Hypography under attack

[CraigD]

For the past few days, we’ve been experiencing problems that appear to be due to an intruder (hacker) adding and/or altering files on our server.

 

Some members may have had display or access problems, or had access blocked by your browser’s security features. Some, but not all pages of our site were infected

 

Although at present, we’re reading clean via such advisory services as Google Safe Browsing, there’s a strong possibility that the infecting files attempted to install malware on your computer. If you have a common antivirus program (eg: McAfee, Norton) installed, it should have prevented this, but you may want to check to see that you have antivirus software, that it’s working, and scan all your files for trouble.

 

Our and our hosting service’s dev & support staff are investigating, but at present, the precise means of the intrusion haven’t been identified, so we can’t rule out the possibility of more trouble.

[Cedars]

Do you have info on what malware/virus was found?

 

I came up with PolicePro crap using my malware scan, but I cannot say it was from here or elsewhere where it was installed from.

[CraigD]

Do you have info on what malware/virus was found?

I’ve not many details. Google Safe Browsing describes the infecting site as “includes 8 trojan(s), 6 exploit(s)”, the only actual antivirus log entry I got was for a port access attempt from a Chinese host. I found some forums discussing the hosts involved that mention TrojWare.Java.TrojanDownloader.Agent.*, for which I found little detailed information, other than it.

 

If you mistrust your antivirus, I recommend searching your files for *TrojWare* or *TrojanDownloader*, and, if your comfortable doing such things, your registry for TrojWare or TrojanDownloader.

 

When more details are available, we’ll post them here.

[Mercedes Benzene]

Yikes. Thanks for letting us know Craig!

[LaurieAG]

Early last week I got a request to load up Java when I entered the site, it looked legit so I did.

 

Then on entering hypography later I got a request from Microsoft© Register server on my pc to do something. I declined, because the advert area had an error message, but before I did I noticed that it was trying to connect to (http colon //rebellion dot servh#p dot com/404.php, replace the dots with '.' and the colon with ':' but don't go there).

 

If you've got an extra icon on your taskbar that says Java and you downloaded an addon in the past week then uninstall Java 5(?) now. If you click on the icon you get the Microsoft © Register server again trying to access (nofear dot serv dot http) with the message

 

Website wants to open web content using this program Windows Host Process (rundll32)

Java 2 Platform

 

Don't click this link either.

 

The 'ads by Google' server may have been poisoned with a bad ad that gave hypography users bad malware.

 

And interestingly enough MS issued unscheduled patches to their server 2008/2003 client side x64 software on friday. I've got 32 bit Vista (dual Pentium huh).

 

Just re-read the first post and clicked on the link, if you were asked by an ad (on the hypography website) to load Java in the past week or so, uninstall it and rescan your pc now.

[Tormod]

Thanks Laurie.

 

We will be upgrading our server as well as our forum software this evening and hopefully that will sort the issues for us.

 

I apologize to everyone who have been infected with virus or malware - this has apparently been a blanket attack on many vbulletin sites, and it is very difficult to stop these things when they first happen.

[Tormod]

The attempt to update the forums failed. Large portions of our database was corrupt.

 

After 8 hours I managed to salvage a backup from our storage. So we have only lost a few hours of posts! Wehave also worked hard to secure the forums as best we can.

 

We will repeat the upgrade attempt at a later date. For now I'm just happy to see everything back.

[Tormod]

We have been blacklisted by sites which aim to stop badware. It will probably take time before this is solved.

[Turtle]

i am still getting reports from the defenses on this machine of attacks coming from here. obviously the defense is blocking them. :naughty: i can give information from the reports if that would be helpful. i'm tellin'! :eek: :hihi:

 

let me know what you want & how you want it. Hypography Good; hackers Bad!

[Donk]

I had the Firefox alert a day or so before Craig started this thread. Obediently, I stayed away until Firefox stopped blocking the site.

 

When it came back, I kept getting messages about updating java and an acrobat plugin error, which I ignored.

 

All three of my machines seemed to be running a little slowly, so to be on the safe side I uninstalled Java and then reinstalled from the Sun microsystems website. Everything seems ok now.

 

The Firefox message came back again today but I overrode it and cautiously tiptoed on to the site. It's gone again now, but google "hypography" and you get the message "This site may harm your computer" (confusingly, with a green "ok" tick from AVG).

 

I suspect it's a cunning ploy by the admin to make me sign up again for sponsorship status: no adverts, no malware :naughty: Honest, guys, I was going to do it this week... it just slipped my mind!

 

edit: Firefox malware message came back while I was making this post.

[Turtle]

here's a couple things that keep coming up:

Hacktool.Unreal.A

Tracking Cookie

 

i read that a tracking cookie can be a single pixel. :eek: :hihi:

 

this is what was blocked just 10 minutes ago:

 

Date: Wednesday, March 10, 2010 1:17 PM (PST)

Actor: program filesgoogleupdategoogleupdate.exe

Actor: PID 2512

Target: Defense files

Action: Open Process Token

 

:naughty:

[Turtle]

Double D posted this earlier in the thread on nothing, but it may have gone unnoticed as nothing. :naughty:

 

Safe Browsing

Diagnostic page for hypography.com/forums

 

What is the current listing status for hypography.com/forums?

 

Site is listed as suspicious - visiting this web site may harm your computer.

 

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

 

What happened when Google visited this site?

 

Of the 135 pages we tested on the site over the past 90 days, 10 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-02-27, and the last time suspicious content was found on this site was on 2010-02-27.

 

Malicious software includes 8 trojan(s), 6 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

 

Malicious software is hosted on 1 domain(s), including rebellion.servehttp.com/.

 

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including nofear.servehttp.com/.

 

This site was hosted on 1 network(s) including AS13438 (VIVIO).

 

Has this site acted as an intermediary resulting in further distribution of malware?

 

Over the past 90 days, hypography.com/forums did not appear to function as an intermediary for the infection of any sites.

 

Has this site hosted malware?

 

No, this site has not hosted malicious software over the past 90 days.

 

How did this happen?

 

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

 

Next steps:

 

* Return to the previous page.

* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

 

Updated 23 hours ago

 

Nothin to worry about:hihi:

[Tormod]

Thanks, Turtle.

 

Hackers should be shot on sight.

[Turtle]

Thanks, Turtle.

 

my pleasure. :hihi:

 

Hackers should be shot on sight.

 

:naughty: or on site; wherever ya find 'em is good.

[Cedars]

I got pretty sick of having to scan my 'puter when I visited.

 

Something was shutting down my firewall.

I updated java

Same problems.

I un-installed java

 

Did a bunch of rescans / reboots to clear the system.

 

During the worst of it (firewall shutdown) I was also getting Acrobat errors even though that program was not running. Went through my java temp files and found 3 files with the servehttp or httpserve name. I deleted those thinking there might be something going on with them. Still had issues. After taking out the java AND a rescan, the firewall hasnt shut down and the acrobat errors stopped. I do need a more current version of acrobat, but the last time I updated, I hated the changes and so I went back to an older version.

 

A few times visiting in the last day or so, I was seeing the httpserve or servehttp name coming up in the status bar as I loaded hypo. Scans afterwords did not fine issues. I still do not have Java installed.

[Tormod]

Thanks. Please keep posting issues and problems, particularly if there are reasons to think that we haven't stopped it yet or if something new may have been installed on our server.

 

Right now it seems as if we have managed to patch the box up for a while. We have done a throrough scan of the system and updated everything to the latest patches etc. And Google has removed our blacklisting. :naughty:

[coldcreation]

I don't know if this has anything to do with the hack but when I run a search (on this site, above right hand corner of screen) I get an error message: "MDB2 Error: connect failed".

 

CC