Old 23rd February 2019, 23:40   #1  |  Link
Wilbert
Moderator
 
Join Date: Nov 2001
Location: Netherlands
Posts: 6,364
Forum hacked

There was a thread in the subsection indicating that the forum is hacked (script stealing passwords and things like that). The thread is gone for some reason. So better not to log in and wait for an announcement of the administrators on this matter.

In any case if you logged in yesterday, you should change your password.

Last edited by Wilbert; 24th February 2019 at 01:12.
Wilbert is offline   Reply With Quote
Old 23rd February 2019, 23:49   #2  |  Link
sneaker_ger
Registered User
 
Join Date: Dec 2002
Posts: 5,565
Do you have contacts to the admin(s)? More specifically, are they aware there is a problem?
sneaker_ger is offline   Reply With Quote
Old 23rd February 2019, 23:52   #3  |  Link
wonkey_monkey
Formerly davidh*****
 
Join Date: Jan 2004
Posts: 2,496
Well that's just even more extremely suspicious, and suggestive of continuing abuse of a mod's login.

The announcement posted by tebasuna51's account, which appears to be an attempt at injecting a password-stealing script (and which breaks forum indexes), and which prompted the now-deleted thread, has recently been edited to say "maintenance" instead of "test". It still contains the attempt at injecting the malicious script, although this is likely to fail in most, if not all, reasonably modern browsers. The text of the announcement now reads "We are working on the indexing issues now and doing basic maintenance".

Seems pretty clear that tebasuna51's account has been compromised. He did still post normally once, earlier tonight, after the announcement was first posted, suggesting his password hasn't been changed and that he wasn't aware of anything at that time.

I've PM'd him along with a few other mods (including Doom9 and Swede).

I take it you can't take the forum offline, Wilbert? Or post an announcement to push the dodgy one off?

---------

It's also possible that more basic access has been gained by someone, in order to subvert the code and inject the script attempt into the announcements, which are then genuine. But if that was the case I would hope that tebasuna51, or whoever is doing the announced "basic maintenance", would have taken the forum offline.
__________________
My AviSynth filters / I'm the Doctor

Last edited by wonkey_monkey; 24th February 2019 at 00:01.
wonkey_monkey is offline   Reply With Quote
Old 24th February 2019, 00:20   #4  |  Link
Wilbert
Moderator
 
Join Date: Nov 2001
Location: Netherlands
Posts: 6,364
Quote:
Do you have contacts to the admin(s)? More specifically, are they aware there is a problem?
No, and I don't know.

Quote:
I take it you can't take the forum offline, Wilbert? Or post an announcement to push the dodgy one off?
No, I can't. I made a new announcement and deleted the other one.
Wilbert is offline   Reply With Quote
Old 24th February 2019, 00:25   #5  |  Link
wonkey_monkey
Formerly davidh*****
 
Join Date: Jan 2004
Posts: 2,496
Cool, that has fixed the forum index problem for now and removes the immediate threat (which as I say, is unlikely to hurt anyone unless they're using a very old browser). Unfortunately it may reoccur until we know that tebasuna51's account is secure.
__________________
My AviSynth filters / I'm the Doctor
wonkey_monkey is offline   Reply With Quote
Old 24th February 2019, 00:34   #6  |  Link
lvqcl
Registered User
 
Join Date: Aug 2015
Posts: 294
"New Posts" link still shows that announcement and nothing else.
lvqcl is offline   Reply With Quote
Old 24th February 2019, 01:10   #7  |  Link
Wilbert
Moderator
 
Join Date: Nov 2001
Location: Netherlands
Posts: 6,364
Quote:
Originally Posted by lvqcl View Post
"New Posts" link still shows that announcement and nothing else.
I can't remove this one.

I sent tebasuna51 a mail asking whether he has access to his account and to change his password. If he doesn't respond I guess I should ban him or something.
Wilbert is offline   Reply With Quote
Old 24th February 2019, 00:42   #8  |  Link
wonkey_monkey
Formerly davidh*****
 
Join Date: Jan 2004
Posts: 2,496
In "New Posts" I see Wilbert's announcement followed by the dodgy one. Everywhere else I just see Wilbert's.
__________________
My AviSynth filters / I'm the Doctor
wonkey_monkey is offline   Reply With Quote
Old 24th February 2019, 01:14   #9  |  Link
sneaker_ger
Registered User
 
Join Date: Dec 2002
Posts: 5,565
Ban him before he bans you?
sneaker_ger is offline   Reply With Quote
Old 24th February 2019, 01:17   #10  |  Link
Wilbert
Moderator
 
Join Date: Nov 2001
Location: Netherlands
Posts: 6,364
Quote:
Originally Posted by sneaker_ger View Post
Ban him before he bans you?
Damn, I'm not authorized to ban him because he is not a normal user ;(

edit: I striked him a few times. Now his account is suspended. Apologies tebasuna51!!

Last edited by Wilbert; 24th February 2019 at 01:31.
Wilbert is offline   Reply With Quote
Old 24th February 2019, 01:49   #11  |  Link
BetA13
cosmic entity
 
Join Date: May 2011
Location: outside the Box
Posts: 258
So, should I change my password? Is it safe to change it NOW?

greetings..

(hopes everything goes well here on the Doom9)
BetA13 is offline   Reply With Quote
Old 24th February 2019, 01:58   #12  |  Link
sneaker_ger
Registered User
 
Join Date: Dec 2002
Posts: 5,565
First thing you should do if you have the same password on other sites is to go to those other websites and change the passwords there (one unique password per site). This is especially true for important stuff like e-mail accounts (gateway to almost all other websites because of the "password forgotten" feature), banking, paypal, ebay etc.

Since this isn't the first doom9 incident I would treat doom9 as kinda "open", i.e. assume everything you type here (passwords, e-mail-address, private messages) is open to others. Don't re-use the same password for multiple websites.
sneaker_ger is offline   Reply With Quote
Old 24th February 2019, 02:19   #13  |  Link
BetA13
cosmic entity
 
Join Date: May 2011
Location: outside the Box
Posts: 258
No prob, I have a diff. for everyone..

but thanks for the clarification...
BetA13 is offline   Reply With Quote
Old 24th February 2019, 02:59   #14  |  Link
FranceBB
Broadcast Encoder
 
Join Date: Nov 2013
Location: Royal Borough of Kensington & Chelsea, UK
Posts: 2,902
I noticed that the Indexing wasn't working, so I started using the manual search and I even replied to a topic.
I thought it was some sort of maintenance until I saw this.
Anyway, it's sad to see that there are people who are willing to hack this community to get a few quids from PayPal or God knows what.
I consider Doom9 as the "StackOverflow" of the encoding and it's really sad to see a programmer damaging a forum that helps programmers...

Quote:
(which as I say, is unlikely to hurt anyone unless they're using a very old browser).
Very old? Like IE8? Or just like Chrome 54? Or maybe even just Firefox 52.9.1ESR?
I'm just wondering, 'cause I did browse the forum while it was infected, but I was using Chrome 72, however I'm pretty sure that there are people using older browsers.
FranceBB is offline   Reply With Quote
Old 24th February 2019, 09:49   #15  |  Link
foxyshadis
ангел смерти
 
Join Date: Nov 2004
Location: Lost
Posts: 9,558
Quote:
Originally Posted by FranceBB View Post
I noticed that the Indexing wasn't working, so I started using the manual search and I even replied to a topic.
I thought it was some sort of maintenance until I saw this.
Anyway, it's sad to see that there are people who are willing to hack this community to get a few quids from PayPal or God knows what.
I consider Doom9 as the "StackOverflow" of the encoding and it's really sad to see a programmer damaging a forum that helps programmers...



Very old? Like IE8? Or just like Chrome 54? Or maybe even just Firefox 52.9.1ESR?
I'm just wondering, 'cause I did browse the forum while it was infected, but I was using Chrome 72, however I'm pretty sure that there are people using older browsers.
Think IE6. Even IE8 won't let you put a script element in an a element.

I saw things earlier, and I didn't even want to log in. Now I see it's a very specific, very broken script kiddie hack, I shouldn't have worried.
foxyshadis is offline   Reply With Quote
Old 24th February 2019, 09:58   #16  |  Link
sneaker_ger
Registered User
 
Join Date: Dec 2002
Posts: 5,565
Was the script even running in any browser? It looked like the <script> tag wasn't closed correctly or something like that. I guess the forum's HTML filter worked almost correctly and he didn't find any way to make it work (it shouldn't break the list of threads so there seems to still be some error). And it seemed that at least from my PC the external .js wasn't even reachable. So I agree that this time probably nothing really happened, no passwords stolen etc.

I hope the admins can kinda limit mod rights to not let this happen again so easily, e.g. no global announcements. And revoke mod rights of mods no longer active.
sneaker_ger is offline   Reply With Quote
Old 24th February 2019, 11:58   #17  |  Link
wonkey_monkey
Formerly davidh*****
 
Join Date: Jan 2004
Posts: 2,496
Quote:
Originally Posted by sneaker_ger View Post
Was the script even running in any browser? It looked like the <script> tag wasn't closed correctly or something like that. I guess the forum's HTML filter worked almost correctly and he didn't find any way to make it work (it shouldn't break the list of threads so there seems to still be some error). And it seemed that at least from my PC the external .js wasn't even reachable. So I agree that this time probably nothing really happened, no passwords stolen etc.
I think the <script> tag was deliberately left unclosed in order to circumvent filters (whether or not that works I have no idea, and I'm not about to start experimenting!).

It should be relatively trivial to add code to VBulletin to look for <(whitespace)script and refuse to post anything containing it.

Ideally all < and > should be converted to &lt; and &gt; but that might cause issues with code blocks, depending on how they are implemented (they should be implemented with white-space:pre; and a monospace font rather than the <pre> tag).
__________________
My AviSynth filters / I'm the Doctor
wonkey_monkey is offline   Reply With Quote
Old 6th March 2019, 00:12   #18  |  Link
foxyshadis
ангел смерти
 
Join Date: Nov 2004
Location: Lost
Posts: 9,558
Quote:
Originally Posted by wonkey_monkey View Post
I think the <script> tag was deliberately left unclosed in order to circumvent filters (whether or not that works I have no idea, and I'm not about to start experimenting!).

It should be relatively trivial to add code to VBulletin to look for <(whitespace)script and refuse to post anything containing it.

Ideally all < and > should be converted to &lt; and &gt; but that might cause issues with code blocks, depending on how they are implemented (they should be implemented with white-space:pre; and a monospace font rather than the <pre> tag).
vBB does actually have a filter that converts <script ...> to <script ..., which is why it wasn't closed. There are ways around it, but our new friend wasn't up to the job.

You'd have to be browsing the internet with something like IE6, or a modern browser in IE6-compatible mode, for it to work; in that case you probably get hacked left and right every day.
foxyshadis is offline   Reply With Quote
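
An added example, not part of any post in this thread and not vBulletin's code: it contrasts a filter that only rewrites complete `<script ...>` tags with the opener check and the output encoding suggested in the two posts above. All function names and the sample post bodies are constructed for illustration, and `closedTagFilter` is a simplified stand-in for the kind of filter described, not the forum's actual one.

```javascript
// Added illustration: names and samples are constructed, not vBulletin code.

// Stand-in for a tag filter that only recognises a complete <script ...> tag.
function closedTagFilter(post) {
  return post.replace(/<\s*script\b[^>]*>/gi, (tag) => tag.replace("<", "&lt;"));
}

// The check proposed in the thread: does a raw "<(whitespace)script" remain?
function hasScriptOpener(html) {
  return /<\s*script\b/i.test(html);
}

// Output encoding: every HTML metacharacter becomes an entity.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Code blocks: escape first, then let CSS preserve the layout.
function renderCodeBlock(source) {
  return '<div style="white-space:pre;font-family:monospace">' + escapeHtml(source) + "</div>";
}

// Report whether a raw opener survives each treatment of a post body.
function survives(post) {
  return {
    closedTagFilter: hasScriptOpener(closedTagFilter(post)),
    escapeHtml: hasScriptOpener(escapeHtml(post)),
  };
}

// Constructed post bodies. The second never closes its tag, so the filter,
// which sees only the post, finds no complete tag to rewrite.
const closedPost = 'test <script src="https://example.invalid/a.js"></script>';
const unclosedPost = 'maintenance <script src="https://example.invalid/a.js" ';

console.log("closed:  ", survives(closedPost));
console.log("unclosed:", survives(unclosedPost));
console.log(renderCodeBlock('if (a < b) { s = "<b>"; }'));
```

In a rendered page the text after an unclosed opener is parsed as part of that tag until the next `>`, which is why checking for the opener itself, or encoding all output, is more robust than matching complete tags.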
Old 24th February 2019, 11:11   #19  |  Link
Wilbert
Moderator
 
Join Date: Nov 2001
Location: Netherlands
Posts: 6,364
Bummer. Somehow he changed the announcement after I suspended him ?????? That's not good. I removed his again. I don't even understand how this is possible.

Last edited by Wilbert; 24th February 2019 at 11:17.
Wilbert is offline   Reply With Quote
Old 24th February 2019, 11:17   #20  |  Link
sneaker_ger
Registered User
 
Join Date: Dec 2002
Posts: 5,565
He's in the "currently active users" list so maybe the suspending didn't really work (because of mod status)?
sneaker_ger is offline   Reply With Quote
All times are GMT +1.


Powered by vBulletin® Version 3.8.11