Forum - Malware Attacks

jimmy
Posts: 988
Joined: 13 Nov 2006, 10:15

Postby jimmy » 03 Apr 2010, 16:51

Hi All

As some of you may be aware, the forum has been attacked lately and has had malware inserted into its code.

Stuart and I are aware of this, and once we are made aware, either of us can easily fix the problem. It is a pretty basic attack, and it is obvious either by your virus scanner going off, or by seeing a lot of strange information at the top of pages.

If you see any of this, please advise either Stuart or me.

In the meantime, can you please ensure that you are running an up-to-date virus scanner and ensure that your OS is patched. Unless we get hit by a zero-day attack, this should pretty much ensure that you are safe.

Stuart is going to look at updating the Forum software, so this should hopefully solve the issue.

James

weiyun
Posts: 4173
Joined: 17 Nov 2006, 22:32
Location: Birchgrove

Postby weiyun » 03 Apr 2010, 17:07

Questions: Was the forum p0rned or the main DHBC site?

jimmy
Posts: 988
Joined: 13 Nov 2006, 10:15

Postby jimmy » 03 Apr 2010, 19:50

This time it mainly seems to be the forum.

weiyun
Posts: 4173
Joined: 17 Nov 2006, 22:32
Location: Birchgrove

Postby weiyun » 03 Apr 2010, 19:53

Interesting. Safari gave the warning message only on the DHBC site, not the forum.

jimmy
Posts: 988
Joined: 13 Nov 2006, 10:15

Postby jimmy » 04 Apr 2010, 06:27

Weiyun

You were right, the main site had also been attacked. I didn't notice it as Firefox on Linux doesn't bat an eyelid. There were no obvious errors on the page either.

I have now fixed this up too.

James

micklan
Posts: 683
Joined: 07 Mar 2007, 12:52
Location: Canberra

Postby micklan » 04 Apr 2010, 06:30

Can you ascertain where the malware is from by the code?

jimmy
Posts: 988
Joined: 13 Nov 2006, 10:15

Postby jimmy » 04 Apr 2010, 07:26

There's 10 minutes of my life I will never get back.

If you're interested, the code is 192 lines long, of which only about 4 do anything, the rest are no ops.

Luckily I have been learning about regular expressions so I could decipher it. The code is heavily obscurificated.

The domain that it points to is servtemp.info, and I did some hunting around, and it seems to be in the Ukraine.

In the short term, you could add this domain to your hosts file with an IP address of 127.0.01, this would hobble any attack that uses that domain.

James

Stuart
Posts: 2568
Joined: 11 Mar 2008, 10:43
Location: Dulwich Hill

Postby Stuart » 05 Apr 2010, 16:38

The homepage has been attacked, again.

I'm working on upgrading the forum but at the moment I'm testing it locally as it has to be upgraded - how bad would it be if we started with a fresh forum?

weiyun
Posts: 4173
Joined: 17 Nov 2006, 22:32
Location: Birchgrove

Postby weiyun » 05 Apr 2010, 21:25

Our web site's front page has appearance problems in the latest Firefox and Safari with large areas of white spaces. Will this be addressed by the planned upgrade? Or was it due to the codes produced by the authoring software used?

jimmy
Posts: 988
Joined: 13 Nov 2006, 10:15

Postby jimmy » 06 Apr 2010, 07:59

Weiyun

I'm not seeing that, can you please email me a screenshot.

Thanks

James

weiyun
Posts: 4173
Joined: 17 Nov 2006, 22:32
Location: Birchgrove

Postby weiyun » 06 Apr 2010, 08:37

"I'm not seeing that, can you please email me a screenshot."

Ok, I just played around with it a bit more and it would appear that it's related to the window size. If I expand the window to fill the full width of my screen, then everything will display properly. If I reduce the width of the window, then the main content of the front page will get pushed down, opening up a big block of white space b/n the top banner and the top of the main content (Welcome to Dulwich Hill Bicycle Club). Reducing the font size also has a similar effect.

Not sure if this helps. I'll separately email the screen shots.

jimmy
Posts: 988
Joined: 13 Nov 2006, 10:15

Postby jimmy » 06 Apr 2010, 09:19

That is basically happening because of the width of the two images, they are limiting the minimum size of the table that they are part of, and so once the screen is reduced too much, the table is then pushed below the side navigation bar.

This is basically because of bad web design.

James

atnan
Posts: 2
Joined: 13 Jan 2010, 15:24

Postby atnan » 13 Apr 2010, 10:02

Firefox and Safari use Google's Safe Browsing service to determine whether or not a site is "safe" to visit. If a site is compromised (typically via known exploits in common software like phpBB) and malware is unknowingly added to the pages, browsers will display a warning.

You can access the report on dhbc.org.au here:

http://google.com/safebrowsing/diagnost ... hbc.org.au

I believe Google's Webmaster Tools will provide advice on removing the malware. Removing the compromised phpBB installation and installing the latest version (keeping the database, of course) is usually the best course of action.
