Intrusion/Hacking attempts?

C

Champasak

0
Jan 12, 2003
258
1
0
rob771 - regarding your question "Has the site been compromised?" - aside from the Kaspersky / Avast warnings on individual PC's, there is no discernable indication that it has been compromised. NONE of the Anti-Virus software providers that have an online website checking service find any issues... Therefore its a mystery why those warnings are appearing in the past few days. That coincides with the upgrade on our vBulletin forum software - no response from vBulletin Tech Support as yet.

We are very concerned about all of this, and have been working hard to determine exactly what is ocurring, and why. During the past year there have been repeated and prolonged attempts by 'a group of known miscreants' intent on hacking the server, website, admin account and individual user accounts. Police and Ministry of Information & Communications Technology (MICT) are aware of these activities and the investigation is ongoing...

Admin001;276364 wrote: In addition to the previous blacklist checks, we've signed up for a couple of online malware scanning services;
QualsysGUARD: scanned 2000 pages on GT-Rider, no issues found
HackAlert: no issues found
Securi.net: reported a JavaScript issue with a WordPress plugin (outer portion of the site). Whilst it called code from another site, that appeared to be legitimate code from the author of the plugin. No other malware servcie reported this as an issue... Deleted the plugin as it was unused.
VirusTotal.com: squeaky-clean site on all their tests...
Norton SafeWeb: http://safeweb.norton.com/report/show?url=www.gt-rider.com - CLEAN
Macafee.com: http://www.siteadvisor.com/sites/www.gt-rider.com - CLEAN
AVG.com.au: http://www.avgthreatlabs.com/sitereports/domain/www.gt-rider.com/domain-search-widget/www.avg.com.au - CLEAN

Blacklist status
Domain clean by Google Safe Browsing: gt-rider.com - reference
Domain clean by Norton Safe Web: gt-rider.com - reference
Domain clean on Phish tank: gt-rider.com - reference
Domain clean on the Opera browser: gt-rider.com - reference
Domain clean on Sucuri IP/URL malware blacklist: gt-rider.com - reference

We've also contacted vBulletin Tech Support to request a check on the /images/editor/smilie.gif files reported by AVAST AV as per post by mbox999
Click to expand...
 
rob7711

rob7711

0
Oct 30, 2010
203
5
0
These are screen grabs off my laptop of the issue. I am no techie but perhaps they may provide some useful info for admin to work on. Cheers!

Capture1.jpg


Capture2.jpg


Capture3.jpg
 
C

Champasak

0
Jan 12, 2003
258
1
0
Hi Rob7711

Thanks for taking the time to provide those screen shots - the wierd thing is, those files don't actually exist on the GT-Rider server... :crazy:
- examining the directory contents via Smart FTP, those files are not there
- if you try and open the URL for the image link, all you get is a 404 Page Not Found Error

Tech Support at vBulletin say they don't understand why this is ocurring either...
 
Ian Bungy

Ian Bungy

0
Sep 19, 2006
2,393
376
83
63
www.chiangmai-xcentre.com
I just tried Your Link LivinLos and got the 404 Page Not Found Error as Admin said? Obviously there is some disparity between computers used I guess? At No time have I had any Warnings? Weird, sorry for those of You who are!
 
rob7711

rob7711

0
Oct 30, 2010
203
5
0
Admin001;276400 wrote: Hi Rob7711

Thanks for taking the time to provide those screen shots - the wierd thing is, those files don't actually exist on the GT-Rider server... :crazy:
- examining the directory contents via Smart FTP, those files are not there
- if you try and open the URL for the image link, all you get is a 404 Page Not Found Error

Tech Support at vBulletin say they don't understand why this is ocurring either...
Click to expand...
You are welcome admin.

Hmmmmmm .... the plot thickens ..
 
mudboots

mudboots

0
Feb 1, 2012
183
1
18
Good morning here from OZ, Having my morning coffee and read of what is new on GTR before leaving for work ... After reading about Intrusion/Hacking attempts on here over the last week and having none of of the talked about things happen to me i thought all good.
But this morning i get a worning..

THREAT WAS BLOCKED

FILE NAME: www.gt-rider.com/thailand-motorcycle=forum/images/editor/smilie.gif

THREAT NAME: Exploit Blackhole Exploit Kit (Type 2115)
 
C

Champasak

0
Jan 12, 2003
258
1
0
Hi guys

Thanks to those who have expressed their concern and/or prodided screenshots etc.

An update on the odd issue thats been going on over the past few days;

  • Checks today show that AVG now reports an unidentified "potential threat" issue occurred on 4 unidentified pages on 15th Feb - which is not too helpful... Previously, AVG reported the site as clean.
  • All other AV sites with URL checkers previously listed show no issues
  • In addition, checks on TrendMicro how no issues
 
feejer

feejer

0
Feb 16, 2007
444
2
18
I thought things had settled down as nothing was detected by my firewall for several days. But just got this one a few minutes ago through a completely different ISP in another state and on my desktop at home vs. the laptop. This "attack" is different than the first ones in that it now shows GT-Rider as the actual attacking site. The ones prior were a remote attack from a totally different Russian IP as if GT-Rider was acting as a forwarding server to the IP attempting the intrusion. I have a friend who is a former IT manager and co-owner of a local ISP. If you want, I can bounce this off of him tonight over some beers to see if he has ever encountered/resolved anything like this during his travels.

I just ran this http://security.symantec.com/nbrt/npe.aspx?lcid=1033 to be sure my desktop has not been compromised and it is clean.

Webattack4.jpg
 
mudboots

mudboots

0
Feb 1, 2012
183
1
18
I am getting a threat every time i enter GTR now so have been doing some looking myself i hate shit popping up on my lapy found this about.
THREAT NAME: Exploit Blackhole Exploit Kit (Type 2115) on a AGV forum.

17.2.2012 15:56 Re: Blackhole Exploit Kit Removal #190919
Reply with Quote | Quick Reply | Top

I am not a super brain when it comes to working bloody computers out but what i can figger out i think is ( Master boot record or system driver is infected ) if this has happend to the GTR forum web site has it now been passed on to all of us now ? I do not get this worning from any of the other sites i am a menber of and i am the same as most of you have checked my pc and nothing so it says.
I will keep looking and if i find anything that may help will post.

cheers Brad.

nemethste



Manager
Join Date: 1.11.2011
Posts: 785
 Hello Esinem,

If you have some resilient infection that keeps coming back, it may mean that your Master boot record or system driver is infected by some rootkit.

Please restore master boot record and then scan your computer with updated AVG Rescue CD.

You might also want to consider installing AVG which should be able to stop the infection.

Thank you

___________________AVG TeamHow-To articles | FAQ | Free SupportWe Protect Us

 
mudboots

mudboots

0
Feb 1, 2012
183
1
18
Hummm seems this is going on all over the place E-Bay so on found this all so..

Gabethebabe
Malware Jedi



Join Date: Oct 2007
Location: In front of my monitor
Posts: 8,063

Re: Blackhole Exploit Kit (type 1889)??
Note that an exploit kit is a piece of software that is designed to exploit (hence the name exploit kit) a collection of known security holes present in common software. E.g. security holes in outdated java versions, outdated browsers, outdated PDF readers, etc. If a security leak is found by the exploit kit, a mechanism is activated to abuse this security leak and install some piece of malware.

If you are using Chrome there is a very decent possibility that you are invulnerable to this exploit kit, because Chrome´s built-in sandbox has proven in hackers conventions that it is practically inpenetratable.
Also Internet Explorer 8 requires some brilliant script to crack and still it takes 1-2 minutes. Means if you hit a poisoned webpage and get out in 30 seconds, you are safe.

The weakest link imo in the browser category is Mozilla Firefox, without NoScript. Running that is asking for problems (older IE is definitely worse though)
 
mudboots

mudboots

0
Feb 1, 2012
183
1
18
I have had a good look and this seems to be the only answer i have found but am unsure if its my coputer or the GTR forum server.
I have also read that its happening on face book, hotmail, so on.

faq_folder.gif
AVG Forums » Other topics » How-Tos » How To Restore The Master Boot Record

3.2.2011 11:57 How To Restore The Master Boot Record #147645
Top
jirka82



Manager
Join Date: 19.6.2009
Posts: 3587
How to restore the Master Boot Record:

Sometimes, viruses will copy (a part of) their payload to the Master Boot Record. This portion of the hard drive is not checked and it is difficult to remove the infection from there. When there is a confirmed infection, you can rebuild your Master Boot Record by using a specialized utility:

MbrFix utility

1. Download the MbrFix utility.
2. Extract the downloaded archive to C:temp.
3. Run the command line.
4. Go to the folder with extracted MbrFix utility by typing this command:

cd

- Where is a full path to the respective folder (e.g. "C:temp")

5. Run the MbrFix utility using a command in this syntax:

MbrFix /drive fixmbr {/vista|/win7}

Where:
refers to hard drive number - should be 0 in almost all cases
{/vista|/win7} are optional parameters for Windows Vista or 7

Examples:

To restore MBR code on Windows 2000 or Windows XP systems:

MbrFix /drive 0 fixmbr

To restore MBR code on Windows Vista systems:

MbrFix /drive 0 fixmbr /vista

To restore MBR code on Windows 7 systems:

MbrFix /drive 0 fixmbr /win7

Incorrect usage of the MbrFix utility may render your system unbootable. We recommend using this utility only when asked to do so by a forum moderator.

Offline mode

In some cases, the master boot sector needs to be restored in offline mode (to avoid an active infection manipulating with system calls used for rewriting). The Windows operating system offers own maintenance tools to do so.

Windows XP

1. Follow this MS knowledge base article. We recommend using the Option 2: Starting the Windows Recovery Console from the Windows XP CD-ROM.
2. When the recovery console is started, type the fixmbr command and press Enter (this command is described below on the page).
3. Confirm overwriting of the MBR sector (type Y and press Enter).
4. After the command is performed, please restart your system by pressing Ctrl + Alt + Del.

Windows Vista/7

1. Follow this MS knowledge base article.
2. Instead of using plain Bootrec.exe command as described in step 7 of the above linked MS article, type this:

bootrec.exe /fixmbr

3. Press Enter.
4. Restart the computer.


Go toSelectAVG Forums General Information Information AVG Free AVG 2012 Free Edition AVG E-mail Protection AVG Network Protection AVG Update AVG Installation/Uninstallation AVG 2011 Free Edition AVG E-mail Protection AVG Network Protection AVG Update AVG Installation/Uninstallation AVG 9/8.5 Free Editions AVG Standalone LinkScanner Free Edition AVG for Linux AVG Home AVG 2012 AVG E-mail Protection AVG Network Protection AVG Update AVG Installation/Uninstallation AVG 2011 AVG E-mail Protection AVG Network Protection AVG Update AVG Installation/Uninstallation AVG 9/8.5 PC Tuneup Family Safety AVG SMB AVG Client AVG Admin AVG for servers AVG for Linux Other AVG products LiveKive AVG Mobilation MultiMi AVG RescueCD AVG Quick ThreatScan AVG trusted Apps & Services AVG TechBuddy BillGuard - Anti-Virus for Credit Cards Speedtest Other topics Virus Removal, Tools for Removing Registration and License issues How-Tos Archive Archive Ideas and Suggestions AVG LinkScanner for Mac AVG Standalone LinkScanner 8.5 Free Edition AVG Standalone LinkScanner 9.0 Free Edition AVG Standalone LinkScanner 2011 Free Edition AVG 8.5 Free Edition AVG E-mail Protection AVG Network Protection AVG Update AVG Installation/Uninstallation AVG 9.0 Free Edition AVG E-mail Protection AVG Network Protection AVG Update AVG Installation/Uninstallation [OBSOLETE] Sales Information [OBSOLETE] Information and Alerts AVG 8.0 Free Edition AVG Update AVG Installation/Uninstallation AVG 7.5 Free Edition AVG Update AVG Installation/Uninstallation
mnu3_arrow_left.jpg
Previous thread |
mnu3_arrow_up.jpg
Up to parent | Next thread
mnu3_arrow.gif



Free Antivirus | Internet Security | Business Security | PC Tuneup | Free Online Backup
Antivirus for Android | Site Safety Reports | Forum Index | Privacy Policy | About Us
© 2012 AVG Technologies
 
monsterman

monsterman

0
Oct 17, 2006
1,824
39
48
I use AVG and it has been blocking this site for 8 days , I have a warning about a Trojan tracj=king software on GT Rider site ??????
 
C

Champasak

0
Jan 12, 2003
258
1
0
Update:
It seems the Blackhole exploit kit was what I found and removed several days ago. That was embedded in an unused WordPress Calendar plugin. The unsolved mystery is why https://www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif and 2 other files were flagged as infected, as these don't exist on the forum and are not part of the vB4 system - but they may have been part of the previous version removed/replaced over a week ago.

Feejer: the Norton warning is odd because http://safeweb.norton.com/report/show?url=www.gt-rider.com reports no issues

Personal Computers
Keeping your PC clean is a troublesome issue, as no one program detects every form of virus, malware, phishing and/or Trojan ... I run Macafee AV on my own computer. I‘ve experimented overnight with online anti-virus checking for my PC, using;

Macafee has never reported any issues, Housecall and BitDefender scans showed nothing. However, the ESET service found and quarantined;
- some suspicious code in Users/BJK/AppData/Local/Temp in 3 temporary directories
- Trojan-infected code in a backup copy of a client’s site that has been stored on my PC for approx 3 years.

That’s the underlying problem – it seems no one program is good enough to deal with all threats.
 
LivinLOS

LivinLOS

0
Mar 11, 2008
534
1
0
Admin001;276508 wrote: Update:
It seems the Blackhole exploit kit was what I found and removed several days ago. That was embedded in an unused WordPress Calendar plugin. The unsolved mystery is why https://www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif and 2 other files were flagged as infected, as these don't exist on the forum and are not part of the vB4 system - but they may have been part of the previous version removed/replaced over a week ago.
Click to expand...
Without wanting to sound attacking..

Your saying you DID find, and remove the blackhole exploit kit from the server a few days ago ??

I was under the impression that up to now it was all a mystery why the AV warnings were happening and nothing on the site was compromised ??
 
C

Champasak

0
Jan 12, 2003
258
1
0
As per 14th Feb - SUCURI.NET - its possible that the JavaScript code in the WordPress plugin was a Blackhole exploit. From what we've learned this week, poorly written WordPress plugins and design themes using JavaScript are a prime target of the Blackhole exploit kit.

Given that it triggerered a warning on Sucuri.net, we were not going to waste time proving it really was a Blackhole exploit kit before deleting it...

Admin001;276364 wrote: In addition to the previous blacklist checks, we've signed up for a couple of online malware scanning services;
QualsysGUARD: scanned 2000 pages on GT-Rider, no issues found
HackAlert: no issues found
Sucuri.net: reported a JavaScript issue with a WordPress plugin (outer portion of the site). Whilst it called code from another site, that appeared to be legitimate code from the author of the plugin. No other malware servcie reported this as an issue... Deleted the plugin as it was unused.
VirusTotal.com: squeaky-clean site on all their tests...
Norton SafeWeb: http://safeweb.norton.com/report/show?url=www.gt-rider.com - CLEAN
Macafee.com: http://www.siteadvisor.com/sites/www.gt-rider.com - CLEAN
AVG.com.au: http://www.avgthreatlabs.com/sitereports/domain/www.gt-rider.com/domain-search-widget/www.avg.com.au - CLEAN
Click to expand...
For your own peace of mind, you could run any/all of the online PC scanning applications previously mentioned;

 
LivinLOS

LivinLOS

0
Mar 11, 2008
534
1
0
Hmm ok.. Well the 'javascript issue' you mentioned on the 14th may well have been it.

I read the "aside from the Kaspersky / Avast warnings on individual PC's, there is no discernable indication that it has been compromised. NONE of the Anti-Virus software providers that have an online website checking service find any issues... Therefore its a mystery why those warnings are appearing in the past few days" above on the 15th.

However if the wordpress plug in was removed back then, why are we still getting warnings from this site if its now clean ?? That doesnt add up to me.

BTW I am far more likely to get warnings when browsing the forum index than browsing via new posts and threads. In case that helps.
 
C

Champasak

0
Jan 12, 2003
258
1
0
I guess the problem is that this JavaScript Blackhole exploit kit is an entirely new breed of website threat. Its clear that not all of the Anti-Virus systems are up to speed on it yet, which no doubt explains the inconsistencies we are experiencing.

Whilst I routinely deal with cleaning up the aftermath of website hacking, the issue on client sites is usually a security breach. For example, incorrect file or directory permissions, insecure passwords that automated scripts can evenutally crack etc. These breaches allow an external agency to insert code into the site, edit the site's pages etc etc.

In the case of Blackhole exploits, this is breaking into the JavaScript that a site runs as part of an internal program (WordPress / vBulletin etc), and enabling that code to something other than what it was designed to do.
 
feejer

feejer

0
Feb 16, 2007
444
2
18
Admin001;276520 wrote: I guess the problem is that this JavaScript Blackhole exploit kit is an entirely new breed of website threat. Its clear that not all of the Anti-Virus systems are up to speed on it yet, which no doubt explains the inconsistencies we are experiencing.

Whilst I routinely deal with cleaning up the aftermath of website hacking, the issue on client sites is usually a security breach. For example, incorrect file or directory permissions, insecure passwords that automated scripts can evenutally crack etc. These breaches allow an external agency to insert code into the site, edit the site's pages etc etc.

In the case of Blackhole exploits, this is breaking into the JavaScript that a site runs as part of an internal program (WordPress / vBulletin etc), and enabling that code to something other than what it was designed to do.
Click to expand...
I believe you are right on the money with this as it is exactly what my friend told me last night. Based on the limited info available, he believes the web hosting server had/has been compromised most likely through legitimately purchased adspace, not the GT-Rider website itself. At least initially. He said that malware exploits are now so profitable by getting personal user info to be later sold on the black market like a commodity, that an "external agency"/cybercriminals will actually purchase adspace and then run their malware infected apps on the server to distribute it to legit sites hosted on that server. So it is likely that GT-Rider was not actually directly targeted, but just got caught up in a messy security breach with the hosting service and got infected with the Blackhole kit later. That seems to explain why my A/V initially did not show GT-Rider listed as the source of the Javacode exploit, but a remote IP address in St. Petersburg.

As a side note, he said that when his company offered web hosting, they actually blocked entire IP address ranges that originate in Russia due to the extent of the daily threat. After they did that, the spam, intrusion attempts and general headache immediately fell by 90%. He said the crimeware coming out of China is now getting almost as bad. Unfortunately, China is such a global power now, nobody that wants to stay in business could dream of blocking that country out. So expect this problem to get much worse before it gets better. Just have to stay vigilant and be armed with the best firewall/AV you can buy and know how to setup and use it. Still no guarantees, but it's the first line of defense we have and it usually is enough.
 
LivinLOS

LivinLOS

0
Mar 11, 2008
534
1
0
C

Champasak

0
Jan 12, 2003
258
1
0
LivinLOS - appearances can be deceptive - that was written in response to my questions on that site. The underlying problem being that the file/s in question do not exist, so we cannot determine what on earth that was all about... :-(
 
C

Champasak

0
Jan 12, 2003
258
1
0
The problem over the last couple of days was unrelated to the previous issue. It was due to Data Centre shutting down the entire VPS running 20-odd websites. That was done in response to a phishing attack on a single "under construction" site. I was notified of this by FraudWatch Security on Saturday, 18 February 2012 2:36 a.m.

I dealt with it immediately; Saturday, 18 February 2012 1:40 AM (my local time)
- I eliminated the phishing issue on the one site
- I forwarded the zipped file of inserted stuff as requested by the FraudWatch Security agency
- I got a “thanks very much in return” at Sent: Saturday, 18 February 2012 3:55 a.m.
That was 2 days ago, so shutting EVERY site down 24 hours after the problem was satisfactorily resolved was extremely harsh, I’d say… :cry:

That it was a Sunday was bad timing, as no one from the Hosting Company was available to help...
- all very stressful, as you can imagine
 
LivinLOS

LivinLOS

0
Mar 11, 2008
534
1
0
Well additional data for you..

Opening the links that were listed as problematic, even tho the files were not there, used to make my virus protection ping..

Now I open them, I get the GT-R 404 error.. which I wouldnt get to before as the virus checker halted the action.

Thats testing now after the outage or update..

EDIT post was written before above explanation of outage.
 
You must log in or register to reply here.
Top Bottom