Intrusion/Hacking attempts?

Discussion in 'General Discussion / News / Information' started by feejer, Feb 11, 2012.

  1. Champasak

    rob771 - regarding your question "Has the site been compromised?" - aside from the Kaspersky / Avast warnings on individual PCs, there is no discernible indication that it has been compromised. NONE of the Anti-Virus software providers that have an online website checking service find any issues... Therefore it's a mystery why those warnings are appearing in the past few days. That coincides with the upgrade of our vBulletin forum software - no response from vBulletin Tech Support as yet.

    We are very concerned about all of this, and have been working hard to determine exactly what is occurring, and why. During the past year there have been repeated and prolonged attempts by 'a group of known miscreants' intent on hacking the server, website, admin account and individual user accounts. Police and the Ministry of Information & Communications Technology (MICT) are aware of these activities and the investigation is ongoing...

     
  2. rob7711

    These are screen grabs off my laptop of the issue. I am no techie but perhaps they may provide some useful info for admin to work on. Cheers!

    Capture1.

    Capture2.

    Capture3.
     
  3. Champasak

    Hi Rob7711

    Thanks for taking the time to provide those screenshots - the weird thing is, those files don't actually exist on the GT-Rider server... :crazy:
    - examining the directory contents via Smart FTP, those files are not there
    - if you try to open the URL for the image link, all you get is a 404 Page Not Found error

    Tech Support at vBulletin say they don't understand why this is occurring either...
     
  4. LivinLOS

  5. Ian Bungy

    I just tried Your Link LivinLos and got the 404 Page Not Found Error as Admin said? Obviously there is some disparity between computers used I guess? At No time have I had any Warnings? Weird, sorry for those of You who are!
     
  6. rob7711

    You are welcome admin.

    Hmmmmmm .... the plot thickens ..
     
  7. mudboots

    Good morning here from OZ. Having my morning coffee and a read of what is new on GTR before leaving for work ... After reading about Intrusion/Hacking attempts on here over the last week and having none of the talked-about things happen to me, I thought all good.
    But this morning I get a warning..

    THREAT WAS BLOCKED

    FILE NAME: www.gt-rider.com/thailand-motorcycle=forum/images/editor/smilie.gif

    THREAT NAME: Exploit Blackhole Exploit Kit (Type 2115)
     
  8. KenYam

    G'day Ben - my story is same as Mudboots as above but happened last night.

    Cheers Ken F
     
  9. mudboots

    Just happened again, twice in one day.
     
  10. Champasak

    Hi guys

    Thanks to those who have expressed their concern and/or provided screenshots etc.

    An update on the odd issue that's been going on over the past few days:

    • Checks today show that AVG now reports an unidentified "potential threat" issue occurred on 4 unidentified pages on 15th Feb - which is not too helpful... Previously, AVG reported the site as clean.
    • All other AV sites with URL checkers previously listed show no issues
    • In addition, checks on TrendMicro show no issues
     
  11. feejer

    I thought things had settled down as nothing was detected by my firewall for several days. But just got this one a few minutes ago through a completely different ISP in another state and on my desktop at home vs. the laptop. This "attack" is different than the first ones in that it now shows GT-Rider as the actual attacking site. The ones prior were a remote attack from a totally different Russian IP as if GT-Rider was acting as a forwarding server to the IP attempting the intrusion. I have a friend who is a former IT manager and co-owner of a local ISP. If you want, I can bounce this off of him tonight over some beers to see if he has ever encountered/resolved anything like this during his travels.

    I just ran this http://security.symantec.com/nbrt/npe.aspx?lcid=1033 to be sure my desktop has not been compromised and it is clean.

    Webattack4.
     
  12. mudboots

    I am getting a threat every time I enter GTR now, so I have been doing some looking myself. I hate shit popping up on my lappy. Found this about
    THREAT NAME: Exploit Blackhole Exploit Kit (Type 2115) on an AVG forum.

    I am not a super brain when it comes to working bloody computers out, but what I can figure out, I think, is (Master boot record or system driver is infected). If this has happened to the GTR forum web site, has it now been passed on to all of us now? I do not get this warning from any of the other sites I am a member of, and I am the same as most of you: have checked my PC and nothing, so it says.
    I will keep looking and if I find anything that may help will post.

    cheers Brad.

    Re: Blackhole Exploit Kit Removal #190919 - 17.2.2012 15:56 - nemethste (Manager):

    Hello Esinem,

    If you have some resilient infection that keeps coming back, it may mean that your Master boot record or system driver is infected by some rootkit.

    Please restore the master boot record and then scan your computer with an updated AVG Rescue CD.

    You might also want to consider installing AVG which should be able to stop the infection.

    Thank you
    AVG Team
     
  13. mudboots

    Hmmm, seems this is going on all over the place, eBay and so on. Found this also..

    Re: Blackhole Exploit Kit (type 1889)?? - Gabethebabe (Malware Jedi):

    Note that an exploit kit is a piece of software that is designed to exploit (hence the name exploit kit) a collection of known security holes present in common software. E.g. security holes in outdated Java versions, outdated browsers, outdated PDF readers, etc. If a security leak is found by the exploit kit, a mechanism is activated to abuse this security leak and install some piece of malware.

    If you are using Chrome there is a very decent possibility that you are invulnerable to this exploit kit, because Chrome's built-in sandbox has proven at hacker conventions that it is practically impenetrable.
    Also Internet Explorer 8 requires some brilliant script to crack and still it takes 1-2 minutes. Means if you hit a poisoned webpage and get out in 30 seconds, you are safe.

    The weakest link imo in the browser category is Mozilla Firefox, without NoScript. Running that is asking for problems (older IE is definitely worse though).
     
  14. mudboots

    I have had a good look and this seems to be the only answer I have found, but am unsure if it's my computer or the GTR forum server.
    I have also read that it's happening on Facebook, Hotmail, and so on.

    AVG Forums » Other topics » How-Tos » How To Restore The Master Boot Record

    How To Restore The Master Boot Record #147645 - 3.2.2011 11:57 - jirka82 (Manager):

    How to restore the Master Boot Record:

    Sometimes, viruses will copy (a part of) their payload to the Master Boot Record. This portion of the hard drive is not checked and it is difficult to remove the infection from there. When there is a confirmed infection, you can rebuild your Master Boot Record by using a specialized utility:

    MbrFix utility

    1. Download the MbrFix utility.
    2. Extract the downloaded archive to C:\temp.
    3. Run the command line.
    4. Go to the folder with the extracted MbrFix utility by typing this command:

    cd

    - Where is a full path to the respective folder (e.g. "C:\temp")

    5. Run the MbrFix utility using a command in this syntax:

    MbrFix /drive fixmbr {/vista|/win7}

    Where:
    refers to the hard drive number - should be 0 in almost all cases
    {/vista|/win7} are optional parameters for Windows Vista or 7

    Examples:

    To restore MBR code on Windows 2000 or Windows XP systems:

    MbrFix /drive 0 fixmbr

    To restore MBR code on Windows Vista systems:

    MbrFix /drive 0 fixmbr /vista

    To restore MBR code on Windows 7 systems:

    MbrFix /drive 0 fixmbr /win7

    Incorrect usage of the MbrFix utility may render your system unbootable. We recommend using this utility only when asked to do so by a forum moderator.

    Offline mode

    In some cases, the master boot sector needs to be restored in offline mode (to avoid an active infection manipulating the system calls used for rewriting). The Windows operating system offers its own maintenance tools to do so.

    Windows XP

    1. Follow this MS knowledge base article. We recommend using Option 2: Starting the Windows Recovery Console from the Windows XP CD-ROM.
    2. When the recovery console is started, type the fixmbr command and press Enter (this command is described below on the page).
    3. Confirm overwriting of the MBR sector (type Y and press Enter).
    4. After the command is performed, please restart your system by pressing Ctrl + Alt + Del.

    Windows Vista/7

    1. Follow this MS knowledge base article.
    2. Instead of using the plain Bootrec.exe command as described in step 7 of the above linked MS article, type this:

    bootrec.exe /fixmbr

    3. Press Enter.
    4. Restart the computer.

     
  15. monsterman

    I use AVG and it has been blocking this site for 8 days. I have a warning about Trojan tracking software on the GT Rider site ??????
     
  16. Champasak

    Update:
    It seems the Blackhole exploit kit was what I found and removed several days ago. That was embedded in an unused WordPress Calendar plugin. The unsolved mystery is why https://www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif and 2 other files were flagged as infected, as these don't exist on the forum and are not part of the vB4 system - but they may have been part of the previous version removed/replaced over a week ago.

    Feejer: the Norton warning is odd because http://safeweb.norton.com/report/show?url=www.gt-rider.com reports no issues

    Personal Computers
    Keeping your PC clean is a troublesome issue, as no one program detects every form of virus, malware, phishing and/or Trojan ... I run McAfee AV on my own computer. I've experimented overnight with online anti-virus checking for my PC, using;

    McAfee has never reported any issues; Housecall and BitDefender scans showed nothing. However, the ESET service found and quarantined:
    - some suspicious code in Users/BJK/AppData/Local/Temp in 3 temporary directories
    - Trojan-infected code in a backup copy of a client’s site that has been stored on my PC for approx 3 years.

    That’s the underlying problem – it seems no one program is good enough to deal with all threats.
     
  17. LivinLOS

    Without wanting to sound attacking..

    You're saying you DID find, and remove, the Blackhole exploit kit from the server a few days ago??

    I was under the impression that up to now it was all a mystery why the AV warnings were happening and nothing on the site was compromised ??
     
  18. Champasak

    As per 14th Feb - SUCURI.NET - it's possible that the JavaScript code in the WordPress plugin was a Blackhole exploit. From what we've learned this week, poorly written WordPress plugins and design themes using JavaScript are a prime target of the Blackhole exploit kit.

    Given that it triggered a warning on Sucuri.net, we were not going to waste time proving it really was a Blackhole exploit kit before deleting it...

    For your own peace of mind, you could run any/all of the online PC scanning applications previously mentioned;

     
  19. LivinLOS

    Hmm ok.. Well the 'javascript issue' you mentioned on the 14th may well have been it.

    I read the "aside from the Kaspersky / Avast warnings on individual PC's, there is no discernable indication that it has been compromised. NONE of the Anti-Virus software providers that have an online website checking service find any issues... Therefore its a mystery why those warnings are appearing in the past few days" above on the 15th.

    However, if the WordPress plugin was removed back then, why are we still getting warnings from this site if it's now clean?? That doesn't add up to me.

    BTW I am far more likely to get warnings when browsing the forum index than browsing via new posts and threads. In case that helps.
     
  20. Champasak

    I guess the problem is that this JavaScript Blackhole exploit kit is an entirely new breed of website threat. It's clear that not all of the Anti-Virus systems are up to speed on it yet, which no doubt explains the inconsistencies we are experiencing.

    Whilst I routinely deal with cleaning up the aftermath of website hacking, the issue on client sites is usually a security breach. For example, incorrect file or directory permissions, insecure passwords that automated scripts can eventually crack, etc. These breaches allow an external agency to insert code into the site, edit the site's pages, etc. etc.

    In the case of Blackhole exploits, this is breaking into the JavaScript that a site runs as part of an internal program (WordPress / vBulletin etc.), and enabling that code to do something other than what it was designed to do.
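    The kind of check a site admin could run to find injected script of the sort described above, as an added example that is not from this thread or from any AV vendor: a heuristic scan of a web root for obfuscated JavaScript blocks (eval(unescape(...)), hidden 1x1 iframes, long escape blobs) sitting in plugin, theme or core files. The indicator patterns, the paths and the sample file contents are constructed assumptions for the example.

```python
import os
import re
import tempfile

# Heuristic indicators of injected redirector code. Constructed for this
# example, not vendor signatures: legitimately minified scripts can also
# trigger them, so treat a hit as a lead to inspect, not a verdict.
INDICATORS = {
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "document_write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?[01]['\"]?(?:\s|/|>)", re.I),
    "fromcharcode_blob": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
    "long_hex_escape": re.compile(r"(?:\\x[0-9a-f]{2}){40,}", re.I),
}
SCAN_EXTS = (".js", ".php", ".html", ".htm")
LONG_LINE = 1500  # injected blobs are typically appended as one very long line


def scan_text(text):
    """Return the sorted indicator names that fire on one file's contents."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if any(len(line) > LONG_LINE and "eval" in line for line in text.splitlines()):
        hits.add("long_eval_line")
    return sorted(hits)


def scan_tree(root):
    """Walk a web root; return {relative path: [indicators]} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample web root: a clean core script plus a plugin file with an
# obfuscated block appended (stand-in for the unused calendar plugin mentioned
# in the thread; the content is invented for this example and inert).
SAMPLE_FILES = {
    "wp-includes/js/common.js":
        'function toggle(id){var e=document.getElementById(id);'
        'e.style.display=e.style.display=="none"?"":"none";}\n',
    "wp-content/plugins/calendar/calendar.php":
        '<?php /* calendar plugin bootstrap */ add_action("init", "cal_init"); ?>\n'
        '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"));</script>\n'
        '<iframe src="http://example.invalid/in.php" width="1" height="1" '
        'style="visibility:hidden"></iframe>\n',
}


def build_sample_root(root):
    """Write SAMPLE_FILES under root so scan_tree() has something to walk."""
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample root in a temporary directory and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return scan_tree(tmp)
```

    Running demo() flags only the plugin file, with eval_unescape and hidden_iframe; pointing scan_tree() at a real web root gives a list of files to inspect by hand before deleting anything.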
     
  21. feejer

    I believe you are right on the money with this as it is exactly what my friend told me last night. Based on the limited info available, he believes the web hosting server had/has been compromised most likely through legitimately purchased adspace, not the GT-Rider website itself. At least initially. He said that malware exploits are now so profitable by getting personal user info to be later sold on the black market like a commodity, that an "external agency"/cybercriminals will actually purchase adspace and then run their malware infected apps on the server to distribute it to legit sites hosted on that server. So it is likely that GT-Rider was not actually directly targeted, but just got caught up in a messy security breach with the hosting service and got infected with the Blackhole kit later. That seems to explain why my A/V initially did not show GT-Rider listed as the source of the Javacode exploit, but a remote IP address in St. Petersburg.

    As a side note, he said that when his company offered web hosting, they actually blocked entire IP address ranges that originate in Russia due to the extent of the daily threat. After they did that, the spam, intrusion attempts and general headache immediately fell by 90%. He said the crimeware coming out of China is now getting almost as bad. Unfortunately, China is such a global power now, nobody that wants to stay in business could dream of blocking that country out. So expect this problem to get much worse before it gets better. Just have to stay vigilant and be armed with the best firewall/AV you can buy and know how to setup and use it. Still no guarantees, but it's the first line of defense we have and it usually is enough.
     
  22. LivinLOS

  23. Champasak

    LivinLOS - appearances can be deceptive - that was written in response to my questions on that site. The underlying problem being that the file/s in question do not exist, so we cannot determine what on earth that was all about... :-(
     
  24. Champasak

    The problem over the last couple of days was unrelated to the previous issue. It was due to the Data Centre shutting down the entire VPS running 20-odd websites. That was done in response to a phishing attack on a single "under construction" site. I was notified of this by FraudWatch Security on Saturday, 18 February 2012 2:36 a.m.

    I dealt with it immediately; Saturday, 18 February 2012 1:40 AM (my local time)
    - I eliminated the phishing issue on the one site
    - I forwarded the zipped file of inserted stuff as requested by the FraudWatch Security agency
    - I got a “thanks very much in return” at Sent: Saturday, 18 February 2012 3:55 a.m.
    That was 2 days ago, so shutting EVERY site down 24 hours after the problem was satisfactorily resolved was extremely harsh, I’d say… :cry:

    That it was a Sunday was bad timing, as no one from the Hosting Company was available to help...
    - all very stressful, as you can imagine
     
  25. LivinLOS

    Well additional data for you..

    Opening the links that were listed as problematic, even though the files were not there, used to make my virus protection ping..

    Now I open them, I get the GT-R 404 error.. which I wouldn't get to before, as the virus checker halted the action.

    That's testing now, after the outage or update..

    EDIT: post was written before the above explanation of the outage.
     