Noted Problems with this recent attack

Home Model Engine Machinist Forum


wareagle

Well-Known Member
Joined
Jul 9, 2007
Messages
974
Reaction score
5
Unfortunately we have obviously been hit. The HMEM admin team is working on correcting the problem.

This thread has been set up to list the noted issues with the site. If you notice something wrong, please post it here so the admin team can have one spot to look for issues. Your help in this matter is greatly appreciated. Please keep this thread to the point and leave the "Go get 'ems" for elsewhere.

What we have noted so far:

1) Spam on the top Home page
2) Avatars not showing on some members
3) Weird text showing up in posts
4) Uploaded images not showing


If you see or know of other issues related to this attack, please note them here.
 
W/E,

Re avatars, not only is mine not showing, but it will not let me reload it in my profile. I will try another and see if it accepts that one.

In my case it won't accept any form of picture or link :mad: :mad:

Best Regards
Bob
 
The same home page spam also shows up on top of the "Members list" and the "Show unread" and "Show replies" from the profile box.
 
W/E

When I previewed my last 3cc post the first word was null.

Did not show when I posted the message.

Shows again when I previewed this message.

Best Regards and Good Luck
Bob
 
G'day, I hate to add to your worries but here's what I have been seeing.

This goes back (I've looked) to your web hoster.

There are a number of machines under remote control that seem to be scanning other machines (us, the users).

Here's my log file:

327 11/18/2008 13:27:00 Port Scan Minor Incoming UDP 65.254.52.108 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:25:46 11/18/2008 13:25:58
328 11/18/2008 13:27:42 Port Scan Minor Incoming UDP 65.254.52.105 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:26:27 11/18/2008 13:26:40
329 11/18/2008 13:28:07 Port Scan Minor Incoming UDP 65.254.52.110 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:26:50 11/18/2008 13:27:03
330 11/18/2008 13:28:28 Port Scan Minor Incoming UDP 65.254.52.107 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:27:11 11/18/2008 13:27:23
331 11/18/2008 13:28:49 Port Scan Minor Incoming UDP 65.254.52.111 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:27:32 11/18/2008 13:27:44
332 11/18/2008 13:29:10 Port Scan Minor Incoming UDP 65.254.52.106 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:27:55 11/18/2008 13:28:07
333 11/18/2008 13:38:46 Port Scan Minor Incoming UDP 65.254.52.111 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:37:32 11/18/2008 13:37:44
334 11/18/2008 13:39:12 Port Scan Minor Incoming UDP 65.254.52.106 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:37:56 11/18/2008 13:38:08
335 11/18/2008 13:40:14 Port Scan Minor Incoming UDP 65.254.52.108 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:39:01 11/18/2008 13:39:13
336 11/18/2008 13:41:00 Port Scan Minor Incoming UDP 65.254.52.105 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:39:43 11/18/2008 13:39:55
337 11/18/2008 13:41:20 Port Scan Minor Incoming UDP 65.254.52.110 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:40:04 11/18/2008 13:40:16
338 11/18/2008 13:41:41 Port Scan Minor Incoming UDP 65.254.52.107 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:40:25 11/18/2008 13:40:37
339 11/18/2008 16:37:56 Port Scan Minor Incoming UDP 65.254.52.107 07-00-20-00-07-00 203.194.16.178 00-00-07-00-00-00 John STRATOS Normal 2 11/18/2008 16:36:40 11/18/2008 16:36:51
340 11/18/2008 16:38:17 Port Scan Minor Incoming UDP 65.254.52.111 07-00-20-00-07-00 203.194.16.178 00-00-07-00-00-00 John STRATOS Normal 2 11/18/2008 16:37:00 11/18/2008 16:37:12
341 11/18/2008 16:38:37 Port Scan Minor Incoming UDP 65.254.52.106 07-00-20-00-07-00 203.194.16.178 00-00-07-00-00-00 John STRATOS Normal 2 11/18/2008 16:37:24 11/18/2008 16:37:36
342 11/18/2008 16:38:58 Port Scan Minor Incoming UDP 65.254.52.108 07-00-20-00-07-00 203.194.16.178 00-00-07-00-00-00 John STRATOS Normal 2 11/18/2008 16:37:43 11/18/2008 16:37:55
343 11/18/2008 16:41:06 Port Scan Minor Incoming UDP 65.254.52.105 07-00-20-00-07-00 203.194.16.178 00-00-07-00-00-00 John STRATOS Normal 2 11/18/2008 16:39:52 11/18/2008 16:40:04
344 11/18/2008 16:41:32 Port Scan Minor Incoming UDP 65.254.52.110 07-00-20-00-07-00 203.194.16.178 00-00-07-00-00-00 John STRATOS Normal 2 11/18/2008 16:40:17 11/18/2008 16:40:29
345 11/19/2008 17:29:25 Port Scan Minor Incoming UDP 65.254.52.110 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:28:10 11/19/2008 17:28:22
346 11/19/2008 17:29:51 Port Scan Minor Incoming UDP 65.254.52.107 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:28:34 11/19/2008 17:28:46
347 11/19/2008 17:30:11 Port Scan Minor Incoming UDP 65.254.52.111 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:28:56 11/19/2008 17:29:08
348 11/19/2008 17:30:32 Port Scan Minor Incoming UDP 65.254.52.106 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:29:19 11/19/2008 17:29:31
349 11/19/2008 17:30:53 Port Scan Minor Incoming UDP 65.254.52.108 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:29:39 11/19/2008 17:29:51
350 11/19/2008 17:31:19 Port Scan Minor Incoming UDP 65.254.52.105 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:30:03 11/19/2008 17:30:15


Looks like it started yesterday my time, a bit after lunchtime, or your early morning in the USA.

It seems there is an admin machine that's been backdoored and it has administrative access to a number of other machines, and these are now looking for other victims.

Hope this helps sort out your dramas.

jack
 
Jack
I run a pretty tightly guarded system for being non commercial. I happened to notice my firewall caught and blocked an attempt to intrude on my computer last evening too. I've run a deep scan with three different spyware/trojan suites and nothing shows up as being amiss. Not a 100% thing, but at least a bit of confidence was gained from the exercise.

Wareagle...
This attack has something to do with the forum database and probably the config.php file along with a couple of others, from what I've read this evening on the net. The symptoms it's generating all revolve around calls being made to the database, i.e. Unread posts, New replies, member list and the one I just found that is really strange.

I just went to send you a PM and typed W in the "To:" box. Up popped a very long string of code for "drug adverts" right there in the little "To" box. Right at the very end of the string was your user name. I typed R into the BCC box and the same thing happened, but with Rake60 at the end. For each letter I tried, it gave the code string and a username with the corresponding first letter.

If you begin by typing a " before the letter, the code string doesn't appear and you can type in the user's name.

I also just noticed while previewing this post, there is indeed a "null" placed in front of the first word. Here is a cut and paste from the preview....nullJack

Steve
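What Steve describes (a long string of advert markup stored where a username should be, and a stray "null" glued to the first word of a post) is the kind of thing an admin can go looking for directly in the database once the site is taken offline. The following is an added example, not code from the thread or from the forum software: it builds an in-memory SQLite stand-in with constructed rows, scans the text columns for injected markup using heuristic patterns, and shows output escaping as the display-time mitigation. The table names (`members`, `posts`), column names and the patterns are assumptions for the example, not the forum's real schema.

```python
import html
import re
import sqlite3

# Heuristic patterns that have no business inside a username or a post body.
# They are assumptions for this example, not signatures from the forum software.
INJECTION_PATTERNS = [
    ("script_or_embed_tag", re.compile(r"<\s*(script|iframe|object|embed)\b", re.I)),
    ("anchor_with_href", re.compile(r"<\s*a\b[^>]*href\s*=", re.I)),
    ("inline_event_handler", re.compile(r"\bon\w+\s*=", re.I)),   # onload=, onerror=, ...
    ("null_prefix", re.compile(r"^null\S")),   # the "null" glued to the first word posters saw
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the forum database; schema and rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, signature TEXT)")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, member_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        (1, "wareagle", "HMEM admin"),
        # Constructed taint: advert markup in front of the real name, as Steve saw in the To: box
        (2, '<a href="http://example.invalid/pills">cheap pills</a>Rake60', ""),
        (3, "Cedge", "<b>Steve</b>"),          # benign formatting, should not be flagged
    ])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (10, 1, "Unfortunately we have obviously been hit."),
        (11, 3, "nullJack Nice trace, but ..."),                              # the null prefix
        (12, 2, 'Hello <script src="http://example.invalid/x.js"></script>'),  # injected script
    ])
    conn.commit()
    return conn


def find_tainted_rows(conn: sqlite3.Connection, table: str, columns: list[str]) -> list[tuple]:
    """Return (table, row id, column, pattern name) for every field matching a pattern.

    Table and column identifiers come from the operator's own allowlist (see audit),
    never from request input, which is why they may be interpolated here.
    """
    findings = []
    cols = ", ".join(columns)
    for row in conn.execute(f"SELECT id, {cols} FROM {table} ORDER BY id"):
        row_id, *values = row
        for col, value in zip(columns, values):
            if value is None:
                continue
            for name, pat in INJECTION_PATTERNS:
                if pat.search(value):
                    findings.append((table, row_id, col, name))
                    break   # one finding per field is enough to quarantine it
    return findings


def audit(conn: sqlite3.Connection) -> dict[str, list[tuple]]:
    """Run the field scan over the (assumed) tables and columns an admin would check first."""
    targets = {"members": ["username", "signature"], "posts": ["body"]}
    return {table: find_tainted_rows(conn, table, cols) for table, cols in targets.items()}


def render_safely(value: str) -> str:
    """Display-time mitigation: escaped markup shows up as text instead of rendering.

    This does not clean the database; it only stops stored markup from executing
    in places like the PM address autocomplete while the rows are being cleaned.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = build_sample_db()
    for table, findings in audit(db).items():
        for _, row_id, col, name in findings:
            print(f"{table}#{row_id}.{col}: {name}")
```

The scan deliberately stops at the first matching pattern per field, so the output is a list of rows to quarantine rather than a count of hits; whatever it flags still needs a human to decide whether to restore the field from backup or blank it.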
 
I logged on to my business web site before looking at this site, found the problem on here, went away for half an hour, then checked my business site again and found my site was down.
Don't know if there's a connection..

P.S. now can't preview posts
 
Cedge, just did a double check and yep.

Every attack was at the SQL ports. I run a SQL server here; if you have a decent firewall, it's blocked.

But the hosted machines would have a "link" of some kind that most folks don't have, and I'll bet that's how it got to HMEM. The machines scanning me are the admin workstations, from my looking without pushing too much
(don't want to be busted myself for back hacking).

Here's my trace lookup results:

OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 1100 White St SW
City: Atlanta
StateProv: GA
PostalCode: 30310
Country: US

ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange: 65.254.32.0 - 65.254.63.255
CIDR: 65.254.32.0/19
OriginAS: AS3595, AS16626
NetName: GNAXNET
NetHandle: NET-65-254-32-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
NameServer: NS1.GNAX.NET
NameServer: NS2.GNAX.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.gnax.net port 4321
Comment: ********************************************
RegDate: 2003-12-29
Updated: 2007-06-01

RAbuseHandle: ABUSE745-ARIN
RAbuseName: GNAX ABUSE
RAbusePhone: +1-404-230-9150
RAbuseEmail: [email protected]

RNOCHandle: ENGIN7-ARIN
RNOCName: GNAX ENGINEERING
RNOCPhone: +1-404-230-9150
RNOCEmail: [email protected]

RTechHandle: ENGIN7-ARIN
RTechName: GNAX ENGINEERING
RTechPhone: +1-404-230-9150
RTechEmail: [email protected]

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: GNAX ABUSE
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: [email protected]

OrgNOCHandle: ENGIN7-ARIN
OrgNOCName: GNAX ENGINEERING
OrgNOCPhone: +1-404-230-9150
OrgNOCEmail: [email protected]

OrgTechHandle: ENGIN7-ARIN
OrgTechName: GNAX ENGINEERING
OrgTechPhone: +1-404-230-9150
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2008-11-18 19:10


This is part of the back trace data; the rest I had better not post, but if the admins want it, PM me.

Hope this helps

jack
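Jack's two posts above give an admin everything needed to turn the raw firewall log into an abuse report: the scan records (with their source, target and scan window) and the whois NetRange the sources fall in. The following is an added example, not code from the thread: it parses lines in the same column layout as the posted log, summarises how often each source recurs and which local addresses it hit, and keeps only the sources inside the whois block (65.254.32.0/19) so the list can be sent to the block's abuse contact. The sample lines are a constructed subset of the posted ones plus one out-of-block address (192.0.2.77) to show it being excluded; the column meanings are inferred from the post.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the posted layout: id, logged date/time, event, severity,
# direction, protocol, source IP, source MAC, target IP, target MAC, user, host,
# ..., scan start date/time, scan end date/time.
SAMPLE_LOG = """\
327 11/18/2008 13:27:00 Port Scan Minor Incoming UDP 65.254.52.108 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:25:46 11/18/2008 13:25:58
328 11/18/2008 13:27:42 Port Scan Minor Incoming UDP 65.254.52.105 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:26:27 11/18/2008 13:26:40
333 11/18/2008 13:38:46 Port Scan Minor Incoming UDP 65.254.52.111 06-00-20-00-06-00 203.194.7.153 00-00-06-00-00-00 John STRATOS Normal 2 11/18/2008 13:37:32 11/18/2008 13:37:44
339 11/18/2008 16:37:56 Port Scan Minor Incoming UDP 65.254.52.107 07-00-20-00-07-00 203.194.16.178 00-00-07-00-00-00 John STRATOS Normal 2 11/18/2008 16:36:40 11/18/2008 16:36:51
345 11/19/2008 17:29:25 Port Scan Minor Incoming UDP 65.254.52.110 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:28:10 11/19/2008 17:28:22
346 11/19/2008 17:29:51 Port Scan Minor Incoming UDP 65.254.52.107 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:28:34 11/19/2008 17:28:46
999 11/19/2008 17:40:00 Port Scan Minor Incoming UDP 192.0.2.77 02-00-20-00-02-00 203.194.10.39 00-00-02-00-00-00 John STRATOS Normal 2 11/19/2008 17:39:00 11/19/2008 17:39:10
"""

# One regex for the whole line: "Port Scan" contains a space, so splitting on
# whitespace would misalign the columns.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"Port Scan\s+(?P<severity>\S+)\s+(?P<direction>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r".*?(?P<start_date>\d{2}/\d{2}/\d{4})\s+(?P<start_time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<end_date>\d{2}/\d{2}/\d{4})\s+(?P<end_time>\d{2}:\d{2}:\d{2})\s*$"
)


@dataclass
class ScanEvent:
    event_id: int
    logged: datetime
    src: str
    dst: str
    start: datetime
    end: datetime

    @property
    def duration_seconds(self) -> int:
        return int((self.end - self.start).total_seconds())


def _ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")


def parse_log(text: str) -> list[ScanEvent]:
    """Parse each port-scan line; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(ScanEvent(
            event_id=int(m["id"]), logged=_ts(m["date"], m["time"]),
            src=m["src"], dst=m["dst"],
            start=_ts(m["start_date"], m["start_time"]),
            end=_ts(m["end_date"], m["end_time"]),
        ))
    return events


def scan_summary(events: list[ScanEvent]) -> dict[str, dict]:
    """Per source: number of scans, local targets hit, first and last time seen."""
    summary: dict[str, dict] = {}
    for ev in events:
        s = summary.setdefault(ev.src, {"count": 0, "targets": set(), "first": ev.start, "last": ev.end})
        s["count"] += 1
        s["targets"].add(ev.dst)
        s["first"] = min(s["first"], ev.start)
        s["last"] = max(s["last"], ev.end)
    return summary


def sources_in_block(events: list[ScanEvent], cidr: str) -> list[str]:
    """Source addresses inside the whois NetRange, in numeric order."""
    net = ipaddress.ip_network(cidr)
    hits = {ev.src for ev in events if ipaddress.ip_address(ev.src) in net}
    return sorted(hits, key=ipaddress.ip_address)


def abuse_report(events: list[ScanEvent], cidr: str) -> list[str]:
    """Lines an admin could paste into a ticket to the block owner's abuse contact."""
    summary = scan_summary(events)
    lines = []
    for src in sources_in_block(events, cidr):
        s = summary[src]
        lines.append(f"{src}: {s['count']} scan(s) against {len(s['targets'])} target(s), "
                     f"{s['first']:%Y-%m-%d %H:%M:%S} to {s['last']:%Y-%m-%d %H:%M:%S}")
    return lines


if __name__ == "__main__":
    for line in abuse_report(parse_log(SAMPLE_LOG), "65.254.32.0/19"):
        print(line)
```

Filtering on the whois CIDR rather than on the exact addresses seen so far matters because, as the later post notes, the scanning set is a group of compromised machines; a seventh one in the same block would be caught by the same report without editing the script.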

 
Jack
Nice trace, but I'd nearly bet you my left testicle it's just a zombied machine. The hacker found an open port and slipped through under the fence. He was long gone without any footprints by the time you ran that whois.

Steve
 
Cedge

no bet ;)

It's a bot for sure on 6 machines:

65.254.52.105
65.254.52.106
65.254.52.107
65.254.52.108

65.254.52.110
65.254.52.111

IF (no comments) you monitored the infected machines doing the scans you'd also get a small TCP packet every now and again going back to the bot master, which is probably another backdoored machine but with more access than these, but I can't as that would be illegal (non-US scanning US is a no-no).

Whatever the result, the hoster (Gnax) needs to clean house to prevent this again, otherwise it will come back.

I'm only worrying about HMEM, but the Gnax machines have to be fixed before HMEM is safe.

 
I've been working on this for 2 days now.
There has been some progress, but not enough to make it go away.

I need to sleep for a couple of hours here.
I'll get back on it as soon as possible!

Rick
 
In the downloads and uploads section:

I have been unable to open anything except for a simple jpg file.
The PDFs all report as damaged.
The Word document on drill sizes now contains a treatise on drugs.

Many of these are ones that I have opened in the past.

Gail in NM, USA
 
The more I dig the more I find.... :mad:

To all: Thanks for passing along your observations and information!!
 
Gail
Sounds like the same information that's being seen popping up in the PM addressee box. I checked the downloads and the same thing here. Acrobat reports the file has been corrupted and can't be displayed. Don't think I'd trust any of the files very much, at the moment anyway.

Hang in there.
Steve
 
Seems clear the hackers are continuing to find more they can taint. I'd be careful about downloading any file from the site until it can be verified as virus free. Need to run full virus scans on all the downloadable files and probably the images too.

At some point you'll have to ask yourself whether to take the site down for a little while and try to restore an earlier clean version. I don't know what sort of backups are available or whether they may be clean or not. Changing passwords at the moment may not help at all. They could very well have changed the code so any password changes simply get sent to the hackers and they now have the new password.

The makers of this software ought to be able to provide some help, and it would be in their best interests to do so.

It's been a nasty business!

Best,

BW
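BW's two suggestions, scanning every downloadable file before serving it again and restoring from a backup that is known to be clean, both come down to being able to tell which files changed. The following is an added example, not code from the thread or from the forum software: it records a SHA-256 manifest of a clean downloads tree (in practice taken from the last good backup) and then compares the live tree against it, reporting files that were modified, added or removed. The directory layout, file names and the tampering are all constructed in a temporary directory to mirror the symptoms Gail reported (a corrupted PDF and a Word document whose content was replaced).

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root.

    Run this against the clean backup, not the live site, and keep the result
    somewhere the web server cannot write to.
    """
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the manifest.

    modified: present in both but with a different hash (corrupted or replaced)
    added:    on disk but not in the manifest (anything the attackers dropped)
    missing:  in the manifest but gone from disk
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean downloads tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "downloads"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "drill_sizes.doc").write_bytes(b"clean drill size table")
        (root / "docs" / "boiler.pdf").write_bytes(b"%PDF-1.4 clean")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 clean jpeg")
        manifest = build_manifest(root)          # what the clean backup recorded

        # Tampering modelled on the thread's symptoms (all constructed):
        (root / "docs" / "drill_sizes.doc").write_bytes(b"unrelated advert text")      # content replaced
        (root / "docs" / "boiler.pdf").write_bytes(b"%PDF-1.4 clean" + b"\x00garbage")  # corrupted
        (root / "unexpected_file.bin").write_bytes(b"not in the backup")               # new file
        (root / "photo.jpg").unlink()                                                  # removed
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The manifest only proves what changed relative to the backup; if the backup itself was taken after the intrusion began, every file in it is "clean" by definition, which is the same caveat BW raises about not knowing whether the backups are trustworthy.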
 
I just now (11/19 1010 PST) uploaded a new post to the "Tips and Tricks" forum and almost immediately thereafter AVG detected a Trojan Horse attempt on my system.

Don't know if it's related but it sure seems suspicious.
 
Just browsing here my AVG is going off and Spybot Search and Destroy is having a field day. I'm outa here for the foreseeable future.
Good luck guys
 
Admins,

Sorry to add to our woes, the "Insert quote" does not work when trying to use it in the reply area. It p@#$es me off when all I am capable of doing is adding to the problems and not the solutions.

Hang in there guys.

Best Regards
Bob
 
Well, this machine has been logged in for most of the day and I've run both AV and Spyware programs several times, plus they are always running in the background .......... anyway ............ I have not found any problems, let's not get paranoid guys.

CC
 