Topic: Being "hacked"?

Chas (Regulars)
« on: August 14, 2007, 03:01:37 PM »
First off, I AM PARANOID ... this could be a false alarm.

However, when I went to "http://www.plakias.co.uk/" (testing a link I posted on another forum), I had two unusual things happen:

1.  My AV software popped-up a Trojan warning - reassuringly to say it hadn't downloaded anything.

2.  Firefox / NoScript warning bar popped-up to notify me that a (new) script was pending execution, from "wdqccrzpmd.hk" - needless to say, I haven't allowed it to run!

Ploppy, please calm my nerves, tell me (1) was just coincidence (I had several other tabs open) and (2) is something you inserted to do good things.
Chas



Stupidity is its own reward.

George (Regulars)
« Reply #1 on: August 14, 2007, 03:27:14 PM »
Hi Chas

I used to get the Trojan warning on the home page through 'Sophos', so I tend now to enter the site from the email notification links to the messages.

Haven't been near the home page for ages!!

My IT guys didn't seem all that concerned about it.

I've got a pop-up blocker so wouldn't know about No 2.

george g...

ostraco (Administrator)
« Reply #2 on: August 14, 2007, 06:14:23 PM »
Quote from: George
> Hi Chas
>
> I used to get the Trojan warning on the home page through 'Sophos', so I tend now to enter the site from the email notification links to the messages.
>
> Haven't been near the home page for ages!!
>
> My IT guys didn't seem all that concerned about it.
>
> I've got a pop-up blocker so wouldn't know about No 2.
>
> george g...

I don't know what's going on either - had trouble logging on at work - had to enter my password a few times before it would let me post - but the same happened at home (yes, I do have a slow connection back) - where normally I get straight in!
Let's keep our eyes open!
John
John - Ostraco

Ploppy (Administrator)
« Reply #3 on: August 14, 2007, 06:25:36 PM »
Sorry still at work at the moment.

Absolutely swamped and not sure when I will get home.

Not sure there is an issue. My AV doesn't complain. Yes NoScript complains but then it does about 99% of sites.

For more info about wdqccrzpmd.hk

See here: http://www.castlecops.com/t193370-Trojan_D..._aftermath.html

I'll try and have another look later.

Cheers,

Paul

Chas (Regulars)
« Reply #4 on: August 14, 2007, 07:46:52 PM »
Thanks, Paul,

Not exactly the news we wanted to hear - that Castlecops report is quite an eyeopener!

Thank goodness for Firefox and NoScript  

Let us know when the offending (offensive) script has been flushed.  
Chas



Stupidity is its own reward.

Graham_and_Karen (Regulars)
« Reply #5 on: August 14, 2007, 10:27:20 PM »
Quote from: Chas
> Thanks, Paul,
>
> Not exactly the news we wanted to hear - that Castlecops report is quite an eyeopener!
>
> Thank goodness for Firefox and NoScript
>
> Let us know when the offending (offensive) script has been flushed.

Chas, I'm not convinced there is a problem. I'm using Firefox and went to the plakias website today from work - no warnings at all. Castlecops - I hadn't realised they were a good site to check for malware etc. I rely on Adaware - it hasn't let me down so far (unlike Windows Defender)

Ploppy (Administrator)
« Reply #6 on: August 14, 2007, 11:16:10 PM »
Unfortunately it does look like we had a problem.

Various files (index.htmls & index.phps) had been altered on the 9th of August to include a script. Not sure what they did, NoScript did not report the wdqccrzpmd.hk for me as it did for Chas.

I have edited the files to remove the offending script calls and will be in touch with Invision to see if they can help ascertain how it happened.

Chas can you see how it is behaving for you now.

Anyone using Firefox can install the NoScript addin as it is pretty useful. However disabling scripts on the forum can cause other problems like Fast Reply will not work and you don't get all your posting options. Only started using it so maybe Chas can give us some pointers? i.e. how do you add smileys in your posts when NoScript disables the side panel?

I will try and give an update tomorrow. It has been a long c%$p day and I need to go to bed!

Thanks,

Paul

Chas (Regulars)
« Reply #7 on: August 15, 2007, 01:14:50 AM »
A very brief tutorial on "NoScript"

NoScript is an add-in to the Firefox browser - it won't work for Internet Explorer or Opera.

Basically, it "does just what it says on the tin" - no scripts are allowed to run ... unless you OK them, either "temporarily" for the current session and site or permanently (if you're happy).

If you have (or have used) ZoneAlarm firewall, it works in a similar way - when it finds something it hasn't been OKayed for, it asks you to check.

It pops-up a full-width bar at the bottom of the screen, just above the taskbar, listing what it's been allowed to run and noting how many other scripts it has found that are not (yet) allowed.

If you click on the "options" button, it pops-up a drop-down (erm? well, you know what I mean) list of all the script sources, showing which are allowed and which are dis-allowed.  The listing allows you to swap the setting for each script source.

In today's case, the list showed plakias.co.uk, mediacount.net, about:neterror (all allowed) and the dreaded wdqccrzpmd.hk (not yet allowed ... and no way was I going to allow it!).

How did I know?  Well, plakias.co.uk is pretty obvious; mediacount.net is a fairly common "site traffic counter" and about:neterror is a common "bug catcher".  However, wdqccrzpmd.hk I had never come across before, it wasn't there last time I went to the Home page (a week or so ago) and the "hk" suffix (Hong Kong) seemed pretty improbable for UK or Greek sites, so let it stay dis-allowed.


If you are presented with a new site and don't know what to allow, a few simple tests can be used:

* Is the website listed - if so, it should be OK (unless you go to dodgy websites).
* Have you seen any of the sources before - probably OK, they are common tools, like mediacount.
* Is "google" part of the name - again, common site usage recording.
* Is the national suffix somewhere dodgy (ru - Russia and hk - Hong Kong are known areas for malware distribution) - take great care.
* Not at all sure? - leave it dis-allowed and see if the site works;
  - if it doesn't, temporarily allow it (if you have confidence in your security-ware)
  - if it now works and nothing nasty happens, you can consider allowing it properly next time you go to the site.

Right, that's enough, I said this was a brief tutorial but I've gone on and on .... and it's well past my bedtime!
Chas



Stupidity is its own reward.
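
A server-side counterpart to the script-source list NoScript shows in the tutorial above, applied to the altered index.html and index.php files described in Reply #6. This is an added example, not code from the forum, its hosting provider or NoScript; the function names, the allowlist contents, the sample markup and the host `unknown-host.example` are constructed for illustration.

```python
import re
from datetime import datetime
from pathlib import Path
from urllib.parse import urlparse

# Literal <script ... src=...> tags, with quoted or unquoted attribute values.
SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

ALLOWED = {"plakias.co.uk", "mediacount.net"}   # assumed allowlist for this site

# Constructed sample page: two expected script sources and one unknown one.
SAMPLE = """<html><body>
<script src="http://www.plakias.co.uk/js/menu.js"></script>
<script type="text/javascript" src="http://mediacount.net/count.js"></script>
<script src="http://unknown-host.example/a.js"></script>
</body></html>"""

def _host(src):
    try:
        return (urlparse(src).hostname or "").lower()  # relative URLs have no host
    except ValueError:
        return src.lower()  # malformed URL: report it verbatim rather than skip it

def external_hosts(markup, allowed):
    """Return the script source hosts in markup that are not on the allowlist."""
    hosts = set()
    for src in SRC_RE.findall(markup):
        host = _host(src)
        if host and not any(host == a or host.endswith("." + a) for a in allowed):
            hosts.add(host)
    return sorted(hosts)

def scan_webroot(root, allowed, since=None):
    """Scan .html/.htm/.php files under root; return (file, hosts, recent) tuples.

    recent is True when the file was modified on or after `since`. Every file
    is scanned regardless, because modification times can be reset.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".html", ".htm", ".php"}:
            continue
        hosts = external_hosts(path.read_text(errors="replace"), allowed)
        if hosts:
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            recent = since is not None and mtime >= since
            findings.append((str(path.relative_to(root)), hosts, recent))
    return findings

if __name__ == "__main__":
    print(external_hosts(SAMPLE, ALLOWED))
```

The scan only sees literal `<script src=...>` tags; a tag written out at run time by inline JavaScript or PHP will not match, so comparing the files against a known-good copy is still needed.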

Graham_and_Karen (Regulars)
« Reply #8 on: August 15, 2007, 08:39:16 AM »
Quote from: Ploppy
> Unfortunately it does look like we had a problem.
>
> Various files (index.htmls & index.phps) had been altered on the 9th of August to include a script. Not sure what they did, NoScript did not report the wdqccrzpmd.hk for me as it did for Chas.
>
> I have edited the files to remove the offending script calls and will be in touch with Invision to see if they can help ascertain how it happened.
>
> Chas can you see how it is behaving for you now.
>
> Anyone using Firefox can install the NoScript addin as it is pretty useful. However disabling scripts on the forum can cause other problems like Fast Reply will not work and you don't get all your posting options. Only started using it so maybe Chas can give us some pointers? i.e. how do you add smileys in your posts when NoScript disables the side panel?
>
> I will try and give an update tomorrow. It has been a long c%$p day and I need to go to bed!
>
> Thanks,
>
> Paul

Maybe I haven't seen a problem because my security level is lower and I routinely add sites like plakias.co.uk to my trusted sites list. Maybe I should be more cautious in the future.

Ploppy (Administrator)
« Reply #9 on: August 15, 2007, 08:45:30 AM »
Quote from: Chas
> A very brief tutorial on "NoScript"

Excellent, Thanks Chas.

That clears up the one query I had. In that you 'Allow' Plakias... hence all functionality is there for you. But allowing Plakias... will still not run scripts referencing external sites which I thought it might.

Ploppy (Administrator)
« Reply #10 on: August 15, 2007, 11:13:06 AM »
An update.

Invision say that they did have some FTP accounts compromised and that all customers were notified to change their passwords. I don't recall seeing any e-mail (but that doesn't mean I didn't get it), I can check later.

I have deleted most FTP accounts and changed passwords (get in touch John if you want to do any uploading).

So there has been a threat since the 9th, however both my home and work machine would have been affected and I have found nothing suspicious on either machine after a full Virus and Spyware scan.

Let me know if you encounter any problems.

Thanks,

Paul

ostraco (Administrator)
« Reply #11 on: August 15, 2007, 01:00:19 PM »
Quote from: Ploppy
> An update.
>
> Invision say that they did have some FTP accounts compromised and that all customers were notified to change their passwords. I don't recall seeing any e-mail (but that doesn't mean I didn't get it), I can check later.
>
> I have deleted most FTP accounts and changed passwords (get in touch John if you want to do any uploading).
>
> So there has been a threat since the 9th, however both my home and work machine would have been affected and I have found nothing suspicious on either machine after a full Virus and Spyware scan.
>
> Let me know if you encounter any problems.
>
> Thanks,
>
> Paul

I haven't seen any email either Paul - tho my connection at home is still flakey, and I can't check at work.
Things seem to be behaving OK for me at work today - will also check tonight when I get home.
As for uploading Paul - would love to be doing some re-working of the site - but I can't see that happening in the near future.
Cheers all!
John - Ostraco

Chas (Regulars)
« Reply #13 on: August 15, 2007, 04:01:13 PM »
Point of information -

I found the problem on the "Welcome to Plakias" Homepage - not here in the forum.

If, like me, you come direct to the Forum, you shouldn't have been compromised.
Chas



Stupidity is its own reward.

George (Regulars)
« Reply #14 on: August 15, 2007, 04:12:14 PM »
Come on Chas, you're not paying attention. I mentioned that further back in the thread.

Well done all you guys, this thread went way over my head.

george g...