Initial D World - Discussion Board / Forums
Views: 33,948  ·  Replies: 45 
> Forum Skins Temporarily Disabled
Nomake Wan
Posted: Feb 13 2013, 10:19 AM
QUOTE (Nerubian @ 15 minutes, 28 seconds ago)
Virus alerts don't appear anymore now.

Well yeah, but it's...nah, never mind. We're back so I'm gonna make an announcement post.

EDIT: Scratch that I can't.

Anyway, the gist of it is that while IDW was affected by some unscrupulous individuals sending traffic to other countries there's a chance that all members on Windows PCs have been affected by some payload or another. The actual problem itself was non-malicious--that is, it did not drop payload, it simply pumped traffic to certain websites. However, those websites themselves may have carried malware payload.

As such I am recommending that all members with Windows PCs who browsed the forum from February 9th until now run a malware scanner on their machine(s). A quick scan with Malwarebytes Anti-Malware should suffice to let you know if you have nasties on your machine or not. If you do, run a full scan afterward to make sure you nailed it. If you don't want to install something, Panda Antivirus has a good online scanner on their website.

There's also Sophos's offline scanner for really nasty bugs (like rootkits) but on top of the fact that I don't think any rootkits were involved with this incident that scanner has no user-selectable options and will cause problems afterward if used. It's kind of like using a nuclear bomb to kill a cockroach. Sure it'll work but the collateral damage will make you wonder if you did the right thing.

Those of you on Mac OSX, Linux or a mobile device would not have been affected.

This post has been edited by Nomake Wan on Feb 13 2013, 10:25 AM
Proud Contributor of IDW Forums and the Music Section Revival Project
Spaz
Posted: Feb 14 2013, 09:12 PM
Not sure if this is due to a recent database update where info was collected pre-codefix, or if it's new, but here you go:

[screenshot, original size 1360 x 728]
Proud Contributor of Initial D World Forums
Nomake Wan
Posted: Feb 14 2013, 10:12 PM
QUOTE (Spaz @ 1 hour, 0 minutes ago)
Not sure if this is due to a recent database update where info was collected pre-codefix, or if it's new, but here you go:

http://i40.photobucket.com/albums/e230/cms...zps97357378.png

It says that it was collected 2/14, which would be today. However that's the main drop website and not the forums so I have no say in the matter. I haven't visited go2id in over half a decade. sad.gif

It's entirely possible that something's on go2id though. IDW and WME appear to be clean but I'm not sure if go2id was actually checked.
Proud Contributor of IDW Forums and the Music Section Revival Project
Spaz
Posted: Feb 15 2013, 05:31 AM
QUOTE (Nomake Wan @ 7 hours, 18 minutes ago)
It says that it was collected 2/14, which would be today. However that's the main drop website and not the forums so I have no say in the matter. I haven't visited go2id in over half a decade. sad.gif

It's entirely possible that something's on go2id though. IDW and WME appear to be clean but I'm not sure if go2id was actually checked.

The red banner stays on idforums.net, but goes away once you get deeper.
Proud Contributor of Initial D World Forums
Nomake Wan
Posted: Feb 15 2013, 07:05 AM
QUOTE (Spaz @ 1 hour, 33 minutes ago)
The red banner stays on idforums.net, but goes away once you get deeper.

I haven't found any malicious content on the forums themselves so I'm not sure why it would. What happens if you go to the forums (with the red banner showing) then press CTRL+F5? Does the banner go away?
Proud Contributor of IDW Forums and the Music Section Revival Project
Spaz
Posted: Feb 15 2013, 10:53 AM
QUOTE (Nomake Wan @ 3 hours, 47 minutes ago)
I haven't found any malicious content on the forums themselves so I'm not sure why it would. What happens if you go to the forums (with the red banner showing) then press CTRL+F5? Does the banner go away?

I can check when I get home from work. Comps are preloaded with IE and we can't install anything. dry.gif
Proud Contributor of Initial D World Forums
Spaz
Posted: Feb 15 2013, 03:16 PM
QUOTE (Nomake Wan @ 8 hours, 11 minutes ago)
I haven't found any malicious content on the forums themselves so I'm not sure why it would. What happens if you go to the forums (with the red banner showing) then press CTRL+F5? Does the banner go away?

Banner stays.

However, if I go directly to the forum, not via the go2id gateway page, the banner does not appear.
Proud Contributor of Initial D World Forums
kyonpalm
Posted: Feb 15 2013, 03:19 PM
QUOTE (Spaz @ 2 minutes, 53 seconds ago)
Banner stays.

However, if I go directly to the forum, not via the go2id gateway page, the banner does not appear.

Sounds to me like there's a bit of code on the main site that still loads extra links invisibly. If I'm not mistaken, whenever you loaded a page on the forums when they were infected, it would also invisibly load this photography website (or maybe it was the Russian one...) Maybe that's what's happening, except on the main site instead of the forums which are clean. That would explain why loading the forums directly instead of using the portal on the main site solves the problem.
Proud Contributor of the Music Section Revival Project
Nomake Wan
Posted: Feb 15 2013, 04:36 PM
QUOTE (kyonpalm @ 1 hour, 17 minutes ago)
Sounds to me like there's a bit of code on the main site that still loads extra links invisibly. If I'm not mistaken, whenever you loaded a page on the forums when they were infected, it would also invisibly load this photography website (or maybe it was the Russian one...) Maybe that's what's happening, except on the main site instead of the forums which are clean. That would explain why loading the forums directly instead of using the portal on the main site solves the problem.

The photography one was only in certain functions--it wasn't built into the forum bits. The Russian one was built into the forum bits.

I'll check out go2id with my packet sniffer and see what comes up. Thanks for the report, Spaz.

EDIT: go2id.net is very much being affected by the very same attack that had been leveraged on the forums' functions. As of now Go2ID is not a valid site but as far as I know there's no way to shut down access to it at this time since it is not actually connected to the forums in any way.

All I can say is, stop using Go2ID. The forums themselves are perfectly clean.

This post has been edited by Nomake Wan on Feb 15 2013, 05:00 PM
Proud Contributor of IDW Forums and the Music Section Revival Project
Spaz
Posted: Feb 15 2013, 05:39 PM
You're very welcome. Just passing along what I find.
Proud Contributor of Initial D World Forums
kyonpalm
Posted: Feb 15 2013, 05:46 PM
QUOTE (Nomake Wan @ 1 hour, 9 minutes ago)
EDIT: go2id.net is very much being affected by the very same attack that had been leveraged on the forums' functions.

Exactly as I predicted.
Proud Contributor of the Music Section Revival Project
THE_HONDA_CG2
Posted: Feb 18 2013, 08:49 PM
So uh guys. I don't know what this means but I think I should bring this to your attention. I've never gotten anything like this before so um... Yeah. What do you make of it?

[screenshot, original size 900 x 506]
Nomake Wan
Posted: Feb 19 2013, 12:00 AM
QUOTE (THE_HONDA_CG2 @ 3 hours, 10 minutes ago)
So uh guys. I don't know what this means but I think I should bring this to your attention. I've never gotten anything like this before so um... Yeah. What do you make of it?

http://i.minus.com/jw5TWBLF2TPUk.png

How did you get that? Did you use go2id.net before entering the forums?

This post has been edited by Nomake Wan on Feb 19 2013, 12:00 AM
Proud Contributor of IDW Forums and the Music Section Revival Project
THE_HONDA_CG2
Posted: Feb 19 2013, 12:07 AM
I tried checking this thread through this link: https://idforums.net/index.php?showtopic=45369 and that is where I got the warning. It's the AE86 plush doll~ thread.
Nomake Wan
Posted: Feb 19 2013, 12:24 AM
QUOTE (THE_HONDA_CG2 @ 17 minutes, 39 seconds ago)
I tried checking this thread through this link: https://idforums.net/index.php?showtopic=45369 and that is where I got the warning. Its the AE86 plush doll~ thread.

As reported in IRC, the n00b posting in that thread stole his avatar from go2id directly. This is where the warning comes from. Also, the guy is an idiot who not only stole the image but didn't bother to resize it properly or host it on an actual image host.

Buckets full of fail. Buckets full of fail everywhere. facepalm.gif
Proud Contributor of IDW Forums and the Music Section Revival Project
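The two mechanisms this thread describes (a page that invisibly loads a third-party site, and a hotlinked avatar pulling an image from the flagged go2id.net domain) can both be checked for from the defender's side by listing every external sub-resource a forum page fetches. The following is an added example, not code from the thread or from the IDW forums; the sample HTML, the script and avatar paths, and the third-party.example domain are constructed, and the watchlist holds only the domain the thread names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute fetches a sub-resource when the page renders.
RESOURCE_ATTRS = {"iframe": "src", "script": "src", "img": "src",
                  "embed": "src", "object": "data"}

class ExternalLoadFinder(HTMLParser):
    """Record every sub-resource fetched from a host other than the page's own."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.base_host = urlsplit(base_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        target = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if not target:
            return
        url = urljoin(self.base_url, target)  # resolve relative paths
        host = urlsplit(url).hostname
        if host is None or host == self.base_host:
            return  # same-origin load, not what this audit is for
        style = (attrs.get("style") or "").replace(" ", "").lower()
        # A zero-sized or invisibly styled iframe is the classic way a page
        # pulls in another site without the visitor seeing anything.
        hidden = tag == "iframe" and (
            attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "url": url, "hidden": hidden})

def audit_page(html, base_url, watchlist=()):
    """Return external loads, flagging hidden iframes and watchlisted hosts."""
    parser = ExternalLoadFinder(base_url)
    parser.feed(html)
    for f in parser.findings:
        f["watchlisted"] = any(f["host"] == d or f["host"].endswith("." + d)
                               for d in watchlist)
    return parser.findings

# Constructed sample: a forum page loading its own script, an avatar hotlinked
# from the domain the thread names, and an invisible third-party iframe.
BASE_URL = "https://idforums.net/index.php?showtopic=45369"
SAMPLE_HTML = """<html><body>
<script src="/style_images/ipb.js"></script>
<img src="http://go2id.net/images/avatar.png" alt="avatar">
<iframe src="http://third-party.example/loader" width="0" height="0"></iframe>
</body></html>"""
```

Running `audit_page(SAMPLE_HTML, BASE_URL, watchlist=("go2id.net",))` reports the hotlinked avatar as watchlisted and the iframe as hidden, while the forum's own script is ignored.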
Tessou
Posted: Feb 19 2013, 08:02 AM
So... what to do? I'm at the ready to get stuff done.

Edit: nvm, it appears from board logs that Honda already removed the guy's avatar. That leak is plugged, at least.

This post has been edited by Tessou on Feb 19 2013, 08:24 AM
Proud Contributor of IDW Forums and the Music Section Revival Project
Nomake Wan
Posted: Feb 19 2013, 08:48 AM
It's unfortunate that there's no way to set up a forum-level block of the go2id domain temporarily. I wouldn't even know how to begin doing that and with what little experience I have messing with IPB I don't think there's a forum-level way to do that. Pretty sure it would only be possible at the VPS.

If we had access to that, though, we could just fix go2id instead. tongue.gif
Proud Contributor of IDW Forums and the Music Section Revival Project
THE_HONDA_CG2
Posted: Feb 19 2013, 08:50 AM
QUOTE (Tessou @ 47 minutes, 47 seconds ago)
So... what to do? I'm at the ready to get stuff done.

Edit: nvm, it appears from board logs that Honda already removed the guy's avatar. That leak is plugged, at least.

Yeah Boss, N1 told me in the IRC to go in and take out his avatar. It was a clean job. That was quite an adventure to say the least. I'll keep an eye out for things like this in the future too.

Tessou
Posted: Feb 19 2013, 12:55 PM
You're all doing a great job of keeping the rest of us informed. A few of us, myself included, are not seeing these errors or malware alerts in any shape or form.
Proud Contributor of IDW Forums and the Music Section Revival Project
HorizontalMitsubishi
Posted: Feb 19 2013, 03:36 PM
I'm not seeing any alert on idforums.net but go2id.net is still throwing errors in Google, Firefox and Chrome.

So after taking literally a 30 second look at go2id.net here is what I found.

SPOILER


But as I've said, if you need help with the clean up, you know where to find me.

This post has been edited by HorizontalMitsubishi on Feb 19 2013, 03:55 PM
Nomake Wan
Posted: Feb 19 2013, 03:56 PM
idforums.net was only showing an alert for the thread Honda mentioned because a user in that thread was stealing his avatar from go2id.net, which has the alert.

The infection vector, content and disinfection method have been known this whole time--as you displayed those are the very same infections that had been on idforums.net in the past. As such ridding the domain of those problems is not a matter of expertise but rather one of access. Perry is the only person who can do it because he's the only one with access to those files to make changes. Perry isn't here. As soon as he's back he can fix the whole domain in one swoop in all of five seconds, just as he did with idforums.net.

This post has been edited by Nomake Wan on Feb 19 2013, 03:57 PM
Proud Contributor of IDW Forums and the Music Section Revival Project
