Did you get the trojan?

[JerryM]

I tried to access the forum while it was down, but never got any warning from KAV or Ewido. I guess the trojan was not active at those times.I am not sure what happened. Can a trojan simply attack a site like this, and when you sign in attack you? Or does it attack every thread or when you click on a thread?You can see my ignorance, but I would like to know what did happen if possible.Thanks,Jerry

[Jeber]

While I'm sure you can understand we don't want to go into too fine a detail lest someone else get the cute idea of trying this, I think we can say that someone was able to take advantage of an exploit that the IPB software allowed which let them add code to our site that tried to download a trojan. Thank goodness the code was discovered quickly, removed and the exploit patched. We still can't be sure that all the holes are plugged, thus our asking you good folks to let us know the moment you detect something weird, anything not right in the forum.Better safe than sorry.

[muckshifter]

We still can't be sure that all the holes are plugged, thus our asking you good folks to let us know the moment you detect something weird, anything not right in the forum.

I think Bruno is behaving erratically, he keeps bumping ... better take him offline and give him the once over. I was here!

[Jeber]

Hey muck...I think he's just practicing his Stevie Wonder impersonation for the talent show next month.He may have beak jaundice, though. A bit too yellow, if you know what I mean.

[Grasshopper]

I did not get the critter on my machine, although I don't think I accessed the forum while it was infected and when I finally did try to get on, the site was taken down.I'm clean!

[JerryM]

Hi Jeber,Thanks for the reply.Jerry

[hkspike]

Wow, this seems this a thread hanging in space, without a start. Since I'm sort of mid-process in my switch from Norton, is there any place I should be looking to see if I got hit and ZoneAlarm, WinDef or AVG missed it? I did browse the forum both when the normal "we're down" message was posted and later when the simple text message was up.I missed you guys!

[James M. Fisher]

NOD32 would have nailed it... Saw a post yesterday from someone (can't remember who) who runs it and mentioned NOD32 caught it immediately.

NOD32 caught it before SuperAntiSpyware here. I performed a full virus and spyware scan immediately afterward and all returned clean results.

[MarkWM]

Off topic, but for those of you who use Poco, are you relying on Poco's antispam? What antispam software are you using?-- Scot

Hi Scot,Lest this tidbit get passed over, it is an interesting sideline. I'm relying on PocoMail's spam filter to shuffle my spam into the Junk folder and it's doing a fairly good job - at least as good as Norton IS was. I may yet switch to something else, but Poco has surprised me with its efficiency so far. Training it is as simple as hitting Cntrl+Shft+- when an untagged bit of spam appears in my Inbox.I'm "only" getting perhaps 30 spam emails a day, many of those are coming from a site where I'm webmaster and the filters on the site label them as SPAM before Poco pulls them, so they're immediately shuffled off into Junk.Mark

[Corrine]

Julia,DON'T find them, but instead avoid them. Regards,Jerry

As the cliche goes, Jerry, "Truer words were never spoken!" Its better to keep 'em out in the first place than to have to remove them in the second.

[Scot]

Wow, this seems this a thread hanging in space, without a start. Since I'm sort of mid-process in my switch from Norton, is there any place I should be looking to see if I got hit and ZoneAlarm, WinDef or AVG missed it? I did browse the forum both when the normal "we're down" message was posted and later when the simple text message was up.

hkspike,There are several threads around that treat this. There was really only a short period of time on July 12 when the forums could have given you a bad day as the result of a malware/harcker attack on the forums. Several other IPB forums also experienced this.I'm not sure of the exact amount of time we were exposed, but I'm guessing no more than 6 - 7 hours during the late afternoon and evening (Eastern Time) on July 12. The first message I received about it was a PM at 4PM. Unfortunately, I didn't see that PM for two days. I did get email from several people around 6PM, but I had an evening with my family, and didn't see the problem until a little after 10PM. At around 6:15PM(?), Corrine and Bruno smartly decided to bring the forums down. Around 10:20, I started working on the problem, and it took only 15 minutes or so to find and delete the offending code. The way IPB is set up, the line of bad code only had to be added in one place to make it appear on every page of the forums. So it was easy to figure out and delete.Unfortunately, even with the forums down, the malware code could still infect people who visited the Forums Closed page. That page was also affected by the hack. Next time around (hopefully there isn't a next time), we have a solution for that.Others chime in if your experiences differed, but in my case the appearance of visible bad stuff on my screen running out of IE was so immediately that I sort of doubt you would have missed it. OTOH, you should fully scan your computer with antivirus and antispyware checking software if you visited the forums on July 12. Empty your browser temp files, and if you use Windows, delete the stuff in your Windows Temp folder too. Run scans from several security programs to be sure. Very often even the best program will miss something that another finds.Hope this helps.-- Scot

[Pete!]

.......I'm not sure of the exact amount of time we were exposed, but I'm guessing no more than 6 - 7 hours during the late afternoon and evening (Eastern Time) on July 12. .....

I first noticed it at about 6:40 AM (Eastern) on the 12th. At the time, I didn't know which of several sites that I was browsing had caused it. I had to go to work, so I didn't have time to test.When I got back from work (after 3:30 PM), I went to the sites one at a time until it started to happen again. I didn't spend any time reading posts, but was VERY surprised that people appeared to be happily posting away. (Was I the only one using IE ???).I quickly closed my browser and inquired about it at FreedomList at 5:12 PM.http://www.freedomlist.com/forum/viewtopic.php?t=27476As far as I know Corrine shut down the forum sometime after I posted at FL. (according to her post @FL around 6:00 PM EDT)...Over 11 hours. Probably more ..... it was already in place at 6:40 AM. Edited July 16, 2006 by Pete!

[Keegan]

did this only affect IE users?

[Corrine]

It seems that way, Keegan. However, it could also be coincidence as it appears Kerio & SpyBlocker were the initial gates that protected my system.

[Scot]

I first noticed it at about 6:40 AM (Eastern) on the 12th ... As far as I know Corrine shut down the forum sometime after I posted at FL. (according to her post @FL around 6:00 PM EDT)...Over 11 hours. Probably more ..... it was already in place at 6:40 AM.

Wow, that's a lot earlier than I've heard from anyone else. Not good. You can't just figure the time when Corrine closed the board, because people were still able to get it from the "forum closed" page until i deleted the offending line at about 10:30 PM. So now we have a window of time that's at least 16 hours, and it could well have been in the middle of the night or even late on the 11th.I was working on the forums in Firefox for 20 minutes with zero problems. It wasn't until I switched to IE for about 15 seconds that I saw the inundation of nasties. F-Secure shot down at least four or five different bugs all at once.I have a feeling that if you were using Opera, Firefox, Safari, whatever, that you were relatively immune. Because we got no complaints until about 4PM. Many, many people on SNF use Firefox. I believe almost all of the mods and admins do. Including yours truly. People may not have realized where it was coming from either. I dunno, but we didn't get much notification from members.Please if you see anything like this again, email me at webmaster@scotsnewsletter.com.-- ScotP.S. Pete, I just read the thread you started on FreedomList. In many ways, your post -- though it took awhile -- was the instigating factor in waking us up to the problem. (Oh, and, we took down the ads you referred to at the beginning of this month. The only ads we have currently are Google AdSense.)

[James M. Fisher]

Many, many people on SNF use Firefox. I believe almost all of the mods and admins do. Including yours truly. -- Scot

After this incident, I have switched to FF as my default browser, although NOD32 saved the day here.

[Scot]

James, it's funny, as I was making that post, I was thinking to myself ... James is the only one I can think of who might be using IE. I know Marsden11 does too. I'm sure at least 50% of our members use IE, and then there's the Guests who don't post -- many of those folks may be using IE, I don't know.I should look at the server logs and see what percentage use what. Never bothered to do that.It is strange to me how long it took for people to say they were having a problem. I think putting my email address out there is going to be another step I have to make. Because if you're having an issue when you load the forums in your browser, you're not going to post about it.-- Scot

[James M. Fisher]

I actually sent an email to Bambi on Wednesday @ 4:51pm EST, Scot (with screen caps of NOD32). The forums went offline shortly thereafter.

[teacher]

It took a lot of teamwork to get hte forum down. Bruno and Corrine pulled it down about 6:19 while I was chatting with Fran's Jimmy verifying that she was unavailable and out working and emailing back and forth with Bruno trying to locate folks. What a great team of Admins. You folks rock! PS. What a day I picked to go into Windows and run my updates. If I had not checked for updates in XP and Vista I probably would have avoided it. However, Vista just didn't do a thing with CA. When we figured out what was going on I took the precaution in firefox of blocking the element on the page using adblock.

[Scot]

I actually sent an email to Bambi on Wednesday @ 4:51pm EST, Scot (with screen caps of NOD32).

Yup, there was critical mass at that point. And I'm sure your email was a huge part of that. Corrine and Fran got a bunch of less specific email at around the same time. But the way I heard it, Corrine's first clue to the problem was Pete's post.-- Scot Edited July 17, 2006 by Scot

[Marsden11]

I should point this out...I'm running IE7 beta 3 on top of XP x64. I'm more secure than those running plain XP (32-bit). My XP x64 code is based on Win Server 2003 SP1. I'm running hardware and software DEP on my Athlon64 3700. In addition to the above, my copy of Windows Defender is also 64-bit.I was only running WD to test it's usefulness as a stand alone product. I had pop-ups turned off. WD worked perfectly all by itself!With the site closed, the first pop-up was the *.swf file download. That was followed by the instant WD warning window. I cleared it and refreshed the page where again the WD warning window popped up. I cleared it again and closed IE7. It was the only IE7 window open at the time.I knew instantly the forum was under attack.This brings up what happened several months earlier here where I reported a pop-up script error. That post had me denounced by several of the admins here and questioning whether or not I was pulling some sort of prank.http://forums.scotsnewsletter.com/index.php?showtopic=15222 May 24th, 2006I think the trouble with IPB software was starting to rear it's ugly head at that time...

[Scot]

Marsden,I don't think what you saw several months ago was any sort of malware running on the forums. However, you never know. And as I said then, I always want to keep an open mind. No one objected to what you were saying, just how you said it.I'm really interested in your results with Vista (64-bit or not). If I could have pointed an IE7/Vista machine at the forums that day, I would have just see what would happen. (Hey, it's easy to do in a virtual machine.) Unfortunately, I was a little busy trying to save the forumss -- or really its members -- from disaster. So it's really interesting to hear what happened on your box. Thanks for the details.I think Microsoft has significantly raised the level of security in Vista. I highly doubt it will be the Swiss cheese of security that earlier Windows versions have been.It's still got the biggest target painted on its back, though. So the bad buys will find ways. But Microsoft is finally cranked up (and is maybe even overzealous) about security. I think they will surprise a lot of people with how good Vista is.-- Scot

[redmaledeer]

did this only affect IE users?

My experience agrees with this. I earlier (Post No. 28) said how puzzled I was not to have been infected, even tho I was on the Forum a lot during the attack. I was using Opera or K-Meleon, and that could be the answer. I've long heard about the insecurity of IE, but something like this really drives it home.

[Pete!]

.......P.S. Pete, I just read the thread you started on FreedomList. In many ways, your post -- though it took awhile -- was the instigating factor in waking us up to the problem. (Oh, and, we took down the ads you referred to at the beginning of this month. The only ads we have currently are Google AdSense.)

Sorry it took so long but @ 6:40 AM:

• I had several forums, and one commercial website, open in different windows, and wasn't sure where the nasty was coming from. Frankly, the relative savvy of the people here, put Scot's pretty low on the list of suspects.I had to leave for work shortly. No time to fool around.I hadn't assessed the damage (if any), and didn't want to prolong the exposure.I don't have internet access at work.

After work, I concentrated on the forums where I have some staff responsibility first, then the ones with less sophiscated webmasters (eg trout fishing and flyfishing forums). I came here last.

[Scot]

Pete!Sorry, you don't need to apologize. I was not complaining at all! It's no one's but the forums owner's, admins' and mods' responsibility to protect the forums and communicate about security issues. We are hoping to enlist everyone's help and awareness. You and Alphaomega (see Forum Feedback thread) were the two people we're aware of who saw the problem early. I was honestly thanking you. Even though your post was elsewhere, it did help a lot. Check Corrine's comments in the thread I linked to.-- Scot

[Guest LilBambi]

I would like to second what Scot said.I wish to express my gratitude to those who reported this problem since I did not experience it at all. I think all admins and mods here feel the same way!Thank you and all who aided us by reporting the problems you were experiencing!