 10 Admin Center A/V warning (Read 3,418 times)
Bill Myers
God Member
Beta Testers
*****
Offline



Posts: 1,551
Location: Los Angeles

YaBB 2.4
Now solved. Re: Admin Center A/V warning
Reply #20 - Dec 28th, 2012 at 6:09pm
JonB wrote on Dec 28th, 2012 at 5:08pm:
Depablo found another site scanner I did not know of:

http://sitecheck.sucuri.net/scanner/

Thanks to John of course, but thanks to you as well JonB. The link you provided is much appreciated.

Thankfully, I didn't have the malware problems that others have reported, but I ran scans on the websites on our server just in case, and all of the sites came up clean.

Thanks, also, for getting onto this in such a timely manner. Great job! Smiley

  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
 
depablo
YaBB Moderators
YaBB Next Team
Beta Testers
***
Offline



Posts: 577
Location: UK

None
Re: Admin Center A/V warning
Reply #19 - Dec 28th, 2012 at 5:28pm
It looks like you have to watch out for the web site status, now changed from a few minutes ago to this:
*Cached results from the last 24 hrs.

Gives you a lot of info on infection  Smiley
  

Taking a peek behind the mask Wink
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #18 - Dec 28th, 2012 at 5:08pm
Many thanks to all -

Depablo found another site scanner I did not know of:

http://sitecheck.sucuri.net/scanner/

Cool
« Last Edit: Dec 28th, 2012 at 5:09pm by JonB »  

I find your lack of faith disturbing.
 
westwegoman
Ex Member
**




None
Re: Admin Center A/V warning
Reply #17 - Dec 28th, 2012 at 4:26pm
Just finished running another scan of my system. I am clean Smiley

Although at one point I was concerned, I was quite confident that I was ok on my end. Just wanted to bring to your attention that something may still be lurking, hence my bringing this subject back up.

At this time, all seems fine. Smiley

Thanks for your time, JonB.

Edited:
iFrames removed from my admin ctr. Thanks for that idea, Elrick.
« Last Edit: Dec 28th, 2012 at 4:33pm by WestwegoMan »  
 
Elrick.
YaBB Moderators
Beta Testers
***
Offline



Posts: 158
Location: Edge of the Abyss

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #16 - Dec 28th, 2012 at 4:25pm
WestwegoMan wrote on Dec 28th, 2012 at 3:51pm:
I think that will be on my list to do. I visit Yabbforum enough to know when there are updates.


That was precisely my rationale to remove those 'inserts' (2 of them) as the Admin panel used to get hung in there waiting for other servers to respond just when I needed to act quickly on the Admin panel! Angry

No longer!!! Cheesy

  

~ Elrick ~
There is no direct experience of reality without interpretation; and all interpretation is corrupted by the cultural and personal prejudices or prejudgments of the interpreter.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #15 - Dec 28th, 2012 at 4:18pm
There was yet another fragment of that code that found its way into a php file also in 'update'. However, although it was detectable in the source (so an AV program could see the apparent link), because of the way it was appended, it was never actionable.

I have now gone through (visual inspection) all the .htaccess, PHP, and JavaScript on Yabbforum.com, and tested the site with multiple threat scanners.

Earlier - Also From the Support & Moderators Board:

Quote:
I guess I need to again reassure everyone

- there was never any code on YOUR servers

- it's a server re-direction virus, not the payloads

- there was NEVER any danger to your users or ours as the exploit:

A. On YaBBforum.com, it broke everything, so nothing was delivered, we are 100% reliant on a complicated piece of .htaccess in the web root; thus everything errored out. That is why this forum was broken (that was the first sign).

B. The second instance was put in 'update' which is ONLY linked to the Admin Center, it's a private feed. It has no external links, so ONLY YaBB administrators going into the Admin Center ever saw the URL (and they saw it in their browsers). Your SERVER never, ever saw that URL, because it had no part in delivering it. That is what an inline frame does, it lets a browser deliver a URL embedded in another page.

- What the AV programs were complaining about was a 'URL Pattern'. If you go look in the quarantine, I'm pretty sure you will find that what is there is not a complete HTML page, rather a URL link file. If I am wrong let me know.

I think in order to reassure yourselves you should scan your machines. Again - NOTHING was ever on your servers.


Good Luck
Wink
  

I find your lack of faith disturbing.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #14 - Dec 28th, 2012 at 4:17pm
The last 1 Posts were moved here from Support  & Moderation Concerns [move by] JonB.
  

I find your lack of faith disturbing.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: YaBBforum.com .htaccess issue.
Reply #13 - Dec 28th, 2012 at 11:13am
Yesterday, I fixed the primary problem; the 'public' .htaccess files that were affecting the Admin Center.

This morning I went through the server with a fine-tooth comb. There were other files affected, but none would likely harm visitors. As far as I can tell, it's a server 'infection' system, not the actual payloads. It puts redirectors on servers. I also think I know how the attack worked now. I think it's a generalized purely scripted attack, not a specific vectored attack. For .htaccess, it places new files where it has mapped them in previous visits. For .js, it appends a 'document.write' where they were mapped. For index.php, it appends an inline frame. JonB's guess is they are using SEO site mappings to locate the targets. I say that because they 'missed' some opportunities. These attacks are usually aimed at server farms.

Heh - I will say that our creation of a 'mirrored test server' for yabbforum.com has just paid a very, very large dividend.

Cool

Edited:
I have used a variety of active site scanning tools and we are 'publicly clean', as is our reputation  Wink
« Last Edit: Dec 28th, 2012 at 4:26pm by JonB »  

norton_safe_web.JPG ( 54 KB | 52 Downloads )

I find your lack of faith disturbing.
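
The three changes described in Reply #13 (new .htaccess files, a `document.write` appended to .js files, an inline frame appended to index.php) can be checked by comparing the live web root against a known-good copy such as the mirrored test server mentioned in that post. This is an added example, not part of the original posts or of YaBB's code; the patterns, file names and the `redirector.invalid` host are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns for the appended content described above (assumed, not exact signatures).
APPENDED = {
    ".js": ("appended document.write", re.compile(rb"document\.write\s*\(", re.I)),
    ".php": ("appended inline frame", re.compile(rb"<iframe\b", re.I)),
}

def read_tree(root):
    """Map relative POSIX path -> file bytes for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def compare(mirror_root, live_root):
    """Return sorted (path, finding) pairs for live files that differ from the mirror."""
    mirror, live = read_tree(mirror_root), read_tree(live_root)
    findings = []
    for path, data in live.items():
        good = mirror.get(path)
        name, ext = Path(path).name, Path(path).suffix.lower()
        if good is None:
            findings.append((path, "new .htaccess" if name == ".htaccess" else "new file"))
        elif data != good:
            label, pattern = APPENDED.get(ext, ("", None))
            hit = pattern and data.startswith(good) and pattern.search(data[len(good):])
            findings.append((path, label if hit else "modified"))
    return sorted(findings)

def demo():
    """Compare two constructed trees (sample data, not the real site's files)."""
    clean = {".htaccess": b"RewriteEngine On\n", "index.php": b"<?php echo 'hi'; ?>\n",
             "js/site.js": b"var ready = true;\n", "about.php": b"<?php ?>\n"}
    live = dict(clean)
    live["index.php"] += b'<iframe src="http://redirector.invalid/"></iframe>\n'
    live["js/site.js"] += b"document.write('<!-- constructed sample -->');\n"
    live["images/.htaccess"] = b"# constructed sample: file absent from the mirror\n"
    live["about.php"] = b"<?php /* edited in place */ ?>\n"
    with tempfile.TemporaryDirectory() as mirror_dir, tempfile.TemporaryDirectory() as live_dir:
        for root, files in ((mirror_dir, clean), (live_dir, live)):
            for rel, body in files.items():
                dest = Path(root, rel)
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(body)
        return compare(mirror_dir, live_dir)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A file is only reported as "appended" when the mirror's bytes are an intact prefix of the live file and the extra tail matches; any other difference is reported as "modified" for manual review.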
 
westwegoman
Ex Member
**




None
Re: Admin Center A/V warning
Reply #12 - Dec 28th, 2012 at 3:51pm
JonB wrote on Dec 28th, 2012 at 8:56am:
I have resolved the problem some time ago, all you need do is refresh the page or clear your cache.  If you are still 'seeing' an error or getting warnings in your Admin Center, then you did not clear your cache correctly - as that code no longer exists.

OTAY.

I was only wondering since the attacks, or apparent attacks, on my end didn't start until last night and I was under the impression that all had been resolved on Yabbforum.com. At that time, I assumed that it may have still been lurking around since I only got a warning when visiting the admin ctrs. My thought was it was from the links within the admin ctr.

It was happening in all admin ctrs (2.5AE and 2.5.2), including my test forums. I have probably 10 forums set up. (YaBB OCD) Grin

Elrick. wrote on Dec 28th, 2012 at 12:39pm:
A while ago I disabled (removed) (with a little help from my friends here at YaBB) these ‘insert’ so there is no link to YaBB updates.

I think that will be on my list to do. I visit Yabbforum enough to know when there are updates.

JonB wrote on Dec 28th, 2012 at 10:48am:
One other thing -

If you want to send screenshots etc, please make them .png or .jpg files.  Bitmap files are huge, eat bandwidth, and make for sloooow refreshes.

Thanks very much
Wink

Noted Cheesy

At this time, all appears to be fine Smiley Thanks for your time.
  
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #11 - Dec 28th, 2012 at 2:50pm
In our internal Roadmaps, we are looking at ways to do automated updating (it goes with a new installer and Admin Center), but that is several (one or two) major versions away.

When we release the next version, I will post the next level of Roadmaps.  LOL One step at a time...

Smiley





  

I find your lack of faith disturbing.
 
Elrick.
YaBB Moderators
Beta Testers
***
Offline



Posts: 158
Location: Edge of the Abyss

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #10 - Dec 28th, 2012 at 2:36pm
JonB wrote on Dec 28th, 2012 at 2:08pm:
Elrick - That is a valid point and it was already my intention to ask Dandello to put that on the list. Thanks:)


Excellent initiative John!

It would be great to have a button available to admin, something like…


  

~ Elrick ~
There is no direct experience of reality without interpretation; and all interpretation is corrupted by the cultural and personal prejudices or prejudgments of the interpreter.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #9 - Dec 28th, 2012 at 2:08pm
Elrick -

That is a valid point and it was already my intention to ask Dandello to put that on the list.

Thanks
Smiley
  

I find your lack of faith disturbing.
 
Elrick.
YaBB Moderators
Beta Testers
***
Offline



Posts: 158
Location: Edge of the Abyss

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #8 - Dec 28th, 2012 at 12:39pm
JohnB Quote:
That admin panel 'insert' is an inline frame that 'peers' into Yabbforum.com.

(what’s new at YaBB?). – Updates?.


As this ‘insert’ is integral with the Admin panel, whenever an admin accesses the Admin panel a link is established to YaBB.com and if YaBB is down (as recently) the Admin Panel hangs there waiting for connection.

A while ago I disabled (removed) (with a little help from my friends here at YaBB) these ‘inserts’ so there is no link to YaBB updates. Wink

Could these updates ‘insert’ links be made optional to admins on the new 2.5.2 and 3 versions? (or a new patch) to allow admins to choose to disable updates links? – Just a thought! Roll Eyes
  

~ Elrick ~
There is no direct experience of reality without interpretation; and all interpretation is corrupted by the cultural and personal prejudices or prejudgments of the interpreter.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #7 - Dec 28th, 2012 at 10:48am
One other thing -

If you want to send screenshots etc, please make them .png or .jpg files.  Bitmap files are huge, eat bandwidth, and make for sloooow refreshes.

Thanks very much
Wink
« Last Edit: Dec 28th, 2012 at 11:25am by JonB »  

plz_no_BMP.png ( 13 KB | 52 Downloads )

I find your lack of faith disturbing.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Admin Center A/V warning
Reply #6 - Dec 28th, 2012 at 8:56am
Your servers and workstations were never in danger

That admin panel 'insert' is an inline frame that 'peers' into Yabbforum.com. Our host was attacked last night, and our .htaccess files were screwed for a short period of time as a result. It (the webkit exploit) is a server attack, not a workstation attack - and it was not on your server. It places bogus .htaccess and javascript into a server, and works almost exactly like a 'virus'. Its purpose is to infect servers and spread itself. It's actually a 'packaging' system, not the 'payload'.

Norton (or AVG) was seeing that through the inline frame. Everything actually transpired on our host's system. As it is in the Admin Center, the only person(s) who ever saw the code are administrators who opened the panel before I fixed 'update'. Just scary looking, not an issue. Someone took the offending distribution servers offline earlier, that's why it is showing a 404 on nginx.

I have resolved the problem some time ago, all you need do is refresh the page or clear your cache.  If you are still 'seeing' an error or getting warnings in your Admin Center, then you did not clear your cache correctly - as that code no longer exists.

I should also point out it was never possible to 'spread that' to your users either.

In order to ensure I was correct, I went into yabbforum.com and checked the fixes I made. My correct code is in place and the bad code no longer exists on the server. As the code is no longer there to be read - the only place it can be is in your cache.

OTAY?

Smiley
« Last Edit: Dec 28th, 2012 at 10:45am by JonB »  

I find your lack of faith disturbing.