Site Hacked (again) :(
- This topic has 18 replies, 7 voices, and was last updated 13 years, 6 months ago by Doris Kenney.
October 2, 2010 at 5:59 pm #33004 Jeff Hester (Keymaster)
Hey guys, just wanted to let you know that the forums have been hacked again for the third time this year.
You may not notice. You can go directly to bigblueball.com/forums and everything works fine. It only affects people who search Google, then click a link to the BigBlueBall forums. They get redirected to a MyFiles site which (I think) tries to download a file (probably something malicious). The MyFiles site has already removed the file from their server — they aren’t the ones hacking the forum — but the redirect is still in place. If you go to the site again, chances are it will work. Or if you are already logged in, it most likely will work. It’s very tricky to detect (for me) because I get to the site just fine. It only affects search traffic, which as you can see from this pic, can be substantial.
As you can see, we were hacked toward the end of February. This went undetected for nearly a month. We were hacked again at the beginning of July, again going undetected for a long time (partly because of my vacation). And the third hack occurred at approximately September 26th, and has not yet been fixed.
The problem is related to vbSEO, the software that I use to create user-readable and SEO-friendly URLs. I can turn it off, but that can cause other problems.
I’ve opened a ticket at the vbSEO help desk, and hopefully they will respond soon.
October 3, 2010 at 9:34 pm #177168 MrOats (Member)
Uh oh…Hope everything gets fixed soon.
If I see anything fishy I will let you know.
October 3, 2010 at 10:38 pm #177169 PolarBearNPR (Participant)
Gah! Some people really need to get a different hobby! This is just plain stupid. Ah well… do what you can!
October 3, 2010 at 11:15 pm #177153 Jeff Hester (Keymaster)
Actually, you can help me keep on top of this by doing two things:
1. Visit BigBlueBall – Instant Messaging, Social Networking and Collaboration Technology (the home page) periodically just to make sure it’s working properly.
2. Sign-off the forums, then Google bigblueball, then on the search results, click the forum link. If you don’t get the forums, then something is hacked.
October 4, 2010 at 11:55 am #177170 Doris Kenney (Participant)
Can I just verify the extent of the hack is a simple redirect? I just want to make sure that no credentials (especially those we type for Facebook) have been compromised.
October 7, 2010 at 4:45 pm #177155 Fanatic (Member)
Yes, just a redirect, and only if you come through Google search results to a forum page. They don’t actually get into the database, they used an exploit in the URL rewrite code of vbSEO. I’ve patched and corrected the problem.
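The manual check from earlier in the thread (arrive from a Google result while signed off) can be automated by requesting the same URL with and without a Google Referer header and comparing the two answers. This is an added example, not part of the original thread or of vbSEO; the function names, the sample Referer value and the simulated local site are assumptions constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

GOOGLE_REFERER = "https://www.google.com/search?q=bigblueball"  # constructed sample

def fetch(url, referer=None):
    """One GET without following redirects; returns (status, Location header)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers={"Referer": referer} if referer else {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_referer_redirect(url):
    """Flag a URL that redirects off-site only for visitors arriving from a search result."""
    direct, referred = fetch(url), fetch(url, GOOGLE_REFERER)
    target = urlsplit(referred[1] or "").hostname
    off_site = referred[0] in (301, 302, 303, 307, 308) and target not in (None, urlsplit(url).hostname)
    return {"direct": direct, "referred": referred, "suspicious": off_site and direct != referred}

class SimulatedSite(BaseHTTPRequestHandler):
    """Constructed stand-in that answers the way the thread describes (not the real site)."""
    def do_GET(self):
        if self.path.startswith("/forums") and "google." in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "http://files.example.invalid/download")
        else:
            self.send_response(200)
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), SimulatedSite)  # local only, random free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {p: check_referer_redirect(base + p) for p in ("/", "/forums/")}
    finally:
        server.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

Run `check_referer_redirect` against your own forum URLs from a scheduled job; an off-site redirect that appears only with the search Referer is the symptom that went unnoticed here for weeks.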
October 20, 2010 at 6:19 pm #177160 Dermot (Participant)
You could install the bad behaviour mod for wordpress/vb
it should stop stuff like that happening in future
but might be a lil too restrictive
October 21, 2010 at 5:06 am #177158 detn8r (Participant)
Thought it was worth mentioning that McAfee has “red listed” BBB again.
bigblueball.com | McAfee SiteAdvisor Software
It’s being reported due to a Yahoo messenger patch of some sort.
October 25, 2010 at 1:39 am #177156 Fanatic (Member)
Actually, that’s Dermot’s file from this thread: https://bigblueball.com/forums/yahoo-messenger-support/36408-y-messenger-8-0-multi-patch.html
Dermot, can you comment on this?
October 25, 2010 at 12:43 pm #177162 Dermot (Participant)
I read the advisory. As you can see it only does one thing, change one reg key and back again, would seem McAfee thinks it could be harmful because it edits the registry and doesn’t have a publisher id like microsoft/google/yahoo, so they have given it a threat level 3 or “Minor risk issue found”, I don’t use McAfee or trust them, but if the file is giving that much a problem I will delete it.
October 25, 2010 at 1:37 pm #177157 Fanatic (Member)
@Dermot 249959 wrote:
I read the advisory. As you can see it only does one thing, change one reg key and back again, would seem McAfee thinks it could be harmful because it edits the registry and doesn’t have a publisher id like microsoft/google/yahoo, so they have given it a threat level 3 or “Minor risk issue found”, I don’t use McAfee or trust them, but if the file is giving that much a problem I will delete it.
Thanks Dermot. Could you host the file somewhere else and create a link to that page? I suspect a direct link to the file would be treated the same by McAfee.
October 25, 2010 at 2:00 pm #177161 Dermot (Participant)
That particular program is small, hell I don’t recall what language I wrote it in, think it’s in Delphi. I did e-mail them and want a clarification on why they’re labeling it so, but I’ll just remove it and link to my site because it’s McAfee and I’d be waiting a lifetime for a response, since they can’t advise on my site because downloads are locked to members only and their spiders can’t register or read Captcha.
October 25, 2010 at 3:47 pm #177159 detn8r (Participant)
It seems the download is still being reported, but BBB is no longer red listed.
October 25, 2010 at 4:17 pm #177164 Dermot (Participant)
I have contacted McAfee myself and requested clarification on why it’s been flagged since the Yahoo! SDK specifically allows the function for plugin development testing, however I have rewritten it…totally to be more..cautious to the user, and will replace it in a few moments.
October 25, 2010 at 4:47 pm #177163 Dermot (Participant)
You think this is better?