Forum issue
10-12-2011, 10:37 PM,
#1
Forum issue
I've noticed that loading the homepage has been slow today. Just now, I attempted to log in, and it would begin the loading process then would stop. It did this several times, then AVG blocked some kind of "forum" threat it said.

Anyone else experiencing similar problems with this site only? Everything else is fine and a scan says I have no viruses.
10-12-2011, 10:43 PM,
#2
RE: Forum issue
As soon as I opened this thread, my antivirus blocked some sort of malware.

Is the forum infected?
_____________________________
The only frontier that has ever existed is the self.
10-12-2011, 10:46 PM, (This post was last modified: 10-12-2011, 10:46 PM by Icaro.)
#3
RE: Forum issue
(10-12-2011, 10:43 PM)abridgetoofar Wrote:  Is the forum infected?
Sounds like it.

I PM'd Gary and Steve.
The following 1 user Likes Icaro's post:
Bring4th_Austin
10-12-2011, 10:49 PM,
#4
RE: Forum issue
Yes, I've had the same problems late last night and all day today.
Heart Ruth
10-12-2011, 11:04 PM,
#5
RE: Forum issue
Firefox froze up several times today and yesterday, and I never have those issues. So perhaps it worked its way into my browser also.
10-12-2011, 11:08 PM,
#6
RE: Forum issue
Ran a test on it. Took 12.5 seconds to even respond to root page request. Then there are numerous odd embedded search-engine link related errors. A bunch from "buffpuma".
10-12-2011, 11:10 PM,
#7
RE: Forum issue
I'll look into this. I've never heard of a forum virus. So this is something totally new to me that I'll need to understand better. Perhaps someone uploaded a picture that is malicious, not sure...

Thank you for the heads up everyone!
Steve
10-12-2011, 11:19 PM,
#8
RE: Forum issue
There have been a few spam bots posting..could be related.
10-13-2011, 01:20 AM,
#9
RE: Forum issue
My personal site was hacked by a bot which simply added a few lines of malicious code to each page. Could be a similar situation.
_____________________________
The only frontier that has ever existed is the self.
10-13-2011, 07:36 AM,
#10
RE: Forum issue
Yeah, this used to be one of the fastest web sites. Sounds like you have something in the system. Another site I visit had an advertisement that was slowing down the site - had to remove it.
10-13-2011, 08:41 AM,
#11
RE: Forum issue
Yesterday whilst visiting this site Google Chrome booted me off the site with a warning that the site contained some content that was known to them to be malicious code.
10-13-2011, 09:15 AM,
#12
RE: Forum issue
(10-13-2011, 08:41 AM)Jim Kent + Wrote:  Yesterday whilst visiting this site Google Chrome booted me off the site with a warning that the site contained some content that was known to them to be malicious code.
I've browsed bring4th some time with Chrome and nothing happened, but computers + networking + Google is more than a simple addition... My usual browser is Firefox and I have never had any problems here.
10-13-2011, 09:32 AM,
#13
RE: Forum issue
It's a valid idea, but since we delete all spam on the forum, there's no way a spammer could leave behind a pic or file that is malicious.

Steve

(10-12-2011, 11:19 PM)Icaro Wrote:  There have been a few spam bots posting..could be related.

10-13-2011, 10:26 AM, (This post was last modified: 10-13-2011, 10:38 AM by Odinn.)
#14
RE: Forum issue
(10-12-2011, 11:10 PM)Bring4th_Steve Wrote:  I'll look into this. I've never heard of a forum virus. So this is something totally new to me that I'll need to understand better. Perhaps someone uploaded a picture that is malicious, not sure...

Thank you for the heads up everyone!
Steve
Maybe not the picture in itself, but because of being hotlinked... I do that at times, trying to save the traffic costs for bring4th, but I'm just realizing that maybe hasn't been a good idea. If I recall correctly all of them (meaning 3 or 4) are in Treehuggers'. If other users do that, it could be a problem. I'll check ASAP my own posts and change the embedding.

Another tip for protecting against spambotting - if the code of your forum app includes ID lines (like for example "ForumWonder v.3.05"), delete them if possible.

Another idea: the online YouTube etc. video embedding. Is it possible that it causes the pages in the forum to upload slower?
10-13-2011, 11:44 AM, (This post was last modified: 10-13-2011, 11:45 AM by Bring4th_Steve.)
#15
RE: Forum issue
These are all great ideas, but I am coming up empty when researching each one. I even did multiple site scans on Bring4th.org, to which each scan gives a clean bill of health:

URL Analysis results for Bring4th.org:

Avira - Clean site
BitDefender - Clean site
Dr.Web - Clean site
G-Data - Clean site
Malc0de Database - Clean site
MalwareDomainList - Clean site
Opera - Clean site
ParetoLogic - Clean site
Phishtank - Clean site
TrendMicro - Unrated site
Websense ThreatSeeker - Unrated site
Wepawet - Unrated site

URL info:
Normalized URL: http://bring4th.org/
URL MD5: cd19987e95d367be99b6f21fe7110481

So I'm not sure how to proceed here. I did like the idea about whether this may be related to the hotlinking of outside images. That would definitely cause a problem if there is malicious code embedded in one of the images.

But from what I understand, some of you are getting error messages at the very beginning of the forum, before any member pictures are even loaded. Is that a correct assumption?

It would be really helpful if more information can be given when an alert or error pops up. Like, provide the URL that is in your browser bar when the alert pops up. This would greatly help me zero in where the suspicious areas are.

As far as the site speed goes, please remember that this is a shared host. We do not yet have the kind of traffic where L/L Research can justify spending bigger bucks for a standalone host (separate, physical server). Until that day comes, we will continue to share web space with a number of other web sites, all of whom may or may not generate their own large bursts of traffic, which would then make our site appear slower. It's a give and take situation, and the web host has been really good to us with how it manages load balance (i.e., shared traffic between all sites on the server).

Thanks for the continued advice and ideas, all!
Steve
The following 1 user Likes Bring4th_Steve's post:
Aaron
10-13-2011, 12:12 PM,
#16
RE: Forum issue
I noticed that it takes very very long to open http://www.bring4th.org since yesterday, but when I go and open http://www.bring4th.org/forums right away then it is a lot faster.
I have Firefox.
10-13-2011, 12:15 PM,
#17
RE: Forum issue
Google Chrome's anti-malware feature kicked in while I was visiting the site yesterday too. It was on the front page, and not in a thread.


1 thing was a popup asking me if I wanted to close the "flash" that was hung, and the other was a malware security feature in Chrome saying that there was something malicious about [somefilename].pl.

I took a screen shot when it happened, but got side tracked, and forgot to paste it as an image file.. :/

10-13-2011, 01:00 PM, (This post was last modified: 10-13-2011, 01:02 PM by Odinn.)
#18
RE: Forum issue
Steve, I've just cleaned the hotlinking in "my" images, but can't do so in the copies included in other users' replies (example: http://www.bring4th.org/forums/showthread.php?tid=2830&pid=57303#pid57303), as they're not embedded as instances of the one original.

Plus, this is for WordPress, but maybe it can give some hints:
- http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/
10-13-2011, 01:49 PM, (This post was last modified: 10-13-2011, 01:50 PM by Focus123.)
#19
RE: Forum issue
Try this:

http://www.emsisoft.com/en/software/antimalware/

Federal Trojan

http://www.emsisoft.com/en/kb/articles/tec111011/



Click free download - then just scanner.
10-13-2011, 01:52 PM,
#20
RE: Forum issue
It was slow earlier.
10-13-2011, 03:22 PM,
#21
RE: Forum issue
Much better.
10-13-2011, 04:14 PM,
#22
RE: Forum issue
Well, everyone... You may notice the site speed back to normal and the virus warnings gone from your browser.

Why?

We were hacked!

Yes, something got into our server and wrote malicious code across every index.php file on the entire server. The code was trying to redirect everyone away from Bring4th and to a foreign web site. The problem was that web site went down, so many of you were experiencing page load delays as the foreign site was sitting there trying to load into our Bring4th pages.

The damage was extensive, and I have spent a good part of the day cleaning code, changing passwords, and changing permissions so that our index.php can't be written to by outside sources. I still have no idea how or where they got in! The web host has blacklisted the IP address of the bot, so as long as it doesn't come around again, we should be ok.

We do have backups, but this problem entered our site at the exact time our backups were being performed. So basically we were backing up an infected site. Once I finish clearing the code injections from the remainder of the site, I believe we will be 100% back to normal, and I plan to extend the backup count a little further out so that we have a better chance of having the latest "safe" copy on hand.

Interestingly, none of the online scanners can detect this type of attack!

Thanks again, everyone...
Steve
The following 1 user Likes Bring4th_Steve's post:
Aaron
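
The post above describes code written into every index.php, write permissions tightened afterwards, and a backup taken while the site was already infected. A server-side check for that situation, as an added example that is not part of the original thread: it compares each index.php against a hash manifest recorded while the site was known clean (and kept somewhere the web server cannot write to) and flags files that are group- or world-writable. The function names and the temporary directory tree are assumptions made for the illustration.

```python
import hashlib, os, stat, tempfile

def build_manifest(webroot, name="index.php"):
    """Map each <name> under webroot (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        if name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, webroot)] = digest
    return manifest

def audit(webroot, baseline, name="index.php"):
    """Compare the live tree with a known-good manifest and check write bits."""
    current = build_manifest(webroot, name)
    report = {"modified": [], "added": [], "missing": [], "writable": []}
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        # Group- or world-writable files can be rewritten by other accounts
        # or processes on a shared host.
        mode = os.stat(os.path.join(webroot, rel)).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["writable"].append(rel)
    report["missing"] = sorted(r for r in baseline if r not in current)
    return report

def demo():
    """Constructed tree: three clean index.php files, then simulated tampering."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("", "forums", "library"):
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            path = os.path.join(root, sub, "index.php")
            with open(path, "w") as f:
                f.write("<?php echo 'ok'; ?>\n")
            os.chmod(path, 0o644)
        baseline = build_manifest(root)  # taken while the site is known clean
        # Constructed stand-in for injected code; not the code from the incident.
        with open(os.path.join(root, "forums", "index.php"), "a") as f:
            f.write("<?php /* placeholder: appended line */ ?>\n")
        os.chmod(os.path.join(root, "library", "index.php"), 0o666)
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Because the comparison runs against files on disk, it does not depend on what an external URL scanner happens to be served, and a manifest dated before the compromise also shows which backup generations are still clean.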
10-13-2011, 04:29 PM,
#23
RE: Forum issue
Good Job.
10-13-2011, 04:42 PM,
#24
RE: Forum issue
Wow, thank you, Steve! Good job!

Love & light!
Heart Ruth
The following 1 user Likes Ruth's post:
Odinn
10-13-2011, 07:36 PM,
#25
RE: Forum issue
(10-13-2011, 04:14 PM)Bring4th_Steve Wrote:  Well, everyone... You may notice the site speed back to normal and the virus warnings gone from your browser.

Why?

We were hacked!

Yes, something got into our server and wrote malicious code across every index.php file on the entire server. The code was trying to redirect everyone away from Bring4th and to a foreign web site. The problem was that web site went down, so many of you were experiencing page load delays as the foreign site was sitting there trying to load into our Bring4th pages.

The damage was extensive, and I have spent a good part of the day cleaning code, changing passwords, and changing permissions so that our index.php can't be written to by outside sources. I still have no idea how or where they got in! The web host has blacklisted the IP address of the bot, so as long as it doesn't come around again, we should be ok.
Called it!

Same exact thing happened to me a while ago. Had to go and manually delete code from every single page on my site.
_____________________________
The only frontier that has ever existed is the self.
10-13-2011, 11:19 PM,
#26
RE: Forum issue
Glad to hear!
10-14-2011, 12:16 AM,
#27
RE: Forum issue
Thank you Steve. We're lucky you are here.
Lee as
kycahi
The following 1 user Likes kycahi's post:
Odinn
10-14-2011, 01:51 AM,
#28
RE: Forum issue
Do they have the user database?
10-14-2011, 07:59 AM,
#29
RE: Forum issue
"they" know everything about us, don't they? Wink
10-14-2011, 08:11 AM,
#30
RE: Forum issue
(10-14-2011, 01:51 AM)zenmaster Wrote:  Do they have the user database?
Haha - "they"? Gotcha! Big GrinBig GrinBig Grin