Hot Topic (More than 10 Replies) Admin Center A/V warning (Read 3,878 times)
westwegoman
Ex Member
**




YaBB 2.5.2
Admin Center A/V warning
Dec 28th, 2012 at 2:56am
I visited my admin center just now and to my surprise, I got a pop-up from my AV. (see attached)

Is it possible that something is still lurking around from last night's problems?

Also, I have a link that I can PM if needed. I don't want to post it in here.

Edited:
forgot to post the attachment Cheesy
« Last Edit: Dec 28th, 2012 at 2:58am by WestwegoMan »  

YabbAVAttack.bmp ( 542 KB | 48 Downloads )
forumguy99
Junior Member
**
Offline



Posts: 96
Re: Admin Center A/V warning
Reply #1 - Dec 28th, 2012 at 4:10am
WestwegoMan wrote on Dec 28th, 2012 at 2:56am:
I visited my admin center just now and to my surprise, I got a pop-up from my AV. (see attached)

Is it possible that something is still lurking around from last night's problems?

Also, I have a link that I can PM if needed. I don't want to post it in here.

Edited:
forgot to post the attachment Cheesy


That's part of the problem YaBB had. They fixed it.
  
westwegoman
Ex Member
**




YaBB 2.5.2
Re: Admin Center A/V warning
Reply #2 - Dec 28th, 2012 at 4:26am
Either something was missed or I'm being attacked now.

Friggin retards!! (the attackers, that is)
  
depablo
YaBB Moderators
YaBB Next Team
Beta Testers
***
Offline



Posts: 577
Location: UK

None
Re: Admin Center A/V warning
Reply #3 - Dec 28th, 2012 at 5:12am
Clear your cache, temp Internet files etc and try again Smiley
  

Taking a peek behind the mask Wink
westwegoman
Ex Member
**




YaBB 2.5.2
Re: Admin Center A/V warning
Reply #4 - Dec 28th, 2012 at 5:25am
I did that. Still getting pop-ups from my AV program and IE still shows it's waiting for global conference management group website when it's loading. This can't be normal eh?

This is happening on all my YaBB forums.
  

gcmg.bmp ( 183 KB | 51 Downloads )
depablo
YaBB Moderators
YaBB Next Team
Beta Testers
***
Offline



Posts: 577
Location: UK

None
Re: Admin Center A/V warning
Reply #5 - Dec 28th, 2012 at 6:29am
Did you follow the link to the malware site at any time? Maybe you should do a full scan of your system with AV and Malwarebytes etc
Plus CCleaner
« Last Edit: Dec 28th, 2012 at 6:31am by depablo »  

Taking a peek behind the mask Wink
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,932
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Admin Center A/V warning
Reply #6 - Dec 28th, 2012 at 8:56am
Your servers and workstations were never in danger.

That admin panel 'insert' is an inline frame that 'peers' into Yabbforum.com. Our host was attacked last night, and our .htaccess files were screwed for a short period of time as a result. It (the webkit exploit) is a server attack, not a workstation attack - and it was not on your server. It places bogus .htaccess and javascript into a server, and works almost exactly like a 'virus'. Its purpose is to infect servers and spread itself. It's actually a 'packaging' system, not the 'payload'.

Norton (or AVG) was seeing that through the inline frame. Everything actually transpired on our host's system. As it is in the Admin Center, the only person(s) who ever saw the code are administrators who opened the panel before I fixed 'update'. Just scary looking, not an issue. Someone took the offending distribution servers offline earlier, that's why it is showing a 404 on nginx.

I have resolved the problem some time ago, all you need do is refresh the page or clear your cache.  If you are still 'seeing' an error or getting warnings in your Admin Center, then you did not clear your cache correctly - as that code no longer exists.

I should also point out it was never possible to 'spread that' to your users either.

In order to ensure I was correct, I went into yabbforum.com and checked the fixes I made. My correct code is in place and the bad code no longer exists on the server. As the code is no longer there to be read - the only place it can be is in your cache.

OTAY?

Smiley
« Last Edit: Dec 28th, 2012 at 10:45am by JonB »  

I find your lack of faith disturbing.
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,932
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Admin Center A/V warning
Reply #7 - Dec 28th, 2012 at 10:48am
One other thing -

If you want to send screenshots etc, please make them .png or .jpg files.  Bitmap files are huge, eat bandwidth, and make for sloooow refreshes.

Thanks very much
Wink
« Last Edit: Dec 28th, 2012 at 11:25am by JonB »  

plz_no_BMP.png ( 13 KB | 53 Downloads )

I find your lack of faith disturbing.
Elrick.
Forum Moderator
Beta Testers
*****
Offline



Posts: 163
Location: Edge of the Abyss

YaBB 2.6.1
Re: Admin Center A/V warning
Reply #8 - Dec 28th, 2012 at 12:39pm
JonB Quote:
That admin panel 'insert' is an inline frame that 'peers' into Yabbforum.com.

(what’s new at YaBB?). – Updates?.


As this ‘insert’ is integral with the Admin panel, whenever an admin accesses the Admin panel a link is established to YaBB.com and if YaBB is down (as recently) the Admin Panel hangs there waiting for connection.

A while ago I disabled (removed) (with a little help from my friends here at YaBB) these ‘insert’ so there is no link to YaBB updates. Wink

Could these updates ‘insert’ links be made optional to admins on the new 2.5.2 and 3 versions? (or a new patch) to allow admins to choose to disable updates links? – Just a thought! Roll Eyes
  

JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,932
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Admin Center A/V warning
Reply #9 - Dec 28th, 2012 at 2:08pm
Elrick -

That is a valid point and it was already my intention to ask Dandello to put that on the list.

Thanks
Smiley
  

I find your lack of faith disturbing.
Elrick.
Forum Moderator
Beta Testers
*****
Offline



Posts: 163
Location: Edge of the Abyss

YaBB 2.6.1
Re: Admin Center A/V warning
Reply #10 - Dec 28th, 2012 at 2:36pm
JonB wrote on Dec 28th, 2012 at 2:08pm:
Elrick - That is a valid point and it was already my intention to ask Dandello to put that on the list. Thanks:)


Excellent initiative John!

It would be great to have a button available to admin, something like…


  

JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,932
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Admin Center A/V warning
Reply #11 - Dec 28th, 2012 at 2:50pm
In our internal Roadmaps, we are looking at ways to do automated updating (it goes with a new installer and Admin Center), but that is several (one or two) major versions away.

When we release the next version, I will post the next level of Roadmaps.  LOL One step at a time...

Smiley





  

I find your lack of faith disturbing.
westwegoman
Ex Member
**




YaBB 2.5.2
Re: Admin Center A/V warning
Reply #12 - Dec 28th, 2012 at 3:51pm
JonB wrote on Dec 28th, 2012 at 8:56am:
I have resolved the problem some time ago, all you need do is refresh the page or clear your cache.  If you are still 'seeing' an error or getting warnings in your Admin Center, then you did not clear your cache correctly - as that code no longer exists.

OTAY.

I was only wondering since the attacks, or apparent attacks, on my end didn't start until last night and I was under the impression that all had been resolved on Yabbforum.com. At that time, I assumed that it may have still been lurking around since I only got a warning when visiting the admin ctrs. My thought was that it was from the links within the admin ctr.

It was happening in all admin ctrs (2.5AE and 2.5.2), including my test forums. I have probably 10 forums set up. (YaBB OCD) Grin

Elrick. wrote on Dec 28th, 2012 at 12:39pm:
A while ago I disabled (removed) (with a little help from my friends here at YaBB) these ‘insert’ so there is no link to YaBB updates.

I think that will be on my list to do. I visit Yabbforum enough to know when there are updates.

JonB wrote on Dec 28th, 2012 at 10:48am:
One other thing -

If you want to send screenshots etc, please make them .png or .jpg files.  Bitmap files are huge, eat bandwidth, and make for sloooow refreshes.

Thanks very much
Wink

Noted Cheesy

At this time, all appears to be fine Smiley Thanks for your time.
  
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,932
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: YaBBforum.com .htaccess issue.
Reply #13 - Dec 28th, 2012 at 11:13am
Yesterday, I fixed the primary problem; the 'public' .htaccess files that were affecting the Admin Center.

This morning I went through the server with a fine-tooth comb. There were other files affected, but none would likely harm visitors. As far as I can tell, it's a server 'infection' system, not the actual payloads. It puts redirectors on servers. I also think I know how the attack worked now. I think it's a generalized purely scripted attack, not a specific vectored attack. For .htaccess, it places new files where it has mapped them in previous visits. For .js, it appends a 'document.write' where they were mapped. For index.php, it appends an inline frame. JonB's guess is they are using SEO site mappings to locate the targets. I say that because they 'missed' some opportunities. These attacks are usually aimed at server farms.

Heh - I will say that our creation of a 'mirrored test server' for yabbforum.com has just paid a very, very large dividend.

Cool

Edited:
I have used a variety of active site scanning tools and we are 'publicly clean', as is our reputation  Wink
« Last Edit: Dec 28th, 2012 at 4:26pm by JonB »  

norton_safe_web.JPG ( 54 KB | 54 Downloads )

I find your lack of faith disturbing.
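
Added example (not part of the original post and not YaBB's own code): a small Python check for the three file changes described in Reply #13, namely planted .htaccess redirectors, a `document.write` appended to .js files and an inline frame appended to index.php. The regexes, the 400-character tail, the `own_hosts` allow-list and the sample file names and hosts are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristics assumed for this example; they are not the actual attack's signatures.
REDIRECT = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*?https?://([^/\s\"']+)", re.I | re.M)
DOC_WRITE = re.compile(r"document\.write\s*\(", re.I)
IFRAME = re.compile(r"<iframe\b", re.I)
TAIL = 400  # appended code sits at the end of a file, so only the tail is checked

def check_file(path, own_hosts):
    """Return a reason string if the file matches one of the three patterns, else None."""
    name = os.path.basename(path).lower()
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if name == ".htaccess":
        # Redirects to the site's own hosts are expected; anything else is reported.
        foreign = [h for h in REDIRECT.findall(text) if h.lower() not in own_hosts]
        return "redirect to foreign host " + foreign[0] if foreign else None
    if name.endswith(".js") and DOC_WRITE.search(text[-TAIL:]):
        return "document.write at end of script"
    if name == "index.php" and IFRAME.search(text[-TAIL:]):
        return "iframe at end of index.php"

def scan_webroot(root, own_hosts=()):
    """Walk the web root and map relative path -> reason for each suspicious file."""
    hosts, findings = {h.lower() for h in own_hosts}, {}
    for dirpath, _dirs, files in os.walk(root):
        for full in (os.path.join(dirpath, fn) for fn in files):
            reason = check_file(full, hosts)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings

def demo():
    samples = {  # constructed sample tree: one clean file, three tampered ones
        ".htaccess": "RewriteEngine On\nRewriteRule ^old$ https://forum.example/new [R=301,L]\n",
        "img/.htaccess": "RewriteEngine On\nRewriteRule .* http://bad.invalid/in.php [R,L]\n",
        "js/ubb.js": "function ubb() {}\ndocument.write('<iframe src=//bad.invalid/></iframe>');\n",
        "shop/index.php": "<?php echo 'shop'; ?>\n<iframe src='http://bad.invalid/' width=1></iframe>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root, own_hosts=["forum.example"])

if __name__ == "__main__":
    print(demo())
```

Matches are leads for manual review against a known-good copy such as the mirrored test server mentioned above; a legitimate script can also end with `document.write`.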
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,932
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Admin Center A/V warning
Reply #14 - Dec 28th, 2012 at 4:17pm
The last 1 Posts were moved here from Support  & Moderation Concerns [move by] JonB.
  

I find your lack of faith disturbing.