<OT> Strange Spyware alerts off this site...

[RocKeR]

Could any of our IT savvy colleagues on this forum please check their anti-spyware logs to see if they concur with my findings? Each page I access on LR4x4.com results in my package (WebRoot Spy Sweeper) blocking access to either traffweb.biz, or 2-extreme.biz.

Not sure if it's just me on this hotel LAN in Sydney... It's only happening on LR4x4 though... If you haven't got an anti spyware package, have a close look at the lower left corner of your web page where it says: "Opening page http://......." I can see it flash to traffweb.biz before it finishes loading the required page. If you haven't got anti SW, you may be seeing other behavior, or getting popups....

Trev, checked the server lately?

[Fatboy]

Rocker,

Same with me so its not just you!!

[minivin]

loads too quickly at work to notice, will look at home to see if I notice anything on mine and see if there's any standard in system et cetera that may pin it down

[LR90]

Yep, sorry guys n gals. Some bright spark decided to take a pop at us and compromised one of the skins.

This has now been cleaned and the breach is being repaired as I type this.

[GBMUD]

Had some virus alerts from Norton. Seems the forum was hacked.

Chris

[Top90]

Had some virus alerts from Norton. Seems the forum was hacked.

Chris

After looking at the post by new member 'wax' McAfee Tracked 3 trojans on my comp.

Richard

[GBMUD]

After looking at the post by new member 'wax' McAfee Tracked 3 trojans on my comp.

Richard

Yup. I smelled a rat when I saw that Wax was in the admin group.

Chris

[Top90]

I forgot to add:

WELL DONE ADMIN for getting the site sorted nice and fast.

Richard

[will_warne]

I forgot to add:

WELL DONE ADMIN for getting the site sorted nice and fast.

Richard

Yeah, well done. That was dealt with very quickly!

[Happyoldgit]

Yeah, well done. That was dealt with very quickly!

Thirded

[Les Henson]

Fourthded!

I think Trev (LR90) gets all the credit. If I had anything to do with it you would all be looking at a blank screen most likely.

Les.

[minivin]

Yup. I smelled a rat when I saw that Wax was in the admin group.

Chris

I'd say more like the trowl had got out from under the bridge and was dancing about rather than just smelling a rat

Good work on the swift fix

[Mark]

why was there a trowel under the bridge?

[minivin]

why was there a trowel under the bridge?

troll, toll, towel, oh I know I nearly flunked English

[Paul Humphreys]

I got it as well, but I did not have an email address to let anyone know.

Paul

[Hillbilly Raider]

Thank God for Tonk and the new softwear he put on me pooter!

it got a bit scary for a mo here!

still kept me off the forum for a while though didnt it?

[Fatboy]

I'm impressed its sorted so quick! I had the sweats on at work when the spyware stuff kicked in but seemed to get away with it.. Then came home, couldn't resist a peek and its all sorted.

Well done that man!

[RocKeR]

Nice one Trevor. I'm intrigued though to know how long people had been noticing the problem before I flagged it this afternoon. It's a testament to how many people have a decent anti-virus or anti-spyware package these days, especially for those who probably didn't notice the problem.

Also, how did someone manage to compromise the skin in the first place? Has the original vunerability been closed as well as fixing the attacked skin?

[geoffbeaumont]

Nice one Trevor. I'm intrigued though to know how long people had been noticing the problem before I flagged it this afternoon. It's a testament to how many people have a decent anti-virus or anti-spyware package these days, especially for those who probably didn't notice the problem.

Also, how did someone manage to compromise the skin in the first place? Has the original vunerability been closed as well as fixing the attacked skin?

This is second hand, since it was Trevor that dealt with it, but I know he's gone home for a well earned rest.

It appears that a vulnerability in the Invision Powerboard software which we use was exploited to run the attackers own code within the site. This technique would have allowed them to do pretty much anything with the database but due to the server permissions probably not much with the actual files. Fortunately it appears that the only thing they did before Trevor managed to deal with the problem was to embed a piece of code in the site skin that attempted to install something on user's machines. It sounds like most of you were smart enough to be running decent anti-virus/anti-spyware software which detected it. However;

If you were using the site today, and you use Internet Explorer on Windows, and you didn't see any warnings, I suggest you make sure your anti-virus software is up to date and run a full scan of your system, to be on the safe side.

Invision have produced patches for the vulnerability, which was only discovered recently, and Trevor has applied them to the site, so we shouldn't see any more of this. It's just unfortunate that the hackers beat us to the draw by a few hours

[BogMonster]

I would have been using Firefox when there was that odd problem this morning (just getting a white screen) so hopefully OK

[Les Henson]

Scanned my machine last night and two bugs in it. Norton got them.

Les.

[BogMonster]

No bugs in mine (did the same) but will do the work one later as I was on that early yesterday....

[Les Henson]

No bugs in mine

Yes, but you're on dial-up, so they probably died of old age on the way to your PC.

Les.