<OT> Strange Spyware alerts off this site...


RocKeR

Could any of our IT savvy colleagues on this forum please check their anti-spyware logs to see if they concur with my findings? Each page I access on LR4x4.com results in my package (WebRoot Spy Sweeper) blocking access to either traffweb.biz, or 2-extreme.biz.

Not sure if it's just me on this hotel LAN in Sydney... It's only happening on LR4x4 though... If you haven't got an anti spyware package, have a close look at the lower left corner of your web page where it says: "Opening page http://......." I can see it flash to traffweb.biz before it finishes loading the required page. If you haven't got anti SW, you may be seeing other behavior, or getting popups....

Trev, checked the server lately? :ph34r:

Yep, sorry guys n gals. Some bright spark decided to take a pop at us and compromised one of the skins.

This has now been cleaned and the breach is being repaired as I type this.

Yup. I smelled a rat when I saw that Wax was in the admin group.

Chris

I'd say more like the troll had got out from under the bridge and was dancing about rather than just smelling a rat :)

Good work on the swift fix

I'm impressed it's sorted so quick! :D I had the sweats on at work when the spyware stuff kicked in but seemed to get away with it.. Then came home, couldn't resist a peek and it's all sorted. :)

Well done that man! :D

Nice one Trevor. I'm intrigued though to know how long people had been noticing the problem before I flagged it this afternoon. It's a testament to how many people have a decent anti-virus or anti-spyware package these days, especially for those who probably didn't notice the problem.

Also, how did someone manage to compromise the skin in the first place? Has the original vulnerability been closed as well as fixing the attacked skin?

This is second hand, since it was Trevor that dealt with it, but I know he's gone home for a well earned rest.

It appears that a vulnerability in the Invision Powerboard software which we use was exploited to run the attacker's own code within the site. This technique would have allowed them to do pretty much anything with the database but due to the server permissions probably not much with the actual files. Fortunately it appears that the only thing they did before Trevor managed to deal with the problem was to embed a piece of code in the site skin that attempted to install something on users' machines. It sounds like most of you were smart enough to be running decent anti-virus/anti-spyware software which detected it. However;

If you were using the site today, and you use Internet Explorer on Windows, and you didn't see any warnings, I suggest you make sure your anti-virus software is up to date and run a full scan of your system, to be on the safe side.

Invision have produced patches for the vulnerability, which was only discovered recently, and Trevor has applied them to the site, so we shouldn't see any more of this. It's just unfortunate that the hackers beat us to the draw by a few hours :(
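
An added example, not part of the original post and not the site's own tooling: one way to check an exported skin template for tags that make every visitor's browser load content from a host outside the forum's own domain, which is the symptom reported at the top of the thread. The sample template, the `static.lr4x4.com` host, the script path and the allow-list are constructed for illustration; the actual injected code is not shown in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make the browser fetch a URL without a click, and the attribute holding it.
AUTO_LOAD = {"script": "src", "iframe": "src", "frame": "src",
             "embed": "src", "object": "data"}

class SkinScanner(HTMLParser):
    """Collects (line, tag, host) for auto-loading tags that point off-site."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _check(self, tag, url):
        host = (urlparse(url.strip()).hostname or "").lower()
        # Relative URLs have no host: they stay on the forum's own server.
        on_site = any(host == a or host.endswith("." + a) for a in self.allowed)
        if host and not on_site:
            self.findings.append((self.getpos()[0], tag, host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in AUTO_LOAD and attrs.get(AUTO_LOAD[tag]):
            self._check(tag, attrs[AUTO_LOAD[tag]])
        # <meta http-equiv="refresh" content="0;url=..."> redirects the whole page.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                self._check("meta-refresh", content[idx + 4:].strip("'\" "))

def scan_skin(html, allowed_hosts):
    scanner = SkinScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample skin, not the real template or the real injected code.
SAMPLE_SKIN = """<html><head>
<script src="/jscripts/global.js"></script>
<script src="https://static.lr4x4.com/menu.js"></script>
</head><body>
<iframe src="http://traffweb.biz/"></iframe>
<div id="content">board content here</div>
<script src="//2-extreme.biz/"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host in scan_skin(SAMPLE_SKIN, {"lr4x4.com"}):
        print(f"line {line}: <{tag}> loads from {host}")
```

This only catches URLs written directly into tags; inline script that assembles a URL at run time needs a diff of the skin against a known-good copy.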