Hypography under attack
Posted 28 February 2010 - 10:57 AM
Some members may have had display or access problems, or had access blocked by your browser’s security features. Some, but not all, pages of our site were infected.
Although at present, we’re reading clean via such advisory services as Google Safe Browsing, there’s a strong possibility that the infecting files attempted to install malware on your computer. If you have a common antivirus program (eg: McAfee, Norton) installed, it should have prevented this, but you may want to check to see that you have antivirus software, that it’s working, and scan all your files for trouble.
Our and our hosting service’s dev & support staff are investigating, but at present, the precise means of the intrusion haven’t been identified, so we can’t rule out the possibility of more trouble.
Posted 28 February 2010 - 12:10 PM
I came up with PolicePro crap using my malware scan, but I cannot say it was from here or elsewhere where it was installed from.
Posted 28 February 2010 - 12:35 PM
I’ve not many details. Google Safe Browsing describes the infecting site as “includes 8 trojan(s), 6 exploit(s)”, the only actual antivirus log entry I got was for a port access attempt from a Chinese host. I found some forums discussing the hosts involved that mention TrojWare.Java.TrojanDownloader.Agent.*, for which I found little detailed information, other than it.
Do you have info on what malware/virus was found?
If you mistrust your antivirus, I recommend searching your files for *TrojWare* or *TrojanDownloader*, and, if you're comfortable doing such things, your registry for TrojWare or TrojanDownloader.
When more details are available, we’ll post them here.
Posted 01 March 2010 - 04:24 AM
Then on entering hypography later I got a request from Microsoft© Register server on my pc to do something. I declined, because the advert area had an error message, but before I did I noticed that it was trying to connect to (http colon //rebellion dot servh#p dot com/404.php, replace the dots with '.' and the colon with ':' but don't go there).
If you've got an extra icon on your taskbar that says Java and you downloaded an addon in the past week then uninstall Java 5(?) now. If you click on the icon you get the Microsoft © Register server again trying to access (nofear dot serv dot http) with the message
Website wants to open web content using this program Windows Host Process (rundll32)
Java 2 Platform
Don't click this link either.
The 'ads by Google' server may have been poisoned with a bad ad that gave hypography users bad malware.
And interestingly enough MS issued unscheduled patches to their Server 2008/2003 client-side x64 software on Friday. I've got 32-bit Vista (dual Pentium huh).
Just re-read the first post and clicked on the link, if you were asked by an ad (on the hypography website) to load Java in the past week or so, uninstall it and rescan your pc now.
Posted 01 March 2010 - 04:43 AM
We will be upgrading our server as well as our forum software this evening and hopefully that will sort the issues for us.
I apologize to everyone who has been infected with a virus or malware - this has apparently been a blanket attack on many vBulletin sites, and it is very difficult to stop these things when they first happen.
Posted 01 March 2010 - 08:55 PM
After 8 hours I managed to salvage a backup from our storage. So we have only lost a few hours of posts! We have also worked hard to secure the forums as best we can.
We will repeat the upgrade attempt at a later date. For now I'm just happy to see everything back.
Posted 10 March 2010 - 11:14 AM
Posted 10 March 2010 - 04:19 PM
Let me know what you want & how you want it. Hypography Good; hackers Bad!
Posted 10 March 2010 - 04:36 PM
When it came back, I kept getting messages about updating Java and an Acrobat plugin error, which I ignored.
All three of my machines seemed to be running a little slowly, so to be on the safe side I uninstalled Java and then reinstalled from the Sun Microsystems website. Everything seems OK now.
The Firefox message came back again today but I overrode it and cautiously tiptoed on to the site. It's gone again now, but Google "hypography" and you get the message "This site may harm your computer" (confusingly, with a green "ok" tick from AVG).
I suspect it's a cunning ploy by the admin to make me sign up again for sponsorship status: no adverts, no malware. Honest, guys, I was going to do it this week... it just slipped my mind!
edit: Firefox malware message came back while I was making this post.
Posted 10 March 2010 - 04:38 PM
I read that a tracking cookie can be a single pixel.
This is what was blocked just 10 minutes ago:
Date: Wednesday, March 10, 2010 1:17 PM (PST)
Actor: program files\google\update\googleupdate.exe
Actor: PID 2512
Target: Defense files
Action: Open Process Token
Posted 10 March 2010 - 05:01 PM
Diagnostic page for hypography.com/forums
What is the current listing status for hypography.com/forums?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 135 pages we tested on the site over the past 90 days, 10 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-02-27, and the last time suspicious content was found on this site was on 2010-02-27.
Malicious software includes 8 trojan(s), 6 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 1 domain(s), including rebellion.servehttp.com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including nofear.servehttp.com/.
This site was hosted on 1 network(s) including AS13438 (VIVIO).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, hypography.com/forums did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Updated 23 hours ago
Nothin' to worry about.
Posted 10 March 2010 - 05:39 PM
Hackers should be shot on sight.
or on site; wherever ya find 'em is good.
Posted 10 March 2010 - 09:22 PM
Something was shutting down my firewall.
I updated Java.
I un-installed Java.
Did a bunch of rescans / reboots to clear the system.
During the worst of it (firewall shutdown) I was also getting Acrobat errors even though that program was not running. Went through my Java temp files and found 3 files with the servehttp or httpserve name. I deleted those thinking there might be something going on with them. Still had issues. After taking out the Java AND a rescan, the firewall hasn't shut down and the Acrobat errors stopped. I do need a more current version of Acrobat, but the last time I updated, I hated the changes and so I went back to an older version.
A few times visiting in the last day or so, I was seeing the httpserve or servehttp name coming up in the status bar as I loaded hypo. Scans afterwards did not find issues. I still do not have Java installed.
Posted 11 March 2010 - 03:03 AM
Right now it seems as if we have managed to patch the box up for a while. We have done a thorough scan of the system and updated everything to the latest patches etc. And Google has removed our blacklisting.
Posted 11 March 2010 - 08:21 AM