Page Index Toggle Pages: [1] 2 
Topic Tools
Hot Topic (More than 10 Replies) Google says yabbforum.com is an attacking website (Read 5,903 times)
Homer J. S.
God Member
*****
Offline



Posts: 1,949
Location: Germany

None
Google says yabbforum.com is an attacking website
Feb 14th, 2013 at 4:47pm
Post Tools
Today when I visited yabbforum.com I got a big red warning saying that this site is listed as an attacking one. This happened never before here. Perhaps the code should be checked?
  

My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
www.silenthill-forum.de (YaBB 1.3.1 with 150+ mods)
www.retrogamerwelt.de (YaBB 2.5.2)
Back to top
WWWICQ  
IP Logged
 
Derek Bullock
Ex Member


Re: Google says yabbforum.com is an attacking website
Reply #1 - Feb 14th, 2013 at 4:54pm
Post Tools
More information here - http://www.yabbforum.com/community/YaBB.pl?num=1359579478

It is currently getting fixed Smiley
  
Back to top
 
IP Logged
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Online



Posts: 2,373
Location: Earth

YaBB 2.6.1
Re: Google says yabbforum.com is an attacking website
Reply #2 - Feb 14th, 2013 at 4:55pm
Post Tools
YaBBForum.com has been attacked by hackers - again - (this is due - as near as I know - to a (probable) security issue with the hosting service). The Problem is not with YaBB's code, it's with crud being added through through the security breach. JonB is working on it as we speak.

This does not affect your forum as it's on a different server - although you're likely to get some scary warnings when you go to your Admin Center.

This is NOT due to any weakness in YaBB software security.
  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
Homer J. S.
God Member
*****
Offline



Posts: 1,949
Location: Germany

None
Re: Google says yabbforum.com is an attacking website
Reply #3 - Feb 14th, 2013 at 5:01pm
Post Tools
With "the code should be checked" I did not mean the source code but for example the html files of THIS forum. As I once also had the problem that someone included some scripts into one of my index files.
  

My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
www.silenthill-forum.de (YaBB 1.3.1 with 150+ mods)
www.retrogamerwelt.de (YaBB 2.5.2)
Back to top
WWWICQ  
IP Logged
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Online



Posts: 2,373
Location: Earth

YaBB 2.6.1
Re: Google says yabbforum.com is an attacking website
Reply #4 - Feb 14th, 2013 at 5:16pm
Post Tools
From the looks of things, the problem is probably in a hacked javascript or some sort of 'insert', not in the html itself. And it is being looked at. This isn't the first time YaBBForum has been targeted. (And it seems to me it's gotten more frequent as things gotten busier with good things.)
  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
Homer J. S.
God Member
*****
Offline



Posts: 1,949
Location: Germany

None
Re: Google says yabbforum.com is an attacking website
Reply #5 - Feb 14th, 2013 at 5:26pm
Post Tools
With Firefox I have some points appearing on the top left corner of the forum. Do you also have that? While the site is loading the points increase, like some kind of progress bar. Just mention it 'cause it might help to find the problem.
  

My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
www.silenthill-forum.de (YaBB 1.3.1 with 150+ mods)
www.retrogamerwelt.de (YaBB 2.5.2)
Back to top
WWWICQ  
IP Logged
 
Derek Bullock
Ex Member


Re: Google says yabbforum.com is an attacking website
Reply #6 - Feb 14th, 2013 at 5:45pm
Post Tools
Homer J. S. wrote on Feb 14th, 2013 at 5:26pm:
With Firefox I have some points appearing on the top left corner of the forum. Do you also have that? While the site is loading the points increase, like some kind of progress bar. Just mention it 'cause it might help to find the problem.


Have you got a screen shot??
  
Back to top
 
IP Logged
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Online



Posts: 2,373
Location: Earth

YaBB 2.6.1
Re: Google says yabbforum.com is an attacking website
Reply #7 - Feb 14th, 2013 at 5:53pm
Post Tools
It's crap being loaded from a javascript - I've dropped a note for JonB on it. (You can see the code if you turn have FireFox and FireBug turned on.) It's also raising malformed code flags in MSIE8.
  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,907
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Google says yabbforum.com is an attacking website
Reply #8 - Feb 14th, 2013 at 6:02pm
Post Tools
I can say this - I know exactly 'what' is happening (and what files get injections).  Its the same problem, each time - and a reload of the same files is done. "How' it happens is a problem I do not have the tools for, only the host can deal with these issues.  The permissions and ownership of files is correct.  

I have also used a commercial vulnerability analysis of our server (virtual host) - It shows no critical vulnerabilities, and only two medium alerts, one being that we allow clear-text SMTP authentication, and the other is that phpinfo() is allowed.  We got a score of 81 out of 100, where 100 indicates no vulnerabilities whatever.  Almost all the 'low' items are unapplied updates/patches.  That is actually typical of hosting companies - they don't like to update server software, as they often break the hosted sites in doing so.

Thus two possibilities -

A: one of the pw's on an account assigned to our virtual host is compromised - I'm going to request a complete PW reset.

B: the host farm itself has an exploit that is undiscovered and active (JonB thinks 'mebbe itsa this one').

I am going to do as much polite bitching as I can.

Edited:
Those files were literally re-infected about an hour after my last effort.

I actually DL and save all the bad files.  The current crop contains a different URL - so I know its new.

I am just flatly done with this.  I am going to take action irrespective of the potential flack.

Angry

My anger is inexpressible at this point.  Smiley

« Last Edit: Feb 14th, 2013 at 6:27pm by JonB »  

I find your lack of faith disturbing.
Back to top
IP Logged
 
Bill Myers
God Member
Beta Testers
*****
Online



Posts: 1,676
Location: Los Angeles

YaBB 2.5
Re: Google says yabbforum.com is an attacking website
Reply #9 - Feb 14th, 2013 at 7:37pm
Post Tools
JonB wrote on Feb 14th, 2013 at 6:02pm:
B: the host farm itself has an exploit that is undiscovered and active (JonB thinks 'mebbe itsa this one').

It seems you're right about this, and it seems Dandello has the same opinion. From what I've been able to see ... forwarding to other sites of the same host ... this is not a problem with YaBB, but a problem with the host. Hopefully it'll be resolved soon once and for all. I feel the pain!

I don't seem to have an attachment option while posting, so I've uploaded the Google report about this onto my own site as you can see below:


The photo above is clickable to a larger size for easier reading.


  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
Back to top
IP Logged
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Online



Posts: 2,373
Location: Earth

YaBB 2.6.1
Re: Google says yabbforum.com is an attacking website
Reply #10 - Feb 14th, 2013 at 9:14pm
Post Tools
Some of the Boards just don't have attachment turned on. It's not a member/user level issue.
  

If you only have one solution to a problem you're not trying hard enough!
Back to top
WWW  
IP Logged
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,907
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Google says yabbforum.com is an attacking website
Reply #11 - Feb 15th, 2013 at 5:16pm
Post Tools
I now understand the exploit fully now and can identify its precursor and how the payload works - flat out dead-on. .  I ACTUALLY SAW it work last night.  It was bizarre, like being in the room with an invisible stranger.  "Hey you! crappity smack off & die - leave my home alone!"   I have done everything that is within my limited powers to plug any inadvertent vulnerabilities.  

Corey and I are watching closely, thinking things through and seeing if we can create some temporary counter-measures in the event JonB has not been able to caulk every leak in the Ship of YaBB.

Wink

Edited:
All we are dealing with is the 'leaky d-i-k-e issue'.  I AM the little Dutch Boy. Smiley

The little Dutch Boy has set us up Google Webmaster tools and requested a review as I have the site clean right now.
Roll Eyes
« Last Edit: Feb 15th, 2013 at 5:44pm by JonB »  

I find your lack of faith disturbing.
Back to top
IP Logged
 
Bill Myers
God Member
Beta Testers
*****
Online



Posts: 1,676
Location: Los Angeles

YaBB 2.5
Re: Google says yabbforum.com is an attacking website
Reply #12 - Feb 15th, 2013 at 5:53pm
Post Tools
Way to go!
Smiley
  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
Back to top
IP Logged
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline



Posts: 3,907
Location: Land of the Blazing Sun!

YaBB 2.6.1
Re: Google says yabbforum.com is an attacking website
Reply #13 - Feb 16th, 2013 at 2:50am
Post Tools
touchdown -



Wink
  

I find your lack of faith disturbing.
Back to top
IP Logged
 
freediver
Senior Member
****
Offline



Posts: 518
Re: Google says yabbforum.com is an attacking website
Reply #14 - Feb 16th, 2013 at 3:36am
Post Tools
Sophos is detecting "Troj/Iframe-JG" when I visit this site.
  

Founding member of . I recently upgraded from YaBB 2.2.1 to 2.5 AE to 2.5.2.
Back to top
WWW  
IP Logged
 
Page Index Toggle Pages: [1] 2 
Topic Tools
Bookmarks: del.icio.us Digg Facebook Google Google+ Linked in reddit StumbleUpon Twitter Yahoo
 
  « Board Index ‹ Board  ^Top