URGENT NOTICE

RE: Is this email from TMC for real?

Postby marionhaste » Tue Jul 17, 2007 9:33 pm

Ah. Thanks. Missed that.

Postby icke » Tue Jul 17, 2007 9:44 pm

I guess that means that all members' email addresses have been 'harvested'?

ah well, cr_p happens....
Black KvdW Speedster / Arrarex Caravel / Elektra Nino / Vario / Huky 500 / and a bunch of less frequently used things...
LMWDP #386

Postby Cas » Tue Jul 17, 2007 10:19 pm

I've just got in, a little drunk, and opened the email with the virus in the link. Luckily my virus checker picked it up. I was a bit confused until I saw this thread :shock:
Reneka Techno V2M ~ Mazzer Mini E ~ Swiss Gold

Postby phil » Tue Jul 17, 2007 10:45 pm

OK

I *think* I've tracked down the exploit and applied a temporary patch. I've also notified the software authors and asked them to approve the temporary patch and supply the approved way of sanitising the input.

My apologies to everyone for the inconvenience. I expect that other Postnuke / PNphpBB sites were affected as well though.

'Night all.
La Spaziale Spazio 2 group semi-auto

La Spaziale Lusso grinder (espresso),
Macap MC4 shop grinder (brewed coffee)
Three Thor tampers
Two Hottops, first since Feb 2003
No partridge, no pear tree either
Conas, Zassenhaus hand grinder....

Postby Gouezeri » Tue Jul 17, 2007 11:06 pm

For anybody not as technically minded, what Phil is saying is that there was a flaw in the forum software that TMC uses. This software is used by a wide number of internet forums, who are all at risk from the same exploit. Unfortunately there will always be a small number of exploits which will be used maliciously before a fix can be applied. To put things into perspective, the site is generally attacked on a daily basis and this is the first time, to my knowledge, that it has ever been compromised.

At the moment there does not appear to be an official fix for this flaw, but Phil has spent a considerable amount of time tracking down exactly what has happened and how best to fix it. The fact that he has provided the authors with his own patch, before an official patch is released, is testament to his own skills and dedication!

In the meantime we would like to recommend that users make sure that both their anti-virus and anti-spyware are up to date. If you do not currently have one or the other installed, then we strongly recommend you install something such as AVG Free and Spybot S&D. Personally, I would also recommend switching Internet Explorer for an alternative such as Firefox.

Any further updates will be added to this thread.

Again we are extremely sorry for any inconvenience caused.
D
This week I are feeling sleepy!

Postby CakeBoy » Tue Jul 17, 2007 11:07 pm

Various 'incident' related threads merged into this topic for tidiness and a single resource. Please make any additions/comments, if necessary, in this thread, rather than creating new threads and covering the forum with repetitions of the same information. We are working on this, and will let you know as soon as we have any further information.
www.CakeBoy.co.uk
International muffin blagger

Iberital L'Anna 1 Gp Hand-Fill | Wega Orion 2 Gp | Bezzera 1 Gp | Rancilio Audrey PID | Spidem Trevi
Iberital MC2 Timed | Macap M4 DS & MXA DS | Mazzer SJ | Starbucks Barista Grinder (Dualit E60/Solis 166)
Pinhalense 2x500g Gas Batch/Sample Roaster | Gene Cafe | IMEX CR-100
Aerobie | eSantos | Zassenhaus | Bodum P/Over | Chemex | Hario Woodneck | Timer Filter

Postby Sunnyfield » Wed Jul 18, 2007 12:14 am

I installed an ActiveX component that was found on this site. It was from "Microsoft Corporation". Did I install the trojan this way or is it genuine? Can I disable it?
La Marzocco GS/3, Elektra Nino, Feima 800N solid drum gas roaster

Postby CakeBoy » Wed Jul 18, 2007 12:23 am

From the site the link took you to? The trojan concerned is called "Downloader". Details and removal tools can be found on the usual AV sites, Symantec, McAfee, Kaspersky, Panda, Sophos and all the others. You should scan your computer to make sure. Shout if you get stuck.

Postby moisty » Wed Jul 18, 2007 1:19 am

It's still here, nod32 picked it up as soon as I opened the forum index page a few moments ago. Like others, the same happened when I stupidly clicked on the link in the dodgy email and came here to see what was happening!

:puts tin-foil hat on:

Postby Sunnyfield » Wed Jul 18, 2007 2:38 am

CakeBoy, the ActiveX control is both on the link AND TMC! I feel quite stupid installing it, but I thought it was genuine. :oops:

I use Norton 360 (Symantec). The AV programme is supposed to be user-friendly, so all warnings are hidden from the user. I have no idea if it was removed. I will do some testing tonight.

Can somebody post a link to a virus database with the virus description, please?

Update

Postby phil » Wed Jul 18, 2007 8:12 am

Last night I went to bed thinking that I'd not only blocked the exploit, I'd also dealt with all of the places where the hackers had planted links to the trojan.

The above posts showed me that I was wrong. It turns out that they'd placed another link in the name of the "Espresso" forum. B*stards.

I'm hoping that that's the end of it, but I'm going to run further tests. Frankly I feel somewhat violated that this scumbag could come in and hack my site. :mad:

A take-away from this sad episode

Postby phil » Wed Jul 18, 2007 8:39 am

I'm very upset that a number of TMC members may have suffered as a result of this evil attack on our site and community.

One thing that in future would help those members who had problems is to check their browser security settings if they are still using Internet Explorer.

Much better would be to just get Firefox or Opera. Firefox is free after all and only takes a few moments to download and install.

Once again, I'm sorry that these dirtbags were able to do this to us (and presumably a whole bunch of other sites using the same software).

Peace,

Phil

Postby GreenBean » Wed Jul 18, 2007 8:52 am

Hi Phil,

I was one of the people affected by this virus yesterday and again early this morning. AVG free edition caught it each time without any problem.

I can confirm that as of about 09:30 today I am no longer having a problem. I know it is not possible to make any site absolutely secure, especially when using third party software, and I am sure we all appreciate your efforts to sort it out so quickly.

Why anyone would want to attack a community like TMC is a mystery to me. Sadly there seem to be some sick people out there.

Izzo Alex Duetto | Gaggia XD 2 Group | Mazzer Super Jolly | La Cimbali Max | Solis 166 | Dalian 1 kg roaster | Hottop P | Hottop B | French Press (several) | Kettle modded, no really, added digital thermometer |

Postby lukas » Wed Jul 18, 2007 9:19 am

Good work Phil. Be sure to check the server for rootkits, the last time such a hack happened to me the rootkit went undiscovered until the server crashed (and I was lucky that that rootkit was originally written for redhat while I was using debian ;)) :(
Lukas

This week I like my coffee luke-warm.
--
Newest kit: Ghibli R-15

Postby phil » Wed Jul 18, 2007 9:36 am

First thing I did was to scan the site for updated files. There weren't any other than compiled Smarty templates and a handful of piccies uploaded to the forum.

Thanks for the advice Lukas - valued as always mate! :)
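
Phil's first check above was to scan the site for updated files; this added example (not Phil's or PNphpBB's code) shows one way to do that with a saved checksum manifest, skipping the directories he noted as normally changing. Directory names (templates_c for compiled Smarty templates, uploads for forum images) are assumptions.

```shell
# Added example, not phil's own script: snapshot a web root into a checksum
# manifest, then report files that changed or appeared since the snapshot.
# All paths are assumptions; templates_c (compiled Smarty templates) and
# uploads (forum images) are treated as expected churn, as phil's scan did.

# make_manifest WEBROOT MANIFEST: one "sha256  ./relative/path" line per file.
make_manifest() {
  ( cd "$1" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# check_manifest WEBROOT MANIFEST: print "NEW path" for files absent from the
# manifest and "CHANGED path" for files whose checksum differs. Paths containing
# whitespace are not handled, to keep the awk lookup simple.
check_manifest() {
  root=$1; manifest=$2
  ( cd "$root" && find . -type f -print | LC_ALL=C sort ) | while IFS= read -r f; do
    case "$f" in
      ./templates_c/*|./uploads/*) continue ;;   # expected churn (assumed dirs)
    esac
    now=$(cd "$root" && sha256sum "$f" | cut -d' ' -f1)
    old=$(awk -v p="$f" '$2 == p { print $1 }' "$manifest")
    if [ -z "$old" ]; then
      echo "NEW $f"
    elif [ "$old" != "$now" ]; then
      echo "CHANGED $f"
    fi
  done
}

# demo: build a constructed sample tree, snapshot it, then simulate one edited
# file, one dropped-in file and normal template/upload churn.
demo() {
  tmp=$(mktemp -d); root=$tmp/webroot; m=$tmp/manifest.sha256
  mkdir -p "$root/templates_c" "$root/modules/pnForum" "$root/uploads"
  printf '<?php // constructed sample\n' > "$root/index.php"
  printf 'forum list\n' > "$root/modules/pnForum/names.txt"
  printf 'compiled\n' > "$root/templates_c/a.php"
  make_manifest "$root" "$m"
  printf 'tampered\n' >> "$root/modules/pnForum/names.txt"   # altered existing file
  printf 'x\n' > "$root/dropped.php"                          # new file in web root
  printf 'recompiled\n' > "$root/templates_c/a.php"           # churn, should be ignored
  printf 'img\n' > "$root/uploads/pic.jpg"                    # churn, should be ignored
  check_manifest "$root" "$m"
  rm -rf "$tmp"
}
```

As this thread shows, a file scan cannot see content kept in the forum's database, such as the link planted in the Espresso forum's name, so it complements rather than replaces a check of the database contents.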
