We Got Hacked


Status
Not open for further replies.

admin

Smoking a Pipe Right Now
Staff member
Nov 16, 2008
8,873
5,656
St. Petersburg, FL
pipesmagazine.com
As alluded to and discussed in my BURP!!! post, we did in fact get hacked and it was several more files than I thought.
As of this writing all of the infected files have been restored.
If you have anti-virus and firewall software installed on your machine, you are most likely ok.
I'm the closest to all of these files as I surf all parts of the site all day. I scanned my machine and it's fine.
You may want to scan your machines just to be safe, and if you don't have anti-virus and firewall software, you have no business being online, and you better get some right away.
This is a brand new exploit that just cropped up last month. I haven't found the holes and closed them yet. I still have pages and pages of reading to do.
Please do me a favor. If your anti-virus software throws a warning when you come to the site, please let me know by EMAIL, not by PM.


 

admin

Smoking a Pipe Right Now
Staff member
Nov 16, 2008
8,873
5,656
St. Petersburg, FL
pipesmagazine.com
If you've recently changed your avatar and used the same file name as the old one, it may have got replaced, like mine did. It was easier to just restore all files than pick and choose.

 

francois1

Might Stick Around
Jul 21, 2011
92
0
KEVIN, in the last 2 days my computer has been blocking the site. It does not happen all the time.

david

 

admin

Smoking a Pipe Right Now
Staff member
Nov 16, 2008
8,873
5,656
St. Petersburg, FL
pipesmagazine.com
This is a pain in the butt. I just killed two hours on this crap.
I found a love.php file in the root that looks like the culprit. Oddly, when searching for info on it, there is nothing to be found.
There's also some weird binary file "Atomic Archive configuration script".
Any geeks out there know anything about this stuff?

 

morlader

Can't Leave
Mar 2, 2011
483
1
Cornwall UK
When I logged in this morning my avatar had changed to an old one. I've changed it. Yesterday my anti-virus AVG warned me that it had blocked an intruder. All OK here now.

 

admin

Smoking a Pipe Right Now
Staff member
Nov 16, 2008
8,873
5,656
St. Petersburg, FL
pipesmagazine.com
@coalsmoke - thanks for that. The server tech informed me it was something he was messing with and told me I could delete it. It raised suspicion since it was a binary file and it wasn't on my local drive.
As to the hack - it should be fixed now, but I am still working on closing the hole. So, it could come back if he beats me to the punch. Please let me know if you still have this issue after today, but you don't have to email about virus / trojan warnings today.
It's not what I planned on working on today, but I am enjoying an amazing pipe full of Stokkebye Proper English.

 

nemrod

Can't Leave
Apr 28, 2011
337
1
Sweden
"if you don't have anti-virus and firewall software, you have no business being online, and you better get some right away."
I have no AV. Then again I use Linux. ;)
If that love.php wasn't there originally the real problem is that someone was able to put an arbitrary file on the server.

 

admin

Smoking a Pipe Right Now
Staff member
Nov 16, 2008
8,873
5,656
St. Petersburg, FL
pipesmagazine.com
@nemrod - ha! I guess you are fine using Linux. You're a "Super Geek". :wink:
It seems it is an issue with timthumb.php, which generates the little thumbnails on the "Most Popular Posts" plugin.
I do not like the way the new version of the plugin functions, so I am trying to just update timthumb.php without installing the new version of the plugin.
The love.php file is at least polite enough to tell you what it is right in the header comments -
/**
 * WSO 2
 * Web Shell by oRb
 */
It's pretty interesting looking at the code. Lmk if you want me to email it to you Nemrod.
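An added example, not part of the original thread: one way to find files like love.php is to compare the live web root against a known-good copy (such as the local copy admin mentions) and list what was added, changed, or removed. The directory names, file contents and the `demo()` helper are constructed placeholders.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map each file's path relative to root to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes

def compare(known_good_root, live_root):
    """Report files added to, changed in, or missing from the live tree."""
    good, live = snapshot(known_good_root), snapshot(live_root)
    added = sorted(set(live) - set(good))
    return {
        "added": added,
        "added_php": [p for p in added if p.lower().endswith(".php")],
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
        "missing": sorted(set(good) - set(live)),
    }

def write_tree(root, files):
    """Create the constructed sample files under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)

def demo():
    """Constructed sample trees; file contents are harmless placeholders."""
    good = {"index.php": b"<?php // home", "timthumb.php": b"<?php // v1",
            "avatars/admin.jpg": b"old-avatar"}
    live = {**good, "love.php": b"<?php /* placeholder */",
            "avatars/admin.jpg": b"new-avatar"}
    with tempfile.TemporaryDirectory() as base:
        write_tree(os.path.join(base, "backup"), good)
        write_tree(os.path.join(base, "webroot"), live)
        return compare(os.path.join(base, "backup"), os.path.join(base, "webroot"))
```

A new .php file in a web-served directory is the finding to look at first. A clean comparison after restoring files only shows the files match the backup, not that the upload hole is closed.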

 

marmal4de

Lifer
Feb 20, 2011
2,315
4
Richmond, BC
If you don't use antivirus software, you're probably using a Mac, and belong on the Internet just as much, if not more than anyone. Super bummer in the hacked bullshit.

 

classicgeek

Part of the Furniture Now
Apr 8, 2010
710
1
What I'd like to know is how you keep the forums so spam-free. Whatever you're doing, keep it up!
Simon

 

collindow

Part of the Furniture Now
Jul 15, 2010
738
4
Portland, OR
Yeah, my computer popped up a warning the other day. The site was loading super-slowly, too, so I just closed the page. I figured it was either an error (Norton is a tad retarded), or that the site had gotten hacked. Too bad it wasn't just Norton being a dunce.

 

scotrob

Starting to Get Obsessed
Jul 24, 2011
178
0
Even though Avast supposedly blocked a Trojan which tried to install itself when I was on the forums page, the Trojan (Trojan.Gen for anyone interested) still installed - had to remove it with Spyware Doctor... all is well again now I think :)

 