Jump to content

We're Back: July 13-14 Outage, Forums Upgrade


Scot

Recommended Posts

We're back in operation!We had trouble last night during the upgrade of the forums software to version 2.1.7 that caused us to revert to a recent backup of our database files. As a result, we lost most of yesterday's posts. The backup was from the wee hours of the morning (U.S. Eastern Time) on July 13. I believe this is the second time SNF has lost a small bit of data. It happens sometimes. We strive to avoid it at all costs.This was not caused by any sort of hack attack, by the way. We took a very early version of IPB 2.1.7 that installed differently than expected.We're still on guard for a possible repeat of the recent IFRAME injection that we experienced two days ago. In the private IPSBeyond forums, for IPB owners, many, many other forum owners are having the same problem.This 2.1.7 version of the software add an "antivirus" feature in the AdminCP that should help us track down problems like that. It rapidly shows changes to the software that runs the site, and keeps a close tabs on any "users" who have had elevated privileges.I'd like to thank all the forum admins, especiall LilBambi and Corrine, for their diligence in vigilance.I would also like to enlist the help and support of all SNF members. Please report anything suspicious as fast as possible. We don't mind potential false alarms. Better to be safe than sorry.-- Scot

Link to comment
Share on other sites

Just wondering if anybody has seen anything like this (edit: disregard, I found the other posts)...screen1.gifI guess this would have been during the early period of the outage (7/12, 6:40PM EDT). It would hang the browser for a minute and I could close the Script Prompt only by closing the browser. I was able to replicate the behavior 2 or 3 times, including on a different user account.I realize it's only an exploit for a long since patched vulnerability of IE, so it's not a big deal in and of itself. I'm just curious if it might be tied in with the forum issues.Kevin

Edited by kkehoe
Link to comment
Share on other sites

Kevin, were they ever. The forums went offline on the 12 to fix the trojan. The outage with the database issue was the result of a failed upgrade to most recent build of the forum software IPB 2.1.7. Luckily, we managed to lose only half-a-day's postings.

Link to comment
Share on other sites

Exactly, we pulled the forums down on the evening of the 12th because of the IFRAME injection. Basically, a hacker gained access to our forum software and inserted a line of code at the bottom of all our pages -- including the Forum Is Closed page -- that spewed virsues and trojans and the like to any browser that loaded any of the forums' pages. (On my machine, IE was much more vulnerable than Firefox.) That outage was relatively brief, an hour or two. It was easy to find and delete the malignant line of code.The next day, yesterday, we had a totally separate problem that arose when we rushed to install a newly released security patch for the forum software. Since the evening of the 12th, we've had no trouble with viruses and the like -- but we remain vigilant.Hope that helps explain.-- Scot

Link to comment
Share on other sites

Wow I did my upgrade about the same time you did and mine went smoothly thank goodness. I saw a few were having problems tho, I guess this can be expected.I really hope the attackes against the IPB software slow down cause the last couple months have been terrible.Let's keep our fingers crossed

Link to comment
Share on other sites

I had a miserable time with this invasion and I used Firefox !!I contracted 8 viruses, which were picked up by ZoneAlarm but which they couldn't repair. I got the frustrating message that all of them were high level intrusions but that they weren't repairable. They didn't even have a remedy on their website !! I also got the "download this file" intrusion which spawned the viruses.Windows Defender picked up one and repaired it.I use ZoneAlarm Internet Security Suite, AdAware, Spybot Search and Destroy , Ewido and Windows Defender. Only Windows Defender did anything about the viruses.I am SO glad I backed up my hard drive with Acronis True Image. It returned my hard drive to it's former glory with NO problems.Needless to say, I'm in the market for a different security suite. Any recommendations, anyone ???Many thanks to all who worked so hard to get the site back up B)

Edited by ozgeek
Link to comment
Share on other sites

2.1.6 to 2.1.7new methods come out all the time, IPB has been releasing updates it seems like every 3 weeks to keep up
Sounds amazingly similar to an operating system we all know :D Maybe it's time to consider another, more hardened platform that isn't asintrinsically vulnerable as witness to the number of security updates.
Link to comment
Share on other sites

I would like to thank Highlander alphaomega for first bringing the exploit to our attention. Had they not posted their concern in such a timely manner, many more of us might have been infected before we'd discovered the cause.Three cheers for alphaomega! :D

Link to comment
Share on other sites

Gee, anyone else use Mozilla 1.7b? I do and avoided all the infections .However, :icon8: I now have the problem that my last login is stuck at "Welcome back; your last visit was: Jul 12 2006, 02:50 PM"

Edited by crp
Link to comment
Share on other sites

Guest LilBambi

:thumbsup:Thanks alphaomega and Pete!:thumbsup:Thanks to all who posted and/or emailed about the problems they were experiencing and related what they were using that helped to keep them safer during such an attack. :icon8:

Edited by LilBambi
Link to comment
Share on other sites

I encountered a SQL error and couldn't enter the forums, this was in Firefox in Windows, while trying to check something.It lasted for about ten minutes, in the meantime I checked with Opera which didn't gave any problems. After those ten minutes all was well again and using FF I could enter the forums, albeit it seems to be slower than the previous last one and a half day.Here's ascreenshot of the error:http://img518.imageshack.us/img518/6572/errores5.gif

Link to comment
Share on other sites

P.S. I just wanted to post and add to the current conversation...in case it may help isolate when exactly the forum got attacked.I noticed the problem shortly after doing the updates for Windows:Between 3:45am-4:00am 7/12/06 CDT and I posted a query to the forum sometime that morning.Luckily I did not get infected...eTrust EZ Firewall - privacy settings filtered it out.With the filter off...eTrust EZ Antivirus - detected the attempted infectious stuffin the temporary internet files and cleaned it.With the antivirus off...It still got no further than the temp files...since I already had the appropriate microsoft update applied.Anyway...hopefully no one got infected...and this will all just be history soon...Cheers

Edited by alphaomega
Link to comment
Share on other sites

Thanks, Alphaomega. I have been wanting to know from people about the earliest they saw the problem. I can't believe we had this problem for about 14 hours before we shut the forums down. This isn't anyone's fault -- at all. It's just surprising, is all.I want to do anything I can to cut down on the exposure if this ever happens again.An update for people here: I localized some of the malware code over the weekend. We know a good deal more now about the specific exploit, and we've also eliminated at least some of the code that started the problem. What we don't konw, precisely, is how it got there. Still working on that. But we think we've removed the smoking gun. Hopefully some measures we've implemented and the latest security patches from IPS will help prevent further attacks. -- Scot

Link to comment
Share on other sites

  • 2 weeks later...

Site is very very slow and I saw a popup get blocked when I open the forum. I also got runtime errors on lines 1943 and 2033 "Object Expected."

Link to comment
Share on other sites

Last time I could see it in the page source. I just went through it and did not see anything. It also showed up in my adblock. Neither is the case this time. This was the only site open? Was it on the first page or a page with posts?

Link to comment
Share on other sites

No other sites open. Main window showing who's online. I just noticed Google blocking the pop-up.Site is faster now than it was before. Every page was taking 2 minutes plus to load.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...