Scot Posted July 14, 2006

We're back in operation!

We had trouble last night during the upgrade of the forums software to version 2.1.7 that caused us to revert to a recent backup of our database files. As a result, we lost most of yesterday's posts. The backup was from the wee hours of the morning (U.S. Eastern Time) on July 13. I believe this is the second time SNF has lost a small bit of data. It happens sometimes. We strive to avoid it at all costs.

This was not caused by any sort of hack attack, by the way. We took a very early version of IPB 2.1.7 that installed differently than expected.

We're still on guard for a possible repeat of the recent IFRAME injection that we experienced two days ago. In the private IPSBeyond forums, for IPB owners, many, many other forum owners are having the same problem.

This 2.1.7 version of the software adds an "antivirus" feature in the AdminCP that should help us track down problems like that. It rapidly shows changes to the software that runs the site, and keeps close tabs on any "users" who have had elevated privileges.

I'd like to thank all the forum admins, especially LilBambi and Corrine, for their diligence in vigilance.

I would also like to enlist the help and support of all SNF members. Please report anything suspicious as fast as possible. We don't mind potential false alarms. Better to be safe than sorry.

-- Scot

Guest LilBambi Posted July 14, 2006

Great job! All back up and running beautifully at the moment!

Corrine Posted July 14, 2006

Great work, Scot! Thank you.

striker Posted July 14, 2006

Thanks Scot! And it's fast now too.

kkehoe Posted July 14, 2006

Just wondering if anybody has seen anything like this (edit: disregard, I found the other posts)...

I guess this would have been during the early period of the outage (7/12, 6:40PM EDT). It would hang the browser for a minute and I could close the Script Prompt only by closing the browser. I was able to replicate the behavior 2 or 3 times, including on a different user account.

I realize it's only an exploit for a long since patched vulnerability of IE, so it's not a big deal in and of itself. I'm just curious if it might be tied in with the forum issues.

Kevin

Edited July 14, 2006 by kkehoe

Peachy Posted July 14, 2006

Kevin, were they ever. The forums went offline on the 12 to fix the trojan. The outage with the database issue was the result of a failed upgrade to most recent build of the forum software IPB 2.1.7. Luckily, we managed to lose only half-a-day's postings.

Scot Posted July 14, 2006

Exactly, we pulled the forums down on the evening of the 12th because of the IFRAME injection. Basically, a hacker gained access to our forum software and inserted a line of code at the bottom of all our pages -- including the Forum Is Closed page -- that spewed viruses and trojans and the like to any browser that loaded any of the forums' pages. (On my machine, IE was much more vulnerable than Firefox.) That outage was relatively brief, an hour or two. It was easy to find and delete the malignant line of code.

The next day, yesterday, we had a totally separate problem that arose when we rushed to install a newly released security patch for the forum software. Since the evening of the 12th, we've had no trouble with viruses and the like -- but we remain vigilant.

Hope that helps explain.

-- Scot

havnblast Posted July 14, 2006

Wow I did my upgrade about the same time you did and mine went smoothly thank goodness. I saw a few were having problems tho, I guess this can be expected.

I really hope the attacks against the IPB software slow down cause the last couple months have been terrible.

Let's keep our fingers crossed

ozgeek Posted July 14, 2006

I had a miserable time with this invasion and I used Firefox!!

I contracted 8 viruses, which were picked up by ZoneAlarm but which they couldn't repair. I got the frustrating message that all of them were high level intrusions but that they weren't repairable. They didn't even have a remedy on their website!! I also got the "download this file" intrusion which spawned the viruses.

Windows Defender picked up one and repaired it.

I use ZoneAlarm Internet Security Suite, AdAware, Spybot Search and Destroy, Ewido and Windows Defender. Only Windows Defender did anything about the viruses.

I am SO glad I backed up my hard drive with Acronis True Image. It returned my hard drive to its former glory with NO problems.

Needless to say, I'm in the market for a different security suite. Any recommendations, anyone???

Many thanks to all who worked so hard to get the site back up

Edited July 14, 2006 by ozgeek

teacher Posted July 14, 2006

Jan

You might want to look here: http://forums.scotsnewsletter.com/index.ph...mp;#entry192829

havnblast Posted July 15, 2006

for windows Nod32 puts everything to rest

ozgeek Posted July 15, 2006

> Jan
> You might want to look here: http://forums.scotsnewsletter.com/index.ph...mp;#entry192829

Thanks, Julia

> for windows Nod32 puts everything to rest

Thanks, Kelly,

I've heard some very positive reports about Nod32.

arcturus Posted July 15, 2006

What version of IPB were you upgrading from?

According to this article:
http://www.nessus.org/plugins/index.php?vi...le&id=17609
vulnerability to IFrame injections was resolved with IPB version 2.0.2 going back to October of 2005. Of course that site also gives a risk assessment of 'low'.

havnblast Posted July 15, 2006

2.1.6 to 2.1.7

new methods come out all the time, IPB has been releasing updates it seems like every 3 weeks to keep up

arcturus Posted July 15, 2006

> 2.1.6 to 2.1.7
> new methods come out all the time, IPB has been releasing updates it seems like every 3 weeks to keep up

Sounds amazingly similar to an operating system we all know. Maybe it's time to consider another, more hardened platform that isn't as intrinsically vulnerable as witness to the number of security updates.

Jeber Posted July 15, 2006

I would like to thank Highlander alphaomega for first bringing the exploit to our attention. Had they not posted their concern in such a timely manner, many more of us might have been infected before we'd discovered the cause.

Three cheers for alphaomega!

striker Posted July 15, 2006

Yep! Thanks alphaomega!

Corrine Posted July 15, 2006

And to Pete! for alerting me over at Freedomlist!!!

Bruno Posted July 15, 2006

> Three cheers for alphaomega!

> And to Pete! for alerting me over at Freedomlist!!!

Bruno

crp Posted July 17, 2006

Gee, anyone else use Mozilla 1.7b? I do and avoided all the infections.

However, I now have the problem that my last login is stuck at "Welcome back; your last visit was: Jul 12 2006, 02:50 PM"

Edited July 17, 2006 by crp

Guest LilBambi Posted July 17, 2006

:thumbsup: Thanks alphaomega and Pete! :thumbsup:

Thanks to all who posted and/or emailed about the problems they were experiencing and related what they were using that helped to keep them safer during such an attack.

Edited July 18, 2006 by LilBambi

striker Posted July 17, 2006

I encountered a SQL error and couldn't enter the forums, this was in Firefox in Windows, while trying to check something.

It lasted for about ten minutes, in the meantime I checked with Opera which didn't give any problems. After those ten minutes all was well again and using FF I could enter the forums, albeit it seems to be slower than the previous last one and a half day.

Here's a screenshot of the error:
http://img518.imageshack.us/img518/6572/errores5.gif

alphaomega Posted July 17, 2006

P.S. I just wanted to post and add to the current conversation...in case it may help isolate when exactly the forum got attacked.

I noticed the problem shortly after doing the updates for Windows: Between 3:45am-4:00am 7/12/06 CDT and I posted a query to the forum sometime that morning.

Luckily I did not get infected...

eTrust EZ Firewall - privacy settings filtered it out.

With the filter off...
eTrust EZ Antivirus - detected the attempted infectious stuff in the temporary internet files and cleaned it.

With the antivirus off...
It still got no further than the temp files...since I already had the appropriate microsoft update applied.

Anyway...hopefully no one got infected...and this will all just be history soon...

Cheers

Edited July 18, 2006 by alphaomega

Scot Posted July 17, 2006

Thanks, Alphaomega. I have been wanting to know from people about the earliest they saw the problem. I can't believe we had this problem for about 14 hours before we shut the forums down. This isn't anyone's fault -- at all. It's just surprising, is all.

I want to do anything I can to cut down on the exposure if this ever happens again.

An update for people here: I localized some of the malware code over the weekend. We know a good deal more now about the specific exploit, and we've also eliminated at least some of the code that started the problem. What we don't know, precisely, is how it got there. Still working on that. But we think we've removed the smoking gun. Hopefully some measures we've implemented and the latest security patches from IPS will help prevent further attacks.

-- Scot

Marsden11 Posted July 27, 2006

Site is very very slow and I saw a popup get blocked when I open the forum. I also got runtime errors on lines 1943 and 2033 "Object Expected."

havnblast Posted July 27, 2006

hmmmm I just loaded IE with no popup blocker enabled and nothing happened on this end.

teacher Posted July 27, 2006

Last time I could see it in the page source. I just went through it and did not see anything. It also showed up in my adblock. Neither is the case this time. This was the only site open? Was it on the first page or a page with posts?

Marsden11 Posted July 27, 2006

No other sites open. Main window showing who's online. I just noticed Google blocking the pop-up.

Site is faster now than it was before. Every page was taking 2 minutes plus to load.