Pages: 1 2 3 [4] 5 6 7

Author Topic: Warning - DSLzone site compromised  (Read 36555 times)

thar

  • Just arrived
  • *
  • Posts: 9
Re: Warning - DSLzone site compromised
« Reply #45 on: March 22, 2010, 08:52:48 PM »

Thanks to kitz for your help in resolving this...I've sent you a PM.
Is it sorted yet?
According to the post James made at 12:26 today it is. I'm not getting any more warnings and have scanned my PC and not come up with any nasties thank goodness!
Logged

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #46 on: March 22, 2010, 10:51:39 PM »

Quote
Yep as curly said thanks for the help kitz, as said the keys to the site need to be handed over to thar and the site looked after.
Well someone has to look after the site as James has lost all interest as he's too busy running ADSL24.

Quote
I think the PCs here are clean now, not 100% sure but can't find anything else on them. Can't believe Norton 2010 security suite never even blinked :no: :o It was on a 3 month free trial but no more! Put Microsoft's MSE on for now as I decide what to do. Either go back to NOD32 which did pick up a trojan or try GData again which I liked but was a bit of a resource hog.

I'm running NOD32 V4 and I got no malware warnings!

That's worrying for me as I thought that NOD32 was one of the best AVs out there :(
Logged
Mike

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #47 on: March 22, 2010, 10:57:36 PM »

Quote
I don't plan to even access the site now since I don't know which URLs are infected and it seems from what another person has posted NOD32 may not be able to detect the trojan.

NOD32 didn't detect the trojan, at least on my PC.

I ran Malwarebytes and it came up with malware that had got into the registry (in bold):


Quote
Malwarebytes' Anti-Malware 1.44
Database version: 3898
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

22/03/2010 13:07:33
mbam-log-2010-03-22 (13-07-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 254785
Time elapsed: 46 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully
.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

All is okay now as Malwarebytes sorted it out and I'm thinking of purchasing the paid version as it detected something that NOD32 and Spybot missed.
« Last Edit: March 22, 2010, 11:00:11 PM by CurlyWhirly »
Logged
Mike

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #48 on: March 23, 2010, 08:27:59 AM »

I'm glad that everyone seems to have got their PCs in good order once again. :)
It is disturbing that certain AVs didn't pull this up - why they didn't I don't know.  There are new viruses coming out every day, but one would hope that most AVs would be able to sense a virus pattern!

I strongly suspect the site was first compromised several days ago, which would have been when the database was first accessed.  It would appear that any email addresses/personal info has already been harvested for possible spam targets.
I'm not certain on this... but I would suspect that the most likely cause is that someone took advantage that the forum software was not maintained, and any security patches weren't installed.

The latest events culminating yesterday appear to be a 2nd compromise and someone taking advantage that the site was still insecure.  They edited the main forum index page to include some malicious code.  The PHP warnings were an indication that the original code had in some way been altered.  Whoever did this then inserted a fake image banner file, which was actually a payload hosted at another domain.  The probable idea is to trick your browser into thinking it's an image rather than a virus.

The website behind this is well known to host virus/trojan/malware files, and according to various security reports has been responsible for taking down and/or injecting malware into users of many other compromised sites over the past few days.
According to the diagnostic report it was hosting "23 exploit(s), 17 trojan(s)" specifically for infection of other sites.

I can confirm that the malicious code has been removed.  Presumably James will at some point apply any patches and update the forum software.  Nothing much can be done about the spam situation and any other information held on the database which may have been accessed.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

the doctor

  • Member
  • **
  • Posts: 26
Re: Warning - DSLzone site compromised
« Reply #49 on: March 23, 2010, 09:46:36 AM »

Malwarebytes found it on my PC too.. MSE nothing, Prevx nothing...
Logged
A great philosopher once wrote "Naughty, naughty, very naughty"

the doctor

  • Member
  • **
  • Posts: 26
Re: Warning - DSLzone site compromised
« Reply #50 on: March 23, 2010, 10:14:02 AM »

Done a bit more digging and this looks to be a false positive..   http://forums.malwarebytes.org/index.php?showtopic=7653&st=0
Logged
A great philosopher once wrote "Naughty, naughty, very naughty"

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #51 on: March 23, 2010, 10:29:25 AM »

Quote
I can confirm that the malicious code has been removed.  Presumably James will at some point apply any patches and update the forum software.  Nothing much can be done about the spam situation and any other information held on the database which may have been accessed.

Well I won't be posting on DSL Zone anymore as I think that malware had got on my PC because I visited the site.

I haven't been affected by these sorts of problems for years (touchwood) unless it was sheer coincidence that I got infected after visiting DSL Zone  ::)

James is always too busy with ADSL24 and so I don't think that he will keep the site secure with security patches although it's just my personal opinion.

I've asked to have my e-mail address removed in case similar types of security exploits happen in the future although I'm not holding my breath!
« Last Edit: March 23, 2010, 10:31:29 AM by CurlyWhirly »
Logged
Mike

the doctor

  • Member
  • **
  • Posts: 26
Re: Warning - DSLzone site compromised
« Reply #52 on: March 23, 2010, 11:51:44 AM »

Can you name the website...
Logged
A great philosopher once wrote "Naughty, naughty, very naughty"

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #53 on: March 23, 2010, 09:21:36 PM »

>> Can you name the website...

Yes I can
- I still even have a copy of part of the code which was injected into the forum index page using javascript.

However I don't think it's wise putting the url up, in case anyone goes clicking or looking at the site...   other than to say it starts with gold.

------

btw - those PHP errors being seen were a result of the hackers changing the header in one of the phpbb files when they inserted their own script
« Last Edit: March 23, 2010, 09:28:35 PM by kitz »
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
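kitz's two posts above describe three things a site owner could have checked for automatically: a forum file whose content no longer matches the shipped version, a script or image reference pointing at a host the site does not own, and PHP warnings caused by a file whose header had been altered. The following is an added Python example, not code from this thread, from DSLzone or from phpBB; the file contents, the baseline hashes and every host name in it (including gold.example.invalid) are constructed placeholders.

```python
"""Integrity audit for a small PHP site such as a phpBB forum.

Added example, not DSLzone's or phpBB's code. The file contents, the
baseline and the host names below are constructed for illustration.
Three checks: a file whose hash differs from a known-good baseline, a
script/img/iframe src pointing at a host the site does not own, and
output emitted before the opening <?php tag, which is one common cause
of "headers already sent" PHP warnings.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed known-good index.php (stands in for the vendor copy or a backup).
CLEAN_INDEX = """<?php
define('IN_PHPBB', true);
include($phpbb_root_path . 'common.php');
page_header('Forum Index');
?>
<img src="/images/banner.gif" alt="banner">
"""

# Constructed tampered copy: a script inserted above the PHP header that
# writes an image tag fetched from a host the site does not own.
# "gold.example.invalid" is a placeholder, not the real domain from the thread.
TAMPERED_INDEX = """<script>document.write('<img src="http://gold.example.invalid/banner.gif">');</script>
<?php
define('IN_PHPBB', true);
include($phpbb_root_path . 'common.php');
page_header('Forum Index');
?>
<img src="/images/banner.gif" alt="banner">
"""

# Hosts the site legitimately serves content from (placeholders).
TRUSTED_HOSTS = {"forum.example.org", "static.example.org"}

# src="..." or src='...' on script, img and iframe tags (case-insensitive).
SRC_RE = re.compile(r"<(?:script|img|iframe)\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def sha256_hex(text):
    """Hex SHA-256 of a file's text; used for the baseline manifest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files):
    """path -> sha256 for a dict of known-good file contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def changed_files(baseline, current):
    """Paths whose current hash differs from the baseline or are not in it."""
    return sorted(p for p, c in current.items() if baseline.get(p) != sha256_hex(c))


def external_references(content, trusted_hosts):
    """src URLs in script/img/iframe tags that point at an untrusted host.
    Relative URLs (empty netloc) are the site's own and are ignored."""
    found = []
    for url in SRC_RE.findall(content):
        host = urlparse(url).netloc.lower()
        if host and host not in trusted_hosts:
            found.append(url)
    return found


def leading_output(content):
    """True if anything precedes the opening <?php tag (even a BOM or blank
    line), which makes PHP emit output before header() can be called."""
    return not content.startswith("<?php")


def audit(baseline, current, trusted_hosts):
    """Run all three checks; returns path -> list of findings (empty if clean)."""
    findings = {}
    for path, content in current.items():
        notes = []
        if baseline.get(path) != sha256_hex(content):
            notes.append("hash differs from baseline")
        if path.endswith(".php") and leading_output(content):
            notes.append("output before <?php (headers-already-sent warnings likely)")
        for url in external_references(content, trusted_hosts):
            notes.append("resource loaded from untrusted host: " + url)
        if notes:
            findings[path] = notes
    return findings


if __name__ == "__main__":
    baseline = build_baseline({"index.php": CLEAN_INDEX})
    for path, notes in audit(baseline, {"index.php": TAMPERED_INDEX}, TRUSTED_HOSTS).items():
        print(path)
        for note in notes:
            print("  -", note)
```

Against a real install the baseline would be built from the untouched vendor tarball of the same phpBB version, and the hash check alone catches edits the regex would miss (obfuscated script, a changed include); the src scan and the leading-output check are there to explain *why* a file changed, which is what turns a mismatch into an actionable finding.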

Quasimoto

  • Member
  • **
  • Posts: 12
Re: Warning - DSLzone site compromised
« Reply #54 on: March 24, 2010, 01:53:02 AM »

Quote
>> Can you name the website...

Yes I can
- I still even have a copy of part of the code which was injected into the forum index page using javascript.

However I don't think it's wise putting the url up, in case anyone goes clicking or looking at the site...   other than to say it starts with gold.

------

btw - those PHP errors being seen were a result of the hackers changing the header in one of the phpbb files when they inserted their own script

Go like  w w w dot msn dot co dot uk so it's not clickable, with a big warning not to type it in their address bar. Or a partial part of the address, thingymajig busted site dot net. One would have to be a right moron to even enter it into their address bar.

Oh and by the way will spy bot search and destroy pick this up? I barely ever have the pc on dslzone since my main machine is OS X.

Saying that, I do wonder if this is related... any users here remember a while back from dslzone how I got a nasty going on with Windows 7 way back? Remember my black screen incident at login? Long long welcome screen cycling and DHCP/event logging failing to start and the network adapters were busted etc etc

I did find a trojan in the system restore. Maybe it wasn't related, or maybe it was a fluke, I don't know to be honest. I never did anything dodgy or browsed any dodgy sites either so I have no idea how I got that.

It was sorted from way back though. It was evil though! I was dreading a reformat with that.
Logged
CappySpectrum

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #55 on: March 24, 2010, 08:40:24 AM »

Quote
any users here remember a while back from dslzone how I got a nasty going on with Windows 7 way back? Remember my black screen incident at login? Long long welcome screen cycling and DHCP/event logging failing to start and the network adapters were busted etc etc

I did find a trojan in the system restore. Maybe it wasn't related, or maybe it was a fluke, I don't know to be honest. I never did anything dodgy or browsed any dodgy sites either so I have no idea how I got that.

Yes I remember.

I am wary of going on to DSL Zone now in case I get an infection as the security of the site is being put at risk by the lack of security updates and lack of general housekeeping.

Like you, my PC was playing up a few days ago and I don't think it is a coincidence that this happened after visiting DSL Zone!
Logged
Mike

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: Warning - DSLzone site compromised
« Reply #56 on: March 24, 2010, 08:47:58 AM »

Quote
I am wary of going on to DSL Zone now in case I get an infection as the security of the site is being put at risk by the lack of security updates and lack of general housekeeping.

The site imo has been poorly run and very rarely updated for a long long time now. I also shall not be returning in the near future. Quite a few members had difficulties actually getting on to the site over the last few weeks, I wonder if that was connected to the attack.
Logged

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #57 on: March 24, 2010, 12:13:06 PM »

Quote
I am wary of going on to DSL Zone now in case I get an infection as the security of the site is being put at risk by the lack of security updates and lack of general housekeeping.

The site imo has been poorly run and very rarely updated for a long long time now. I also shall not be returning in the near future.

Same here and I'm not happy that my e-mail address may have been harvested by spammers  >:(

Mind you it didn't help that I had used my O2 e-mail address and not a disposable e-mail address like Yahoo for example  :-[

Quote
Quite a few members had difficulties actually getting on to the site over the last few weeks, I wonder if that was connected to the attack.

I was wondering about this too as I also had trouble getting on to the site recently.
Logged
Mike

thar

  • Just arrived
  • *
  • Posts: 9
Re: Warning - DSLzone site compromised
« Reply #58 on: March 24, 2010, 01:07:02 PM »

Will be sorry to see you guys go... :cry2:

Regards,

thar
Logged

the doctor

  • Member
  • **
  • Posts: 26
Re: Warning - DSLzone site compromised
« Reply #59 on: March 24, 2010, 03:34:15 PM »

I'll be back when my suit comes back from the cleaners....
Logged
A great philosopher once wrote "Naughty, naughty, very naughty"