Hacked today

When I tried opening the forum site yesterday, Symantec instantly jumped on 4 different trojans and removed them. They were some sort of Java components, probably and very likely hazardous. So please run a virus check on your system if you have accepted any scripts on this site during the downtime.
 
Could be, but I doubt it. I think it was just a script kiddie who found an install of vbulletin that he could hack and went to town.

Mike
 
any chance of this being connected to people or reasons pool.bz got hacked?

Doubt it. I think this was just an instance in a long stream of forum sites getting hacked, due to the type of software they run (e.g. vBulletin on Microsoft IIS).

A lot of these low-level hackers (called "script kiddies" in my line of work) use "scanning kits" to go out and detect these types of sites they're interested in attacking. There are even scripted "attack and own (take control)" kits that completely automate this process.

So it's quite common to see one site get attacked/owned (taken over), and then another related site, and then another, in rapid fashion.

-Sean
 
If you guys Google vBulletin hacking, there are 100 sites (and forums) with huge communities of people trying to hack sites like AZB. I'm sure they figure out excellent techniques, share it, everyone gets hacked, and then vBulletin comes out with a patch update, etc... (and the cycle continues indefinitely).
 

Yup, and not just for vBulletin, either. Trust me, you should see the lists for other software infrastructures as well, like SAP, Cold Fusion, PeopleSoft, etc.

Just like you say, it's a never-ending cycle, a dog chasing its tail. That's why I'm a believer in products like FireEye -- that run inbound/outbound traffic through impromptu virtual machines (instantiated on the fly), and then check the after effects of what those packets did by taking those VMs apart and inspecting them. E.g. "why did that mouse click on that link cause the Flash player to install 50 things in the Windows Registry, with entries in the AutoRun key?" (and the same parallels for Linux/UNIX/Mac). Or, "why did that 'POST' value suddenly insert leafs in the Microsoft IIS website hierarchy?" Truly an answer for this kind of zero-day exploit stuff!

-Sean
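The detonate-and-inspect approach Sean describes boils down to differential analysis: snapshot the places malware likes to leave traces (autostart registry keys, the web root) before a sample runs in a throwaway VM, snapshot again afterwards, and report what changed. The script below is an added illustration of that comparison step, not FireEye's code or anything from this forum; the two snapshots are constructed by hand to mimic the registry AutoRun and IIS-tree changes mentioned in the post, and the "suspicious directory" and "web-executable extension" rules are assumptions chosen for the example.

```python
"""Compare persistence-location snapshots taken before and after a sample was
detonated in a sandbox VM and report what it left behind.

Added example only; snapshots and scoring rules are constructed for illustration.
"""

from dataclasses import dataclass
from typing import Dict, List

# Snapshot shape: location -> {entry name -> detail}.
# For a registry key, entry name is the value name and detail is its command line.
# For "webroot" (the IIS site's document tree), entry name is a file path and
# detail is the file's hash.
Snapshot = Dict[str, Dict[str, str]]

# Real Windows autostart keys an inspector would watch.
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}
# Assumed heuristics: autostart entries launched from scratch directories, and
# new/changed server-side script files under the web root, are rated high.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")
WEB_EXEC_EXT = (".php", ".asp", ".aspx", ".jsp")


@dataclass
class Finding:
    location: str   # registry key or "webroot"
    name: str       # value name or file path
    detail: str     # command line, hash, or "changed: old -> new"
    severity: str   # "high" or "info"


def _severity(location: str, name: str, detail: str) -> str:
    lowered = detail.lower()
    if location in RUN_KEYS and any(d in lowered for d in SUSPICIOUS_DIRS):
        return "high"
    if location == "webroot" and name.lower().endswith(WEB_EXEC_EXT):
        return "high"
    return "info"


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Return every entry that was added or modified between the two snapshots."""
    findings: List[Finding] = []
    for location, entries in after.items():
        prior = before.get(location, {})
        for name, detail in entries.items():
            if name not in prior:
                findings.append(Finding(location, name, detail,
                                        _severity(location, name, detail)))
            elif prior[name] != detail:
                changed = f"changed: {prior[name]} -> {detail}"
                findings.append(Finding(location, name, changed,
                                        _severity(location, name, detail)))
    return findings


# --- Constructed sample data (not from a real system) ---
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

BASELINE: Snapshot = {
    HKCU_RUN: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    HKLM_RUN: {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    "webroot": {"/index.php": "sha256:1111", "/forum/showthread.php": "sha256:2222"},
}

# After the click / POST: a new Run value pointing into %TEMP%, a new script
# dropped under the forum's images directory, and index.php modified in place.
AFTER: Snapshot = {loc: dict(entries) for loc, entries in BASELINE.items()}
AFTER[HKCU_RUN]["updater"] = r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"
AFTER["webroot"]["/forum/images/x.php"] = "sha256:3333"
AFTER["webroot"]["/index.php"] = "sha256:4444"


def high_findings(before: Snapshot, after: Snapshot) -> List[Finding]:
    return [f for f in diff_snapshots(before, after) if f.severity == "high"]


if __name__ == "__main__":
    for f in diff_snapshots(BASELINE, AFTER):
        print(f"[{f.severity:4}] {f.location} :: {f.name} :: {f.detail}")
```

Running it on the constructed snapshots flags all three changes as high: the Run value under `Temp`, the dropped `x.php`, and the rewritten `index.php`. In a real sandbox the snapshots would come from registry and filesystem enumeration of the VM image, and an unchanged baseline (same snapshot twice) should always yield an empty report, which is a cheap sanity check for the collector itself.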
 
Woke up to the phone ringing from the east coast at 5:30 this morning. Then saw text messages about us being hacked.

I think I have cleaned up everything that was hacked, but please let me know if anyone experiences anything strange today. I can be emailed at housepro@azbilliards.com

If you get a pop up asking for permission to run a java plugin, please do not allow it and email me to let me know about it.

Sorry about the problems today.

Glad you fixed this, however all virus checkers won't allow me to access the site... I use ESET in particular and it is still recognizing this site as a threat and is denying all access to it... any chance you can send a confirmation to them or the powers that be to allow this again because it really sux?? Thank You.
 
I sent a note to eset asking them to rescan and make the site safe again.

Thanks for the heads up.

Mike
 
Eset

I cannot log into the forum from my computer at home as eset has my access denied. I see 6 or 7 possible threats listed to the forums on az. Do you know what I have to do to correct this?
Thanks,
Powerpool
 
I contacted eset yesterday informing them that the hack had been cleaned up. Received a note from them this morning verifying that they show the site as clean. They said the block will be removed shortly.

Mike
 
Mike,

You did a great job as always on this!

I have one problem that is so small, it's probably not worth mentioning. When I used to go to advanced search and type in 3 or 4 letters of a user's name, such as pete for me, immediately I would get a list of users with those initial letters. Now it takes about a minute for that list to show up--at first I thought this was disabled. I use this a lot when I'm not sure of the exact spelling of a user whose posts I'm looking for. I don't mind waiting but it seems strange that it has changed.

Ken
 
Hi Mike, don't know if this is related to the hacking incident, but I now need to log in on a daily basis (I check "remember my password" each time). I use Mozilla, and my security settings are the same and seem to be correct.

Thanks, Jim
 

Thanks, Jim

Jim, go through and delete all cookies associated with AZB, then log in and click "remember me" again. That should fix it.
 

Somehow some of my cookie settings were erased, I just reentered the sites that require passwords and shazam...the world is in balance again.

Thanks Michael.

J
 
eset block 7/6/12

As of today eset has me locked out of az again. Is there a cure? Listing from my computer at work.
Thanks,
Powerpool
 
I spoke with eset this morning and they are looking into the problem now.

It doesn't appear that we were hacked again.

Mike
 
eset 7/7/12

Still denied access to the forums. I am writing this from work. Anything I can do?
 