Demand your FTP!
- Hermskii
- Site Admin
- Posts: 8522
- Joined: Sun Jul 10, 2005 9:56 pm
- NoMoreSpam: Silver
- Location: Houston, Texas
Demand your FTP!
Hey folks,
As you know I got hacked here at the forum recently. My web space provider caught it very fast and repaired everything but turned off several features until I met with certain security requirements at their request. I have completed my list of things to do and informed them I was turning everything back on now which I have already done. The last step is to have Google recheck out the forum and all FTP related storage I have and give this site a clean bill of health again which it had enjoyed for over 4 straight years.
My research has not turned up much. At first I thought this started to happen on OCT 2nd but later determined I was wrong and it had started on OCT 8th. My provider was quick to shut me down but is very tight lipped about telling where this started and how it was done. My web usage was off the chart several months ago and I determined that I had a single file on the FTP that I thought was being downloaded but it may have been pushing info the whole time. I don't know if it was related but I removed it a long time ago and my numbers are all square. Then this happened. In short, all is back to normal almost and I'm sorry for this issue. I think we were a random victim of a script. I don't think anyone here did this knowingly or on purpose. Peace!
~Peace~
Hermskii
- gopostal
- Posts: 1396
- Joined: Tue Nov 18, 2008 9:32 am
Re: Demand your FTP!
FTP wouldn't do this sort of thing. It's more like a storage locker and won't/can't activate like an .exe file. Perhaps someone uploaded a nasty and linked back into it but that wouldn't result in the forum blacklist that google gave. They would have blocked the redirected portion only but the current block is for the entire site. I've seen this before and they (usually) found a "trigger" somewhere in the forum on a normal crawl that either links to a malware loader or is one itself.
Think of it like this: If I want to share a picture I do my post, add a hyperlink so the jpeg renders in the post and then submit it. The other people only see writing and jpeg, with no idea that part is "linked in" from another site, effectively giving a window into their rig. I saw the same issue with Gametracker blocks in people's signatures. They were infected, unbeknownst to the person using them, and people who viewed the sig had the potential to themselves become infected.
You wouldn't click a link in a pr0n website, would you? Well these sort of things are exactly like you clicked on the link and all you had to do was look at them. AVG is updating their entire engine to deal with some of the stuff we are talking about, as it is new and very nasty.
This is totally unsolicited advice Herm but you'd do very well to disable any sort of hyperlinking in signatures. It will mean extra work for you because you'll have to host people's sig photos locally but I can pretty much guarantee you a re-infection if you don't if you can't identify the person(s). If someone is stupid enough to post the infecting link in an actual post you'll have a clear google link to the offending one and you'll know without a doubt.
BTW when tech support is "close lipped" that usually means they either can't be a$$ed to help or they are in over their heads.
- Feralidragon
- Posts: 100
- Joined: Thu Mar 12, 2009 4:32 am
Re: Demand your FTP!
Well, either way, it is nice to see Hermskii's site up again without any malicious alerts of any sort.
But yes, it just takes a small thing from outside to execute when it shouldn't, to evolve to something like this...
Btw, my hyperlink is clean, so you can exclude me from the list
But I don't agree on deactivating hyperlinks on signs. Well, I agree with it 50%.
Deactivate the "pure" hyperlinks but keep the images activated (something that even if the person clicks, doesn't go anywhere, and everything as http:\\www not detected as url).
Even because only Hermskii got infected, relative to hundreds of other forums with the exact same technology and host, so if it was from a signature, just delete every user's signature and let us post our signatures again.
The culprit most likely won't set it up again, and if someone does, you can identify them immediately imo. Better than having extra space to host the images themselves (even because you can do some heavy sh*t within the jpeg image itself, and not what you link it to).
Just my 2 cents
Nali Weapons 3: http://www.moddb.com/mods/nali-weapons-3
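The two posts above (gopostal's advice to disable hyperlinking in signatures, Feralidragon's counter-proposal to keep images but drop the clickable links) come down to one filter over signature markup. The Python below is an added example, not code from this forum or from phpBB: it assumes phpBB-style BBCode signatures, a constructed whitelist host `forum.example.invalid`, and a constructed sample signature, and it returns what it stripped so the admin can see which signature carried an off-site link.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder: the only host(s) signature images may be loaded from.
# Replace with the forum's own hostname when deploying.
ALLOWED_IMAGE_HOSTS = {"forum.example.invalid"}

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
URL_TAG = re.compile(r"\[url(?:=([^\]]*))?\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
BARE_URL = re.compile(r"\bhttps?://[^\s\[\]]+", re.IGNORECASE)


def image_allowed(src, allowed_hosts):
    """An image is kept only if it is an http(s) URL on a whitelisted host."""
    parts = urlparse(src.strip())
    return (parts.scheme.lower() in ("http", "https")
            and parts.hostname is not None
            and parts.hostname.lower() in allowed_hosts)


def sanitize_signature(sig, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return (clean_signature, removed).

    removed is a list of (kind, url) for every off-site link taken out:
    kind is "img" (remote image), "url" ([url] tag) or "bare" (auto-linked URL).
    """
    removed = []
    kept_images = []

    def img_repl(m):
        src = m.group(1).strip()
        if image_allowed(src, allowed_hosts):
            # Hide the allowed image behind a placeholder so the bare-URL pass
            # below does not touch it; restored at the end.
            kept_images.append(src)
            return "\x00IMG%d\x00" % (len(kept_images) - 1)
        removed.append(("img", src))
        return "[image removed]"

    text = IMG_TAG.sub(img_repl, sig)

    def url_repl(m):
        # [url=TARGET]text[/url] or [url]TARGET[/url]: keep the visible text,
        # drop the link. If the text is itself a URL the bare pass defangs it.
        target = (m.group(1) or m.group(2)).strip()
        removed.append(("url", target))
        return m.group(2)

    text = URL_TAG.sub(url_repl, text)

    def bare_repl(m):
        # Defang remaining bare URLs (http -> hxxp) so the board's auto-linker
        # no longer turns them into clickable links.
        removed.append(("bare", m.group(0)))
        return m.group(0).replace("http", "hxxp", 1)

    text = BARE_URL.sub(bare_repl, text)

    for i, src in enumerate(kept_images):
        text = text.replace("\x00IMG%d\x00" % i, "[img]%s[/img]" % src)
    return text, removed


# Constructed sample signature: one [url] link, one local image, one remote image,
# one bare URL.
SAMPLE_SIG = (
    "Visit [url=http://evil.example/x]my site[/url]! "
    "[img]http://forum.example.invalid/sigs/hook.png[/img] "
    "[IMG]http://cdn.evil.example/tracker.gif[/IMG] "
    "Server: http://bare.example/"
)

if __name__ == "__main__":
    clean, dropped = sanitize_signature(SAMPLE_SIG)
    print(clean)
    for kind, url in dropped:
        print("removed %-4s %s" % (kind, url))
```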
- Hook
- Posts: 3444
- Joined: Fri Feb 16, 2007 9:41 am
- NoMoreSpam: Silver
- Location: Minnesota USA (Just West of MPLS - by a pond beneath a tree - Dead & Buried)
Re: Demand your FTP!
Mine is CLEAN also!
It is internally generated from my site's host and my site.
They have very strict protection.
And all mine does is link TO my site! (that is it)
=Hook= of Hook's UT Place - Hopelessly Addicted to UT99!
Forum: https://hooksutplace.freeforums.net
CROSSBONES Missile Madness {CMM} (GT Top 50)
PRO-Redeemer | PRO-SNIPER-Redeemer | SEEKER-Redeemer
Birth Place of ALL Seeker/Scoped Deemers!
IP: NEW IP to come!
CROSSBONES Monster Hunt {CMH} (Special Edition MH by mars007)
IP: 108.61.238.93:7777
- Hermskii
- Site Admin
- Posts: 8522
- Joined: Sun Jul 10, 2005 9:56 pm
- NoMoreSpam: Silver
- Location: Houston, Texas
Re: Demand your FTP!
No time right now but here goes. I was hacked from a place called Sapporo, Japan. It is a little city on a little island just above the big one. My notes say it started at 7:00 AM on Oct. 8th but I may be wrong. Time for good news / bad news:
Good news: I did do everything that was required of me per my provider and Google and had them recheck afterwards to give this website a clean bill of health.
Bad News: This wasn't the only thing I had that was hacked. I logged in to my FaceBook for the first time in a month or two and behold, it was hacked too! I have that all fixed now but am nervous since I used that same password on so many other things too. I have already run around and changed it.
I think as GOPO said that my people are in deeper than they can admit. I do feel this will happen again and I'd bet the setting for the links is already disabled but if not, I'll let the site get hacked again and then I'll lock it down next time.
The amazing thing to me was that bot that got through the other day. It is the first and only one since I last modified my registration Captcha. I must have logged in on a machine somewhere that was already hacked is my best guess to all of this.
~Peace~
Hermskii
- Hook
- Posts: 3444
- Joined: Fri Feb 16, 2007 9:41 am
- NoMoreSpam: Silver
- Location: Minnesota USA (Just West of MPLS - by a pond beneath a tree - Dead & Buried)
Re: Demand your FTP!
So it sounds like it is merely a blind and Random act - even robotic.
Nothing from our members I would guess.
=Hook= of Hook's UT Place - Hopelessly Addicted to UT99!
Forum: https://hooksutplace.freeforums.net
CROSSBONES Missile Madness {CMM} (GT Top 50)
PRO-Redeemer | PRO-SNIPER-Redeemer | SEEKER-Redeemer
Birth Place of ALL Seeker/Scoped Deemers!
IP: NEW IP to come!
CROSSBONES Monster Hunt {CMH} (Special Edition MH by mars007)
IP: 108.61.238.93:7777
- Hermskii
- Site Admin
- Posts: 8522
- Joined: Sun Jul 10, 2005 9:56 pm
- NoMoreSpam: Silver
- Location: Houston, Texas
Re: Demand your FTP!
Yes, as I said before, I don't think it was anybody here.
By the way, I was hacked even more than I thought. I logged in to my facebook to find it all hacked to hell too!
My bet is I logged in on a key logger infected computer somewhere. The rest is history.
The lesson here is to only do your main business on computers you feel strongly are up to date with all the defenses like anti-virus and anti-spyware.
~Peace~
Hermskii
- gopostal
- Posts: 1396
- Joined: Tue Nov 18, 2008 9:32 am
Re: Demand your FTP!
If you read on my other thread the malware this site was installing was a keylogging variant. It's easily removed but nasty if you aren't properly firewalled because the thing can call home with info it finds.
Someone really has it in for you Herm. We have discussed this before on the phone and it's pretty evident now. For the foreseeable future you are going to have to lock things down, and I'd pay special care to your personal financial information. If they keylogged passwords you can be sure they harvested chat as well as banking info if you use the same connection.
I guess this is the thanks you get for years of UT support.
- David
- Posts: 1600
- Joined: Sat Oct 18, 2008 11:06 am
- NoMoreSpam: Silver
- Location: Arizona
Re: Demand your FTP!
gopostal wrote: if you aren't properly firewalled because the thing can call home with info it finds.
What will be a good firewall? I have the standard Windows firewall and my router is firewalled... I believe..... What would be a free....good... firewall?
Are you going to pull those pistols or whistle Dixie?
- gopostal
- Posts: 1396
- Joined: Tue Nov 18, 2008 9:32 am
Re: Demand your FTP!
David, here's a short primer on what you need and why.
Generally a hardware firewall (like a properly configured router) and even basic Windows Firewall protection is adequate. The problem is that it is set up as a brick wall in front of your house. Great to keep things out, but poor protection once something makes it past. You need to consider outbound protection just as much because of this.
What happens is you are cruising someplace infected and the exploit rides in with the webpage you are looking at. This is generally port 80, your "surfing" port and since said exploit is on the webpage it can get past the defense you have set up. Now keyloggers are nasty because they set up shop without altering anything or making changes. This keeps your anti-virus from triggering. Yes, you can find them with a malware scan now but this is after the fact. The truth is most people get infected and they cannot stop it. You have to deal with the problem at this point and it's why google blacklists sites so readily.
So you have this keylogger quietly running in the background until you scan and delete it. How do you protect from this? Well, get any free software firewall (I use Kerio) and configure it to block everything until you add exclusions. It's kind of a drag for a day or two because you have to manually set these as they want to access the internet but the upside is that NOTHING gets out without your say. Now the keylogger can mine all the data it wants but it can't send. Next time you scan with Malwarebytes you'll find and delete it, so all is now good.
BTW, if you have rootkits running (an especially bad infection) you might need to use the bigger, badder brother of Malwarebytes: Combofix http://www.combofix.org/ This needs to be a last resort as Combofix will scour your system for everything but I have heard of it removing damaged components and breaking programs that were infected. Consider it like penicillin for the infection. It's gonna remove it all, but it doesn't care what the infected stuff is linked to. Now I have used it many times on many computers and it has never failed me or harmed anything that was clean. Still, I'd use it dead last if you can't clean any other way (and that has happened to me before).
- Hermskii
- Site Admin
- Posts: 8522
- Joined: Sun Jul 10, 2005 9:56 pm
- NoMoreSpam: Silver
- Location: Houston, Texas
Re: Demand your FTP!
Does it show you what it wants to fix before it fixes it. I imagine so. I'd also think it creates a restore point or an undo option. Does it?
~Peace~
Hermskii
- gopostal
- Posts: 1396
- Joined: Tue Nov 18, 2008 9:32 am
Re: Demand your FTP!
Interestingly enough combofix will not work unless your restore is functional (whether you have it on or not is irrelevant). If your system restore has been turned off, it will still create a point for you. However if the malware has broken the system restore function completely (I've had this happen too), it will fix the system restore back to working order THEN begin the cleansing process after creating a working restore point.
Combo has saved my life a couple of times from bad infections. I recommend it without hesitation if you have a sticky problem you can't get resolved.
- Hermskii
- Site Admin
- Posts: 8522
- Joined: Sun Jul 10, 2005 9:56 pm
- NoMoreSpam: Silver
- Location: Houston, Texas
Re: Demand your FTP!
That is awesome GOPO. Now tell me this, I have used a free product before called CCleaner. It can be turned up to be wildly strong and I have recovered machines before that nobody thought would ever boot up again. It has saved me plenty of times. All of that said, here is my question:
MalwareBytes really has no options so the default settings are good to go.
CCleaner has tons of options but out of the box it is very weak just like AVG Anti-Virus.
Does this program you mention have lots of options, and are the default install scan settings good enough by themselves to catch most nasty-hiding-things in your OS?
Oh, oh, oh, oh, oh, oh, oh! ..............Mr. Carrrrrrrrter! Can it be loaded onto a boot CD and run also?
~Peace~
Hermskii
- gopostal
- Posts: 1396
- Joined: Tue Nov 18, 2008 9:32 am
Re: Demand your FTP!
Ccleaner is ok, it's handy to keep a rig lean and clean but it won't help much once you are infected. I Cclean about once every three days, just to keep the internet cache empty. System runs better that way and the time between defrags can be extended too. All those orphan files don't just keep taking up disk space.
Here's the pecking order for a guaranteed clean machine:
Run Ccleaner (at least) once a week. Sunday is my "clean the computer" day. I used to do it daily but I'm using my computer much less now so I can go with Sundays.
Run defraggler once a week (google it, it's free). Windows defrag is nowhere near as good. Don't skimp and do the "quick defrag" either. Let it sort your entire drive that your OS is on.
Run Malwarebytes at least once a week too. More if you "feel" like your computer is acting funny. If it finds something besides tracking cookies let it clean and then delete whatever it flags. Reboot and rescan. Don't skip this, you need to reboot to try to reactivate the malware if it wasn't cleaned correctly. If after a reboot you find more infections this means you probably have a rootkit, something Malwarebytes sometimes has trouble with. See next step.
If you had what I call a "double positive scan" from the previous paragraph, it is time to bring out the big gun. Shut down anything running, turn off your antivirus (use taskmanager if you have to kill the processes), and then run Combofix. Drink a beer and wait for a clean computer. Combofix has never failed me, not once.
ADDENDUM=
Some notes on combofix....C-fix has *no* options. It is run outside of windows (you'll see the command prompt come up) and really you just click it and it takes off. If you are infected with that damn Window Defender 2010, or whatever variant, and you can't run *anything*, boot into safe mode and then run C-fix. Yes, you can run it from a jump drive but I'd recommend it is run from the drive being scoured. It will require an internet connection to check for the latest version so if you boot into safe mode select the "with networking" option.
Guys don't be afraid of Combofix. I would for sure add that to your toolbelt for computer maintenance.
(whew.....sorry so long Herm. Lots to say though)
- Hermskii
- Site Admin
- Posts: 8522
- Joined: Sun Jul 10, 2005 9:56 pm
- NoMoreSpam: Silver
- Location: Houston, Texas
Re: Demand your FTP!
Good stuff GOPO. That was exactly what I wanted to hear. Thanks!
~Peace~
Hermskii