Malware at sciforums for two days?

Discussion in 'Site Feedback' started by Billy T, Jul 28, 2014.

  1. Billy T Use Sugar Cane Alcohol car Fuel Valued Senior Member

    Messages:
    23,198
    My virus protection (Avast, free version) warned me immediately when I opened the site for the past two days, but I don't see any discussion of this. Was it just me or Brazil users?
     
  3. joepistole Deacon Blues Valued Senior Member

    Messages:
    22,910
    The site is not fully functional. The new tab doesn't work. Edits don't work. Reply with quotes don't work.
     
  5. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Sometimes if multiple domains are accessed from the same IP, a "malware warning" can be triggered by one domain and affect the other. That *might* be what happened in your case, Billy. The problem has been dealt with; however, the site/software has been upgraded and might have a few kinks that need ironing out.
     
  7. scheherazade Northern Horse Whisperer Valued Senior Member

    Messages:
    3,798
    I have been experiencing all of the complaints that others have raised. Will just wait until it all gets sorted out...
     
  8. youreyes amorphous ocean Valued Senior Member

    Messages:
    2,830
    the sins are catching up, it seems.
     
  9. tashja Registered Senior Member

    Messages:
    715
    LMAO, youreyes.

    When I do a latest thread search I get the following:

     
  10. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
  11. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
    testing
     
  12. Enmos Valued Senior Member

    Messages:
    43,184
    Everything looks alright now. Thanks!
     
  13. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
    You're welcome.

    Folks, if you notice any other issues, please let me know.
     
  14. rpenner Fully Wired Valued Senior Member

    Messages:
    4,833
    I notified Plazma Inferno via PM:
    I get error messages:

    Warning: Declaration of vBForum_Item_SocialGroupMessage::getLoadQuery() should be compatible with that of vB_Model::getLoadQuery() in ..../packages/vbforum/item/socialgroupmessage.php on line 261

    Warning: Declaration of vBForum_Item_SocialGroupDiscussion::getLoadQuery() should be compatible with that of vB_Model::getLoadQuery() in ..../packages/vbforum/item/socialgroupdiscussion.php on line 337

    At http://www.sciforums.com/search.php and http://www.sciforums.com/search.php?search_type=1
     
  15. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    I see the same messages, I've sent a message to Plazma with a possible fix for this.
     
  16. Plazma Inferno! Ding Ding Ding Ding Administrator

    Messages:
    4,610
    We fixed this one too, thanks to Stryder!
     
  17. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Okay, I thought I would inform you all now, since I've done a little bit of digging and wanted to be absolutely sure before I freaked everyone out.

    The current problems we have on sciforums are due to an attempted injection attack which replaces elements of the JavaScript. The injection technique I don't know at present (but I will get to the bottom of it).

    The person (or botnet) that attempted the injection didn't complete the full payload; it apparently was cut short*, leaving both its own attached code and the code we usually use to have all our functionality broken.
    The attempted exploit would have cloned all cookies that were set during login and sent them to a different URL along with user agent information. This would allow someone to attempt a session hijack to either get greater privileges of the user accounts or even potentially the server.

    *There is a small chance that this attack did actually work the other weekend and that the code that is left is what remains after someone attempted to erase their tracks; for that reason I suggest that everyone, after the problem's been fixed, replace their passwords again.

    I've already suggested to Plazma to test the current software files against a full install zip/tarball to see if there are any other altered files. (This should allow any compromised scripts to be "factory reset")
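
The check suggested in the post above (comparing the installed files against a clean install archive), as an added example that is not part of the original thread or of the forum software. It assumes the archive has already been unpacked to a directory; the file names in `demo()` and the ignored `config.php` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    root, digests = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_trees(reference_root, live_root, ignore=()):
    """Diff a live install against an unpacked clean release.
    ignore: relative path prefixes expected to differ (site config, uploads);
    which ones apply is an assumption that depends on the install.
    """
    ref, live = hash_tree(reference_root), hash_tree(live_root)
    def ignored(rel):
        return any(rel == p or rel.startswith(p.rstrip("/") + "/") for p in ignore)

    report = {"modified": [], "added": [], "missing": []}
    for rel in sorted(set(ref) | set(live)):
        if ignored(rel):
            continue
        if rel not in live:
            report["missing"].append(rel)
        elif rel not in ref:
            # Not shipped in the package: an upload, or a dropped script.
            report["added"].append(rel)
        elif ref[rel] != live[rel]:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample trees: one altered script, one extra file, one ignored config."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "js/site.js").write_text("function init() {}\n")
            (root / "search.php").write_text("<?php // search page\n")
        (live / "js/site.js").write_text("function init() {} /* altered */\n")
        (live / "config.php").write_text("<?php // site settings\n")
        (live / "extra.php").write_text("<?php // not in the package\n")
        return compare_trees(clean, live, ignore=["config.php"])

if __name__ == "__main__":
    print(demo())
```

Files reported as `added` deserve the same attention as `modified` ones, since a script planted on the server has no counterpart in the release archive. The reference copy has to be the same version as the live install, or every upgraded file shows up as modified.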
     
  18. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    Oh, that sounds like a barrel of fun 0o'
     
  19. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    It's always a bit of fun however there is only ever so much data forensics you can do when you don't actually have access to any real data (all completely speculative, well other than the actual injected code which is now fixed.)

    The main problem is that throughout working it out, I flooded Plazma with updates :xctd: <--- way too much caffeine
     