Site Hacked (again) :(
- This topic has 18 replies, 7 voices, and was last updated 15 years, 4 months ago by
Doris Kenney.
October 2, 2010 at 5:59 pm #33004
Jeff Hester
Keymaster
Hey guys, just wanted to let you know that the forums have been hacked again for the third time this year.
You may not notice. You can go directly to bigblueball.com/forums and everything works fine. It only affects people who search Google, then click a link to the BigBlueBall forums. They get redirected to a MyFiles site which (I think) tries to download a file (probably something malicious). The MyFiles site has already removed the file from their server — they aren’t the ones hacking the forum — but the redirect is still in place. If you go to the site again, chances are it will work. Or if you already logged in it most likely will work. It’s very tricky to detect (for me) because I get to the site just fine. It only affects search traffic, which as you can see from this pic, can be substantial.

As you can see, we were hacked toward the end of February. This went undetected for nearly a month. We were hacked again at the beginning of July, again going undetected for a long time (partly because of my vacation). And the third hack occurred at approximately September 26th, and has not yet been fixed.
The problem is related to vbSEO, the software that I use to create user-readable and SEO-friendly URLs. I can turn it off, but that can cause other problems.
I’ve opened a ticket at the vbSEO help desk, and hopefully they will respond soon.
October 3, 2010 at 9:34 pm #177168
MrOats
Member
Uh oh…Hope everything gets fixed soon.
If I see anything fishy I will let you know.
October 3, 2010 at 10:38 pm #177169
PolarBearNPR
Participant
Gah! Some people really need to get a different hobby! This is just plain stupid. Ah well… do what you can!
October 3, 2010 at 11:15 pm #177153
Jeff Hester
Keymaster
Actually, you can help me keep on top of this by doing two things:
1. Visit BigBlueBall – Instant Messaging, Social Networking and Collaboration Technology (the home page) periodically just to make sure it’s working properly.
2. Sign-off the forums, then Google bigblueball, then on the search results, click the forum link. If you don’t get the forums, then something is hacked.
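An added example, not part of the original thread: the signed-off, arrive-from-Google check described in the post above can be automated by requesting the same URL with and without a search-engine Referer and comparing the raw responses. The Referer and User-Agent values, the function names, and `simulated_site` (a constructed stand-in using the placeholder host `files.example.invalid`) are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

UA = "Mozilla/5.0 (redirect-check)"  # assumed generic User-Agent
# Same URL, no cookies (signed off); only the Referer differs between profiles.
PROFILES = {
    "direct": {"User-Agent": UA},
    "search_referred": {"User-Agent": UA,
                        "Referer": "https://www.google.com/search?q=bigblueball"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the raw 3xx is the evidence

def http_fetch(url, headers):
    """Return (status, Location) for one GET without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx arrive here
        return err.code, err.headers.get("Location")

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def same_site(url, location):
    """True when a Location target stays on the host of the requested URL."""
    target = urlparse(location).hostname
    if target is None:  # relative redirect, stays on the same host
        return True
    host = strip_www(urlparse(url).hostname or "")
    target = strip_www(target)
    return target == host or target.endswith("." + host)

def check_cloaked_redirect(url, fetch=http_fetch):
    """List profiles that get an off-site redirect the direct visit does not get."""
    baseline = fetch(url, PROFILES["direct"])
    findings = []
    for name, headers in PROFILES.items():
        status, location = fetch(url, headers)
        if (name != "direct" and 300 <= status < 400 and location
                and not same_site(url, location) and (status, location) != baseline):
            findings.append((name, status, location))
    return findings

def simulated_site(url, headers):
    """Constructed stand-in for the behaviour in the thread; no network used."""
    if "google." in headers.get("Referer", ""):
        return 302, "http://files.example.invalid/payload"
    return 200, None
```

Calling `check_cloaked_redirect(url)` with the default `http_fetch` probes a live site; an empty list means the search-referred visit was not sent off-site.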
October 4, 2010 at 11:55 am #177170
Doris Kenney
Participant
Can I just verify the extent of the hack is a simple redirect? I just want to make sure that no credentials (especially those we type for Facebook) have been compromised.
October 7, 2010 at 4:45 pm #177155
Fanatic
Member
Yes, just a redirect, and only if you come through Google search results to a forum page. They don’t actually get into the database, they used an exploit in the URL rewrite code of vbSEO. I’ve patched and corrected the problem.
October 20, 2010 at 6:19 pm #177160
Dermot
Participant
You could install the bad behaviour mod for wordpress/vb
it should stop stuff like that happening in future
but might be a lil too restrictive
October 21, 2010 at 5:06 am #177158
detn8r
Participant
Thought it was worth mentioning that McAfee has “red listed” BBB again.
bigblueball.com | McAfee SiteAdvisor Software
It’s being reported due to a Yahoo messenger patch of some sort.
October 25, 2010 at 1:39 am #177156
Fanatic
Member
Actually, that’s Dermot’s file from this thread: https://bigblueball.com/forums/yahoo-messenger-support/36408-y-messenger-8-0-multi-patch.html
Dermot, can you comment on this?
October 25, 2010 at 12:43 pm #177162
Dermot
Participant
I read the advisory. As you can see it only does one thing, change one reg key and back again, would seem McAfee thinks it could be harmful because it edits the registry and doesn’t have a publisher id like microsoft/google/yahoo, so they have given it a threat level 3 or “Minor risk issue found”, I don’t use McAfee or trust them, but if the file is giving that much a problem I will delete it.
October 25, 2010 at 1:37 pm #177157
Fanatic
Member
@Dermot 249959 wrote:
> I read the advisory. As you can see it only does one thing, change one reg key and back again, would seem McAfee thinks it could be harmful because it edits the registry and doesn’t have a publisher id like microsoft/google/yahoo, so they have given it a threat level 3 or “Minor risk issue found”, I don’t use McAfee or trust them, but if the file is giving that much a problem I will delete it.

Thanks Dermot. Could you host the file somewhere else and create a link to that page? I suspect a direct link to the file would be treated the same by McAfee.
October 25, 2010 at 2:00 pm #177161
Dermot
Participant
That particular program is small, hell I don’t recall what language I wrote it in, think it’s in Delphi. I did e-mail them and want a clarification on why they’re labeling it so, but I’ll just remove it and link to my site because it’s McAfee and I’d be waiting a lifetime for a response, since they can’t advise on my site because downloads are locked to members only and their spiders can’t register or read Captcha.
October 25, 2010 at 3:47 pm #177159
detn8r
Participant
It seems the download is still being reported, but BBB is no longer red listed.
October 25, 2010 at 4:17 pm #177164
Dermot
Participant
I have contacted McAfee myself and requested clarification on why it’s been flagged since the Yahoo! SDK specifically allows the function for plugin development testing, however I have rewritten it… totally to be more… cautious to the user, and will replace it in a few moments.
October 25, 2010 at 4:47 pm #177163
Dermot
Participant
You think this is better?