Security Issues...........

Discussion in 'Computer Corner' started by tubafran, Mar 27, 2011.

  1. Pauli Walnuts

    Pauli Walnuts Moderator Staff Member

    I'm with accidental - I have stopped visiting the site at work and only visit from home on Chrome as this doesn't seem to pick up the virus. So I have no idea if its fixed or not but am not going to try it in IE to find out!
  2. nook1938

    nook1938 Supporting Member

    I have just started back using tmp after quite a while, reading through this thread is not happy reading.
    I have always come onto tmp through the "forums" that is " - powered by vbulletin", never use the home page, nor do I click on any "banners/ adds or use facebook/ twitter or any of the other sites that need your personal details, saying that I did go onto twitter until it asked for information so it could join me with other users, it is now off the computer.

    My thoughts are a process of elimination, remove adds say about "twitter", work your way through the adds/banners until you are clear and no more trouble. When the trouble started and what was on the site at the time is an idea to think about.

    Hope you find the problem John :tup

    Last edited: Jul 14, 2011
  3. phildriscoll

    phildriscoll Moderator Staff Member

    The odds are that the problem is due to a malicious SQL injection rather than any deliberate action on the part of the site owners. The fix most likely involve examination of the site's database content, removal of the hostile javascript which has been embedded in one or more records, and fixing of the vulnerabilty in the vbulletin or system software which allowed the injection in the first place.
  4. Janet Watkins

    Janet Watkins Member

    Same here! I have not been anywhere near tMP on my Windows PC since I had to spend many hours cleaning it up after an infection.
  5. Thirteen Ball

    Thirteen Ball Active Member

    On the plus side, whatever it is, it isn't particularly sophisticated. Kaspersky's not only cleared it off my system but kept it clean ever since. And I'm accessing regularly from home/work using both IE8 and Firefox.
  6. Pauli Walnuts

    Pauli Walnuts Moderator Staff Member

    Whilst Kapersky may well prevent it for Andi, it is not such a simple issue - it appears to be a "drive by" type of infection that you get without ever clicking on anything on the page other than an internal tMp link. I for one will not be touching this site from work ever again - I spent hours having to sort out my work PC to avoid getting IT involved. I also only use it on Chrome at home as that appears to be less vunerable to the attack.
    If, as PhilDriscoll says, it is some kind of sql injection, then John does indeed need to take some action to both identify where it is and to plug the gap that allowed it in. And that is not just running a virus scan on the box by the hosting outfit. Of course, there is a cost involved in that though.

    I have to have external penetration tests on the systems I deploy at work and invariably, sql injection is one of the issues that comes back. The software vendor has to resolve that, not the hosting company nor the end users anti virus package..
  7. TheMusicMan

    TheMusicMan tMP Founder Staff Member

    Errrm... have I understood you correctly...??? I hope you're not referring to me there...
  8. phildriscoll

    phildriscoll Moderator Staff Member

    I was referring to you, but not in the sense that you had deliberately nobbled the site - apologies if that was the impression given!

    I was replying to nook1939 who had suggested that:
    ...and I was trying to say that the problem won't have inadvertently arrived on the site while you were deliberately updating it with banners or a twitter feed.

    I think that there is sufficient evidence in this thread that a malicious attacker has injected some nasty javascript into one or more records in your database. If they've done this via the website it will most likely be either by exploiting an SQL injection vulnerability in vbulletin or by taking advantage of some situation where vbulletin does not correctly sanitise its user supplied input, and thereby causing it to output some active javascript. Alternatively they may have broken into the server via some other route (e.g. weak passwords for ftp or ssh) and modified the database directly (or modified the vbulletin software). No user interaction is required to cause a visiting machine to be trashed other than visiting this site, so we can rule out problems due to users clicking on banner links to advertisers sites.

    If you need any help tracking the problem down, please PM me. I've been a PHP developer for over 15 years, and spend much of my time making sure that servers are secure and that applications are immune from these kind of attacks.
  9. phildriscoll

    phildriscoll Moderator Staff Member

    According to the reports and the AVG warning screenshot in this thread, we are looking at an infection of the site by the Blackhole Toolkit, which according to the info here:
    embeds an iframe, and the remote page referenced in the iframe is what actually contains the exploit code. Note that the Blackhole Toolkit may have evolved to use other methods since the article above was written, but it should provide a good starting point.

    I'm not familiar with the vbulletin software, but hopefully there may be some configuration option to disable iframes in html and bbcode comments. It would be worth searching your raw database data for iframe - that may point up one or more infected records, and also it would be worth searching your vbulletin code and templates for iframe in case someone has broken into the server and modified any of them. Note that the vbulletin code will probably contain legitimate instances of the word iframe as well. Your best bet is to use a text comparison tool such as diff to check that the code running on your site is exactly the same as the copy you originally installed, barring any differences due to configuration and styling tweaks that you know were made by you.
  10. battybarit

    battybarit Member

    Everytime I open up the Mouthpiece I get a message from Microsoft Security Essentials telling me that my computer is at severe risk of being attacked by a piece of software known as 'Exploit:JS/Blacole.A'

    Anyone else get this? So far MSE has removed this every time... but it is worrying nonetheless.....................
  11. Ianroberts

    Ianroberts Well-Known Member

    got a new lappy at home and have put norton on it, every time i log in the site, a window pops up saying norton just blocked an attack !
  12. Jan H

    Jan H Moderator Staff Member

    Can you provide the exact wording of the message, or a logfile from Norton? Does it actually say that an attack was blocked, or was it more of a warning, like some other people seem to get?
    What browser do you use?
    A lot of people do not get this kind of messages, even while using the same security software. (so what is the difference?)
  13. Ianroberts

    Ianroberts Well-Known Member

    New laptop with windows 7 home edition, as for the browser, i dunno, its the one that came with it !

    The wording was that Norton blocked an attack
  14. nook1938

    nook1938 Supporting Member

    I have had non of the troubles that seem to be happening to other users, what I am running is: Windows 7 professional
    Internet Exployer 9
    Avast Internet Security -with the usual Firewall/Virus safety built in.
    Nothing else, no other conflicting software all cacelling each other out.

    I have done tests and nothing is showing anywhere, must be lucky or have the right protection.

  15. Jan H

    Jan H Moderator Staff Member

    I don't get any messages (or problems) either, on differnt laptops/PCs.
    So I'm still having trouble understanding why some people seem to be affected by this, and a lot of others aren't.
  16. MoominDave

    MoominDave Well-Known Member

    It sounds like phildriscoll is pretty clued up on this stuff - sounds like it would be worth taking him up on his offer to help sort it out. Or maybe it's all already in hand? Apologies if I'm poking my nose in.
  17. Ianroberts

    Ianroberts Well-Known Member

    This any help ? its what I get now (as soon as I log in), a screen shot if its any help ?

  18. Jan H

    Jan H Moderator Staff Member

    Thanks for posting the screen shot, put unfotunately for me the resolution is too low to be able to read the warning message.

    The main difference I see with my screen, is that I don't have the add banner on top of the page, because I'm using the Addblock-Plus for Firefox. I don't know if something similar exists for your browser, IE
  19. Ianroberts

    Ianroberts Well-Known Member

    I clicked details and got this, any help ?
  20. Ianroberts

    Ianroberts Well-Known Member

    wont let me post it !

Share This Page