Google says yabbforum.com is an attacking website
Vikash Kumar munda
YaBB Newcomer
Posts: 16
Re: Google says yabbforum.com is an attacking website
Reply #21 - Oct 14th, 2013 at 7:05am
Homer J. S. wrote on Feb 14th, 2013 at 4:47pm:
Today when I visited yabbforum.com I got a big red warning saying that this site is listed as an attacking one. This happened never before here. Perhaps the code should be checked?


This kind of message is generally displayed when a website is compromised by hackers; when the problem is resolved, the message will automatically disappear.
  
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,785
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #20 - Feb 23rd, 2013 at 1:35pm
Just now (~ 1300 GMT) I reloaded all clean code, and changed all the users/PW's (including the server 'admin').  I hesitated to do that, as temporarily at least I have become the 'sole guardian'.  However, I spoke with Dandello last night and we agreed there was not much else we could do.

After I made the changes I was able to get yabbforum.com running again and I am able to run the server's "control panel" and use FTP.

Let's all hope this will bring this plague to an end (in part because I have no more cards to play)

Thanks
Smiley.
  

I find your lack of faith disturbing.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,785
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #19 - Feb 21st, 2013 at 6:42am
Quote:
Maybe send someone from Mossad


those folks do a great job, LOL  Smiley

I think they are out of our budget range however. (still my idea of a good solution)

Smiley
  

I find your lack of faith disturbing.
 
Derek Bullock
Ex Member


Re: Google says yabbforum.com is an attacking website
Reply #18 - Feb 21st, 2013 at 1:56am
Maybe send someone from Mossad.  (Take no prisoners)  Grin Grin Grin Grin
  
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,785
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #17 - Feb 20th, 2013 at 7:14pm
OK, we seem to have weathered the crisis.

A. I made as many changes as I can to reduce the possibility of 're-infection' (although that is not really a correct term).  But for the average user it is close enough. It may be the changes I have made are adequate, but as I don't know how everything was provisioned, and who has/had access, that is very difficult to say '100% for sure'.

I should emphasize what really happened - some PHP pages and script URL's were altered.  The altered files 'pointed to' sites that harbored malware.  There was never a single malware item on YaBB's servers or on any YaBB admin's server install - only pointers.  What AV's and website safety checks were 'hollering about' was the URL patterns of the pointers (they were associated with malware). SO, if you put one of those addresses into a browser, you should run a malware scan.

B. I'm going to discuss some changes with Corey that I think might make us generally less vulnerable. These are structural, not technical.

Thanks to everyone for your continued support of YaBB

Smiley  

Edited:
I stand - somewhat - corrected: there is still a hole.
However I have cleansed the site YET AGAIN.

from Google Webmaster tools:
Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate.
Sample of URLs with malware

I have preserved the evidence intact this time. Let the chips fall where they may.


« Last Edit: Feb 21st, 2013 at 12:18am by JonB »  

I find your lack of faith disturbing.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,785
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #16 - Feb 16th, 2013 at 4:44am
It is only too bad I do not live in London. The problem would be resolved.

Wink
  

I find your lack of faith disturbing.
 
Derek Bullock
Ex Member


Re: Google says yabbforum.com is an attacking website
Reply #15 - Feb 16th, 2013 at 4:16am
A  web query through http://urlquery.net is also detecting some abnormalities

http://urlquery.net/report.php?id=1013857

« Last Edit: Feb 16th, 2013 at 4:23am by »  
 
freediver
Senior Member
Posts: 517
Re: Google says yabbforum.com is an attacking website
Reply #14 - Feb 16th, 2013 at 3:36am
Sophos is detecting "Troj/Iframe-JG" when I visit this site.
  

Founding member of . I recently upgraded from YaBB 2.2.1 to 2.5 AE to 2.5.2.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,785
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #13 - Feb 16th, 2013 at 2:50am
touchdown -



Wink
  

I find your lack of faith disturbing.
 
Bill Myers
God Member
Beta Testers
Posts: 1,557
Location: Los Angeles

YaBB 2.4
Re: Google says yabbforum.com is an attacking website
Reply #12 - Feb 15th, 2013 at 5:53pm
Way to go!
Smiley
  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,785
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #11 - Feb 15th, 2013 at 5:16pm
I now understand the exploit fully and can identify its precursor and how the payload works - flat out dead-on.  I ACTUALLY SAW it work last night.  It was bizarre, like being in the room with an invisible stranger.  "Hey you! crappity smack off & die - leave my home alone!"   I have done everything that is within my limited powers to plug any inadvertent vulnerabilities.

Corey and I are watching closely, thinking things through and seeing if we can create some temporary counter-measures in the event JonB has not been able to caulk every leak in the Ship of YaBB.

Wink

Edited:
All we are dealing with is the 'leaky d-i-k-e issue'.  I AM the little Dutch Boy. Smiley

The little Dutch Boy has set us up Google Webmaster tools and requested a review as I have the site clean right now.
Roll Eyes
« Last Edit: Feb 15th, 2013 at 5:44pm by JonB »  

I find your lack of faith disturbing.
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 2,125
Location: Earth

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #10 - Feb 14th, 2013 at 9:14pm
Some of the Boards just don't have attachment turned on. It's not a member/user level issue.
  

If you only have one solution to a problem you're not trying hard enough!
 
Bill Myers
God Member
Beta Testers
Posts: 1,557
Location: Los Angeles

YaBB 2.4
Re: Google says yabbforum.com is an attacking website
Reply #9 - Feb 14th, 2013 at 7:37pm
JonB wrote on Feb 14th, 2013 at 6:02pm:
B: the host farm itself has an exploit that is undiscovered and active (JonB thinks 'mebbe itsa this one').

It seems you're right about this, and it seems Dandello has the same opinion. From what I've been able to see ... forwarding to other sites of the same host ... this is not a problem with YaBB, but a problem with the host. Hopefully it'll be resolved soon once and for all. I feel the pain!

I don't seem to have an attachment option while posting, so I've uploaded the Google report about this onto my own site as you can see below:


The photo above is clickable to a larger size for easier reading.


  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,785
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #8 - Feb 14th, 2013 at 6:02pm
I can say this - I know exactly 'what' is happening (and what files get injections).  It's the same problem, each time - and a reload of the same files is done. 'How' it happens is a problem I do not have the tools for, only the host can deal with these issues.  The permissions and ownership of files are correct.

I have also used a commercial vulnerability analysis of our server (virtual host) - It shows no critical vulnerabilities, and only two medium alerts, one being that we allow clear-text SMTP authentication, and the other is that phpinfo() is allowed.  We got a score of 81 out of 100, where 100 indicates no vulnerabilities whatever.  Almost all the 'low' items are unapplied updates/patches.  That is actually typical of hosting companies - they don't like to update server software, as they often break the hosted sites in doing so.

Thus two possibilities -

A: one of the pw's on an account assigned to our virtual host is compromised - I'm going to request a complete PW reset.

B: the host farm itself has an exploit that is undiscovered and active (JonB thinks 'mebbe itsa this one').

I am going to do as much polite bitching as I can.

Edited:
Those files were literally re-infected about an hour after my last effort.

I actually DL and save all the bad files.  The current crop contains a different URL - so I know it's new.

I am just flatly done with this.  I am going to take action irrespective of the potential flak.

Angry

My anger is inexpressible at this point.  Smiley

« Last Edit: Feb 14th, 2013 at 6:27pm by JonB »  

I find your lack of faith disturbing.
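
An added example, not part of the thread or of YaBB's code: the reply above describes the same files being re-injected after each reload, and Reply #17 describes the change as added "pointers" to outside sites. One way to catch that cycle is to diff the live web root against the known-clean copy and list any script/iframe targets that are new. The directory layout and the `bad.example.invalid` host are constructed for the demo.

```python
import hashlib, re, tempfile
from pathlib import Path

# src= targets of <script>/<iframe> tags: the kind of "pointer" the thread describes.
SRC_RE = re.compile(r'<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def src_urls(path):
    """All script/iframe src values found in one file."""
    return set(SRC_RE.findall(Path(path).read_text(errors="replace")))

def audit(clean_dir, live_dir):
    """Compare the live tree with the clean copy.
    Returns {relpath: (status, sorted script/iframe URLs not in the clean file)}."""
    clean, live = snapshot(clean_dir), snapshot(live_dir)
    report = {}
    for rel, digest in live.items():
        if rel not in clean:
            report[rel] = ("added", sorted(src_urls(Path(live_dir) / rel)))
        elif clean[rel] != digest:
            new = src_urls(Path(live_dir) / rel) - src_urls(Path(clean_dir) / rel)
            report[rel] = ("modified", sorted(new))
    for rel in clean.keys() - live.keys():
        report[rel] = ("missing", [])
    return report

def demo():
    """Constructed sample: one page in the live tree gains a pointer to a placeholder host."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            d.mkdir()
            (d / "index.php").write_text('<script src="/js/site.js"></script>\n')
            (d / "about.php").write_text("<p>About</p>\n")
        with (live / "index.php").open("a") as f:
            f.write('<iframe src="http://bad.example.invalid/in.php" width=1></iframe>\n')
        return audit(clean, live)

if __name__ == "__main__":
    for rel, (status, urls) in demo().items():
        print(status, rel, urls)
```

Run on a schedule, a report like this also gives the time window of each re-injection, which can be matched against FTP and control-panel logs when asking the host to investigate.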
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 2,125
Location: Earth

YaBB 2.6.0
Re: Google says yabbforum.com is an attacking website
Reply #7 - Feb 14th, 2013 at 5:53pm
It's crap being loaded from a javascript - I've dropped a note for JonB on it. (You can see the code if you have Firefox and Firebug turned on.) It's also raising malformed code flags in MSIE8.
  

If you only have one solution to a problem you're not trying hard enough!
 