
Warning - DSLzone site compromised


kitz:
Looks like dslzone's website has been compromised.

1) Confidential email addresses held on their server have been disclosed and are now being subjected to spam from other parties.
    It would therefore appear that their database has been hacked & email addresses harvested.

2) Visiting their site, it would appear that some of their CSS has gone haywire, and there are also PHP error messages indicating that the original code has been modified.

3) Avira gives warning messages about the site which it says is infected with malware & trojan.


--- Quote ---Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\kitz\Local Settings\Temporary Internet Files\Content.IE5\D1NPA8P7\publ[1].htm.
Action performed: Delete file

-------

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\kitz\Local Settings\Temporary Internet Files\Content.IE5\D1NPA8P7\publ[1].htm.
Action performed: Deny access


--- End quote ---
--- Quote ---HTML/Infected.WebPage.Gen

Description:
A common attack against the web infrastructure can be the infection of harmless web pages. Some malware changes every HTML file stored on the disc and adds a link (very often an IFrame) to a site hosting malicious code. Other attacks can aim for the web servers and try to insert forwarding to the pages hosted there. The owner of these pages is advised to take them offline. Fix the hole (either on his own PC or on the server), check the pages for infections, clean them and go online again. Infected Web Pages often contain additional Iframe, Object or Script Tags. The Script Tags often contain encrypted Code.


--- End quote ---

I noticed this after receiving targeted spam mail with information that can only have been obtained from dslzone.
I was about to visit the site to report the issue and why information had been disclosed.... which is when my AV alerted me, and I also noticed all the other symptoms which indicate the site has been hacked and infected.

Proceed with caution.

kitz:
A quick scan of their forums (I'm not going to hang around it too long - nor log in to make a post), seems to indicate that some members have picked up a trojan and their machines are now showing signs of infection.

I suggest you stay away.

I've contacted Thar - who seems to be the one doing most of the caretaking for dslzone these days - to advise him of the situation.

UncleUB:
I visited this morning before reading this and didn't have anything pick up on my McAfee security center... The site has been hard to get into of late, taking 4/5 attempts before it would load. This has been reported by quite a few members over there.

Thanks for the warning Kitz  ;)

I have logged out and will stay away for the time being

kitz:
>>  and didn't have anything pick up on my McAfee security center

Yeah, I noticed that whilst some were saying that their AVs weren't picking up anything, but they were seeing the site oddness - yet others were saying their AV (not just Avira) was indicating trojan presence.

Whatever way - the database has definitely been compromised and information disclosed to 3rd parties.
I've been a member of that forum before James even had the site properly live (I think my member number is something like no. 4) as I used to advise on adsl problems on another of his previous forums, before James even knew anything at all about adsl/ISPs.

When I got the spam last night, I knew exactly where it had come from and the source of disclosure, which is why I headed over that way to report it.

Because the site hasn't been properly maintained for several years and much of the info is outdated, I would hazard a guess that the forum software hasn't had an essential phpBB security patch applied.... which is how a hacker has been able to get in, take info from the database, and inject malicious code.  :(

If this is the case then the forum needs taking down until it's patched and updated.

kitz:
OK - here goes...   a bit of detective work on my part to find out what the problem is

* Database has been compromised
* dslzone Forum home page has been injected with malicious code
* Hackers have included a script hosted on a third party server, which carries a nasty payload
* This 3rd party server is well known to host exploits/trojans and malware

I know which malicious code has been injected and where it's being hosted, but I won't publish that info here for the security of members of this forum.

This information should have been picked up yesterday by dslzone and acted upon immediately.  It should not be down to another site to diagnose their problems whilst they remain live and continuing to infect machines for the past 24 hours, and no-one bothering to look into it.

What I also find worrying though is that certain AVs have not picked up on this either.
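Added example, not code from the thread or from dslzone: a small Python scanner for the markers the Avira description quoted above lists (extra iframe/script tags, obfuscated script bodies) and the off-site script kitz describes in the list above. The site host, the sample page and the hostnames in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers of obfuscated inline script: eval/unescape wrappers, fromCharCode, long %XX or \xXX runs.
OBFUSCATION = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I)


class InjectionScanner(HTMLParser):
    # Collects (kind, detail) findings: hidden or off-site iframes, off-site scripts, obfuscated script bodies.
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host  # host the page legitimately belongs to (assumed)
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url or "").hostname
        return bool(host) and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden or self._offsite(a.get("src")):
                self.findings.append(("iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if self._offsite(a.get("src")):
                self.findings.append(("script-src", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies through as raw data, so they can be checked for obfuscation
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("script-obfuscated", data.strip()[:40]))


def scan_html(html, site_host):
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a forum front page with an injected hidden iframe and an obfuscated inline loader.
SAMPLE = """<html><head><script src="/forum/js/common.js"></script></head><body><h1>Forum</h1>
<iframe src="http://malicious.example/ld.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script></body></html>"""
```

Run it over a saved copy of a suspect page (for example `scan_html(open("publ.htm").read(), "forum.example")`) and compare against a known-clean copy; an empty result is not proof of a clean page, only the absence of these particular markers.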

