RPF Hacked

<div class='quotetop'>(Boba Debt @ Nov 20 2006, 01:08 AM) [snapback]1361514[/snapback]</div>
I got this from the AVG web site



If you have the virus called Java/ByteVerify, your AVG Anti-Virus cannot get rid of this alone so if you are having troubles finding a way to get rid of it, here is a step by step guide for removal.

-Go to your control panel
-(if in Windows XP change over to the classic mode by clicking the link on the left just under your toolbars)
-Open Java Plug-in
-Click on the Cache tab
-Click clear

-To stop this from happening again uncheck the enable caching

This should clear all of these viruses right off of your computer and stop this from happening again.
[/b]


That's the one I got... Thanks Dave...

<div class='quotetop'>(thatguyno1 @ Nov 20 2006, 01:09 AM) [snapback]1361515[/snapback]</div>
I kept getting a window when trying to sign onto RPF that asked if I wanted to open or save a file (something I didn't recognize). I tried cancelling it but it kept coming back every time I tried to get on RPF (after several tries I finally did get the sign-on screen). I could get on other sites without that window popping up so I figured something was going on with the RPF server. AVG found several files right after that - several Java files and the Exploit file. Hope I caught everything in time. I changed all my passwords afterwards.

Paul ô¿ô
[/b]


Ditto too...
 
<div class='quotetop'>(nash @ Nov 19 2006, 08:06 PM) [snapback]1361547[/snapback]</div>
what the hell? are there no better security measures to take? This sucks, if this is going to be a constant ongoing thing, I'm going to stop visiting this site. wow, just wow.
[/b]
Yes, this will happen constantly--every 6 minutes. Our password is 123456, but keep that to yourself. And we don't have any security because security is overrated. ;)

Come on. It's not like we're inviting people to hack the site. Websites get hacked. I think this one happened a little before 5:00, was spotted at 5:07 (we're not on here 24/7) and fixed around 5:30 after assessing the damage (not much) with a hiccup around that time. There were some access problems after that, but it wasn't part of the hack (it was due to passwords changing, and the software not being able to access the SQL database).

I'm very sorry you have been so greatly inconvenienced to the point where you are at a loss for words. Were you even on the site during the hack? :rolleyes
 
<div class='quotetop'>(synasp @ Nov 19 2006, 10:43 PM) [snapback]1361383[/snapback]</div>
What software are you using? Tom said Avast Home works well.

http://www.avast.com/eng/programs.html
[/b]

Can someone confirm this? If this doesn't work, is there another free software that will help in this case? I have no clue if I was infected yesterday :confused
 
<div class='quotetop'>(barbatus @ Nov 20 2006, 07:10 AM) [snapback]1361736[/snapback]</div>
<div class='quotetop'>(synasp @ Nov 19 2006, 10:43 PM) [snapback]1361383[/snapback]</div>
What software are you using? Tom said Avast Home works well.

http://www.avast.com/eng/programs.html
[/b]

Can someone confirm this? If this doesn't work, is there another free software that will help in this case? I have no clue if I was infected yesterday :confused
[/b][/quote]

I have AVG and it is free and it seems to have got all the Viruses listed above. It got one as soon as I logged on and then quarantined another until I could erase it. No problems and a free download with free updates.
 
I had the same problem, connected to the net and as soon as I clicked on the RPF link I got hit with two viruses. I've got rid of them now though using antivirus program.

Keith.
 
If you are seriously considering not coming to the RPF because of a virus or hack attempt............you'd better sell that damned PC while you're at it. Those things are notorious for getting viruses. Jeesh...

Just buy yourself a decent virus scanner and you'll sleep a lot better. I have two different ones I use plus a spyware killer too. I run them on a set schedule and it has all but rid me of most of the problems.

The newest spyware killer I use is called Counterspy. It is extremely thorough.......and helped me get rid of a very very nasty virus which was replicating itself during startup...........and restarting unfortunately, was part of the process to get rid of the thing.

That virus was called: Virtumonde

If you see that rascal on your PC, just set the thing on fire and save the stress.

Dave
 
I ran a virus scan and got rid of 5 viruses (although I can't say if I got all of them from the hack yesterday) :confused
 
Have run avast twice and found nothing... can I expect my computer to have dodged the attack, or should I try using another virus scanner just to be sure?
 
I was hit hard....I had Norton antivirus and firewall..and it blew past them...to the point where I had to unplug the computer from the net.. Today (not more than 15 minutes ago) I got a call from my cable internet company asking me why I sent 250 spam emails to their customers...I told them what happened and that I had to totally reformat my hard drive etc.. they no longer see the activity on my computer.. but after 2 days straight of trying to fix this mess AND almost losing my internet service because of it... I'd like to get my hands around the necks of the hackers...
Josh
 
as much as i am on here, i didn't get hit.

the people that did get nailed, are you using firefox or ie? maybe it will help narrow down what's going on.

personally, i use firefox 2.0, windows firewall, avg antivirus and firewall, as well as f-prot (yea, overkill, but i'm on the net a lot). mailwasher is my spam checking software, and adaware is my spyware finder.

after an fprot scan, an avg scan, and an adaware scan, i got squat popping up on here. i did have some tracking cookies but nothing harmful.

chris
 
Here is the scoop or at least my educated guess at what happened, based on what I saw and have been told... If this is the case it could have been much worse, and everyone should be happy it wasn't... The Invision forum software that this forum was running was outdated if memory serves me (I believe 2.1.6 or earlier?) and had a known SQL injection exploit that would allow you to gain access to any member's account as if it was yours... The forum has been upgraded to v2.1.7 now so it's been patched against this exploit... Once access was gained to an Admin's account and thus the Admin CP an iframe was inserted in the skin that took advantage of a .WMF exploit in Windows, this exploit was patched a LONG time ago so anyone current with Windows updates would not have been infected... Anyway if your Windows was not patched it executed some rogue code and this code used your Windows Address Book and sent itself to everyone you had in there...

This iframe exploit above was the attack I saw, there might have been others or even more done if what I posted above did happen as the "hacker" would have had access to the Admin CP and could have easily rotated attacks or been doing other things while in there...

That is the short and dirty of it from what I have gathered from a few sources, a quick view of the server logs (which I suspect has or is being done) should or could identify the IP of the stolen Admin account and possibly cross reference it with the account used to gain access...

Anyway it was just a small chain of bad events that the "hacker" took advantage of...

As synasp suggested a good course of action would be to change your password(s) ASAP, if the "hacker" spent any time in the CP before launching the attack he/she could have dumped the database to attack locally for passwords or???

I saw this happen on a forum I was an Admin at and it came back to haunt us many times since the "hacker" stole the whole database and had all the PMs and the password database of every member to brute force at his/her leisure... And in the case of that forum they did just that, garnering all sorts of private information from PMs and a continued string of attacks from hacked accounts...

Now I'm not saying this hacker here dumped the database, maybe the staff knows? If they did this might not be the end of it...

And to anyone that feels that this is a sign that this forum is not safe, well I can assure you then NONE are; script kiddies are a dime a dozen and there are always holes that can be exploited...
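
The skin-level iframe injection described in the post above leaves a trace that can be audited for: an iframe in a template that is hidden or points off-site. The following is an added example, not part of the original thread and not Invision's code; the host names and the sample template are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the forum's own hostname; any other iframe host counts as off-site.
TRUSTED_HOSTS = {"forum.example"}

class IframeAuditor(HTMLParser):
    """Collect every <iframe> in a template that looks injected, with reasons."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        # urlparse also resolves protocol-relative sources such as //host/path.
        host = urlparse(a.get("src", "")).hostname
        if host and host not in self.trusted_hosts:
            reasons.append("off-site src")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any(a.get(dim, "").strip() in {"0", "1"} for dim in ("width", "height"))
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if reasons:
            # getpos() gives the 1-based template line of the offending tag.
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit_template(html, trusted_hosts=TRUSTED_HOSTS):
    """Return [(line, src, reasons)] for suspicious iframes in one template."""
    auditor = IframeAuditor(trusted_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample skin template (not taken from the incident).
SAMPLE_SKIN = """<html><body>
<div id="header">Forum header</div>
<iframe src="http://forum.example/shoutbox.php" width="400" height="200"></iframe>
<iframe src="http://untrusted.example/x.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in audit_template(SAMPLE_SKIN):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Run against every skin and template export after an admin-account compromise, and diff the results against a known-good backup, since an attacker with Admin CP access can edit any template.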
 
Thanks for the explanation Exoray and thanks to you other guys for the support and additional resources for detecting and eliminating viruses.

I'd also like to recognize babbich and Synasp for their very fast response to this attack.

I think I may have mentioned this elsewhere but according to the lads at Invision the attacker's IP traces to a dedicated server in Russia. We were told the owner of the server may be totally unaware he is being used.

We will continue to seek as much info as we can. The significant coincidence this occurred just as we brought several hundred new members into our group has been suggested. We won't ignore that coincidence, but have no reason to suspect it as any more than a coincidence at this time.
 
Buy a Mac and use all the extra time in your day to make props. I know I do.

But seriously, sorry you fellas had to fret over what should be simple web surfing. Glad it didn't destroy the 'ol RPF.
 
All brands of computers are vulnerable - including MACs. Sure, Windows PCs have more issues, but MACs are not immune.

-G
 
<div class='quotetop'>QUOTE(moffeaton @ Nov 21 2006, 08:39 AM) [snapback]1362666[/snapback]</div>
Buy a Mac and use all the extra time in your day to make props. I know I do.

But seriously, sorry you fellas had to fret over what should be simple web surfing. Glad it didn't destroy the 'ol RPF.
[/b]

Just to make it clear, if you had all the security updates to Windows this attack didn't affect you...

The most important thing is that the "hacker" had high level access to the forum/server to drop this exploit, that level of access could have caused much more damage to the forum/server itself, but instead they chose to simply drop a "virus" that affected Windows users browsing the forum with outdated updates... From what I read the WMF exploit used (or at least the one I saw when viewing the forum) was patched in January...
 