unclecameron

What just happened?


Okay, so some of you noticed that the sdar site started having problems with malware; here's a summary of what happened, who was affected, where we are at now, and what happens to keep things like this from happening again:

Summary: the server had problems and now it doesn't (but we're still watching it carefully in case nastiness resurfaces)

Deeper dive:

1. Due to a vulnerability in the forum software (from a commercial vendor), hackers were able to find an exploit that was used to attack lots of that vendor's software. The vendor subsequently released a patch, which we installed.

2. In the meantime (get your geek hat on) here's what happened. The attackers uploaded a shell into a directory on the forum that then allowed them access to other areas of the site, but not the server itself, so the attack was localized, which is good.

3. Once the shell was active, they inserted bits of code to the top of all the index pages (there are many in the subdirectories of the forum software) that were encrypted so you couldn't read them, but certain browsers could and did, specifically Internet Explorer versions.

4. When we learned there may be problems, we did a virus scan on the server, and it caught the malicious shell and removed it, but upon further investigation we learned that it had dropped the bits of code into the index pages, which weren't detected because they really aren't malware, just things that tried to direct people to where there was some.

5. If people had Internet Explorer and the malware detected that (and they didn't have a javascript blocker of some kind), the malicious code tried to drop a malicious payload that was really residing on a remote server, most of which were located in China, which tried to install a piece of malware called Blackhole, a not very nice piece of turd-tasticness that is generally to be avoided.

6. We wrote a piece of code that went in and removed the malicious code from all the files where we found problems. After a couple hit-and-miss runs, it looks like we got most if not all of the nasty code among the thousands of files we had to rummage through, so it appears we succeeded, at least for the moment, but these things are nasty, so we'll still keep working on it.

7. We're still monitoring the site quite closely and reports from folks, so keep them coming.

8. If you use Internet Explorer and have another option for a browser, it might be a good idea to use an alternative until we have some more time to test, this will keep you much safer in this particular instance.

9. If you need to keep using Internet Explorer, consider disabling JavaScript, there are tutorials on how to do that easily, Google is your friend here :)

10. This whole thing sucked, but then again scammers are always looking for chinks in the armor of popular software, so I guess that means we're popular :)

11. If any of you are having issues in case the nastiness actually got onto your computer and your anti-malware software didn't catch it (you do have anti-malware software - don't you?) then drop me a line and I'll put up some specific steps you can take to make things better, but hopefully you shouldn't have any problems, as most modern anti-malware software would detect and block this.

12. We've stepped up security on the server itself and will continue to monitor its health over the next few days.

13. Go ride already, it's always a good day (or night) for that :)

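Item 6 above describes a script that walked the forum tree and stripped the injected code from every index page. What follows is an added example of that kind of cleanup, written for this page; it is not unclecameron's script and not part of the forum software. It assumes the injection looks like a `<script>` block at the top of each `index.php`/`index.html` that decodes a percent-encoded string and hands it to `eval()` or `document.write()`; that signature, the file names, and the sample files built in `demo()` are constructed for the example. Each infected file is copied to a backup tree before it is rewritten, the scan only looks at the first few kilobytes of files named like index pages (matching item 3), and the final re-scan confirms nothing matching the signature is left.

```python
"""Find index pages carrying an injected obfuscated <script> block, back each
one up, strip the block, and re-scan to confirm the tree is clean.
Added example; the signature is a constructed assumption, not the pattern
seen in the actual incident."""
import os
import re
import shutil
import tempfile
from pathlib import Path

INDEX_NAMES = {"index.php", "index.html", "index.htm"}
HEAD_BYTES = 4096  # the injection sat at the top of each file, so only scan the head

# Assumed signature: <script> whose body is eval(unescape("...")) or
# document.write(unescape("...")). Tune this to what is actually found on
# the server before running it against production files.
INJECT_RE = re.compile(
    rb"<script[^>]*>\s*(?:eval|document\.write)\s*\(\s*unescape\s*\(\s*"
    rb"[\"'][^\"']*[\"']\s*\)\s*\)\s*;?\s*</script>\s*",
    re.IGNORECASE,
)


def find_injected(root: Path):
    """Yield every index file under root whose first HEAD_BYTES match the signature."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = Path(dirpath) / name
            if INJECT_RE.search(path.read_bytes()[:HEAD_BYTES]):
                yield path


def clean_file(path: Path, root: Path, backup_dir: Path) -> int:
    """Copy the file into backup_dir (same relative path), remove every matching
    block, and return the number of blocks removed. Works on bytes so the
    file's original encoding is never altered."""
    data = path.read_bytes()
    cleaned, removed = INJECT_RE.subn(b"", data)
    if removed:
        backup = backup_dir / path.relative_to(root)
        backup.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, backup)
        path.write_bytes(cleaned)
    return removed


def clean_tree(root: Path, backup_dir: Path) -> dict:
    """Clean all infected index files under root; return {relative path: blocks removed}."""
    report = {}
    for path in list(find_injected(root)):
        report[path.relative_to(root).as_posix()] = clean_file(path, root, backup_dir)
    return report


def demo():
    """Build a constructed forum tree in a temp dir, clean it, and return
    (report, infected files remaining, whether cleaned files equal the originals)."""
    # Constructed placeholder payload: the encoded string decodes to a harmless
    # JavaScript comment, "/* placeholder */".
    injected = (b'<script type="text/javascript">'
                b'eval(unescape("%2F%2A%20placeholder%20%2A%2F"));</script>\n')
    clean_page = b"<?php\n// forum entry point\nrequire 'init.php';\n"

    root = Path(tempfile.mkdtemp(prefix="forum-"))
    backup = Path(tempfile.mkdtemp(prefix="forum-backup-"))
    (root / "forum" / "admin").mkdir(parents=True)
    (root / "forum" / "index.php").write_bytes(injected + clean_page)
    (root / "forum" / "admin" / "index.php").write_bytes(injected + injected + clean_page)
    (root / "forum" / "admin" / "style.css").write_bytes(injected)  # not an index file: left alone
    (root / "index.html").write_bytes(b"<html><body>clean</body></html>\n")

    report = clean_tree(root, backup)
    remaining = sum(1 for _ in find_injected(root))
    intact = ((root / "forum" / "index.php").read_bytes() == clean_page
              and (root / "forum" / "admin" / "index.php").read_bytes() == clean_page
              and (backup / "forum" / "index.php").read_bytes() == injected + clean_page)
    return report, remaining, intact


if __name__ == "__main__":
    print(demo())
```

Run it once with the signature tuned to a real sample and `clean_tree` pointed at the document root; keep the backup tree until the site has been re-scanned a couple of times, since item 6 notes it took more than one pass to be sure everything was caught. The `style.css` file in the demo is deliberately skipped: widening the scan beyond index pages is a one-line change to `INDEX_NAMES`, but do it knowingly rather than by accident.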

Thanks for your hard work and the information. Unfortunately, I let my security expire just a day or two before my PC got hit. It's still at the computer hospital, where it has been since last Thursday. You can bet that the next time a security program says it will expire in 3 days, I won't hesitate one more second to make sure that I renew it. I'm sure that the cost of getting my computer debugged will cost me way more than the cost of security renewal. (I'm also aware that I could have gotten some free programs as well.)


Cameron, thanks a lot for getting this resolved....sounds like a lot of work was done. We all appreciate it.

