
forum compromised?


compn
6th October 2013, 00:48
something in the forums is accessing this url:
do a packet sniff.

http://online-multiplayer.com/doom9/l.js

anyone contact the admins?

Guest
6th October 2013, 01:35
It could be related to the recent spike in spam that we have been trying to keep in check. I will notify Swede. Thanks for pointing this out.

Devrim
6th October 2013, 01:58
If you are not logged in but do autocomplete the username + password field it steals both data.
If you are logged in it steals your private messages.

Devrim
6th October 2013, 01:59
Oh well, what can you expect from a forum that no one seems to maintain

Swede
6th October 2013, 05:48
Announcement removed. Involved users' passwords changed. Forum maintained.

Guest
6th October 2013, 11:12
I never opened the announcement. Was it some kind of trojan and if so, how did it work? Is my password possibly compromised if I never opened the announcement?

JEEB
6th October 2013, 11:26
It was javascript embedded in the title of the announcement, which then got executed (script tag). Surprising that the forum application let you do that, even if you are a 'moderator'. I would also check the integrity of the file system if possible, as while it looks like a single moderator account was compromised, it could be bigger.

Also, how was the data checked on how many users were affected? From what was discussed on IRC yesterday, there were no visible lists of users whose data was gotten? Of course, if there was a visible list of affected users, then that more or less could be used as a base for further check-ups.

If this was only limited to a single moderator account and that account did nothing else but add that announcement, then only people who viewed any of the subforums and had javascript enabled would be affected. Since the script tag was in the title of the announcement, you didn't have to actually open the announcement. Unfortunately, it isn't always limited to such, and thus I recommend that a proper check-up on the integrity of this site be done, as well as possibly a forum-wide announcement on the fact that such an incident has happened.

vBm
6th October 2013, 12:19
I dropped by #doom9 at EFNet but it was dead-ish ... prolly because it was after midnight CEST xD
Even though my user:pass was sent already, I'm glad it's removed.

(would be nice if vB could be upgraded to latest one available (v5) that has a lot of security improvements over current installed one which is 3.8.5)

Guest
6th October 2013, 13:34
So, since I have JS enabled, I should just assume that my password was compromised? What was the script actually doing?

Brazil2
6th October 2013, 14:04
> What was the script actually doing?
http://forum.doom9.org/showthread.php?p=1646848#post1646848

JEEB
6th October 2013, 14:07
It seems like it was (this is in no way a complete list):

trying to get your username/password from autocompletion, and sending it off to a third party
getting your private messages if you were logged in
if you were an admin, it would try to do various things, and even implant something on the server it seems


If anyone wants to take a further look at the script, it is viewable here (http://pastebin.com/LdTBWHRT).

Guest
6th October 2013, 14:10
Forgive me for my ignorance but what is autocompletion?

When I go to Doom9 I am logged in without having to do anything. Is that autocompletion?

kasper93
6th October 2013, 14:26
> Forgive me for my ignorance but what is autocompletion?
Autocompletion is the option to fill the user name and password in the login form. Of course this works only if you let your browser remember your password.

> When I go to Doom9 I am logged in without having to do anything. Is that autocompletion?
Those are cookies :)

> So, since I have JS enabled, I should just assume that my password was compromised?
If you were logged in all the time, most likely only your PMs were stolen. But of course, to be safe, everyone should change their password.

> It was javascript embedded in the title of the announcement, which then got executed (script tag). Surprising the forum application let you do that, even if you are a 'moderator'. I would also check the integrity of the file system if possible, as while it looks like a single moderator account was compromised, it could be bigger.
Let's hope that this XSS was only possible in the announcement title. I hope that regular thread titles are safe.
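
The two points made above (JEEB's post: a script tag stored in a title runs for everyone who merely views the listing; kasper93's post: the worry that other title fields may be rendered the same way) come down to one defect, user-controlled text written into HTML without output encoding. The following is an added example, not code from the thread or from vBulletin: it shows the unsafe and the encoded rendering of a title side by side, and an audit pass an admin could run over a dump of stored titles to find script tags, separating those that load from the forum's own host from those that pull from elsewhere. The sample rows are constructed (the `l.js` URL is the one reported in this thread); the own-host list is an assumed parameter.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample of stored titles, shaped like an admin's dump of the
# announcement/thread tables after an incident. Row ids and benign titles are
# made up; only row 2 mirrors the pattern reported in this thread.
SAMPLE_TITLES = [
    (1, "Forum rules - please read"),
    (2, 'Welcome<script src="http://online-multiplayer.com/doom9/l.js"></script>'),
    (3, "x264 vs x265 encoding tips <b>updated</b>"),
    (4, "Maintenance<SCRIPT SRC='https://forum.example.invalid/js/local.js'></SCRIPT>"),
    (5, "Tag <script>void 0</script> in title"),
]

# Opening <script ...> tags only; the closing tag carries no attributes.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def render_title_unsafe(title):
    """The pattern behind the incident: raw interpolation into markup."""
    return f"<h2>{title}</h2>"


def render_title_safe(title):
    """Output encoding: the browser displays the text instead of parsing it."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


def audit_titles(rows, own_hosts):
    """Return (row_id, kind, host) for every script tag found in stored titles.

    kind is 'external' (src on another host), 'same-host' (src on a host in
    own_hosts, still not legitimate in a title) or 'inline' (no src).
    """
    findings = []
    own = {h.lower() for h in own_hosts}
    for row_id, title in rows:
        for tag in SCRIPT_TAG.finditer(title):
            src = SRC_ATTR.search(tag.group(1))
            if src is None:
                findings.append((row_id, "inline", None))
                continue
            host = (urlparse(src.group(1)).hostname or "").lower()
            kind = "same-host" if host in own else "external"
            findings.append((row_id, kind, host))
    return findings


if __name__ == "__main__":
    # Assumed own host for the forum; adjust to the real deployment.
    for row_id, kind, host in audit_titles(SAMPLE_TITLES, {"forum.example.invalid"}):
        print(f"row {row_id}: {kind} script tag, host={host}")
    for _, title in SAMPLE_TITLES[:2]:
        print("unsafe:", render_title_unsafe(title))
        print("safe:  ", render_title_safe(title))
```

The audit is a post-incident check, not a substitute for the fix: every place a title is echoed into a page should go through the encoded path, and the same applies to any other field a moderator or user can set. Note that an attached script served from the forum's own host (IanB's point later in the thread) shows up here as `same-host`, which is why the audit does not simply allowlist the forum's domain.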

Guest
6th October 2013, 15:18
Thank you!

mastrboy
6th October 2013, 22:07
After trying to understand the almost 3500-line javascript, it seems that the attack was almost targeted?

I'm guessing my noscript couldn't avoid me being compromised since I some time ago added doom9 to the whitelist?
Or was the script hosted and linked from another domain?

kasper93
6th October 2013, 22:29
@mastrboy: The script was hosted here http://online-multiplayer.com/doom9/l.js so NoScript should block it. It did for me.

> After trying to understand the almost 3500 lined javascript, it's seems that attack was almost targeted?
The interesting part has only 105 lines; the rest is jQuery... And to be honest it's a pretty lame script. It can be applied to any vBulletin forum. Not sure about version >= 4, but it's such a simple script that it can be adjusted. Password stealing can be adjusted for every site with a login box ;p

IanB
6th October 2013, 23:31
How vulnerable we are, blindly accepting any executable code onto our computers. We have been socially engineered to this point by all those must-have sites that do not work without javascript enabled. Of the sites I now regularly visit, only 2 do not require javascript at all, and only a small handful provide a useful if restricted experience without any javascript. Fortunately a good proportion of the current sites still function adequately with pretty severe restrictions imposed through NoScript and related tools. Unfortunately that proportion is reducing daily. A new insidious factor is the sites that do not work with some browsers; am I paranoid in thinking these seem to be mostly browsers that support good javascript hygiene?

This exploit should be taken as a wake-up call. If the script source had been attached to the forum (moderators can attach and approve any content as well as do news) instead of being on an external site, NoScript would not have alerted and protected us, and the exploit would still be active.

sneaker_ger
7th October 2013, 13:08
So, shouldn't there be some kind of public announcement asking users to reset their passwords (or force that for everyone)?

LoRd_MuldeR
7th October 2013, 15:09
> So, shouldn't there be some kind of public announcement asking users to reset their passwords (or force that for everyone)?

Just to let you know, I have opened a thread about this issue in the moderators forum.

sneaker_ger
17th October 2013, 17:36
Ten days have passed.

LoRd_MuldeR
17th October 2013, 19:59
> Ten days have passed.

I will let you know as soon as any news regarding the issue is available.

sneaker_ger
17th October 2013, 20:21
If you don't know all the details yet you should've already reset all passwords.

LoRd_MuldeR
17th October 2013, 21:52
Even if I had the required access rights, which I do not have, I couldn't decide such drastic things on my own. I don't even know if that's technically possible with the current forum software (with reasonable effort).

And, as I said before, I have opened a thread about this issue in the moderators forum. There is not much more I can do at this point. So please be patient...

osgZach
19th October 2013, 05:28
(this isn't directed at anyone in particular)

Have to say I'm a little disappointed.

At the very least, everyone should have been notified by e-mail, etc that the forum was compromised, and they should reset their password just to be safe. Or OTOH at least reassure those who weren't affected that while something did happen, they will be fine unless they receive further private instructions.

It's not the kind of ball I would expect a place like Doom9 to drop.