Kitz Forum

Announcements => News Articles => Topic started by: kitz on March 22, 2010, 02:53:03 AM

Title: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 02:53:03 AM
Looks like dslzone's website has been compromised.

1) Confidential email addresses held on their server have been disclosed and are now being subjected to spam from other parties.
    It would therefore appear that their database has been hacked & email addresses harvested.

2) Visiting their site, it would appear that some of their CSS has gone haywire, and there are also PHP error messages indicating that the original code has been modified.

3) Avira gives warning messages about the site which it says is infected with malware & trojan.

Quote
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\kitz\Local Settings\Temporary Internet Files\Content.IE5\D1NPA8P7\publ[1].htm.
Action performed: Delete file

-------

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\kitz\Local Settings\Temporary Internet Files\Content.IE5\D1NPA8P7\publ[1].htm.
Action performed: Deny access





Quote
HTML/Infected.WebPage.Gen

Description:
A common attack against the web infrastructure can be the infection of harmless web pages. Some malware changes every HTML file stored on the disc and adds a link (very often an IFrame) to a site hosting malicious code. Other attacks can aim for the web servers and try to insert forwarding to the pages hosted there. The owner of these pages is advised to take them offline. Fix the hole (either on his own PC or on the server), check the pages for infections, clean them and go online again. Infected Web Pages often contain additional Iframe, Object or Script Tags. The Script Tags often contain encrypted Code.


I noticed this after receiving targeted spam mail with information that can only have been obtained from dslzone.
I was about to visit the site to report the issue and why information had been disclosed.... which is when my AV alerted me, and I also noticed all the other symptoms which indicate the site has been hacked and infected.

Proceed with caution.
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 03:53:18 AM
A quick scan of their forums (I'm not going to hang around it too long - nor log in to make a post), seems to indicate that some members have picked up a trojan and their machines are now showing signs of infection.

I suggest you stay away.

I've contacted Thar - who seems to be the one doing most of the caretaking for dslzone these days - to advise him of the situation.
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 06:53:36 AM
I visited this morning before reading this and didn't have anything pick up on my McAfee security center... The site has been hard to get into of late, taking 4/5 attempts before it would load. This has been reported by quite a few members over there.

Thanks for the warning Kitz  ;)

I have logged out and will stay away for the time being
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 07:54:24 AM
>>  and didn't have anything pick up on my McAfee security center

Yeah, I noticed that whilst some were saying that their AVs weren't picking up anything, but they were seeing the site oddness, yet others were saying their AV (not just Avira) was indicating trojan presence.

Whatever way - the database has definitely been compromised and information disclosed to 3rd parties.
I've been a member of that forum before James even had the site properly live (I think my member number is something like no. 4) as I used to advise on ADSL problems on another of his previous forums, before James even knew anything at all about ADSL/ISPs.

When I got the spam last night, I knew exactly where it had come from and the source of disclosure, which is why I headed over that way to report it.

Because the site hasn't been properly maintained for several years and much of the info is outdated, I would hazard a guess that the forum software hasn't had an essential phpBB security patch applied.... which is how a hacker has now been able to get in, take info from the database, and inject malicious code.  :(

If this is the case then the forum needs taking down until it's patched and updated.

Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 08:51:15 AM
OK - here goes...   a bit of detective work on my part to find out what the problem is


I know which malicious code has been injected, I know where it's being hosted, but I won't publish that info here for the security of members of this forum.

This information should have been picked up yesterday by dslzone and acted upon immediately.  It should not be down to another site to diagnose their problems whilst they remain live and continuing to infect machines for the past 24 hours, and no-one bothering to look into it.

What I also find worrying though is that certain AVs have not picked up on this either.


Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 09:06:34 AM
Quote
What I also find worrying though is that certain AVs have not picked up on this either.

 :o

Are you saying that my AV (McAfee) might have missed this and I could be infected without me knowing about it.......

What steps can I take to check this....... I ran a full scan on Friday of last week and nothing was reported. Is it worth running again?

Edit......I have not noticed any irregularity on my pc.
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 09:25:13 AM
I notice in the thread discussion that some members were reporting that their AV wasn't picking up on it.

From what I can see the malicious code isn't being injected on all pages, so you may be ok, but just to be on the safe side I'd run Housecall and/or Spybot S+D.  I noticed someone else in that thread say that Lavasoft also picks up on it.
Title: Re: Warning - DSLzone site compromised
Post by: Browni on March 22, 2010, 09:28:23 AM
Hi kitz,

I've joined this forum to say thanks for the above warning, no doubt you will have seen me in the thread regarding the problem on the DSLzone site.

MSE didn't pick up on it but FF threw a wobbly and my java runtime got kicked from memory.

To be safe, I did a system restore to 2 days before, ran Housecall & also ran Malwarebytes Anti-Malware (the latter confirming I'm clean).
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 09:30:28 AM
Quote
From what I can see the malicious code isn't being injected on all pages, so you may be ok, but just to be on the safe side I'd run Housecall and/or Spybot S+D.

Can you run these along side my existing McAfee security center?
Title: Re: Warning - DSLzone site compromised
Post by: postie on March 22, 2010, 09:31:27 AM
On the laptop yesterday when going to DSL Zone, the free Avira AV on it picked it up, but on this desktop running Norton 2010 security suite it hasn't mentioned it. Anyway, I believe thar sent a message to James but just in case I have also done so this morning.
Title: Re: Warning - DSLzone site compromised
Post by: Browni on March 22, 2010, 09:35:09 AM
Quote
From what I can see the malicious code isn't being injected on all pages, so you may be ok, but just to be on the safe side I'd run Housecall and/or Spybot S+D.

Can you run these along side my existing McAfee security center?

Yes, these are on demand scanners.
Title: Re: Warning - DSLzone site compromised
Post by: tuftedduck on March 22, 2010, 09:38:42 AM
But be careful with Spybot Search and Destroy if you install it, unkyUb, and make sure that its resident scanner is disabled..... that part of the prog is styled "Teatimer" and can be a pain when trying to work alongside certain AV progs.
Title: Re: Warning - DSLzone site compromised
Post by: Browni on March 22, 2010, 09:41:37 AM
Quote
But be careful with Spybot Search and Destroy if you install it, unkyUb, and make sure that its resident scanner is disabled..... that part of the prog is styled "Teatimer" and can be a pain when trying to work alongside certain AV progs.

Of course, I forgot about that nuisance called teatimer !
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 09:43:29 AM
Quote
But be careful with Spybot Search and Destroy if you install it, unkyUb, and make sure that its resident scanner is disabled..... that part of the prog is styled "Teatimer" and can be a pain when trying to work alongside certain AV progs.

This sounds very complicated to me ..........Teatimer?
Title: Re: Warning - DSLzone site compromised
Post by: tuftedduck on March 22, 2010, 09:46:33 AM
Don't ask where the name comes from....even the Spybot people at Safer Networking don't seem to know.
It is disabled by default (IIRC)...... just don't switch it on..
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 09:50:42 AM
Quote
Don't ask where the name comes from....even the Spybot people at Safer Networking don't seem to know.
It is disabled by default (IIRC)...... just don't switch it on..

I see.

So I have now seen.. Spybot S&D, Housecall, and one called Malwarebytes...... Which would be the best (easiest) for me (the wuss) to use.
Title: Re: Warning - DSLzone site compromised
Post by: tuftedduck on March 22, 2010, 09:58:17 AM
Malwarebytes.

Get it from here..... http://www.malwarebytes.org/ using the blue button to get the free version.

Install, update and then do a full scan................... good program and constructed specifically so that you can do an effective scan in "normal" mode... no need to put the PC into safe mode........ and scans very quickly.
Also, it is reliable...if it finds something, let it deal with it.
Further, the free version has no resident component so no clash with your av.
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 10:01:20 AM
-edited - keep going to reply but TD is very much on the ball with this thread and beat me to it..- so follow his advice :)
Title: Re: Warning - DSLzone site compromised
Post by: Browni on March 22, 2010, 10:01:51 AM
Beat me to it tufted!

I'm moderating a local Freegle group just now so can't be just as quick on the keyboard as you!
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 10:30:18 AM
Quote
I will run some scans, I personally think its poorly written scripts as someone said Admin has been in and done summit

I can guarantee it isn't - the database has definitely been compromised by a 3rd party... and I know exactly what code has been modified, and where the payload is coming from.

Doesn't take a genius to do a proper bit of detective work to find that out.  Once you have that info then the alarm bells start ringing with all the protection sites as it's well known to host trojan payloads of this type.
There's a very obvious reason why I won't disclose that info on a public forum. :no:
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 22, 2010, 11:02:50 AM
Not going to waste any more of my time on this.  
Not my problem...   and I have more than enough to do on my own site.


I cared about those that did use that site and didn't want them being infected.
I've done my bit for the diagnostics.... far more than they (site owners) have.  It's now up to the other site to properly act upon the information passed on to them.
Title: Re: Warning - DSLzone site compromised
Post by: Browni on March 22, 2010, 11:06:22 AM
Kitz,

I think what you have done is admirable.
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 11:58:24 AM
I downloaded malwarebytes and did a full scan as requested.

It found 1 infected item,what's the best way to proceed with it?

This was the result

[screenshot: Malwarebytes.jpg, the scan result]

I think it is adware.mywebsearch......

Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 22, 2010, 12:01:38 PM
Quote
Not going to waste any more of my time on this.
Not my problem...   and I have more than enough to do on my own site.

I cared about those that did use that site and didn't want them being infected.
I've done my bit for the diagnostics.... far more than they (site owners) have.  It's now up to the other site to properly act upon the information passed on to them.
Thanks very much for your warning  :thumbs:

You confirmed my suspicions, as ever since visiting DSL Zone yesterday, my internet connection was playing up.

I was unable to update NOD32, Spybot and was even prevented from downloading Trend Micro House Call and MalwareBytes  :o

Worryingly for me was the fact that NOD32 didn't give me any warning and yet the free version of Avast did  ???

What's more NOD32 was disabled and, when I tried to enable it, (after being alerted by Windows Security Center that my AV was switched off), I got an error saying that there was no communication with the kernel  :hmm:

I think I'm going to change my AV - I think I'll give Kaspersky a try as it gets good reviews.

Thanks again, Mike


p.s. as much as I enjoy DSL Zone, if the Admin team can't even update the site (with security patches, etc) to keep members safe then I'll not be returning and I've been a member for 4 years  :no:
Title: Re: Warning - DSLzone site compromised
Post by: tuftedduck on March 22, 2010, 12:31:34 PM
@ unkyUb

In malwarebytes......select that item by putting a tick in the little box to the left of the description and then hit the "remove selected" button.

Reboot, then follow the following just to make sure..:-

Most of the program can be removed by clicking on Start->Settings->Control Panel and double clicking on Add/Remove Programs. Then find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with

FunWebProducts
My Web Search (Smiley Central or FWP product as applicable)
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way

To clean up the registry, delete the keys and value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin.

Reboot your Computer.

Next, open My Computer, Drive C, and double-click on the Program Files folder

Right-click and delete the folders for:

FunWebProducts
MyWebSearch

MyWebSearch should now be completely uninstalled from your computer.


Fingers crossed, that should do it.
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 01:07:34 PM
Followed your advice TD...... let Malwarebytes delete it,

Rebooted

Looked in My Computer/Add/Remove Programs...... nothing there.

Went into registry re your link........ nothing there.

So hopefully it will have gone.  :fingers:

Thanks for taking the time to help me.  :)

Edit, as regards Smiley Central....... That might have been a site I looked at when I first got this PC (April 2007) and unknowingly downloaded something I shouldn't  :no:

Edit2, re Malwarebytes........ do you just scan if and when needed? I can't seem to see anything about scheduling a scan at certain times/days/weeks.
Title: Re: Warning - DSLzone site compromised
Post by: tuftedduck on March 22, 2010, 01:45:04 PM
>>>So hopefully it will have gone <<<<............sounds like it.. :clap2:

I don't think you can schedule a scan in the free version....... just fire him up now and again and have a wee scan... the "quick scan" option is normally sufficient unless you have strong reason to suspect that you are infected.

>>Thanks for taking the time to help me.<<.............my pleasure, unkyUb and I am sure that your machine is clean again.  :)

Sometime when you have a minute or two to spare, do a quick scan just to make sure.. ;)
Title: Re: Warning - DSLzone site compromised
Post by: postie on March 22, 2010, 02:06:44 PM
Yep, as curly said, thanks for the help kitz; as said, the keys to the site need to be handed over to thar and the site looked after.
I think the PCs here are clean now, not 100% sure, but can't find anything else on them. Can't believe Norton 2010 security suite never even blinked  :no: :o  It was on a 3 month free trial but no more! Put Microsoft's MSE on for now as I decide what to do: either go back to NOD32, which did pick up a trojan, or try GData again, which I liked but was a bit of a resource hog.
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 22, 2010, 02:18:16 PM
Did anyone with MSE detect anything.. I've run that and Prevx through my 64-bit PC. Didn't pick up anything.

has it taken down 24 as well..
Title: Re: Warning - DSLzone site compromised
Post by: Browni on March 22, 2010, 02:25:10 PM
Quote
Did anyone with MSE detect anything.. I've run that and Prevx through my 64-bit PC. Didn't pick up anything.

has it taken down 24 as well..

I use MSE and it didn't detect anything but when accessing the home page FF went loopy.
Title: Re: Warning - DSLzone site compromised
Post by: Widmerpool on March 22, 2010, 02:26:45 PM
Hi all  :)
Nice to be somewhere virus free. :P
James seems to have turned up at last and fixed it, but he didn't say any more about it.
Would have been nice if he'd posted something advising people to virus check their PCs. And said what the problem was and what he was doing about it.

Avast free picked it up alright so that would be a good alternative for people with the paid ones that missed it.
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 02:56:24 PM
Quote
Sometime when you have a minute or two to spare, do a quick scan just to make sure..  ;)

Just run a quick scan and ........clean.  :)
Title: Re: Warning - DSLzone site compromised
Post by: tuftedduck on March 22, 2010, 03:05:36 PM
 :thumbs: :clap: :clap2:
Title: Re: Warning - DSLzone site compromised
Post by: Quasimoto on March 22, 2010, 03:12:48 PM

Quote
I use MSE and it didn't detect anything but when accessing the home page FF went loopy.

Define loopy... it crashed it?
Title: Re: Warning - DSLzone site compromised
Post by: Browni on March 22, 2010, 03:27:36 PM

Quote
I use MSE and it didn't detect anything but when accessing the home page FF went loopy.

Define loopy... it crashed it?

It froze the machine for about 5 minutes before I could kill the process.

Then I started my recovery process.

OT I just believe I have seen a monsoon going past my window!

If you are in the NW, watch out!
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 22, 2010, 03:35:03 PM
Quote
Hi all  :)
Nice to be somewhere virus free. :P
James seems to have turned up at last and fixed it, but he didn't say any more about it.
Would have been nice if he'd posted something advising people to virus check their PCs. And said what the problem was and what he was doing about it.

Avast free picked it up alright so that would be a good alternative for people with the paid ones that missed it.

Did he have plumbers jeans on showing bum cleavage... ??? :lol:
Title: Re: Warning - DSLzone site compromised
Post by: Widmerpool on March 22, 2010, 03:38:11 PM
Quote
Did he have plumbers jeans on showing bum cleavage... ??? :lol:

He was in and out like a rat up a drainpipe so nobody saw him till he'd gone.
At least he didn't tell us to turn it off and on again. :P
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 22, 2010, 03:44:54 PM
The only problem doing that is it will happen again. Quick fix.. it wants updating badly... :no:
Title: Re: Warning - DSLzone site compromised
Post by: Widmerpool on March 22, 2010, 03:48:55 PM
Quote
. it wants updating badly... :no:

Isn't the problem that it's been updated badly?
I think it badly wants updating  :lol: :lol: :lol:

He hasn't said what was wrong or what he's done about it.
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 22, 2010, 04:20:02 PM
My guess.. he's unplugged it, gave it 40 and plugged it back in.... :lol:
Title: Re: Warning - DSLzone site compromised
Post by: Widmerpool on March 22, 2010, 04:25:20 PM
Quote
My guess.. he's unplugged it, gave it 40 and plugged it back in.... :lol:

Hey that shows why he's an admin and we're peasants  - I'd only have given it 30   :P
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 22, 2010, 04:31:10 PM
More like big licks with a hammer and gone down pc world and got another one.... ;)
Title: Re: Warning - DSLzone site compromised
Post by: thar on March 22, 2010, 05:01:30 PM
Thanks to kitz for your help in resolving this...I've sent you a PM.
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 22, 2010, 06:01:24 PM
Quote
Thanks to kitz for your help in resolving this...I've sent you a PM.

Is it sorted yet?
Title: Re: Warning - DSLzone site compromised
Post by: Chrysalis on March 22, 2010, 07:07:22 PM
I haven't visited dslzone for a while, it became very evident the owner had left it to rot as there was no maintenance being done on it.

My email address there is a free Hotmail account so not too bothered, but the contents of some of my PMs had confidential info in them.

I don't plan to even access the site now since I don't know which URLs are infected and it seems from what another person has posted NOD32 may not be able to detect the trojan.
Title: Re: Warning - DSLzone site compromised
Post by: thar on March 22, 2010, 08:52:48 PM
Quote
Thanks to kitz for your help in resolving this...I've sent you a PM.
Is it sorted yet?
According to the post James made at 12:26 today it is. I'm not getting any more warnings and have scanned my PC and not come up with any nasties thank goodness!
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 22, 2010, 10:51:39 PM
Quote
Yep, as curly said, thanks for the help kitz; as said, the keys to the site need to be handed over to thar and the site looked after.
Well someone has to look after the site as James has lost all interest as he's too busy running ADSL24.


Quote
I think the PCs here are clean now, not 100% sure, but can't find anything else on them. Can't believe Norton 2010 security suite never even blinked  :no: :o  It was on a 3 month free trial but no more! Put Microsoft's MSE on for now as I decide what to do: either go back to NOD32, which did pick up a trojan, or try GData again, which I liked but was a bit of a resource hog.
I'm running NOD32 V4 and I got no malware warnings!

That's worrying for me as I thought that NOD32 was one of the best AVs out there  :(
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 22, 2010, 10:57:36 PM
Quote
I don't plan to even access the site now since I don't know which URLs are infected and it seems from what another person has posted NOD32 may not be able to detect the trojan.
NOD32 didn't detect the trojan at least on my PC.

I ran Malwarebytes and it came up with malware that had got into the registry (in bold):


Quote
Malwarebytes' Anti-Malware 1.44
Database version: 3898
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

22/03/2010 13:07:33
mbam-log-2010-03-22 (13-07-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 254785
Time elapsed: 46 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully
.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

All is okay now as Malwarebytes sorted it out and I'm thinking of purchasing the paid version as it detected something that NOD32 and Spybot missed.
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 23, 2010, 08:27:59 AM
I'm glad that everyone seems to have got their PCs in good order once again. :)
It is disturbing that certain AVs didn't pull this up - why they didn't I don't know.  There are new viruses coming out every day, but one would hope that most AVs would be able to sense a virus pattern!

I strongly suspect the site was first compromised several days ago which would have been when the database was first accessed.  It would appear that any email addresses/personal info has already been harvested for possible spam targets.
I'm not certain on this... but I would suspect that the most likely cause is that someone took advantage that the forum software was not maintained, and any security patches weren't installed.


The latest events culminating yesterday appear to be a 2nd compromise and someone taking advantage that the site was still insecure.  They edited the main forum index page to include some malicious code.  The PHP warnings were an indication that the original code had in some way been altered.  Whoever did this then inserted a fake image banner file, which was actually a payload hosted at another domain.  The probable idea is to trick your browser into thinking it's an image rather than a virus.

The website behind this is well known to host virus/trojan/malware files, and according to various security reports has been responsible for taking down and/or injecting malware into users of many other compromised sites over the past few days.
According to the diagnostic report it was hosting "23 exploit(s), 17 trojan(s)" specifically for infection of other sites.

I can confirm that the malicious code has been removed.  Presumably James will at some point apply any patches and update the forum software.  Nothing much can be done about the spam situation and any other information held on the database which may have been accessed.
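Two things in this thread lend themselves to a defensive check: the Avira description quoted in the opening post (infected pages carry extra iframe/object/script tags, the scripts often encoded) and kitz's account above of a script injected into the forum index page that loaded a "banner image" which was really a payload from another domain. The script below is an added example, not code from this thread or from the dslzone/phpBB site; it scans a saved HTML page for suspect tags that reference hosts outside the site's own, flags inline scripts that look encoded, and checks whether bytes presented as an image actually start with an image signature. The hostnames, sample HTML and sample bytes are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags the Avira description singles out as typical of an injected page,
# paired with the attribute that carries the external reference.
SUSPECT_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

# Heuristics for "encrypted" inline script: eval/unescape/fromCharCode, or
# long runs of \xNN or %NN encoded characters.
ENCODED_RE = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode"
    r"|(?:\\x[0-9a-fA-F]{2}){8,}|(?:%[0-9a-fA-F]{2}){8,}"
)

# Magic numbers a real banner image would begin with.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


class InjectionScanner(HTMLParser):
    """Collects external references from suspect tags and inline script bodies."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # list of (kind, detail)
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUSPECT_TAGS:
            url = attrs.get(SUSPECT_TAGS[tag])
            if url:
                host = (urlparse(url).hostname or "").lower()
                # A reference to a host that is not ours is what an injected
                # iframe/script typically looks like; relative URLs are skipped.
                if host and host not in self.own_hosts:
                    self.findings.append(("external_" + tag, url))
            if tag == "script" and not url:
                self._in_script = True
                self._script_buf = []
        if tag == "iframe":
            # Zero-size or display:none iframes are another classic sign.
            style = (attrs.get("style") or "").replace(" ", "").lower()
            if attrs.get("width") == "0" or attrs.get("height") == "0" or "display:none" in style:
                self.findings.append(("hidden_iframe", attrs.get("src") or ""))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if ENCODED_RE.search(body):
                self.findings.append(("encoded_inline_script", body[:60]))


def scan_html(html, own_hosts):
    """Return the list of (kind, detail) findings for one page."""
    p = InjectionScanner(own_hosts)
    p.feed(html)
    p.close()
    return p.findings


def looks_like_image(data):
    """True if the bytes begin with a PNG/JPEG/GIF signature; a 'banner'
    that fails this check is not the image its tag claims it is."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


# Constructed sample: a forum index page with one legitimate script and banner,
# plus an injected encoded script and a hidden iframe to an assumed attacker host.
SAMPLE_HTML = """<html><head>
<script src="/forum/js/forum.js"></script>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70'));</script>
</head><body>
<img src="/forum/images/banner.gif" alt="banner">
<iframe src="http://malicious.example/banner.gif" width="0" height="0"></iframe>
</body></html>"""

# Constructed bytes: a real GIF header versus a file that merely claims to be one.
REAL_GIF = b"GIF89a" + b"\x00" * 10
FAKE_BANNER = b"<script>" + b"\x00" * 10

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, {"forum.example.co.uk"}):
        print(f"{kind}: {detail}")
    print("real banner is image:", looks_like_image(REAL_GIF))
    print("fake banner is image:", looks_like_image(FAKE_BANNER))
```

Run against a saved copy of a page (not the live site), the external and hidden-iframe findings are the lines a site owner would compare against the known template before declaring the page clean.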
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 23, 2010, 09:46:36 AM
Malwarebytes found it on my PC too.. MSE nothing, Prevx nothing...
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 23, 2010, 10:14:02 AM
Done a bit more digging and this looks to be a false positive..   http://forums.malwarebytes.org/index.php?showtopic=7653&st=0
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 23, 2010, 10:29:25 AM
Quote
I can confirm that the malicious code has been removed.  Presumably James will at some point apply any patches and update the forum software.  Nothing much can be done about the spam situation and any other information held on the database which may have been accessed.
Well I won't be posting on DSL Zone anymore as I think that malware had got on my PC because I visited the site.

I haven't been affected by these sorts of problems for years (touch wood) unless it was sheer coincidence that I got infected after visiting DSL Zone  ::)

James is always too busy with ADSL24 and so I don't think that he will keep the site secure with security patches although it's just my personal opinion.

I've asked to have my e-mail address removed in case similar types of security exploits happen in the future although I'm not holding my breath!
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 23, 2010, 11:51:44 AM
Can you name the website...
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 23, 2010, 09:21:36 PM
>> Can you name the website...

Yes I can
- I still even have a copy of part of the code which was injected into the forum index page using javascript.

However I don't think it's wise putting the URL up, in case anyone goes clicking or looking at the site...   other than to say it starts with gold.

------

btw, those PHP errors being seen were a result of the hackers changing the header in one of the phpBB files when they inserted their own script
Title: Re: Warning - DSLzone site compromised
Post by: Quasimoto on March 24, 2010, 01:53:02 AM
Quote
>> Can you name the website...

Yes I can
- I still even have a copy of part of the code which was injected into the forum index page using javascript.

However I don't think it's wise putting the URL up, in case anyone goes clicking or looking at the site...   other than to say it starts with gold.

------

btw, those PHP errors being seen were a result of the hackers changing the header in one of the phpBB files when they inserted their own script

Go like  w w w dot msn dot co dot uk so it's not click-able with a big warning not to type it in their address bar. Or a partial part of the address bar, thingymajig busted site dot net. One would have to be a right moron to even enter it into their address bar.

Oh and by the way will Spybot Search and Destroy pick this up? I barely ever have the PC on dslzone since my main machine is OS X.

Saying that I do wonder if this is related... any users here remember a while back from dslzone how I got a nasty going on with Windows 7 way back? Remember my black screen incident at login? Long long welcome screen cycling and DHCP/event logging failing to start and the network adapters were busted etc etc

I did find a trojan in the system restore. Maybe it wasn't related, or maybe it was a fluke, I don't know to be honest. I never did anything dodgy or browsed any dodgy sites either so I have no idea how I got that.

It was sorted from way back though. It was evil though! I was dreading a reformat with that.
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 24, 2010, 08:40:24 AM
Quote
any users here remember a while back from dslzone how I got a nasty going on with Windows 7 way back? Remember my black screen incident at login? Long long welcome screen cycling and DHCP/event logging failing to start and the network adapters were busted etc etc

I did find a trojan in the system restore. Maybe it wasn't related, or maybe it was a fluke, I don't know to be honest. I never did anything dodgy or browsed any dodgy sites either so I have no idea how I got that.
Yes I remember.

I am wary of going on to DSL Zone now in case I get an infection as the security of the site is being put at risk by the lack of security updates and lack of general housekeeping.

Like you, my PC was playing up a few days ago and I don't think it is a coincidence that this happened after visiting DSL Zone!
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 24, 2010, 08:47:58 AM
Quote
I am wary of going on to DSL Zone now in case I get an infection as the security of the site is being put at risk by the lack of security updates and lack of general housekeeping.

The site imo has been poorly run and very rarely updated for a long long time now. I also shall not be returning in the near future. Quite a few members had difficulties actually getting on to the site over the last few weeks, I wonder if that was connected to the attack.
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 24, 2010, 12:13:06 PM
Quote
I am wary of going on to DSL Zone now in case I get an infection as the security of the site is being put at risk by the lack of security updates and lack of general housekeeping.

The site imo has been poorly run and very rarely updated for a long long time now. I also shall not be returning in the near future.
Same here and I'm not happy that my e-mail address may have been harvested by spammers  >:(

Mind you it didn't help that I had used my O2 e-mail address and not a disposable e-mail address like Yahoo for example  :-[



Quote
Quite a few members had difficulties actually getting on to the site over the last few weeks, I wonder if that was connected to the attack.
I was wondering about this too as I also had trouble getting on to the site recently.
Title: Re: Warning - DSLzone site compromised
Post by: thar on March 24, 2010, 01:07:02 PM
Will be sorry to see you guys go... :cry2:

Regards,

thar
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 24, 2010, 03:34:15 PM
I'll be back when my suit comes back from the cleaners....   (https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi281.photobucket.com%2Falbums%2Fkk238%2Fcyber-human_2008%2Funtitled-37.jpg&hash=a43d853250534e76e0ca19d7f6199b8079f8d9c0) (http://s281.photobucket.com/albums/kk238/cyber-human_2008/?action=view&current=untitled-37.jpg)
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on March 24, 2010, 04:19:11 PM
@ the doctor,

I don't see how you can make jokes about something so serious as a malicious website attack  >:(
Title: Re: Warning - DSLzone site compromised
Post by: the doctor on March 24, 2010, 04:38:33 PM
@ the joke is.. it could have been prevented....  >:( >:( >:( >:( >:( >:( >:( >:(
Title: Re: Warning - DSLzone site compromised
Post by: Quasimoto on March 24, 2010, 07:25:13 PM
Could any of these noscript firefox extensions or such have stopped this getting in through firefox? or would it have gotten in regardless?
Title: Re: Warning - DSLzone site compromised
Post by: silversurfer44 on March 24, 2010, 08:04:57 PM
Hi Quasimoto, I use noscript with FF although I run a Linux OS. I don't think the extension would stop something like you all experienced because it did not show up on my machine. My experience with noscript is that it is excellent at stopping unwanted scripts running on the page itself, as for the page banner I don't know. Maybe you could get more information from the noscript website.
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 24, 2010, 10:04:21 PM
Will be sorry to see you guys go... :cry2:

Regards,

thar
Cheers thar.

I can't risk malware getting onto my PC as I use my PC for online banking and also buying stuff online.

I value my security and won't go on to websites that could pose a risk in the future.

We have heard virtually nothing about the type of malware (trojans) and who is to say that it is only our e-mail addresses that have been harvested by spammers?

If the site wasn't kept up to date there could be a case of us having our passwords harvested for example  :hmm:
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 24, 2010, 10:05:57 PM
Could any of these noscript firefox extensions or such have stopped this getting in through firefox? or would it have gotten in regardless?
I also use NoScript and it didn't stop weird things happening on my PC which I assume was caused by the malware?
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 24, 2010, 11:31:57 PM
I'm not sure if there's some new and weird stuff that's going around atm.

I currently have here a laptop for repair that appears to have been root-kitted :(
It's a bit of a nightmare this one - it got past AVG, and according to the owner, got in via an ad displayed on a website that they frequent (nothing naughty).  The time of the attack, and also from looking at their browser history, would seem to confirm this.

Over the years I normally enjoy the challenge of sweeping up infected PCs as viruses are something I sidetracked into when doing my dissertation.
.. But this one is a real nasty.

I'm still working on it.... as Malwarebytes says it's clean, but RootkitRevealer is still showing something weird and I'm still having problems accessing some essential Windows files, but so far this is what it's done/did

~ Disabled access to Control Panel, Task Manager, Sys restore, cmd, Windows event logging and various sys32 files.
~ Disabled regedit - no access to the registry.
~ Disabled:AVG. Stopped access to M$ sites & other AV type sites.
~ Stopped any AV or malware scanners being run such as HJT, malwarebytes.
~ Trojan still ran when in safe mode - had also accessed memory module.
~ Multipart which regenerated itself using polymorphic naming.  Was about a dozen parts so if you didn't get it all at once, it just simply regen'd itself.
~ Took over Windows Administrator account.  I tried to access via administrator in safe mode and it had changed the main admin password so you couldn't get in.
~ Changed numerous policies & permissions (machine was XPHome so no gpedit :/)
~ Blew a massive hole in the firewall and opened various ports, and now the machine was a nice target for just about any piece of crap that was floating around the internet. - To be precise another 23 viruses, trojans and other assorted malware.


Stresses that the above did NOT come from the dslzone attack..  and its NOT the same thing that you guys are seeing.

The point being that new variants of viruses are being released all the time and that's why we must make sure our AV is kept up to date and patched.
I've been online now for about 13/14 yrs and iirc the only time I've ever suffered from such like is back in 2002/2003 on the very night that SQL Slammer was released into the wild.   It got me about 30 mins after it was released... but it was so new that none of the AVs could offer any protection against it.  It was a few days before M$ released a patch for MSDE SQL and even longer before the AVs started offering protection.
:'(

None of us should be too complacent either, because I know of several forums which have been attacked through brand new security issues that have come to light, luckily these were more minor stuff such as spam bot types and not malicious stuff...  but in the world of computing we all have to be constantly alert :/



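The lockout list above (Task Manager, regedit, cmd, System Restore and the firewall disabled; AV tools blocked; Microsoft and AV sites unreachable) is the sort of thing you want to confirm from a clean machine rather than on the infected box, where the tools themselves are being stopped. The following is an added example, not code from the thread: it reads a .reg export taken from the suspect disk plus its hosts file and reports which indicators are set. The registry locations are the documented policy values; the post does not say which mechanism this trojan used, so the IFEO "Debugger" and hosts-file checks are the usual methods and are assumptions here, and all the sample data is constructed.

```python
"""Added example (not from the thread): offline triage of the lockout
indicators kitz lists, read from a .reg export and a hosts file copied
off the suspect disk. Registry paths are the documented policy values;
IFEO/hosts checks are the usual mechanisms, assumed; sample data is
constructed."""

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key.lower(): {name.lower(): value}}; dword -> int, "strings" -> str."""
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            data.setdefault(key, {})
        elif key and line.startswith('"') and '=' in line:
            name, _, val = line.partition('=')
            name = name.strip().strip('"').lower()
            if val.startswith('dword:'):
                data[key][name] = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                data[key][name] = val[1:-1].replace('\\\\', '\\')  # .reg doubles backslashes
    return data

POLICY_HKCU = r'hkey_current_user\software\microsoft\windows\currentversion\policies'
# (key, value name, predicate that means "hostile", what it means)
INDICATORS = [
    (POLICY_HKCU + r'\system', 'disabletaskmgr', lambda v: v == 1, 'Task Manager disabled'),
    (POLICY_HKCU + r'\system', 'disableregistrytools', lambda v: v == 1, 'regedit disabled'),
    (POLICY_HKCU + r'\explorer', 'nocontrolpanel', lambda v: v == 1, 'Control Panel hidden'),
    (r'hkey_current_user\software\policies\microsoft\windows\system', 'disablecmd',
     lambda v: v in (1, 2), 'cmd.exe disabled'),
    (r'hkey_local_machine\software\policies\microsoft\windows nt\systemrestore', 'disablesr',
     lambda v: v == 1, 'System Restore disabled'),
    (r'hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters'
     r'\firewallpolicy\standardprofile', 'enablefirewall', lambda v: v == 0, 'Windows Firewall switched off'),
]
IFEO = r'hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options'
# Update/AV domains that malware commonly pins to 127.0.0.1 in the hosts file (assumed list).
PROTECTED_SITES = ('microsoft.com', 'windowsupdate.com', 'avg.com', 'avira.com',
                   'malwarebytes.org', 'eset.com', 'symantec.com')

def registry_findings(reg):
    hits = []
    for key, name, hostile, meaning in INDICATORS:
        val = reg.get(key, {}).get(name)
        if val is not None and hostile(val):
            hits.append(meaning)
    for key, values in reg.items():
        # A Debugger value under IFEO\<tool>.exe makes Windows launch something else instead of the tool.
        if key.startswith(IFEO + '\\') and 'debugger' in values:
            hits.append('IFEO hijack: %s -> %s' % (key.rsplit('\\', 1)[1], values['debugger']))
    return hits

def hosts_findings(text):
    hits = []
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            h = host.lower()
            if any(h == s or h.endswith('.' + s) for s in PROTECTED_SITES):
                hits.append('hosts hijack: %s -> %s' % (host, fields[0]))
    return hits

def triage(reg_text, hosts_text):
    """All findings, registry first then hosts file, in a stable order."""
    return registry_findings(parse_reg(reg_text)) + hosts_findings(hosts_text)

# Constructed sample data resembling what such a box would export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
'''
SAMPLE_HOSTS = '''# constructed hosts file
127.0.0.1       localhost
127.0.0.1       www.microsoft.com update.microsoft.com
127.0.0.1       free.avg.com
'''

if __name__ == '__main__':
    for finding in triage(SAMPLE_REG, SAMPLE_HOSTS):
        print('-', finding)
```

Export the hives with `reg export` from a boot CD or by mounting the disk on a clean machine (load the offline hive and export it), then run the script against the two files; an empty result is not proof of a clean machine, only that none of these particular switches are thrown.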
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 24, 2010, 11:36:07 PM
The thing here is thar has done a damn good job trying to keep things running smoothly over at dslzone and it's a shame that it's come to this.  I'm pretty sure no-one could have done any more in the same situation.

I will re-iterate and confirm that the malicious code that was injected has now been removed. 
The only person that can advise if the forum software has now been updated and patched is James.
Title: Re: Warning - DSLzone site compromised
Post by: Quasimoto on March 25, 2010, 03:24:42 AM
Yeah, thar has limited access. :/ If only he had full access he could have fixed it much quicker than James.

It really makes one paranoid browsing the net. It took me nearly a whole day to fix mine from Feb 6. So hard to pinpoint these problems down and whatever nasties it disables etc.

The one that happened to mine nuked the login info for the DHCP service as well as other nasties. Thankfully I was triple booting to solve this as it was also stalling or hanging Trend Micro Pro 2010. It just wouldn't load but it wasn't crashing either. I'd probably be in serious snook if my only install was Win7.

I really wish UAC was like OS X accounts or such. Nothing can change unless you enter the admin username and pass. Goes to show how somewhat useless UAC really is.

Saying that, nobody is safe. http://www.neowin.net/news/safari-firefox-and-ie8-hacked-chrome-left-untested
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 25, 2010, 08:05:25 AM
I will re-iterate and confirm that the malicious code that was injected has now been removed. 
The only person that can advise if the forum software has now been updated and patched is James.
Yes it is for this very reason that I won't be visiting there anymore.

I know James is a busy man (running ADSL24) but the lack of clarification is wrong in my opinion.
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 25, 2010, 08:14:18 AM
I'm still working on it.... as Malwarebytes says it's clean, but RootkitRevealer is still showing something weird.
Mmm... I just tried to install the trial version of RootKit Revealer and I got this error message:

(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi44.tinypic.com%2F25u0js8.jpg&hash=5f042c65c638e3602c354509549b521d322cc3b1)


I've not run a rootkit utility before but surely this shouldn't happen?

I think I'm going to restore a Norton Ghost backup image before all this weird behaviour started i.e. around a week ago  ???

Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 25, 2010, 10:35:28 AM
From the screen cap it seems like you're using Vista. Unfortunately RKR doesn't work properly on Vista due to some differences in the O/S.

http://forum.sysinternals.com/topic12028&KW=Vista.html


Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 25, 2010, 11:33:16 AM
From the screen cap it seems like you're using Vista. Unfortunately RKR doesn't work properly on Vista due to some differences in the O/S.

http://forum.sysinternals.com/topic12028&KW=Vista.html
Yes I'm using Vista Home Premium 64-bit.

That explains it, thanks.
Title: Re: Warning - DSLzone site compromised
Post by: Quasimoto on March 26, 2010, 04:47:38 AM
Mmm... I just tried to install the trial version of RootKit Revealer and I got this error message:

http://i44.tinypic.com/25u0js8.jpg


I've not run a rootkit utility before but surely this shouldn't happen?

I think I'm going to restore a Norton Ghost backup image before all this weird behaviour started i.e. around a week ago  ???



Makes you feel kind of paranoid after this doesn't it? I felt all dirty when I cleaned the system out from the infection way back. Somewhat shatters the trust thinking things are failing to work.
Title: Re: Warning - DSLzone site compromised
Post by: HPsauce on March 26, 2010, 09:10:20 AM
I currently have here a laptop for repair that appears to have been root-kitted :(
I've seen quite a few systems in recent weeks with any/all of the "symptoms" you listed, there's been quite a rash of them.
And in most cases once the defences are breached a whole horde of nasties flood in behind.

The worrying thing is that in most cases the users are cautious people with proper protection in place and have no recollection of doing anything risky at all.
Title: Re: Warning - DSLzone site compromised
Post by: silversurfer44 on March 26, 2010, 09:25:40 AM
My greatest sympathies are with anyone who catches one of these nasties. I just wonder though, how many users are running their computer in administrator mode. I have yet to meet a Windows user who runs their computer with a restricted account. One that requires a strong administrator password to allow the installation of applications/executables etc. I frequent a couple of Linux forums, as that is my system choice, and I am amazed how many Windows users want to compromise their Linux system by running it in Root User mode. One can live in the strongest well protected castle going but if the front door has the key left in it then the protection is useless. I know the only sure fire way of not getting infected is to never switch the machine on, but, why not cut the risks and make a user account on the computer? One without administrator privileges.
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 26, 2010, 10:33:35 AM
I've seen quite a few systems in recent weeks with any/all of the "symptoms" you listed, there's been quite a rash of them.
And in most cases once the defences are breached a whole horde of nasties flood in behind.

The worrying thing is that in most cases the users are cautious people with proper protection in place and have no recollection of doing anything risky at all.
That's what got to me, I don't visit dodgy websites or bother with P2P and yet something definitely was up and I only visited a forum!
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 26, 2010, 10:36:33 AM
My greatest sympathies are with anyone who catches one of these nasties. I just wonder though, how many users are running their computer in administrator mode. I have yet to meet a Windows user who runs their computer with a restricted account. One that requires a strong administrator password to allow the installation of applications/executables etc. I frequent a couple of Linux forums, as that is my system choice, and I am amazed how many Windows users want to compromise their Linux system by running it in Root User mode. One can live in the strongest well protected castle going but if the front door has the key left in it then the protection is useless. I know the only sure fire way of not getting infected is to never switch the machine on, but, why not cut the risks and make a user account on the computer? One without administrator privileges.
This latest episode has made me think twice about running my Windows installation in Administrator mode (I have always run it in this mode as it's the default option and I've never bothered to change it  :-[ )

In general everyday use is it a lot of hassle?

I'm running Vista on both my PC's and I found the constant UAC warnings a pain  ???
Title: Re: Warning - DSLzone site compromised
Post by: silversurfer44 on March 26, 2010, 10:48:45 AM
Not wishing to go off topic here, but Mike you are spot on when you say the administrator mode is the default option. That is purely the fault of Microsoft. They do not put any emphasis on running in administrator mode. They could change it if they wish and make it a lot harder for the vagabonds. Unfortunately it may put a few anti-virus companies out of business as well ::)
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 26, 2010, 11:06:37 AM
Not wishing to go off topic here, but Mike you are spot on when you say the administrator mode is the default option. That is purely the fault of Microsoft. They do not put any emphasis on running in administrator mode. They could change it if they wish and make it a lot harder for the vagabonds.
Unfortunately it may put a few anti-virus companies out of business as well ::)
I didn't know that !

In hindsight it's a wonder that Microsoft have not been hassled by the EU for their own AV solution, mind you that's the subject for another debate!
Title: Re: Warning - DSLzone site compromised
Post by: Chrysalis on March 27, 2010, 10:27:01 PM
>> Can you name the website...

Yes I can
- I still even have a copy of part of the code which was injected into the forum index page using javascript.

However I don't think it's wise putting the url up, in case anyone goes clicking or looking at the site...   other than to say it starts with gold.

------

btw - those php errors being seen, were a result of the hackers changing the header in one of the phpbb files when they inserted their own script

please if you don't mind pm me this information.
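The markers described in this exchange (JavaScript injected into the forum index page, a phpBB file edited so that it throws PHP errors) and in the Avira description at the top of the thread (extra iframe/script tags, script bodies carrying encoded code) are all things a site owner can grep for on a copy of the web root before putting the site back online. The following is an added example, not code from the thread or from phpBB: it flags hidden iframes, script tags whose body is obfuscated, script includes from hosts outside an allow-list, and bytes emitted outside a PHP file's `<?php ... ?>` tags, which is one common reason an edited phpBB file starts failing with "headers already sent". The sample pages and the allow-list of script hosts are constructed assumptions.

```python
"""Added example (not from the thread or phpBB): scan web-root files for
the injection markers discussed in the thread. Sample input constructed."""
import os
import re

HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*?(?:width\s*=\s*["\']?0(?!\d)|height\s*=\s*["\']?0(?!\d)'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>', re.I)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
SCRIPT_TAG = re.compile(r'<script\b([^>]*)>(.*?)</script>', re.I | re.S)
# A decoder call plus a long run of %xx / \xNN / \uNNNN escapes is the
# "encrypted code" pattern the AV description refers to.
OBFUSCATION = re.compile(r'\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(', re.I)
ENCODED_RUN = re.compile(r'(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}', re.I)

def host_of(url):
    m = re.match(r'(?:https?:)?//([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else ''

def scan_html(text, allowed_script_hosts):
    """Return a list of (kind, detail) findings for one HTML/template document."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(text):
        src = SRC_ATTR.search(m.group(0))
        findings.append(('hidden_iframe', src.group(1) if src else '<no src>'))
    for attrs, body in SCRIPT_TAG.findall(text):
        src = SRC_ATTR.search(attrs)
        if src:
            host = host_of(src.group(1))
            if host and host not in allowed_script_hosts:
                findings.append(('external_script', host))
        elif OBFUSCATION.search(body) and ENCODED_RUN.search(body):
            findings.append(('obfuscated_script', body.strip()[:40]))
    return findings

def php_stray_output(text):
    """Bytes a pure-code PHP file would emit outside its tags: anything before
    the first '<?php' (a blank line or a UTF-8 BOM counts) or after the last
    '?>' (PHP swallows exactly one newline there). phpBB sets HTTP headers
    late, so such output triggers 'headers already sent' errors. A '?>'
    inside a string near the end of the file will give a false positive."""
    before, sep, rest = text.partition('<?php')
    if not sep:
        return text
    if before:
        return before
    _, sep, tail = rest.rpartition('?>')
    if not sep:
        return ''
    if tail.startswith('\r\n'):
        tail = tail[2:]
    elif tail.startswith('\n'):
        tail = tail[1:]
    return tail

def scan_tree(root, allowed_script_hosts):
    """Walk a copy of the web root; map file path -> findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in ('.html', '.htm', '.tpl', '.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            hits = scan_html(text, allowed_script_hosts)
            if ext == '.php' and php_stray_output(text):
                hits.append(('php_stray_output', repr(php_stray_output(text)[:40])))
            if hits:
                report[path] = hits
    return report

# Constructed samples; 'forum.example.net' stands in for the site's own host.
ALLOWED_SCRIPT_HOSTS = {'forum.example.net'}
CLEAN_PAGE = ('<html><head><script src="http://forum.example.net/forum_fn.js"></script>'
              '</head><body>ok</body></html>')
INFECTED_PAGE = (
    '<html><body>\n'
    '<script src="http://forum.example.net/forum_fn.js"></script>\n'
    '<iframe src="http://attacker.invalid/x.php" width="0" height="0" style="border:0"></iframe>\n'
    '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29"))</script>\n'
    '</body></html>')

if __name__ == '__main__':
    print(scan_html(INFECTED_PAGE, ALLOWED_SCRIPT_HOSTS))
    print(repr(php_stray_output('\n<?php\necho 1;\n')))
```

Run `scan_tree` over an offline copy of the document root, not the live server, and diff anything it flags against a pristine copy of the phpBB release before deciding what is injected and what is the site's own styling.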
Title: Re: Warning - DSLzone site compromised
Post by: Chrysalis on March 27, 2010, 10:32:31 PM

Stresses that the above did NOT come from the dslzone attack..  and its NOT the same thing that you guys are seeing.

The point being that new variants of viruses are being released all the time and that's why we must make sure our AV is kept up to date and patched.
I've been online now for about 13/14 yrs and iirc the only time I've ever suffered from such like is back in 2002/2003 on the very night that SQL Slammer was released into the wild.   It got me about 30 mins after it was released... but it was so new that none of the AVs could offer any protection against it.  It was a few days before M$ released a patch for MSDE SQL and even longer before the AVs started offering protection.
:'(

None of us should be too complacent either, because I know of several forums which have been attacked through brand new security issues that have come to light, luckily these were more minor stuff such as spam bot types and not malicious stuff...  but in the world of computing we all have to be constantly alert :/





What would likely have worked is using a 'proper' limited account alongside software restriction policy.  However it is a bit of a hassle setting it up.  That alone is more powerful than any A/V can ever be.

The problem with A/V is it's a game of cat and mouse, the trojan coder only needs to change a few bytes and suddenly the virus database can't pick it up and then the A/V relies on heuristics which is always hit and miss.  There will always be 0day viruses that are not detected and this situation will never change.

I am very curious to see the infection code as well as the well known trojan site you refer to in pm.  I will then put NOD32 on max hardcore settings on a spare pc to see how that handles it, after that test I will then deploy SRP+limited account setup and see if it can infect me.

Finally was this virus able to infect via all browsers or just specific ones?
Title: Re: Warning - DSLzone site compromised
Post by: Chrysalis on March 27, 2010, 10:39:58 PM
Not wishing to go off topic here, but Mike you are spot on when you say the administrator mode is the default option. That is purely the fault of Microsoft. They do not put any emphasis on running in administrator mode. They could change it if they wish and make it a lot harder for the vagabonds. Unfortunately it may put a few anti-virus companies out of business as well ::)

Windows 8 will very likely change this.

After XP Microsoft realised using admin accounts (finally) is a bad thing to do for general use, admin accounts should only be used for maintenance tasks.  So they deployed UAC in Vista, the problem they had was they could not just change the default to limited accounts since virtually all software was designed to work with admin privileges.  UAC is there to make software developers change their behaviour.  It is a stop gap measure.  The end game is to have limited accounts the default which I am hoping will be the case in Windows 8.  Saying that though I expect most software nowadays will work in limited accounts.

Software restriction policies are a fairly unknown option available; what they do is restrict what paths programs can be executed from, e.g. just from Program Files and the Windows folder can be set.  Since a limited user cannot write to those folders then you have a nightmare scenario for trojans.  That is, the limited user cannot execute programs from a folder they can write to.  So the payload at worst would be able to get itself on the end user hdd in a writeable folder via browser exploit etc., however it will not be able to run due to SRP.
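The property that makes the limited-account + SRP setup work is the one stated above: no folder the user can write to is also a folder they may execute from. It is worth checking that property explicitly, because the two default Unrestricted path rules (the Windows folder and Program Files) cover every subfolder, and a default install has a few user-writable subfolders under Windows. The following is an added example, not code from the thread: it models the SRP decision (most specific matching path rule wins, default level Disallowed) so a rule set can be tested against a list of writable folders, and shows the gap closing once more specific Disallowed rules are added. Real SRP is configured through Group Policy or the Safer registry keys; this only reproduces the decision. The writable-folder list is constructed to resemble a default XP install and is an assumption, as is the tie-break rule in the comment.

```python
"""Added example (not from the thread): a model of SRP path-rule
evaluation used to audit a limited-account + SRP design for folders that
are both writable and executable. Folder lists are constructed."""
import ntpath

DISALLOWED, UNRESTRICTED = 0x0, 0x40000     # SRP security-level values

def _norm(p):
    return ntpath.normpath(p).lower().rstrip('\\')

def srp_level(path, rules, default=DISALLOWED):
    """Level SRP applies to `path` under `rules` = [(folder, level), ...].
    The most specific (longest) matching folder wins; on an exact tie this
    model picks the more restrictive level (an assumption of the model)."""
    target, best = _norm(path), None
    for folder, level in rules:
        f = _norm(folder)
        if target == f or target.startswith(f + '\\'):
            if best is None or len(f) > len(best[0]) or (len(f) == len(best[0]) and level < best[1]):
                best = (f, level)
    return best[1] if best else default

def writable_and_executable(writable_dirs, rules):
    """Folders the limited user can write to AND still execute from: each
    one is a place a browser-dropped payload could be launched."""
    return [d for d in writable_dirs
            if srp_level(ntpath.join(d, 'x.exe'), rules) == UNRESTRICTED]

# The two path rules SRP creates by default: Windows and Program Files, Unrestricted.
BASE_RULES = [(r'C:\Windows', UNRESTRICTED), (r'C:\Program Files', UNRESTRICTED)]

# Constructed: typical places a limited user can write on an XP box. The two
# under C:\Windows inherit Unrestricted from the rule above.
LIMITED_USER_WRITABLE = [
    r'C:\Documents and Settings\mike',
    r'C:\Documents and Settings\mike\Local Settings\Temp',
    r'C:\Documents and Settings\mike\Local Settings\Temporary Internet Files',
    r'C:\Windows\Temp',
    r'C:\Windows\Tasks',
]

# More specific Disallowed rules override the broad Unrestricted ones.
HARDENED_RULES = BASE_RULES + [(r'C:\Windows\Temp', DISALLOWED),
                               (r'C:\Windows\Tasks', DISALLOWED)]

if __name__ == '__main__':
    dropper = r'C:\Documents and Settings\mike\Local Settings\Temp\update.exe'
    print('dropper in %TEMP%:', 'blocked' if srp_level(dropper, BASE_RULES) == DISALLOWED else 'RUNS')
    print('gaps with default rules:', writable_and_executable(LIMITED_USER_WRITABLE, BASE_RULES))
    print('gaps after hardening:  ', writable_and_executable(LIMITED_USER_WRITABLE, HARDENED_RULES))
```

On a real machine, build the writable list from the actual ACLs rather than from a guess, and remember that a path rule is only as good as the folder permissions it relies on: if the user can write into Program Files, the rule is worthless.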
Title: Re: Warning - DSLzone site compromised
Post by: kitz on March 28, 2010, 04:34:18 AM
>> please if you dont mind pm me this information

Done
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on March 28, 2010, 06:17:03 PM
I am very curious to see the infection code as well as the well known trojan site you reffer to in pm.  I will then put nod32 on max hardcore settings on a spare pc to see how that handles it, after that test I will then deploy SRP+limited account setup and see if it can infect me.
You're braver than me  ???

I would only attempt something like this in a sandbox environment !
Title: Re: Warning - DSLzone site compromised
Post by: postie on April 10, 2010, 02:30:20 PM
site still playing up and james hasn't been back on the site since 22nd march when he sorted it out then :(  he has had messages sent to him on adsl24 but nothing and its april 10th now. :no:
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on April 10, 2010, 02:52:24 PM
site still playing up and james hasn't been back on the site since 22nd march when he sorted it out then :(  he has had messages sent to him on adsl24 but nothing and its april 10th now. :no:

I like many others have not been back and have removed it from my bookmarks and into the old dustbin. It's a shame because the site could have been really good if run and maintained properly
Title: Re: Warning - DSLzone site compromised
Post by: kitz on April 10, 2010, 05:04:58 PM
I noticed several days ago that the forums seemed to have vanished.
Title: Re: Warning - DSLzone site compromised
Post by: Browni on April 11, 2010, 12:55:46 PM
The forum is still there, it seems that the home page is broken.

My link to the forum is http://www.dslzoneuk.net/forum/search.php?search_id=newposts

EDIT: Sods law! As soon as I post that link it goes down :)
Title: Re: Warning - DSLzone site compromised
Post by: tuftedduck on April 11, 2010, 01:42:29 PM
Your link opens fine for me, Browni  :)
Title: Re: Warning - DSLzone site compromised
Post by: postie on April 11, 2010, 02:00:18 PM
 ;D  James there now finally,updating. ;D
Title: Re: Warning - DSLzone site compromised
Post by: Browni on April 11, 2010, 02:12:48 PM
Your link opens fine for me, Browni  :)

It's working fine for me now as well.

Just after I posted, James updated the forum software so I was receiving 404 errors :D
Title: Re: Warning - DSLzone site compromised
Post by: UncleUB on April 11, 2010, 04:11:36 PM
Looks like a complete new look for the forums  :o

Is the problem with the site security sorted now?
Title: Re: Warning - DSLzone site compromised
Post by: postie on April 11, 2010, 07:36:01 PM
That's the default phpBB look you can see now, James' post said,

Quote
Hi guys

Please bear with me as I get it upgraded to the latest secure version and also customise the skin etc.

Thanks,

James
Title: Re: Warning - DSLzone site compromised
Post by: Chrysalis on April 15, 2010, 03:30:40 PM
I have lost confidence in the site, he may be playing catch up now but will it just sit there for another load of months without maintenance again afterwards.
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on April 15, 2010, 07:33:30 PM
I have lost confidence in the site, he may be playing catch up now but will it just sit there for another load of months without maintenance again afterwards.
Same here, I'm not going back either.
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on April 15, 2010, 07:51:35 PM
I have recently received an e-mail which I assume is SPAM containing a trojan.

NOD32 seems to have dealt with it by deleting the trojan (below)


(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi42.tinypic.com%2F25k7n7k.jpg&hash=d393f1bfd86c045e7c16af262864b41f0f41b88c)


Just to be on the safe side, I've just run a NOD32 in-depth scan and also a MalwareBytes Anti-Malware scan and both scans haven't found any malware so I assume I'm okay?

I've never had SPAM e-mail in the 2 years that I've been with O2 and so it must be down to the security breach at DSL Zone ?


Below is the Properties info:

(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi43.tinypic.com%2F24yxwlh.jpg&hash=546cd3cb8fbc87ea26ac8c25a6ae0e2d720d6bd7)



p.s. I don't understand how I received it as it isn't really my e-mail address i.e. the portion of the e-mail address that is blacked out  ???

I also knew that it wasn't a genuine e-mail as although I do have a UPS, I certainly didn't send out a UPS on the 13th February to the United States  ::)
Title: Re: Warning - DSLzone site compromised
Post by: CurlyWhirly on April 15, 2010, 07:55:42 PM
I've also had more sense than to reply to it as doing so would only confirm that my e-mail address is active even though it isn't really my e-mail address if you see what I mean  ???


Edit: UPS could possibly stand for 'United Parcel Service' and not 'Interruptible Power Supply'  :-[