This is the main V-Flyer Forum for general discussion of everything related to flying with Virgin-branded travel companies.
#21826 by Nottingham Nick
05 Nov 2007, 20:42
Please see this thread.

It would appear that the site has been subject to a SQL Injection Attack (whatever that may be. [?] )

Clicking on links on the front page of the site causes you to be diverted to adult sites and your computer to be attacked.

It is all way out of my league, but Pete will no doubt sort it. [oo]

I would suggest that anyone who has clicked on a link from the front page runs their virus checker ASAP.

Nick
#189644 by Darren Wheeler
05 Nov 2007, 21:26
Am I the only one who finds it a bit suspicious that it happens just before Pete heads off?

Paranoid? Me??
#189653 by VS045
05 Nov 2007, 22:11
Or when a bunch of angry people started posting here about pay issues?


[B)]

45.
#189689 by Scrooge
06 Nov 2007, 07:20
Originally posted by GrinningJackanapes
Or when a bunch of angry people started posting here about pay issues?

GJ


Let's not even go there please, whilst there have been words exchanged I don't feel that anyone that has posted here would ever try to take the site down, perform an SQL attack or anything that malicious.
#189699 by Nottingham Nick
06 Nov 2007, 09:30
Update to this thread.

Got a PM from Pete at 0330 to say that he had managed to fix it. [oo]

He will no doubt post an update later.

Thanks to p17blo and flyingfox for letting us know about it.

Nick
#189702 by slinky09
06 Nov 2007, 09:47
Originally posted by Scrooge
Originally posted by GrinningJackanapes
Or when a bunch of angry people started posting here about pay issues?

GJ


Let's not even go there please, whilst there have been words exchanged I don't feel that anyone that has posted here would ever try to take the site down, perform an SQL attack or anything that malicious.




Well there was malifixious (sp.?) [:w][:w] ... but no, I agree no one would go that far!
#189703 by flyingfox
06 Nov 2007, 10:01
Nick

Thanks for the update, just clicked on that link again and the anti-virus has kicked in [B)]... [:#]
#189705 by Nottingham Nick
06 Nov 2007, 10:22
Yes, I have just tried it, and it is still trying to divert the browser to the 'adult' sites. [n]

I will PM Pete.

Nick
#189717 by Pete
06 Nov 2007, 12:03
Multiple tables appear to have been targeted.

I'm going through and disabling anything that has had the script tags injected. Hopefully I'll be able to fix this before I go ;)
#189727 by Bazz
06 Nov 2007, 13:01
Can you effectively block the tables from further injections Pete?
#189728 by Pete
06 Nov 2007, 13:21
I'm still trying to identify how they got in, but once I do, don't worry, I'll be blocking that route.
#189746 by mitchja
06 Nov 2007, 15:50
I think the porn people were seeing was just a 'honey trap' or a diversion to what was actually going on - the main purpose was probably to spread a trojan or virus to as many IPs as possible.

Regards
#189762 by Scrooge
06 Nov 2007, 16:56
As long time members here will/may/should know...When we know who did it for sure, the dogs of war will be unleashed, it will be fun, there will be tears and a couple of us will be smiling a lot.

What people don't seem to get is that the people that run this site are made up of a lot of tech savvy people who kind of take this type of attack personally....Then there is the bod who has a vengeance streak a mile wide.

To give you a rough idea...the last time someone tried something with the site....

He started receiving emails....from himself [y]
His boss started receiving emails..from him [y]
His wife was called just so she knew what he got up to in his spare time [y]
His blog became a no go zone for him [y]

Oh and that was 2 years ago.....now I really know how to have fun.
#189763 by VS-EWR
06 Nov 2007, 16:57
Originally posted by GrinningJackanapes
And are Macs at risk from this virus?


I don't think so, I use a Mac and nothing happened to my computer when I "ended up" clicking on the link.[}:)][:I]
#189764 by Pete
06 Nov 2007, 16:58
Ok, I think I now have a pretty clear picture of what went on, and how much damage was caused. Unfortunately some data was badly affected, and may never be recovered. But I guess we should be lucky that the hacker didn't get into the forum and delete years of posts.

V-Flyer (thankfully) uses several databases, and this damage was only inflicted on one. Just to reassure everyone, the database that contains passwords was not accessed, and even if it had been, we use a one-way encryption method which means a hacker wouldn't be able to use them.

What did get attacked were the tables that held the store, the news pages and seat ratings. The store is recoverable, and the news pages more of an inconvenience than a real problem, but the loss of most of the comments attached to seat ratings really saddens me. The ratings themselves are there, but thousands of passenger comments were truncated by the script injection. It's not the end of the world, but it is a bit depressing.

The code the hacker was injecting appears to set a cookie (count) and then attempt to set your homepage to that nasty porn site. I recommend you delete your cookies and check your homepage settings. The script didn't affect my Mac, so not sure about a trojan - but I'm happy to believe the site it sends you to tries to exploit something in IE on Windows.

Thanks for your support on this, and hopefully (please!) it won't happen again. I've been doing as much as I can to try and shore up our defences - but nothing is ever totally secure.
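An added example for this thread (not Pete's code and not V-Flyer's): one way to sweep every text column of a database for injected script tags and strip them, as in the clean-up described above. It runs against an in-memory SQLite database; the table names, sample rows and payload URL are constructed for illustration.

```python
import re
import sqlite3

# Opening <script> tag through its close, or to end of value if never closed.
SCRIPT_RE = re.compile(r"<script\b.*?(?:</script\s*>|$)", re.I | re.S)

def text_columns(conn):
    """Yield (table, column) for every text-typed column in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, col

def find_injected(conn):
    """Return sorted [(table, column, rowid)] for values holding a script tag."""
    hits = []
    for table, col in text_columns(conn):
        q = f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?'
        for rowid, value in conn.execute(q, ("%<script%",)):
            if SCRIPT_RE.search(value):
                hits.append((table, col, rowid))
    return sorted(hits)

def neutralise(conn, hits):
    """Strip the script tag from each hit; returns the number of rows cleaned."""
    for table, col, rowid in hits:
        value = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()[0]
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                     (SCRIPT_RE.sub("", value), rowid))
    conn.commit()
    return len(hits)

def build_sample_db():
    """Constructed sample data; table names and payload URL are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE seat_ratings (id INTEGER PRIMARY KEY, score INTEGER, comment VARCHAR(60));
    """)
    payload = '<script src="http://payload.example.invalid/x.js"></script>'
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Fleet update", "New cabin announced."),
        ("Lounge news" + payload, "Opening hours changed.")])
    conn.executemany("INSERT INTO seat_ratings (score, comment) VALUES (?, ?)", [
        (4, "Plenty of legroom, quiet cabin."),
        (2, "Seat would not rec" + payload[:30])])  # truncated, tag never closed
    return conn
```

Stripping the tag stops the redirect, but text that was cut off when the tag was written into a length-limited column can only come back from a backup.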
#189767 by mitchja
06 Nov 2007, 17:26
My windows PC looks un-affected here as my Norton 360 AV/firewall/spyware protection software looks to have blocked/intercepted everything. My Windows XP is also up-to-date with all the security patches too.

Done a virus scan and nothing was found.

Thanks for sorting this Pete [y]

Regards
#189772 by p17blo
06 Nov 2007, 18:07
I have to say that I run a number of websites that use various technologies, most of which rely on some form of SQL backend. I recently had installed on one of my sites a feature called sentinel which looks for these types of hacks. I get notified of at least 1 failed attack a day on one of my sites. Luckily this new 'guard dog' is active and instantly blocks the IP address for ever more and can, dependent on type of attack, launch an immediate 'counter strike' to the offender!

There are some sad sad people out there. For me I don't believe it is a personal attack just people looking to make life unpleasant for the rest of us.

I feel for you Pete as it frustrates the hell out of me.

Paul
#189774 by Bill S
06 Nov 2007, 18:16
Sorry you've been plagued with this Pete
Scrooge - I like it!!!!
Must say no problems at all here - Norton 360 must have had it covered - but surprisingly has not logged any attack
#189775 by mike-smashing
06 Nov 2007, 18:30
It's unlikely this sort of thing was "targeted" specifically at V-flyer or any of its participants.

The miscreant's primary goal is to spread malware, compromising the security of users' machines and join them as drones to botnets, which they can then misuse to send spam and launch attacks, infect other computers, and capture personal information that you may enter on your keyboard (by the use of a keystroke logger).

Some miscreant worked out that one of the tables on this site was vulnerable to an injection attack. But the injection attack itself was just a means to an end - to distribute malware, thus adding additional zombies to the botnet.

They injected code which corrupted links and clickthroughs on the site to send you away from V-flyer to another site, which attempts to drop malware onto your computer by exploiting other vulnerabilities in your operating system or browser (e.g. i-frame exploits).

Clearing cookies, browser cache and history, and updating and running your virus scanner is a very sensible move if you've found yourself following a link which didn't take you to where you expected.

Mike
#189777 by mitchja
06 Nov 2007, 18:35
I'm just trying to actually see what it is that Norton 360 has blocked, all the Norton 360 stats are telling me is that since yesterday it has blocked & deleted 32 viruses and 1 malicious program (I'd clicked a dodgy link twice [:I])

Norton A/V used to tell you exactly what it was it had blocked (ie the trojan/virus name) but it doesn't look like 360 does this, unless anyone knows otherwise?

Regards
#189792 by p17blo
06 Nov 2007, 19:56
Originally posted by mike-smashing
It's unlikely this sort of thing was "targeted" specifically at V-flyer or any of its participants.

The miscreant's primary goal is to spread malware, compromising the security of users' machines and join them as drones to botnets, which they can then misuse to send spam and launch attacks, infect other computers, and capture personal information that you may enter on your keyboard (by the use of a keystroke logger).

Some miscreant worked out that one of the tables on this site was vulnerable to an injection attack. But the injection attack itself was just a means to an end - to distribute malware, thus adding additional zombies to the botnet.

They injected code which corrupted links and clickthroughs on the site to send you away from V-flyer to another site, which attempts to drop malware onto your computer by exploiting other vulnerabilities in your operating system or browser (e.g. i-frame exploits).

Clearing cookies, browser cache and history, and updating and running your virus scanner is a very sensible move if you've found yourself following a link which didn't take you to where you expected.

Mike


I would consider myself a techie, maybe even a geek and I found that hard to follow [}:)][}:)]:D:D:D:D

Paul
#189797 by flyingfox
06 Nov 2007, 20:49
I use Zone Alarm, have checked the log and the virus that currently sits in quarantine following that link is Trojan-Downloader.JS.Psyme.KF

Cheers

Neil
#189882 by Scrooge
07 Nov 2007, 17:01
Just to note, I split this topic as it was wandering off in a different direction and this is an important topic.

The other direction can be found here
#189966 by p17blo
07 Nov 2007, 23:57
Originally posted by Scrooge
Just to note, I split this topic as it was wandering off in a different direction and this is an important topic.

The other direction can be found here


I don't have access to that forum. Should I?

Paul
#189988 by VS-EWR
08 Nov 2007, 02:14
I don't have access either, but I'm guessing it has something to do with Moderators...I only saw the two first posts.

But, er, yay for no viruses!