locations which are taking a while to update with the revised list, and that may take a short while to resolve. Rest assured, the site has not been re-hacked (yet!) and that everything is operating normally as I write.
Cheers
A

Re: Malware detected?

Posted: Wed Apr 09, 2014 8:50 pm
by Harry Dalek
I am still getting the warning using the Opera browser... the only way I can get to the best forum on earth ; ) is via the link in the NBTV Hand Book.

Re: Malware detected?

Posted: Wed Apr 09, 2014 9:29 pm
by Andrew Davie
Here's what's happened over the past day.

1. I received reports via private email that the forum was listed as a malware site. Investigated, see the same thing.
2. Via Google website analysis I determine that HTML and PHP files are 'infected' with a javascript snippet which causes access to a malware distribution site.
3. I report via private email to all NBTV forum members, advising caution
4. I manually remove the javascript from all HTML and PHP files used by the forum
5. I advise Google the site is now clean.
6. I decide to upgrade the forum to the new software, in case the old software had a backdoor/bug allowing a hacker in.
7. I change all my access passwords for the site.
8. All looks OK with new forum, and I advise NBTV members it's OK to visit.
9. Google marks the site as OK
10. Google marks the site (http://www.taswegian.com) as NOT OK
11. I investigate further and to my horror find that not only was the forum infected (the original one, not the new one), but ALL of my websites were.
12. I immediately remove all access by anyone -- hence the forum went down
13. I deleted ALL files on my server (there were some 600 infected files, and much of these, alas, will never go back up -- I don't have the time to fix them)
14. I re-uploaded the forum (this took about 8 hours)
15. I advised Google the site is now clean.

So, that's the progress so far. Those people who visited the FORUM after I advised it was fixed are OK -- it was, indeed, fixed. It was only the files on my other websites that were still infected and thus triggering Google marking 'www.taswegian.com' as a bad site to visit. Right now we're waiting on Google to revisit the site and determine all is OK. That's when the "reported attack site" messages will disappear.

Once again, all I can say is what annoying little fucks the people who do this sort of thing are.
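An added example, not part of the original post: one way to find every HTML and PHP file under a web root that loads a script or frame from an unexpected host, so that a cleanup does not stop at the first site found infected. The allowlist, the sample pages and the `.example` hosts are constructed assumptions, and the check covers only `src` attributes of `<script>` and `<iframe>` tags, not inline or obfuscated code.

```python
import os
import re
from urllib.parse import urlparse

# Assumption: the only host this site should load scripts or frames from.
ALLOWED_HOSTS = {"www.taswegian.com"}
SCAN_EXTENSIONS = (".html", ".htm", ".php")
# src= of <script> and <iframe> tags: quoted or unquoted, any letter case.
EXTERNAL_SRC = re.compile(
    r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def external_hosts(text, allowed=ALLOWED_HOSTS):
    """Hosts referenced by script/iframe src attributes that are not allowed."""
    hosts = set()
    for src in EXTERNAL_SRC.findall(text):
        host = urlparse(src).hostname  # None for relative paths like /js/a.js
        if host and host.lower() not in allowed:
            hosts.add(host.lower())
    return hosts

def scan_tree(root, allowed=ALLOWED_HOSTS):
    """Map each HTML/PHP file under root to the unexpected hosts it loads."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = external_hosts(fh.read(), allowed)
            if hosts:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = sorted(hosts)
    return findings

# Constructed sample pages; the hosts under .example are placeholders.
SAMPLE_SITE = {
    "index.html": '<html><script src="/js/site.js"></script></html>',
    "forum/viewtopic.php": '<?php echo "hi"; ?>\n<SCRIPT SRC=//cdn.injected.example/a.js></SCRIPT>',
    "about.htm": '<script src="http://www.taswegian.com/menu.js"></script>'
                 "<iframe width=1 src='http://bad.example/x'></iframe>",
    "notes.txt": '<script src="http://bad.example/x.js"></script>',
}

def write_sample_site(root):
    for rel, body in SAMPLE_SITE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
```

Calling `scan_tree()` on the document root of every site in the account, not only the forum directory, gives the full list of files to clean or restore.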

Re: Malware detected?

Posted: Wed Apr 09, 2014 11:40 pm
by Andrew Davie
Following review of site logs by my domain host (and boy are they fantastic at support)...

Hello,

Thank you for your input. We confirm that your account was hacked. The attack was actually performed via FTP; the attackers used your "andrew" FTP user, so we encourage you to check all computers and devices that were configured with this user for viruses and malware.

We prepared an excerpt from our logs that show all of the files uploaded with this FTP user since the start of April. The file is in your /home/taswegian/private directory, and is called ftp-uploaded-files-april.log. You can view it via the File Manager of your Control Panel, or with any FTP client application.

We encourage you to update all of your passwords, as well as to limit the FTP access to your account to the IP addresses that you use only. You can do the latter from the Protection section of your Control Panel.

Please let us know if we can help you further.

Best regards,
Abuse Team



So, that's a bit of good news really. I had deleted that FTP account as a precaution and also changed passwords on the main domain access account. Now I know HOW it happened, I also know that I have closed that avenue of attack. We're back in business.

Cheers
A
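An added example, not part of the original post or the host's reply: triaging an FTP upload log by listing uploads made with a given user from addresses outside the owner's own networks. It assumes the log uses the standard xferlog layout (the page does not show the real format); the sample lines, the paths under `/home/taswegian/www` and the documentation-range IP addresses are constructed.

```python
import ipaddress

# Assumption: addresses the account owner actually uses for FTP.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample lines in xferlog format (not taken from the real log).
SAMPLE_LOG = """\
Tue Apr  1 09:14:02 2014 2 198.51.100.5 48211 /home/taswegian/www/forum/logo.png b _ i r andrew ftp 0 * c
Sat Apr  5 03:41:17 2014 1 203.0.113.77 9120 /home/taswegian/www/index.html a _ i r andrew ftp 0 * c
Sat Apr  5 03:41:19 2014 1 203.0.113.77 15544 /home/taswegian/www/forum/my page.php a _ i r andrew ftp 0 * c
Sat Apr  5 03:42:00 2014 1 203.0.113.77 9120 /home/taswegian/www/index.html a _ o r andrew ftp 0 * c
Sun Apr  6 11:00:30 2014 1 198.51.100.5 700 /home/taswegian/www/partial.php a _ i r andrew ftp 0 * i
"""

def parse_xferlog_line(line):
    """Split one xferlog line; the path may contain spaces, so the fixed
    fields are taken from both ends (8 leading tokens, 9 trailing)."""
    parts = line.split()
    if len(parts) < 18:
        return None
    tail = parts[-9:]
    return {
        "time": " ".join(parts[:5]),
        "remote_host": parts[6],
        "path": " ".join(parts[8:-9]),
        "direction": tail[2],   # i = incoming (upload), o = outgoing
        "user": tail[4],
        "status": tail[8],      # c = complete, i = incomplete
    }

def is_known(host, networks=KNOWN_NETWORKS):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # logged as a hostname: cannot match an IP allowlist
        return False
    return any(addr in net for net in networks)

def suspicious_uploads(log_text, user="andrew", networks=KNOWN_NETWORKS):
    """Uploads by `user` from hosts outside the known networks."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if (rec and rec["direction"] == "i" and rec["user"] == user
                and not is_known(rec["remote_host"], networks)):
            hits.append(rec)
    return hits
```

The resulting paths are the files to restore from a clean copy, and the remote hosts show which addresses an FTP IP restriction would have blocked.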

Re: Malware detected?

Posted: Thu Apr 10, 2014 3:35 am
by Panrock
Something similar happened to all three of my sites a couple of years ago. Strong ftp passwords were already in use, so I presumed it had to be an inside job at the hosting company, after my reluctance to 'upgrade' to their more expensive package.

Needless to say I am no longer with that company!

Well done Andrew on getting a grip on things so efficiently.

Steve O

Re: Malware detected?

Posted: Thu Apr 10, 2014 5:40 am
by Dave Moll
I am pleased to report that the attack message that I was receiving this morning has now gone away.

Re: Malware detected?

Posted: Thu Apr 10, 2014 11:25 am
by Steve Anderson
Yes, seconded. If I knew the process of upgrade/re-build was going on I wouldn't have sent that second e-mail - but you had enough on your hands without having to notify everyone r.e. downtime.

Otherwise all seems fine and back to normal...

Well done and thanks.

Steve A.

Re: Malware detected?

Posted: Thu Apr 10, 2014 5:24 pm
by AncientBrit
Thanks Andrew for sorting out the problems so efficiently.

It's much appreciated at this end as is the NBTV Forum.

Kind regards,

Graham