
Author Topic: Warning - DSLzone site compromised  (Read 36545 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Warning - DSLzone site compromised
« on: March 22, 2010, 02:53:03 AM »

Looks like dslzone's website has been compromised.

1) Confidential email addresses held on their server have been disclosed and are now being subjected to spam from other parties.
    It would therefore appear that their database has been hacked & email addresses harvested.

2) Visiting their site & it would appear that some of their CSS has gone haywire, and there's also PHP error messages indicating that the original code has been modified.

3) Avira gives warning messages about the site which it says is infected with malware & trojan.

Quote
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\kitz\Local Settings\Temporary Internet Files\Content.IE5\D1NPA8P7\publ[1].htm.
Action performed: Delete file

-------

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\kitz\Local Settings\Temporary Internet Files\Content.IE5\D1NPA8P7\publ[1].htm.
Action performed: Deny access





Quote
HTML/Infected.WebPage.Gen

Description:
A common attack against the web infrastructure can be the infection of harmless web pages. Some malware changes every HTML file stored on the disc and adds a link (very often an IFrame) to a site hosting malicious code. Other attacks can aim for the web servers and try to insert forwarding to the pages hosted there. The owner of these pages is advised to take them offline. Fix the hole (either on his own PC or on the server), check the pages for infections, clean them and go online again. Infected Web Pages often contain additional Iframe, Object or Script Tags. The Script Tags often contain encrypted Code.


I noticed this after receiving targeted spam mail with information that can only have been obtained from dslzone.
I was about to visit the site to report the issue and why information had been disclosed.... which is when my AV alerted me, and I also noticed all the other symptoms which indicate the site has been hacked and infected.

Proceed with caution.
« Last Edit: March 22, 2010, 03:50:46 AM by kitz »
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #1 on: March 22, 2010, 03:53:18 AM »

A quick scan of their forums (I'm not going to hang around it too long - nor log in to make a post), seems to indicate that some members have picked up a trojan and their machines are now showing signs of infection.

I suggest you stay away.

I've contacted Thar - who seems to be the one doing most of the caretaking for dslzone these days - to advise him of the situation.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: Warning - DSLzone site compromised
« Reply #2 on: March 22, 2010, 06:53:36 AM »

I visited this morning before reading this and didn't have anything pick up on my McAfee security center... The site has been hard to get into of late, taking 4/5 attempts before it would load. This has been reported by quite a few members over there.

Thanks for the warning Kitz  ;)

I have logged out and will stay away for the time being
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #3 on: March 22, 2010, 07:54:24 AM »

>>  and didn't have anything pick up on my McAfee security center

Yeah I noticed that whilst some were saying that their AVs weren't picking up anything, but they were seeing the site oddness, - yet others were saying their AV (not just Avira) were indicating trojan presence.

Whatever way - the database has definitely been compromised and information disclosed to 3rd parties.
I've been a member of that forum before James even had the site properly live (I think my member number is something like no 4) as I used to advise on adsl problems on another of his previous forums, before James even knew anything at all about adsl/ISPs.

When I got the spam last night, I knew exactly where it had come from and the source of disclosure, which is why I headed over that way to report it.

Because the site hasn't been properly maintained for several years and much of the info is outdated, I would hazard a guess that the forum software hasn't had an essential phpBB security patch applied.... which is how a hacker has been able to get in, take info from the database, and inject malicious code.  :(

If this is the case then the forum needs taking down until it's patched and updated.

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #4 on: March 22, 2010, 08:51:15 AM »

OK - here goes...   a bit of detective work on my part to find out what the problem is

  • Database has been compromised
  • dslzone Forum home page has been injected with malicious code
  • Hackers have included a script hosted on a third party server, which carries a nasty payload
  • This 3rd party server is well known to host exploits/trojans and malware

I know which malicious code has been injected, I know where it's being hosted, but I won't publish that info here for the security of members of this forum.

This information should have been picked up yesterday by dslzone and acted upon immediately.  It should not be down to another site to diagnose their problems whilst they remain live and continuing to infect machines for the past 24 hours, and no-one bothering to look into it.

What I also find worrying though is that certain AVs have not picked up on this either.


Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
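Added example, not part of any post in this thread: a site owner's check for the pattern described in the Avira note in the first post and in the findings above, listing `iframe`, `object` and `script` tags that load from hosts outside an allowlist. The function name, the allowlist and the sample page are assumptions constructed for illustration, and the check covers externally loaded tags only, not obfuscated inline script.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Tags the Avira description names as typical carriers of injected content,
# mapped to the attribute that holds the URL they load.
WATCHED = {"iframe": "src", "script": "src", "object": "data"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionAudit(HTMLParser):
    """Collects iframe/object/script tags that load from non-allowlisted hosts."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get(WATCHED[tag], "")).hostname or "").lower()
        if not host or host in self.allowed:
            return  # inline, relative or allowlisted: not a third-party load
        # Zero or one pixel frames and hidden styles are common for injected tags.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        line, _ = self.getpos()
        self.findings.append(
            {"line": line, "tag": tag, "host": host, "hidden": hidden})


def audit_html(html, allowed_hosts):
    """Return one finding per watched tag that loads from an unexpected host."""
    parser = InjectionAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; all hosts use the reserved .example TLD.
SAMPLE = """<html><head>
<script src="/js/forum.js"></script>
<script src="http://cdn.forum.example/lib.js"></script>
</head><body>
<iframe src="http://unknown-host.example/x" width="0" height="0"></iframe>
<p>Forum index</p>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE, {"forum.example", "cdn.forum.example"}):
        print(finding)
```

Run against a known-good copy of the templates first to build the allowlist, then diff the findings after any suspected compromise.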

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: Warning - DSLzone site compromised
« Reply #5 on: March 22, 2010, 09:06:34 AM »

Quote
What I also find worrying though is that certain AVs have not picked up on this either.

 :o

Are you saying that my av (McAfee) might have missed this and I could be infected without me knowing about it.......

What steps can I take to check this.......I ran a full scan on Friday of last week and nothing was reported. Is it worth running again?

Edit......I have not noticed any irregularity on my pc.
« Last Edit: March 22, 2010, 09:11:24 AM by UncleUB »
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #6 on: March 22, 2010, 09:25:13 AM »

I notice in the thread discussion that some members were reporting that their AV wasn't picking up on it.

From what I can see the malicious code isn't being injected on all pages, so you may be ok, but just to be on the safe side I'd run housecall and/or spybot S+D. I notice someone else in that thread say that lavasoft also picks up on it.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Browni

  • Reg Member
  • ***
  • Posts: 137
Re: Warning - DSLzone site compromised
« Reply #7 on: March 22, 2010, 09:28:23 AM »

Hi kitz,

I've joined this forum to say thanks for the above warning, no doubt you will have seen me in the thread regarding the problem on the DSLzone site.

MSE didn't pick up on it but FF threw a wobbly and my java runtime got kicked from memory.

To be safe, I did a system restore to 2 days before, ran housecall & also ran malwarebytes anti malware (the latter confirming I'm clean).

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: Warning - DSLzone site compromised
« Reply #8 on: March 22, 2010, 09:30:28 AM »

Quote
From what I can see the malicious code isn't being injected on all pages, so you may be ok, but just to be on the safe side I'd run housecall and/or spybot S+D.

Can you run these along side my existing McAfee security center?
Logged

postie

  • Member
  • **
  • Posts: 28
Re: Warning - DSLzone site compromised
« Reply #9 on: March 22, 2010, 09:31:27 AM »

On the Laptop yesterday when going to DSL ZONE the free Avira AV on it picked it up but on this desktop running Norton 2010 security suite it hasn't mentioned it. Anyway I believe thar sent a message to James but just in case I have also done so this morning.
Logged

Browni

  • Reg Member
  • ***
  • Posts: 137
Re: Warning - DSLzone site compromised
« Reply #10 on: March 22, 2010, 09:35:09 AM »

Quote
From what I can see the malicious code isn't being injected on all pages, so you may be ok, but just to be on the safe side I'd run housecall and/or spybot S+D.

Can you run these along side my existing McAfee security center?

Yes, these are on demand scanners.

tuftedduck

  • Senior Kitizen
  • ******
  • Posts: 29658
  • Router Luvvin Duck
Re: Warning - DSLzone site compromised
« Reply #11 on: March 22, 2010, 09:38:42 AM »

But be careful with Spybot Search and Destroy if you install it, unkyUb, and make sure that its resident scanner is disabled.....that part of the prog is styled "Teatimer" and can be a pain when trying to work alongside certain av progs.
Logged

Browni

  • Reg Member
  • ***
  • Posts: 137
Re: Warning - DSLzone site compromised
« Reply #12 on: March 22, 2010, 09:41:37 AM »

Quote
But be careful with Spybot Search and Destroy if you install it, unkyUb, and make sure that its resident scanner is disabled.....that part of the prog is styled "Teatimer" and can be a pain when trying to work alongside certain av progs.

Of course, I forgot about that nuisance called teatimer !

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: Warning - DSLzone site compromised
« Reply #13 on: March 22, 2010, 09:43:29 AM »

Quote
But be careful with Spybot Search and Destroy if you install it, unkyUb, and make sure that its resident scanner is disabled.....that part of the prog is styled "Teatimer" and can be a pain when trying to work alongside certain av progs.

This sounds very complicated to me ..........Teatimer?
Logged

tuftedduck

  • Senior Kitizen
  • ******
  • Posts: 29658
  • Router Luvvin Duck
Re: Warning - DSLzone site compromised
« Reply #14 on: March 22, 2010, 09:46:33 AM »

Don't ask where the name comes from....even the Spybot people at Safer Networking don't seem to know.
It is disabled by default ( IIRC )......just don't switch it on..
Logged