Author
|
Topic: Star-control.com discussion board compromised (Read 10648 times)
Dabir
Well damn, I just visited it. I visit it first. I didn't see any iframes, but the fonts were bugged up and phpBB was issuing debug notices complaining about headers having already been sent at the top. I'd go back and check, but right now I must scan my computer.
Draxas
Was wondering what was going on when I got all those broken script notices earlier. I also found that all the links to subforums were dead, and also kicking back broken script messages. I had no idea this had something to do with an attack site.
Well, it's my PC at work, so there's nothing I can do for it. If the virus and spyware protection here can't catch it, I'm pretty much stuck.
Let us know when this gets resolved.
oldlaptop
The SCDB front page looks clean to me now (some innocuous looking javascript probably generated by the forum software, no references to locumresouces.com anywhere), but the boards are still down. All links other than 'Board Index' and the board logo bring up an error that './cache is not writable', so I'd guess that databases have been taken down for checking.
oldlaptop
SCDB is back up.
Megagun
It's gone now, yes. I checked with Firefox and NoScript enabled. The bit that inserts the iframe is gone now.
However, it could be that whoever inserted that iframe has removed it himself, perhaps because he has succeeded in his goal (steal an Admin account so that he now has access to the database/php scripts?). Unless some SCDB Admin comes forward and tells us that he's removed the offending bit of javascript, I wouldn't trust the SCDB.
Draxas
I'm guessing Luki would be the most likely to show up here. Until he (or Chad, or whoever) shows up, I guess I'll keep away for a while.
meep-eep
Forum Admin
My observations and conclusions:
- Judging by the error messages, code was inserted in the PHP page source.
- That means that someone had system access on the server.
- Because the page was broken, and because of the contents which were included, it's likely that this was an automated attack.
- This may make it less likely that any specific data has been stolen.
- Change your password regardless.
- From what I could find on possible candidates for this malware, compromised websites actually try to exploit the visitors' systems through various vulnerabilities in their software (mostly browser plugins).
My advice:
- Keep your software up-to-date with respect to security updates! In particular your operating system (Windows), browser, and browser plugins (Java, Flash Player, PDF reader). Install Secunia PSI to help you with this. (It's free.)
- (Windows) Have a virus scanner active.
- Change your password for star-control.com, and on any place where you use the same password.
- (Don't use the same passwords on important sites, and use a strong password.)
- Avoid mainstream software, which is what is targeted through automated exploits. Use alternative PDF readers rather than Adobe Reader (Foxit Reader, PDF-XChange Viewer, ...), other browsers than Internet Explorer and Firefox, perhaps even another operating system (Linux or MacOS instead of Windows).
- Don't have software installed which you don't use, in particular anything which acts as a server or plugs into your browser.
- Make regular back-ups.
Also, the spam on the UQM forum is just that, spam. Annoying, but relatively harmless. This happens quite frequently and is usually removed quickly enough.
Disclaimer: While IT security is what I do professionally, I have not thoroughly investigated this attack. YMMV.
« Last Edit: August 02, 2011, 07:14:30 pm by meep-eep »
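The thread's two technical observations (meep-eep's point that code was inserted into the PHP page source, and the earlier reports of a hidden iframe and "headers already sent" notices) suggest a simple triage check an admin could run over the web root. The scanner below is an added example, not code from the thread, from the star-control.com admins, or from phpBB. It assumes that injected HTML placed before a file's opening `<?php` tag is what triggered the "headers already sent" notice (a stray blank line or BOM produces the same notice innocently), and the indicator patterns and the sample file contents are constructed for the example; the hostname in the sample is the one oldlaptop mentioned, but the markup around it is made up.

```python
import os
import re
from typing import List, Set, Tuple

# Indicators typical of automated compromises that inject drive-by content
# into a PHP site's templates.  These patterns are this example's own
# assumptions, not a list taken from the original thread.
INDICATORS = [
    ("hidden iframe",
     re.compile(r"<iframe\b[^>]*(?:width|height)\s*=\s*[\"']?0\b", re.I)),
    ("obfuscated eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("off-site script",
     re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']https?://([^/\"']+)", re.I)),
]


def output_before_php(src: str) -> bool:
    """Return True when non-whitespace text precedes the first '<?php' tag.

    phpBB sends HTTP headers (cookies, redirects) from PHP code, so anything
    output before that code runs yields the 'headers already sent' notice
    reported in the thread.  Injected HTML prepended to a PHP file is one
    way that happens (an assumption of this example).
    """
    idx = src.find("<?php")
    return idx > 0 and src[:idx].strip() != ""


def scan_source(name: str, src: str, site_hosts: Set[str]) -> List[Tuple[str, str, int]]:
    """Scan one file's contents; return (file, reason, line_number) findings."""
    findings = []
    if output_before_php(src):
        findings.append((name, "output before <?php", 1))
    for label, pattern in INDICATORS:
        for m in pattern.finditer(src):
            if label == "off-site script" and m.group(1).lower() in site_hosts:
                continue  # script served from the site's own host: not off-site
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append((name, label, line_no))
    return findings


def scan_tree(root: str, site_hosts: Set[str]) -> List[Tuple[str, str, int]]:
    """Walk a web root and scan every .php file with scan_source()."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".php"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(path, fh.read(), site_hosts))
    return findings


# Constructed samples: a clean phpBB-style file and a copy with a hidden
# iframe injected before the opening tag.
CLEAN = "<?php\ndefine('IN_PHPBB', true);\ninclude('common.php');\n?>\n"
INFECTED = ("<iframe src=\"http://locumresouces.com/\" width=0 height=0></iframe>\n"
            + CLEAN)

if __name__ == "__main__":
    # Usage against a real tree would be: scan_tree("/var/www/forum", {"star-control.com"})
    for path, reason, line_no in scan_source("index.php", INFECTED, {"star-control.com"}):
        print("%s:%d %s" % (path, line_no, reason))
```

A hit from this scanner is a reason to diff the file against a clean phpBB release and to check file modification times and the web server's access logs around them, not proof of compromise on its own; conversely, a clean scan says nothing about injected code that was already removed, which is Megagun's point about not trusting the board until an admin confirms the cleanup.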