IMPORTANT: Server Hacked - spyware alert

iBrian

Peace, Love and Unity
Veteran Member
Messages
6,542
Reaction score
30
Points
48
Location
Scotland
This is a IMPORTANT notice to all members:

Earlier the server that the comparative-religion site is running on was hacked. Here is the explanation from my webhost:
Someone used an exploit with an sql inject command on a sites insecure
script. We have been trying to clean up the mess they caused and the site
that was abused has been suspended. We are now recompiling php and mysql
That along has casued some appreciable downtime for the forums.

However, is not the end of the matter.

Apparently - though this has yet to be confirmed - the person(s) involved in hacking the server may have also installed some form of scumware into the forum via the database software on the server.

ALL MEMBERS OF COMPARATIVE-RELIGION.COM ARE URGED TO DO A PROPER SECURITY CHECK ON THEIR MACHINES.

If you run a Firewall such as ZoneAlarm you will find the following program files trying to be executed:

msvb_7662.exe
mshta.exe

DO NOT CLICK ON "YES" TO CONNECT TO INTERNET WITH THESE PROGRAMS!

Also - DO NOT accept the security prompt asking you to connect to a premium rate number!!

Here are the programs that will help remove the software:

Firewall: Download FREE ZoneAlarm

Spybot S&D and AdAware.

HOWEVER I'm currently having problems removing one particular piece of scumware from my machine, that insists on making my browser homepage "mybookmarks.ws"

Just a note as well - this has apparently affected every site on the same server that used databases (it was the database software itself that was exploited, not this forum itself).

Also note that Internet Explorer users are probably more vulnerable to this use of scumaware than users of the Mozilla Firebird browser, which apparently does not share the same security exploits.

I am not yet aware of the actual extent of this problem, and give full warning to all members of the potential security situation that has arisen.

I would also like to point out that this issue could have happened to any server, and is in now way particular to this site.

I'll keep everybody informed of progress on this issue.
 
I'm honestly not sure if there really has been spyware involved with the site because of the hacking - either way, comparative-religion.com is now running on a completely new - and more powerful - server. :)

Members are highly recommended to run a check for spyware, though.
 
I wonder if this has anything to do with my msn account not being able to log in lately. I doubt it; probably just something about a crummy phone connection. But I will try this ZoneAlarm and see if it fixes it. Thanks for the heads up, B! :D
 
As I say, I've no idea if there was a real secuirity threat - it could be coincidence. However, I thought it best to warn members here. :)
 
Reply To Spyware

MY SPY HUNTER PICKED-UP ON IT A FEW DAYS AGO. :confused: I WAS WONDERING WHY I GETTING RESTICTED ACCESS TO MY PC FILES.
GOOD LOOKIN' OUT
BYRD
 
That is strange, the main link re-directs to a dead page with an error message. I am doing a virus check right now, I will let you know if I picked up the spyware.
 
My Symantec virus software picked up a virus called: Guess-PC. I do not know exactly what this is, but my Symantec was apparently able to quarantine it.

The strange thing is that my computer was apparently first exposed to this threat on June 6. I am a bit confused by that ?

Google does not have anything about this virus.
 
although its more likely an automated process that looks for vulnerable servers rather than interfaith being targeted directly.
 
Brian,

When we try to pull up the main Interfaith/org URL, we are still getting redirected to that hijack site. Can you verify that you still have the URL (CNAME, etc.) pointing to the right location?
 
Brian,

When we try to pull up the main Interfaith/org URL, we are still getting redirected to that hijack site. Can you verify that you still have the URL (CNAME, etc.) pointing to the right location?
All, this is not unique to a few folk. Even the admin staff are having difficulties moving around the forum. We are working on identifying and correcting the problem.

Thanks for your patience.

v/r

Q
 
I think my laptop got something...it went down and I haven't been able to revive it, then someone stole it...

Here's to hoping they don't connect it to their network....
 
i admin linux php, mysql, etc servers for a living, so would be happy to lend my assistance if required.
 
My sincere apologies to everyone about the issue - felt like I needed to come into IO on Saturday, but things have been so hectic and troublesome with work I needed to clear some things first.

What happened is someone basically overwrote the index file for the forums and the front end of the website, by uploading a malicious script as a custom avatar, which pretty much crippled everything.

The site software has now been updated and the index files returned, and I'm currently going through a security checklist of what to lock down to make the site more secure.

In the meantime, again, my sincere apologies for the issue - this was a generic attack rather than targeting IO specifically - and hopefully the measures I put in place now should help prevent anything similar from happening for a very long time.

Now to get to work on the backend...
 
Great work Brian. I haven't been able to log in for days, kept getting redirected to another blank site page.

Not that I have to log in or anything.... I mean... I can quit whenever I want....right?
I'm not addicted or anything... :)
 
Back
Top