Plakias Forums

Administration, Feedback and Bugs => Forum and Website discussion => Topic started by: Chas on August 14, 2007, 03:01:37 PM

Title: Being "hacked"?
Post by: Chas on August 14, 2007, 03:01:37 PM
First off, I AM PARANOID ... this could be a false alarm.

However, when I went to "http://www.plakias.co.uk/" (testing a link I posted on another forum), I had two unusual things happen:

1.  My AV software popped-up a Trojan warning - reassuringly to say it hadn't downloaded anything.

2.  Firefox / NoScript warning bar popped-up to notify me that a (new) script was pending execution, from "wdqccrzpmd.hk" - needless to say, I haven't allowed it to run!

Ploppy, please calm my nerves, tell me (1) was just coincidence (I had several other tabs open) and (2) is something you inserted to do good things.
Title: Being "hacked"?
Post by: George on August 14, 2007, 03:27:14 PM
Hi Chas

I used to get the Trojan warning on the home page through 'Sophos', so I tend now to enter the site from the email notification links to the messages.

Haven't been near the home page for ages!!

My IT guys didn't seem all that concerned about it.

I've got a pop-up blocker so wouldn't know about No 2.

george g...
Title: Being "hacked"?
Post by: ostraco on August 14, 2007, 06:14:23 PM
Quote from: George
Hi Chas

I used to get the Trojan warning on the home page through 'Sophos', so I tend now to enter the site from the email notification links to the messages.

Haven't been near the home page for ages!!

My IT guys didn't seem all that concerned about it.

I've got a pop-up blocker so wouldn't know about No 2.

george g...
I don't know what's going on either - had trouble logging on at work - had to enter my password a few times before it would let me post - but the same happened at home (yes, I do have a slow connection back) - where normally I get straight in!
Let's keep our eyes open!
John
Title: Being "hacked"?
Post by: Ploppy on August 14, 2007, 06:25:36 PM
Sorry still at work at the moment.

Absolutely swamped and not sure when I will get home.

Not sure there is an issue. My AV doesn't complain. Yes NoScript complains but then it does about 99% of sites.

For more info about wdqccrzpmd.hk

See here: http://www.castlecops.com/t193370-Trojan_Downloader_amp_aftermath.html

I'll try and have another look later.

Cheers,

Paul
Title: Being "hacked"?
Post by: Chas on August 14, 2007, 07:46:52 PM
Thanks, Paul,

Not exactly the news we wanted to hear - that Castlecops report is quite an eyeopener!

Thank goodness for Firefox and NoScript  

Let us know when the offending (offensive) script has been flushed.  
Title: Being "hacked"?
Post by: Graham_and_Karen on August 14, 2007, 10:27:20 PM
Quote from: Chas
Thanks, Paul,

Not exactly the news we wanted to hear - that Castlecops report is quite an eyeopener!

Thank goodness for Firefox and NoScript  

Let us know when the offending (offensive) script has been flushed.  
Chas, I'm not convinced there is a problem. I'm using Firefox and went to the plakias website today from work - no warnings at all. Castlecops - I hadn't realised they were a good site to check for malware etc. I rely on Adaware - it hasn't let me down so far (unlike Windows Defender)
Title: Being "hacked"?
Post by: Ploppy on August 14, 2007, 11:16:10 PM
Unfortunately it does look like we had a problem.

Various files (index.htmls & index.phps) had been altered on the 9th of August to include a script. Not sure what they did, NoScript did not report the wdqccrzpmd.hk for me as it did for Chas.

I have edited the files to remove the offending script calls and will be in touch with Invision to see if they can help ascertain how it happened.

Chas can you see how it is behaving for you now.

Anyone using Firefox can install the NoScript addin as it is pretty useful. However disabling scripts on the forum can cause other problems like Fast Reply will not work and you don't get all your posting options. Only started using it so maybe Chas can give us some pointers? i.e how do you add smileys in your posts when NoScript disables the side panel?

I will try and give an update tomorrow. It has been a long c%$p day and I need to go to bed!

Thanks,

Paul
Title: Being "hacked"?
Post by: Chas on August 15, 2007, 01:14:50 AM
A very brief tutorial on "NoScript"

NoScript is an add-in to the Firefox browser - it won't work for Internet Explorer or Opera.

Basically, it "does just what it says on the tin" - no scripts are allowed to run ... unless you OK them, either "temporarily" for the current session and site or permanently (if you're happy).

If you have (or have used) ZoneAlarm firewall, it works in a similar way - when it finds something it hasn't been OKayed for, it asks you to check.

It pops-up a full-width bar at the bottom of the screen, just above the taskbar, listing what it's been allowed to run and noting how many other scripts it has found that are not (yet) allowed.

If you click on the "options" button, it pops-up a drop-down (erm? well, you know what I mean) list of all the script sources, showing which are allowed and which are dis-allowed.  The listing allows you to swap the setting for each script source.

In today's case, the list showed plakias.co.uk, mediacount.net, about:neterror (all allowed) and the dreaded wdqccrzpmd.hk (not yet allowed ... and no way was I going to allow it!).

How did I know?  Well, plakias.co.uk is pretty obvious; mediacount.net is a fairly common "site traffic counter" and about:neterror is a common "bug catcher".  However, wdqccrzpmd.hk I had never come across before, it wasn't there last time I went to the Home page (a week or so ago) and the "hk" suffix (Hong Kong) seemed pretty improbable for UK or Greek sites, so  let it stay dis-allowed.


If you are presented with a new site and don't know what to allow, a few simple tests can be used:

* Is the website listed - if so, it should be OK (unless you go to dodgy websites   ).
* Have you seen any of the sources before - probably OK, they are common tools, like mediacount.
* Is "google" part of the name - again, common site usage recording.
* Is the national suffix somewhere dodgy (ru - Russia and hk - Hong Kong are known areas for malware distribution) - take great care.
* Not at all sure? - leave it dis-allowed and see if the site works;
  - if it doesn't, temporarily allow it (if you have confidence in your security-ware)
  - if it now works and nothing nasty happens, you can consider allowing it properly next time you go to the site.

Right, that's enough, I said this was a brief tutorial but I've gone on and on .... and it's well past my bedtime!
Title: Being "hacked"?
Post by: Graham_and_Karen on August 15, 2007, 08:39:16 AM
Quote from: Ploppy
Unfortunately it does look like we had a problem.

Various files (index.htmls & index.phps) had been altered on the 9th of August to include a script. Not sure what they did, NoScript did not report the wdqccrzpmd.hk for me as it did for Chas.

I have edited the files to remove the offending script calls and will be in touch with Invision to see if they can help ascertain how it happened.

Chas can you see how it is behaving for you now.

Anyone using Firefox can install the NoScript addin as it is pretty useful. However disabling scripts on the forum can cause other problems like Fast Reply will not work and you don't get all your posting options. Only started using it so maybe Chas can give us some pointers? i.e how do you add smileys in your posts when NoScript disables the side panel?

I will try and give an update tomorrow. It has been a long c%$p day and I need to go to bed!

Thanks,

Paul
Maybe I haven't seen a problem because my security level is lower and I routinely add sites like plakias.co.uk to my trusted sites list. Maybe I should be more cautious in the future
Title: Being "hacked"?
Post by: Ploppy on August 15, 2007, 08:45:30 AM
Quote from: Chas
A very brief tutorial on "NoScript"

Excellent, Thanks Chas.

That clears up the one query I had. In that you 'Allow' Plakias... hence all functionality is there for you. But allowing Plakias... will still not run scripts referencing external sites which I thought it might.
Title: Being "hacked"?
Post by: Ploppy on August 15, 2007, 11:13:06 AM
An update.

Invision say that they did have some FTP accounts compromised and that all customers were notified to change their passwords. I don't recall seeing any e-mail (but that doesn't mean I didn't get it), I can check later.

I have deleted most FTP accounts and changed passwords (get in touch John if you want to do any uploading).

So there has been a threat since the 9th, however both my home and work machine would have been affected and I have found nothing suspicious on either machine after a full Virus and Spyware scan.

Let me know if you encounter any problems.

Thanks,

Paul
Title: Being "hacked"?
Post by: ostraco on August 15, 2007, 01:00:19 PM
Quote from: Ploppy
An update.

Invision say that they did have some FTP accounts compromised and that all customers were notified to change their passwords. I don't recall seeing any e-mail (but that doesn't mean I didn't get it), I can check later.

I have deleted most FTP accounts and changed passwords (get in touch John if you want to do any uploading).

So there has been a threat since the 9th, however both my home and work machine would have been affected and I have found nothing suspicious on either machine after a full Virus and Spyware scan.

Let me know if you encounter any problems.

Thanks,

Paul
I haven't seen any email either Paul - tho my connection at home is still flakey, and I can't check at work.
Things seem to be behaving OK for me at work today - will also check tonight when I get home.
As for uploading Paul - would love to be doing some re-working of the site - but I can't see that happening in the near future.
Cheers all!
Title: Being "hacked"?
Post by: Chas on August 15, 2007, 04:01:13 PM
Point of information -

I found the problem on the "Welcome to Plakias" Homepage - not here in the forum.

If, like me, you come direct to the Forum, you shouldn't have been compromised.
Title: Being "hacked"?
Post by: George on August 15, 2007, 04:12:14 PM
Come on Chas you're not paying attention. I mentioned that further back in the thread.

Well done all you guys, this thread went way over my head.

george g...
Title: Being "hacked"?
Post by: Noopsy on August 15, 2007, 07:05:18 PM
Mine too.  
To start off, can anyone tell me what is meant by "script"?
Title: Being "hacked"?
Post by: Greecemad on August 15, 2007, 09:24:31 PM
Quote from: Noopsy 500
To start off, can anyone tell me what is meant by "script"?

It's what doctors and pharmacists use as shorthand for "prescription"  
Title: Being "hacked"?
Post by: Ploppy on August 16, 2007, 08:53:02 AM
Quote from: Noopsy 500
Mine too.  
To start off, can anyone tell me what is meant by "script"?

A script is a set of instructions or commands to be carried out by some program/application.

In our case the offending items were inside HTML or PHP files. HTML (HyperText Markup Language) are files that store web page information and are 'read' by your browser (i.e Internet Explorer, Firefox, Opera etc).
PHP is a scripting language used on a web server to do stuff like read and write files, query databases etc (for completeness it stands for PHP: Hypertext Preprocessor).
Title: Being "hacked"?
Post by: Chas on August 16, 2007, 12:03:56 PM
Quote from: Ploppy
Quote from: Noopsy 500
Mine too.  
To start off, can anyone tell me what is meant by "script"?

A script is a set of instructions or commands to be carried out by some program/application.

In our case the offending items were inside HTML or PHP files. HTML (HyperText Markup Language) are files that store web page information and are 'read' by your browser (i.e Internet Explorer, Firefox, Opera etc).
PHP is a scripting language used on a web server to do stuff like read and write files, query databases etc (for completeness it stands for PHP: Hypertext Preprocessor).
Scripts come in various "flavours" (java, PHP, VB and several others) and are meant to make writing programs (sic) and websites "easier" .... unfortunately, they have two big drawbacks - they are very powerful and they are easier to write for non-techies, so the ranks of "hackers" have been swelled by "script kiddies".
Title: Being "hacked"?
Post by: Chas on August 16, 2007, 04:16:49 PM
Oh, dear !

It looks like there is still a problem ..... or two!

I don't recognise either 1sense.info or veryfastmoney.biz - and I don't think either of them sounds "kosher".

I was actually just going to do an illustrated bit on NoScript .... great sense of timing?  


(http://thumb4.webshots.net/t/55/455/3/52/92/2495352920046486184rAUgPY_th.jpg) (http://entertainment.webshots.com/photo/2495352920046486184rAUgPY)
>>thumbnail - click on it to go to better image AND THEN click on FULL SIZE, finally click over bottom-right corner to see things properly (at full size)<<
Title: Being "hacked"?
Post by: Noopsy on August 16, 2007, 04:33:28 PM
Quote from: Chas
(http://entertainment.webshots.com/photo/2495352920046486184rAUgPY)
Title: Being "hacked"?
Post by: Ploppy on August 16, 2007, 04:56:55 PM
Could you just try it again Chas?
Title: Being "hacked"?
Post by: Chas on August 16, 2007, 05:56:14 PM
Done ... still the same!
Title: Being "hacked"?
Post by: Chas on August 16, 2007, 06:01:44 PM
Quote from: Noopsy 500
Quote from: Chas
(http://entertainment.webshots.com/photo/2495352920046486184rAUgPY)

Did you click on the thumbnail picture?

I logged-out, came back in as a guest and it worked fine for me (http://www.chatitaliachat.it/serpe/msn/214.gif)
Title: Being "hacked"?
Post by: Graham_and_Karen on August 16, 2007, 07:53:25 PM
Quote from: Chas
Quote from: Noopsy 500
Quote from: Chas

(http://entertainment.webshots.com/photo/2495352920046486184rAUgPY)

Did you click on the thumbnail picture?

I logged-out, came back in as a guest and it worked fine for me (http://www.chatitaliachat.it/serpe/msn/214.gif)

Chas,
1 - I don't get the same dodgy scripts showing when I go to www.plakias.co.uk - just harmless advertising.
2 - Please can you explain the difference between allowing plakias.co.uk, www.plakias.co.uk and http://www.plakias.co.uk - as in the attached screenshot.
Thanks [attachment=490:SP32_160...7_194318.jpg]
Title: Being "hacked"?
Post by: Ploppy on August 16, 2007, 08:34:44 PM
Quote from: Graham_and_Karen
1 - I don't get the same dodgy scripts showing when I go to www.plakias.co.uk - just harmless advertising.
2 - Please can you explain the difference between allowing plakias.co.uk, www.plakias.co.uk and http://www.plakias.co.uk - as in the attached screenshot.
Thanks [attachment=490:SP32_160...7_194318.jpg]


Graham,

Those two allow options should do the same thing I would have thought.
Title: Being "hacked"?
Post by: Ploppy on August 16, 2007, 08:36:38 PM
OK I think I have got it all now.

Missed a bit of embedded java script.

Hopefully this is the end of it, though Invision's FTP has been down for 24 hours so they may have other problems.
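
The clean-up Paul describes across his posts (script calls added to index.html and index.php files, then an embedded script missed on the first pass) can be checked mechanically rather than by eye. The Python below is an added example, not part of the original thread or the site's own code; the allowlist, the constructed sample page and its `.example` hosts are assumptions for illustration.

```python
import re
from datetime import datetime
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"plakias.co.uk", "mediacount.net"}
PAGE_SUFFIXES = {".html", ".htm", ".php"}

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def is_allowed(host):
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def scan_text(text):
    """Return (kind, detail) findings for one page's source text."""
    findings = []
    for tag, attrs in TAG_RE.findall(text):
        src = SRC_RE.search(attrs)
        if src is None:
            # A script tag with no src carries its code inline: list it for review.
            if tag.lower() == "script":
                findings.append(("inline-script", "review by hand"))
            continue
        host = urlparse(src.group(1)).hostname  # None for relative paths
        if host and not is_allowed(host):
            findings.append(("external-" + tag.lower(), host))
    return findings


def scan_webroot(root, changed_since):
    """Scan page files under root; report findings and whether the file
    was modified on or after changed_since (a naive local datetime)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        findings = scan_text(path.read_text(errors="replace"))
        if findings:
            modified = datetime.fromtimestamp(path.stat().st_mtime)
            report[str(path.relative_to(root))] = {
                "findings": findings,
                "changed_since_cutoff": modified >= changed_since,
            }
    return report


# Constructed sample: a legitimate counter, a local script, and injected tags.
SAMPLE = """<html><body>
<script src="http://mediacount.net/count.js"></script>
<script src="js/menu.js"></script>
<script src="http://injected.example/x.js"></script>
<script>document.write('<iframe src="//frames.example/a"></iframe>')</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Inline scripts are listed rather than judged, because legitimate pages use them too; modification times can be reset by whoever altered the files, so the cutoff flag is a hint, not proof.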
Title: Being "hacked"?
Post by: Chas on August 17, 2007, 12:35:03 AM
@Paul

Looks good .............. Yipee!


@G&K

I'm running NoScript v.1.1.6.12  under Firefox v.2.0.0.6 -- I assume you have not updated to one or both of those versions, hence the different screenshot contents.

As Paul says, all three "plakias" flavours are essentially the same ... and from the screenshot, all are disallowed ???? !!!!!!
Title: Being "hacked"?
Post by: Graham_and_Karen on August 17, 2007, 08:12:27 AM
Chas and Paul - Thanks for the info. I presume though, on other sites, the three options could apply different restrictions (otherwise why give 3 options). I'm guessing that disallowing eg. anyname.com could apply to more than http://www.anyname.com with www.anyname.com in the middle.

Graham
Title: Being "hacked"?
Post by: Noopsy on August 17, 2007, 03:33:33 PM
Quote from: Chas
Quote from: Noopsy 500
Quote from: Chas
(http://entertainment.webshots.com/photo/2495352920046486184rAUgPY)

Did you click on the thumbnail picture?

I logged-out, came back in as a guest and it worked fine for me (http://www.chatitaliachat.it/serpe/msn/214.gif)

Chas, I clicked on the picture appearing in your post.
Title: Being "hacked"?
Post by: Chas on August 17, 2007, 04:14:22 PM
@Graham

I'm not sure what versions of Firefox and/or NoScript you have .... BUT you really should click on the <Help>drop-down of Firefox and click on "Check for updates".

There has been a bucket-load of critical fixes in the past couple of months.

Along with the vital stuff, the old "Extensions" gizmo has been renamed as "Add-ins" and is now automated, so updates are notified each time you open FF - great for keeping you up to date.


@Noopsy

I'm at a bit of a loss ... if you're clicking on the right bits of images, it should work (http://www.abestweb.com/smilies/breakcomp.gif)


Can you see the image below (http://zorbas.de/scripts/phpBB2/images/smiles/icon_question.gif)

(http://inlinethumb59.webshots.com/6970/2495352920046486184S600x600Q85.jpg)
Title: Being "hacked"?
Post by: Graham_and_Karen on August 17, 2007, 05:29:56 PM
Quote from: Chas
@Graham

I'm not sure what versions of Firefox and/or NoScript you have .... BUT you really should click on the <Help>drop-down of Firefox and click on "Check for updates".

There has been a bucket-load of critical fixes in the past couple of months.

Along with the vital stuff, the old "Extensions" gizmo has been renamed as "Add-ins" and is now automated, so updates are notified each time you open FF - great for keeping you up to date.
Ok - But I don't have a problem with NoScript - I was just after more info on the 3 site options when choosing whether to allow or disallow scripts from a site. BTW I'm running the latest vsn of both NoScript and Firefox.

Overall, I'm happy with the way NoScript is working - as well as stopping external scripts by default, it identifies what's running (or wants to run).
Title: Being "hacked"?
Post by: Chas on August 17, 2007, 05:49:05 PM
Quote from: Graham_and_Karen
Quote from: Chas
@Graham

I'm not sure what versions of Firefox and/or NoScript you have .... BUT you really should click on the <Help>drop-down of Firefox and click on "Check for updates".

There has been a bucket-load of critical fixes in the past couple of months.

Along with the vital stuff, the old "Extensions" gizmo has been renamed as "Add-ins" and is now automated, so updates are notified each time you open FF - great for keeping you up to date.
Ok - But I don't have a problem with NoScript - I was just after more info on the 3 site options when choosing whether to allow or disallow scripts from a site. BTW I'm running the latest vsn of both NoScript and Firefox.

Overall, I'm happy with the way NoScript is working - as well as stopping external scripts by default, it identifies what's running (or wants to run).
OOeeeeeeerrrrrrrrrrrrr!  Now I'm even more cofusticated!!

I guessed your versions were not up-to-date because the display was quite different to the one I get (and I know I'm fully u-t-d) so, where to go from here?

As to "which site option" - my advice would be to start at the highest level (http://www.whatever.com) and see if that auto-allows the lower levels.
Title: Being "hacked"?
Post by: Graham_and_Karen on August 17, 2007, 07:22:22 PM
Cheers Chas -