
Webshield alert!! Toontastic is a danger to your computer.


Park Life

Yeah, the only reason I suggested starting afresh is because someone mentioned that the upgrade was complicated.

 

Pretty important that it gets sorted out though imo.

 

Agree, but I've already done more than I can afford (time-wise) to do. Things are being done behind the scenes to try and rectify it, but there's only so much work evasion I can do.

 

We need to upgrade which we've got problems with. We need to change passwords to the back-end stuff which I've asked Pud to do - I don't have the know-how on that one.


Okay, beyond a joke now - clicked on the Toontastic Google link at work this afternoon and the antivirus went berserk. A page with "http://stirist.com/dl/un/index.php" (or something very close to it) opened, but no Toontastic page; my computer locked up (well, IE, Outlook and my work client) and I had a call from the IT dept - not good, not good at all.

Nothing happened when I just opened TTT at home now.

 

tbf, you (and everyone else who uses this site including me) browse it from work at your own risk.

 

The site has been hacked and trying to sort it out is like finding a needle in a haystack. The response may seem lax but that's because we know just about as much as you do. I'm spending as much time as I can reading into what's possibly gone on by reading through support forums.

 

We don't yet know if it's the site, the software, the server, or whatever else that's infected so simply starting again may not provide the solution.

 

Sorry I can't be of more help.


It's the board's software, because your version is out of date.

You'll be in more grief if someone decides they don't like the board and hits Google to pick up one of the easily available scripts to grab an admin account.

It was a worm that no doubt searches the web for signs like "Powered By IP.Board 2.3.1 or less" and has used a SQL injection to place crap into the board. If it was anything more sinister they would be doing a little more or less than putting spamware that doesn't even work correctly into the footer of a forum.

Go through the admin accounts, obviously deleting anything that shouldn't be one (if there even are any), and follow your standard upgrade procedure for putting up the new version; it needs to be greater than version 2.3.5...

Even if there was an account or something that's timed to try the same exploit on the new board, it's been fixed and won't work, so fck it.

 

Otherwise it'll be like Halloween Part XXXIV.

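The two checks the post above asks for (rogue admin accounts, and a board version newer than 2.3.5) as a small triage script. This is an added example, not code from the thread or from IP.Board: it parses the version out of a "Powered By IP.Board x.y.z" footer string, compares it against the 2.3.5 figure the post gives, and lists administrator-group accounts that are not on a known list. The member records, the group label "Administrators" and the known-admin list are constructed sample data, not values from this forum.

```python
import re
from datetime import date

# Constructed sample of a members export: name, group, and the day the
# account was created. Group label and the known-admin list are assumptions.
MEMBERS = [
    {"name": "owner",      "group": "Administrators", "joined": date(2006, 3, 1)},
    {"name": "pud",        "group": "Administrators", "joined": date(2006, 3, 2)},
    {"name": "regular",    "group": "Members",        "joined": date(2007, 5, 9)},
    {"name": "sys_upd4te", "group": "Administrators", "joined": date(2008, 9, 30)},
]
KNOWN_ADMINS = {"owner", "pud"}

# Matches the copyright footer the worm is said to search for.
_VERSION_RE = re.compile(r"Powered By IP\.Board\s+v?(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_board_version(footer_html):
    """Return the version as a tuple, e.g. 'Powered By IP.Board 2.3.4' -> (2, 3, 4).
    Returns None when the footer carries no version string."""
    m = _VERSION_RE.search(footer_html)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_upgrade(version, minimum=(2, 3, 5)):
    """True unless the version is strictly newer than the minimum named in the post.
    An unknown version is treated as needing the upgrade."""
    return version is None or version <= minimum


def rogue_admins(members, known_admins, admin_group="Administrators", since=None):
    """Administrator-group accounts not on the known list; optionally only those
    created on or after `since` (e.g. the day the injected footer first appeared)."""
    found = []
    for m in members:
        if m["group"] != admin_group or m["name"] in known_admins:
            continue
        if since is not None and m["joined"] < since:
            continue
        found.append(m["name"])
    return found


def triage(members, known_admins, footer_html):
    """Combine both checks into one report for the incident notes."""
    version = parse_board_version(footer_html)
    return {
        "version": version,
        "needs_upgrade": needs_upgrade(version),
        "rogue_admins": rogue_admins(members, known_admins),
    }


if __name__ == "__main__":
    # Constructed footer, not taken from the live site.
    footer = '<div id="copyright">Powered By IP.Board 2.3.4 &copy; 2008</div>'
    print(triage(MEMBERS, KNOWN_ADMINS, footer))
```

Run it against a real members export by replacing MEMBERS with whatever the admin panel lets you download; the `since` argument is the useful filter once you know when the footer injection first showed up.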

Peeps.

 

We're aware that there's an issue when trying to view new posts and it just shows you a blank page.

 

Teething issues with the cleansing of this site I'm afraid - please bear with us and we'll hopefully get sorted ASAP.


*Wanders in to hold his hands up*

 

Sorted. Random blank line got added during some file changes. I blame my code editor..... obviously :D

 

No one mention anything to do with workmen, their abilities, liability and their tools :D


As an update for everyone - work is going on with this issue. Ultimately, the board will be upgraded (there is an issue around that which is being resolved) but before this is done, we're trying to eradicate the problem.

 

Basically, upgrading should remove the vulnerability we've been exploited by, but I want to be sure (as much as I can) that anything that has been added to allow the bastards access has been removed. It's pointless upgrading to stop them getting in if they already have a back door - well, apart from the fact it stops new people trying the same trick; but you get where I'm coming from.

 

We're also doing some other stuff which should harden the board against future attacks. :D



I'm pretty sure no "bastards" were involved; it's simply just a worm.

Who goes to the bother/expertise to exploit something, install backdoors and rootkits etc., then installs adware that doesn't even point to a live host?

You'd need to be the worst hacker in the world =D

 

In fairness Ant, there were the bastards who wrote the worm in the first place and those who initiated this particular instance - which is who I was referring to :D. I know the worm crawls around the web looking for vulnerable installs of the software, but it's doing it for a purpose and on behalf of a real person. The adware etc. is just one aspect of the attack. The secondary function of such an attack is usually to compromise the server and use it to propagate further attacks on other servers / installs.

Granted, the chances of someone ever actually logging on are somewhat remote, but leaving the code floating around somewhere in the system, particularly when it may be (and was) attached to an aspect of the software unlikely to be overwritten by the upgrade, is just foolish.

 

In one of your earlier posts, you (quite rightly) suggested removing the version number. We can't (and I tried anyway) as it is part of the licence agreement and the software actually prevents you from removing it. I had hoped to replace it with something similar - just without the version. The only way we can remove it is by buying the permission to do so at a cost of $275.

 

Besides, just because it was pointing to a blank page doesn't mean it wasn't doing anything. The blank page is a nice way of remaining undetected (that is, before the AVs catch on and report it) whilst feeding data back to the remote host.


Ant,

 

Ok, I referred to the blank page because that was what it was currently doing before I removed it. I take your point about the dead hosts etc.

 

As for picking me up on the secondary feature, how do you know this exploit wasn't designed to do anything more than insert some links into the footer? Is there something you're not telling us... :mellow:

 

Basically, the code I removed was doing more than just inserting the links and it wasn't part of the core installation either, so I'm not convinced an upgrade would have picked it up. The upgrade will prevent the same attack being successful as it should close that hole, but I was worried the exploit itself may have remained post-upgrade.

 

Perhaps I was a little vague when I referred to the server. I didn't mean taking over the whole server (the access permissions only limit us to our space and you are quite right, that can't be escalated to anything outside of that). However, the information being returned to the remote host could have been used for other purposes.

 

Anyway, thanks for the heads up on where to find the footer code. You're right, the chances of actually getting pulled up for removing it are slim, but for now I'll just change it so that it's not how it currently is.

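The last two posts make two points a cleanup should check for: a footer that pulls in an off-site or hidden element (the blank page that still beacons to a remote host), and injected code that sits outside the core installation and so survives an upgrade. The script below is an added example of how to look for both and is not code from the thread or from IP.Board. It scans a template fragment for tags that load or link a URL, flags any whose host is not on an allow-list or which are hidden from the reader, and diffs the files actually present against a known-good manifest. The footer HTML, the allowed hosts, the file manifest and the stray file name are all constructed sample data; the path names are placeholders, not real IP.Board paths.

```python
import re
from urllib.parse import urlparse

# Constructed footer as a template might look after the injection: the
# hidden iframe is the planted element, the other tags are normal site content.
INJECTED_FOOTER = (
    '<div id="copyright">Powered By IP.Board 2.3.1</div>\n'
    '<script src="/js/ipb.js"></script>\n'
    '<a href="http://cdn.placeholder-forum.test/rules.html">Rules</a>\n'
    '<iframe src="http://injected-host.invalid/dl/un/index.php" '
    'width="0" height="0" style="display:none"></iframe>\n'
)
# Hosts the site legitimately loads from (assumption for this example).
ALLOWED_HOSTS = {"forum.placeholder.test", "cdn.placeholder-forum.test"}

# Constructed file lists: a known-good manifest and what is on disk now.
CORE_MANIFEST = {"index.php", "admin/index.php", "sources/loader.php"}
PRESENT_FILES = sorted(CORE_MANIFEST | {"cache/.footer_inc.php"})

# Tags that can fetch or link remote content, and the attributes that carry the URL.
_TAG_RE = re.compile(r"<(script|iframe|img|link|a)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
_URL_RE = re.compile(r"\b(?:src|href)\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Attribute patterns that make an element invisible to the reader.
_HIDDEN_RE = re.compile(
    r"width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def external_references(html):
    """Return (tag, url, hidden) for every tag that loads or links a URL."""
    refs = []
    for m in _TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        hidden = bool(_HIDDEN_RE.search(attrs))
        for url in _URL_RE.findall(attrs):
            refs.append((tag, url, hidden))
    return refs


def suspicious_references(html, allowed_hosts):
    """Flag references that point to a host outside the allow-list or are hidden.
    Relative URLs are served by the site itself and only count if hidden."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag, url, hidden in external_references(html):
        host = urlparse(url).hostname
        offsite = host is not None and host.lower() not in allowed
        if not (offsite or hidden):
            continue
        reasons = []
        if offsite:
            reasons.append("off-site host %s" % host)
        if hidden:
            reasons.append("hidden element")
        findings.append((tag, url, "; ".join(reasons)))
    return findings


def unexpected_files(present, manifest):
    """Files on disk that the known-good manifest does not account for; these are
    exactly the ones an upgrade that overwrites core files would leave behind."""
    return sorted(set(present) - set(manifest))


if __name__ == "__main__":
    for tag, url, why in suspicious_references(INJECTED_FOOTER, ALLOWED_HOSTS):
        print("footer: <%s> %s (%s)" % (tag, url, why))
    for path in unexpected_files(PRESENT_FILES, CORE_MANIFEST):
        print("not in manifest: %s" % path)
```

In practice the manifest comes from a clean copy of the same board version (a file list from the vendor's download, or a hash list taken before the incident), and the template scan is run over every skin/template file and cache file, not only the footer, since the injected code was attached to a part of the software the upgrade would not touch.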
