Close Topic Options

A few members have alerted me to the presence of infected code in some of the skins available on IDW.

While we work on correcting the problem and clean up the problem areas, all skins except for IPB Skin Set 1.2 are disabled for all members (including staff like myself). The menu for selecting skins has been removed from all site pages until further notice.

It will not be like this for long. Expect skin selection to come back in less than a week.

Thank you for the heads-up, great work!

EDIT: Uh, looks like the 'Mark all posts as read' function on IPB default got nuked accidentally! Help!

EDIT 2: Temp link for people like me who rely on it:

Mark All Posts As Read

This post has been edited by Nomake Wan on Feb 11 2013, 05:20 PM

Oh, okay, I was wondering why. Thanks!

When everything is fixed, will it remember the skin we had previously, or will we have to go into our control panel and reset it?

Thank you for taking the time to correct the issue.

Does anyone else get virus alerts when clicking on the "View New Posts" link?

How are you even still seeing that? Shouldn't it be gone along with "Mark all posts as read"?

There shouldn't be virus alerts on that function as--if I recall correctly--it is using pure IPB code to run. The problem only affects non-IPB code. Something may be wrong on your end. Can you take a screenshot of the problem and PM it?

(THIS POST WAS REMOVED BY REQUEST)

Yeah, I caught something early this morning when I was making my rounds. It popped up briefly on my screen before it went away. Man it was one hell of a way to wake up! At least it wasn't a creepy picture of a screaming zombie or something. Spoiler'd because it might be a tad NSFW.

SPOILER

that looks russian :x but anyway yea i miss my dark gray skin oh how will i go on it life without it!!!! :x this white skin is WAY to bright :x

Got a shock for a moment, and saw this thread. Good work Pear Pear.

Thank Tessou, not Pear.

i knew something looked different this morning when i got on the site, I just couldnt figure it out till i saw this thread. haha

Unfortunately, the forum will not remember what you were using, so you will have to go and change it back to what you used once we reactivate skins.

This is because I turned off skin selection and then forced all members to use the current skin, effectively locking them out of the other selections. This meant that the system considers that all members chose this skin on their own, so when the other skins become available, you will have to choose them to set them as your default instead of what you see right now.

Thanks to Honda_CG2 and SgtXDNX I've found a much more massive problem than initially expected, one that has likely been plaguing the forums for weeks undetected. Either that or it really has just started up again recently...which would be a best-case scenario, to be honest.

Either way, please note that the forums are currently infected beyond repair at least until Perry returns from overseas. The only solution is to close the forums entirely as a temporary measure. Tessou, I have PM'd you with the information.

In the mean time I'm sick of keeping this quiet. Mods, if I come back and find out my post has been edited then I can be absolutely sure that you're more concerned about covering your asses than you are about security or keeping the member base safe and in he loop.

Point is guys, the forum's javascript was infected by an iframe that was forcing browsers to invisibly visit some stupid photography site to boost that site's hits. This would only be triggered when a javascript function was called, such as the smileys in posts or the spell checker in the non-IPB-default skins. Most javascript functions were cleaned by Perry before he left but the spell-checker in the non-IPB-default skins were still infected. I figure this may be because Perry, like me, only uses the default skin and therefore didn't catch the extra javascript file that those skins use.

However, now come to find out that the IPB itself appears to be infected. I'm not sure of the vector for this one unfortunately but it doesn't appear to be javascript-based. It's embedded in all transfer functions--making posts, editing posts, logging in, changing your avatar, etc. It's a redirect script on a massive scale, redirecting to various websites in Russia. On top of that those redirects include your authorization key since that key is sent in plaintext via the URL. While the pass_hash function is indeed part of this interaction I do not believe it is actually transmitted as that function loads well before the infected code runs. The infected code itself appears to be an IPB-specific version of the very same traffic-pumping infection that had been in the Javascript, albeit to a site in Russia instead of a photography site.

I've already pored over the source code for the forum pages that lead to the affected redirects and the source stylesheets and javascript functions are all clean. That means only one thing: IPB itself is what's infected. The forums must be shut down temporarily.

See you when this is resolved, all. I'm out.

This is something that the mod team did not detect, and we weren't keeping anything hush-hush, so there's no worries as to having anything redacted. You and many other members have done a fantastic job letting us know what's going on, especially considering that the mod team itself has not reported any problems on the site, aside from Honda in this thread. The staff section has been quiet for weeks.

This is a serious matter, and I am heavily considering your suggestion of shutting the site down as a safety measure until we can hammer out this infection.

That's... unfortunate. But then again, it's something that comes with the territory when using software this old.

I hadn't noticed anything myself.

Thought my account got deleted for a second haha
Thanks for the heads up

Now that we're back allow me to formally apologize if it seemed I was 'attacking' you or the way you run the site. This was not the case--I don't believe you and I have ever discussed the situations that have affected the site's code and so it was actually what I had been told by other moderating team members during the first incident that I was rallying against. Generally I got the idea that security issues were to be kept 'hush-hush', but this one was so huge that I just felt I couldn't stay quiet about it.

Again, my apologies... and welcome back, IDW!

If you need help cleaning up the site, I've been doing more and more of that lately, I had two VB based forums get hit and a wordpress site get hit.

It looks like we're all good now and thankfully it wasn't actually the forum software that was vulnerable. So easy it could be done from China!

I never read it that way, so it's all good. No worries.

Just got back, my skin is as set before, thanks for the heads up a couple pages up, Don.

Virus alert don't appear anymore, now.

I had to re-select the skin again but that's not a problem.
Glad it's all working again.