UU was hacked last night - help us fix!



rayan
05-01-2010, 08:35 AM
Hey everybody. Got some not so great news.

Last night, UU was hacked. It looks like the vulnerability was in our ad server. We've rolled back all the files on our site and taken down all advertising for now.

We need your help though. If you see anything suspicious, get a warning from your browser, etc., could you please screenshot and email it to ukuleleunderground(at)gmail.com.

I'm doing the best I can trying to fix it and make sure everyone is safe.

It's probably not necessary but I would recommend everyone change their password just to be on the safe side. Especially if you use a skeleton password.

Sorry about all of this.

Rzr
05-01-2010, 08:51 AM
I was going to ask because I couldn't get in this morning. I tried to send an e-mail and it was taking forever so I just shut everything down. Glad to hear you're on top of it, good luck. I don't know what I would do without UU!

byjimini
05-01-2010, 08:57 AM
Hmm, that explains why I couldn't access the forum until now. I'll report anything out of the ordinary, just pleased we're mostly back up and running! :)

rayan
05-01-2010, 09:02 AM
Thank you guys for understanding.

rayan
05-01-2010, 09:15 AM
We have reports of malware being installed on one user's computer during the short time our server was compromised. Please run your spyware sweeper and virus scan as soon as possible if you're running a PC.

If you have any problems and malware did make its way to your computer, post your problem here and we'll try to fix it together.

Farm3r_T3d
05-01-2010, 09:24 AM
When I tried posting to the Mya Moe thread I couldn't access the forum. I tried on my iphone and it popped up with some weird page. I quickly quit but it looked like it was trying to load something. I haven't been on a pc in a while but the page looked like the... not the preferences but... i think it's called the control panel. It said it was accessing my c:/ drive and it had a loading bar but obviously it wasn't because it's an iphone. When I saw that I quickly shut the page down. Hopefully it didn't do anything. I don't know if this helps at all but it is what I saw.

rayan
05-01-2010, 09:29 AM
When I tried posting to the Mya Moe thread I couldn't access the forum. I tried on my iphone and it popped up with some weird page. I quickly quit but it looked like it was trying to load something. I haven't been on a pc in a while but the page looked like the... not the preferences but... i think it's called the control panel. It said it was accessing my c:/ drive and it had a loading bar but obviously it wasn't because it's an iphone. When I saw that I quickly shut the page down. Hopefully it didn't do anything. I don't know if this helps at all but it is what I saw.

Yeah if you were on your iphone, it should be ok. This warning is more for the PC people, especially those running XP.

bt93
05-01-2010, 09:30 AM
when i tried to click on my notifications (from my macbook) a file began to download that my computer said was an application. i immediately stopped the download and reset my safari and deleted the download

rayan
05-01-2010, 09:33 AM
when i tried to click on my notifications (from my macbook) a file began to download that my computer said was an application. i immediately stopped the download and reset my safari and deleted the download
Do you remember what the program name was?

byjimini
05-01-2010, 09:34 AM
I haven't had anything Mac-related here, and I also clicked on my notifications.

rayan
05-01-2010, 09:38 AM
Thanks everybody for helping during this really crappy situation. Aaron drove down to my place pretty early in the morning and knocked on my door til I woke up. Been working on it ever since. We're really sorry for any UU member that was affected by this.

rayan
05-01-2010, 09:40 AM
Just to be clear though,

the UU store (ukeunderground.bigcartel.com), UUU classes and registration, and Ukulele Uprising are all hosted on different servers so they were all unaffected. It was only the main page, the forum and our ad server

itsme
05-01-2010, 09:41 AM
We have reports of malware being installed on one user's computer during the short time our server was compromised. Please run your spyware sweeper and virus scan as soon as possible if you're running a PC.
When I first tried to access the forum this morning, I was barraged with some kind of "your computer is infected, click here" type of malware. I got a screenshot, but was unable to dismiss the pop-up alerts that were coming fast and furious (I know better than to click on them) so I had to reboot without a chance to save the screenshot.

I know for a fact that it was UU, because I have UU set as my homepage in FF (since the formatting is whack in IE8) and had just launched FF and not gone to any other pages.

After rebooting, I updated and ran both MSE and Superantispyware and came up clean. (Well, SAS always finds lots of cookies it doesn't like, but that's par for the course.)

rayan
05-01-2010, 09:41 AM
When I first tried to access the forum this morning, I was barraged with some kind of "your computer is infected, click here" type of malware. I got a screenshot, but was unable to dismiss the pop-up alerts that were coming fast and furious (I know better than to click on them) so I had to reboot without a chance to save the screenshot.

I know for a fact that it was UU, because I have UU set as my homepage in FF (since the formatting is whack in IE8) and had just launched FF and not gone to any other pages.

After rebooting, I updated and ran both MSE and Superantispyware and came up clean. (Well, SAS always finds lots of cookies it doesn't like, but that's par for the course.)

Thanks for the update. Is it all clear now?

Matt Clara
05-01-2010, 09:45 AM
I left the forum open on my computer last night, this morning when I refreshed the page, I could only see the stickies at the top, and when I clicked on them nothing happened. So I went to the root site, ukuleleunderground.com, to see if someone had posted an explanation as to what was going on. I immediately got a java pop-up that there might be a problem with the website, warning me of malware on the site. This was interesting, as I'm running Ubuntu, and I don't have any software installed to warn me of malware. Instead of clicking the Ok, or the Cancel buttons, I clicked the little red X in the upper right corner. I was immediately redirected to a new web page designed to look like a Virus scan interface with a Windows My Computer look, complete with the windows defender shield logo and little green scan progress lines climbing towards completion (again, less than effective in my case, because I'm not running windows). When the completion bars complete, the site declares your computer to be infected, and another java pop up loads, instructing you to click Ok to download the software to clean up your computer. Again I clicked neither of the buttons presented me, and instead clicked the little close prompt X in the corner, and the software started downloading anyway. Ubuntu asked me if I wanted to save the download and I said no. It was a pretty slick setup, though, and I could see somebody (my mom) clicking Ok. The first trojan horse of this nature I encountered some years ago eventually tried to sell me software to clean up the mess that it had made. And it won't let your browser(s) search for a solution to the problem (or anything else) either. You just keep getting redirected. Frustrating as hell.

jontom
05-01-2010, 09:45 AM
I don't know if this might help rayan but when I tried to navigate the forum, it was pointing to some files like bt93 said before. I couldn't download it because I'm on a macbook but.. I've seen the code like when you try to download some app in your browser and you don't have any association on your OS. I guess it was a snippet or something like that...

rayan
05-01-2010, 09:47 AM
I left the forum open on my computer last night, this morning when I refreshed the page, I could only see the stickies at the top, and when I clicked on them nothing happened. So I went to the root site, ukuleleunderground.com, to see if someone had posted an explanation as to what was going on. I immediately got a java pop-up that there might be a problem with the website, warning me of malware on the site. This was interesting, as I'm running Ubuntu, and I don't have any software installed to warn me of malware. Instead of clicking the Ok, or the Cancel buttons, I clicked the little red X in the upper right corner. I was immediately redirected to a new web page designed to look like a Virus scan interface with a Windows My Computer look, complete with the windows defender shield logo and little green scan progress lines climbing towards completion (again, less than effective in my case, because I'm not running windows). When the completion bars complete, the site declares your computer to be infected, and another java pop up loads, instructing you to click Ok to download the software to clean up your computer. Again I clicked neither of the buttons presented me, and instead clicked the little close prompt X in the corner, and the software started downloading anyway. Ubuntu asked me if I wanted to save the download and I said no. It was a pretty slick setup, though, and I could see somebody (my mom) clicking Ok. The first trojan horse of this nature I encountered some years ago eventually tried to sell me software to clean up the mess that it had made. And it won't let your browser(s) search for a solution to the problem (or anything else) either. You just keep getting redirected. Frustrating as hell.

Sorry Matt, is everything ok now? Or has the damage been done? Thanks for posting your experience. It will probably be helpful to others.

Dane
05-01-2010, 10:13 AM
Oh wait, now I remember my firefox spazzing out at one point. Like, it started to bring up all these blank tabs and stuff and it kept switching between my current tabs, it was really weird. Whenever something happens with my computer that I'm not controlling I often turn it off immediately. I don't remember if this was last night or the night before though =/

Also, who would make the effort to hack a ukulele forum? Go hack a Rolex forum or something, might be more beneficial.

bbycrts
05-01-2010, 10:14 AM
Ryan - I got a hit this morning when I tried to go to the UU main page. Here's the URL of the site that Avast hit on (jpg so it won't hotlink):

http://i154.photobucket.com/albums/s268/bbycrts/virushit.jpg

Dane
05-01-2010, 10:18 AM
I left the forum open on my computer last night, this morning when I refreshed the page, I could only see the stickies at the top, and when I clicked on them nothing happened. So I went to the root site, ukuleleunderground.com, to see if someone had posted an explanation as to what was going on. I immediately got a java pop-up that there might be a problem with the website, warning me of malware on the site. This was interesting, as I'm running Ubuntu, and I don't have any software installed to warn me of malware. Instead of clicking the Ok, or the Cancel buttons, I clicked the little red X in the upper right corner. I was immediately redirected to a new web page designed to look like a Virus scan interface with a Windows My Computer look, complete with the windows defender shield logo and little green scan progress lines climbing towards completion (again, less than effective in my case, because I'm not running windows). When the completion bars complete, the site declares your computer to be infected, and another java pop up loads, instructing you to click Ok to download the software to clean up your computer. Again I clicked neither of the buttons presented me, and instead clicked the little close prompt X in the corner, and the software started downloading anyway. Ubuntu asked me if I wanted to save the download and I said no. It was a pretty slick setup, though, and I could see somebody (my mom) clicking Ok. The first trojan horse of this nature I encountered some years ago eventually tried to sell me software to clean up the mess that it had made. And it won't let your browser(s) search for a solution to the problem (or anything else) either. You just keep getting redirected. Frustrating as hell.

I'm not the person to ask about these situations, but I always try to find a way to close the window without touching it. I'm PC so often I will open up my task manager and either end the window, or find its process and end that. Sometimes I can also just right click on the taskbar and hit Close.

Melissa82
05-01-2010, 10:19 AM
when i tried to click on my notifications (from my macbook) a file began to download that my computer said was an application. i immediately stopped the download and reset my safari and deleted the download
Now that I think of it, the same thing happened to me. I got a pop-up on Chrome that was trying to save a file called c:/

UkuleleHill
05-01-2010, 10:26 AM
Ryan - I got a hit this morning when I tried to go to the UU main page. Here's the URL of the site that Avast hit on (jpg so it won't hotlink):

http://i154.photobucket.com/albums/s268/bbycrts/virushit.jpg

I had the same thing happen and the same site hit. Mine went to the site like Matt's did. I am scanning right now to ensure I am not infected. Thank you Ryan for everything you do!

antirealist
05-01-2010, 10:35 AM
I was redirected to http://www3[dot]workfree36-td[dot]xorg[dot]pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D. No problems here, but I'm on a Mac.

itsme
05-01-2010, 10:49 AM
Update: After telling my husband what happened, he said to get Malwarebytes and run it. It found a bunch of nasties in the form of backdoor bots and a trojan installer, although they weren't dated so who knows when I got them for sure. And yes, I'm running XP.


EDIT: Here is the log file, if that helps any.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4057

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/1/2010 1:35:42 PM
mbam-log-2010-05-01 (13-35-42).txt

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 174649
Time elapsed: 21 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\myname\Local Settings\Temp\WjVIZsM4.exe.part (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.
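
The scan log in the post above follows a fixed layout that can be checked mechanically. This is an added example, not part of the original thread: a Python parser for that layout which reconciles the summary counts with the itemized detections and pulls out any extra program listed in the Winlogon Userinit value. The sample log is constructed from the post (shortened, counts adjusted), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the log posted above, shortened to two of the six
# registry keys, with the summary counts adjusted to match.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4057

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\myname\Local Settings\Temp\WjVIZsM4.exe.part (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.
"""

# "Files Infected: 2" is a summary line; "Files Infected:" opens a section.
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Infected:\s*(?P<count>\d+)?$")
# Item layout: "<target> (<family>) -> [detail -> ]<action>"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'items': [detection dicts]}."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            if header["count"] is not None:
                summary[header["section"]] = int(header["count"])
            else:
                section = header["section"]
            continue
        item = ITEM_RE.match(line)
        if item and section:
            # The last " -> " segment is the action taken; anything before
            # it (the Bad/Good pair on data items) is detail.
            *detail, action = item["rest"].split(" -> ")
            items.append({
                "section": section,
                "target": item["target"],
                "family": item["family"],
                "detail": " -> ".join(detail),
                "action": action,
            })
    return {"summary": summary, "items": items}


def reconcile(parsed):
    """Sections whose summary count differs from the number of listed items.

    A mismatch means the pasted log is truncated or was edited.
    """
    listed = Counter(i["section"] for i in parsed["items"])
    return {s: (n, listed[s]) for s, n in parsed["summary"].items() if n != listed[s]}


def userinit_extras(parsed):
    """Programs in a flagged Winlogon Userinit value other than userinit.exe."""
    extras = []
    for item in parsed["items"]:
        if not item["target"].lower().endswith(r"\winlogon\userinit"):
            continue
        match = BAD_GOOD_RE.search(item["detail"])
        if not match:
            continue
        for path in filter(None, (p.strip() for p in match["bad"].split(","))):
            if path.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                extras.append(path)
    return extras


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("families:", sorted({i["family"] for i in parsed["items"]}))
    print("count mismatches:", reconcile(parsed))
    print("extra Userinit programs:", userinit_extras(parsed))
```

Winlogon starts every program listed in the Userinit value at logon, so an extra entry there is the line in such a log that shows something had been set to run at each logon.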

haolejohn
05-01-2010, 11:08 AM
I left the forum open on my computer last night, this morning when I refreshed the page, I could only see the stickies at the top, and when I clicked on them nothing happened. So I went to the root site, ukuleleunderground.com, to see if someone had posted an explanation as to what was going on. I immediately got a java pop-up that there might be a problem with the website, warning me of malware on the site. This was interesting, as I'm running Ubuntu, and I don't have any software installed to warn me of malware. Instead of clicking the Ok, or the Cancel buttons, I clicked the little red X in the upper right corner. I was immediately redirected to a new web page designed to look like a Virus scan interface with a Windows My Computer look, complete with the windows defender shield logo and little green scan progress lines climbing towards completion (again, less than effective in my case, because I'm not running windows). When the completion bars complete, the site declares your computer to be infected, and another java pop up loads, instructing you to click Ok to download the software to clean up your computer. Again I clicked neither of the buttons presented me, and instead clicked the little close prompt X in the corner, and the software started downloading anyway. Ubuntu asked me if I wanted to save the download and I said no. It was a pretty slick setup, though, and I could see somebody (my mom) clicking Ok. The first trojan horse of this nature I encountered some years ago eventually tried to sell me software to clean up the mess that it had made. And it won't let your browser(s) search for a solution to the problem (or anything else) either. You just keep getting redirected. Frustrating as hell.

I fell for this virus back in December or November. It destroyed my lap top. It looked so legit.

SweetWaterBlue
05-01-2010, 11:15 AM
I left the forum open on my computer last night, this morning when I refreshed the page, I could only see the stickies at the top, and when I clicked on them nothing happened. So I went to the root site, ukuleleunderground.com, to see if someone had posted an explanation as to what was going on. I immediately got a java pop-up that there might be a problem with the website, warning me of malware on the site. This was interesting, as I'm running Ubuntu, and I don't have any software installed to warn me of malware. Instead of clicking the Ok, or the Cancel buttons, I clicked the little red X in the upper right corner. I was immediately redirected to a new web page designed to look like a Virus scan interface with a Windows My Computer look, complete with the windows defender shield logo and little green scan progress lines climbing towards completion (again, less than effective in my case, because I'm not running windows). When the completion bars complete, the site declares your computer to be infected, and another java pop up loads, instructing you to click Ok to download the software to clean up your computer. Again I clicked neither of the buttons presented me, and instead clicked the little close prompt X in the corner, and the software started downloading anyway. Ubuntu asked me if I wanted to save the download and I said no. It was a pretty slick setup, though, and I could see somebody (my mom) clicking Ok. The first trojan horse of this nature I encountered some years ago eventually tried to sell me software to clean up the mess that it had made. And it won't let your browser(s) search for a solution to the problem (or anything else) either. You just keep getting redirected. Frustrating as hell.

A lot of people get trojans that way. You think you are closing the box by hitting the X, but don't do it!!! The designers of these things know you may click that close box X, or fall for a message about your computer being infected, so it doesn't do what you think it does. Anyone can easily build an image map that executes a script no matter where you click it.

NEVER CLICK ANYWHERE ON ANY BOX YOU WERE NOT EXPECTING.

Even though I usually run Ubuntu and my Firefox is well protected with no-script and several other pop-up and ad killers, I still occasionally get one of those stupid pop-ups. I immediately go to the system monitor and kill firefox and any pop ups. None of them can really do much in Ubuntu anyway, but why take a chance? Clamscan usually finds it sitting harmlessly in my Mozilla folder.

Downloading the add-ons, No-Script, Web of Trust, and the Netcraft anti-phishing app into your Firefox will make your life better, even if you have to run Windows for some reason.

I guess everyone in the World is aware now that you also don't ever open email attachments from someone you don't know, or from your silly relatives (at least if they are like mine) who think it's fun to send chain-mail attachments to each other loaded with hidden trojans and viruses.

AnnaUK
05-01-2010, 12:10 PM
Hey Rayan, sincerely THANK YOU for the warning. I just scanned my computer (PC with XP) and found 4 pieces of spyware had appeared. All gone now.

Mahalo for taking the time to warn us all. I'm grateful for you looking out for us :)

Best wishes
Anna

ukeshale
05-01-2010, 12:14 PM
Same deal here. I've just finished scanning and found a couple of pieces. All sorted now.

Thanks for getting this sorted so quickly and for the heads up

Toucan Mango
05-01-2010, 01:06 PM
When I logged on this morning I think all I saw was a couple of stickies that would not open, I then did a google search for "ukulele hanger" to find a link to UU & when I clicked on one my computer alerted me that it blocked a Trojan horse virus. I then ran a check & my computer is fine.

itsme
05-01-2010, 01:58 PM
I just scanned my computer (PC with XP) and found 4 pieces of spyware had appeared. All gone now.


Same deal here. I've just finished scanning and found a couple of pieces. All sorted now.


I then ran a check & my computer is fine.
I think if there's one thing my last post above shows, it's that no single A/V program is able to catch 100% of everything. Don't lull yourself into thinking that if "your" program didn't find something (or even if it did) that it found everything.

UkuLeLesReggAe
05-01-2010, 02:22 PM
I haven't had anything suspicious. Out of curiosity, what is a skeleton password?

Dane
05-01-2010, 02:31 PM
I'm guessing a skeleton password is like a skeleton key, in which it will open many things, in this case, maybe your email or paypal accounts, ebay, all sorts of things that would have the same password.

I ran malwarebytes and found 3 trojans, but I haven't scanned in a while, I like to think I'm very protective but obviously not. Will it help to post the logs Rayan?

And yes to the comment about multiple scanning programs. It's just like the scan I did, I did a quick scan first, 2 trojans, then a deep scan and another trojan, running another deep now to check, going to look into some more scanning software.

CountryMouse
05-01-2010, 03:06 PM
I didn't see any popups. I was just looking at a couple threads. This morning I checked the calendar and did birthday wishes. I am running XP, and I have the latest version of Firefox.

I may be having unrelated problems, possibly with iTunes going nuts (everything totally disappeared from iTunes late this morning. I'm pretty sure everything is still on my HD, but NOTHING is in iTunes now, and it was earlier today). And not only that, the program that seems to've unexpectedly shown up on my start menu might've been installed by Cat'r when he was repairing something he'd messed up in my codec packs. (??) Or it could've been installed by Keep It! (which allows you to grab YouTube videos). The name of the program (which I have not knowingly run) is 3ivx MPEG 4 5.0.3

I'm having Microsoft Security Essentials do a deep scan right now. This is going to take a WHILE.

And I'm going to have to ask Cat'r about how my computer is starting up. It might be the used external HD he gave me and set up is causing problems. My PC starts up, then there are a scary couple moments where the screen goes black and you hear nothing happening. So I don't know if I'm having unrelated hardware problems. I can't ask The Caterpillar about this stuff now because he's at a convention in St. Louis. So he can't help from there, even if he had the time.

What I am most concerned about is was whatever this was grabbing passwords? If I used this password for somewhere else, am I going to have to change ALL my passwords?? At Rayan's suggestion, earlier today over on Twitter, I changed my password here.

Thanks.

CountryMouse, who apologizes for rambling incoherently

itsme
05-01-2010, 05:24 PM
I'm having Microsoft Security Essentials do a deep scan right now. This is going to take a WHILE.
MSE didn't find anything for me, nor did Superantispyware, Malwarebytes did.

CountryMouse
05-01-2010, 06:09 PM
Update: I had a trojan: JS/Adclicker. Microsoft Security Essentials is getting rid of it now.

iTunes was being flaky, but Cat'r told me what to do over the phone--it's fine now. Weird stuff (stuff I'm just not used to) happening at startup is normal because of the external HD. The program I didn't remember seeing was one that Cat'r had installed, so that's okay too.

All's well that ends well. :)

CountryMouse

Vindelanda
05-01-2010, 07:00 PM
Ack, I think I was on UU when it was probably being hacked. It would only show half the page, and wouldn't let me click on anything so I presumed the site was down and left.
Thus far nothing suspicious has happened to my computer, but I've got AVG running a scan right now to be on the safe side.
Thanks for the warning, and it really, really sucks that this happened to you guys!

hosenfeferdave
05-01-2010, 07:03 PM
My computer detected the www1.protectsys28-pd.xorg.pl, I think when I attempted to browse UU. I noticed the site was down at that point. This was at 9:58AM PST. My browser is Chrome.

freackykit
05-02-2010, 02:41 AM
I had a similar problem to above...firstly couldn't access the forums just a few stickies, then a suspicious pop up said it was scanning my machine and that I was infected. I closed everything and ran a full scan and now it appears ok.

I also changed my password when I got on here last night just to be sure!

I mean...what is the point for these people doing this kind of stuff...spite?

Hope everyone else is ok who experienced difficulties as well,

Ronnie Aloha
05-02-2010, 05:03 AM
Got the infected pop up but ran Ad-Aware and malwarebytes and no real problems.

AnnaUK
05-02-2010, 09:20 AM
I think if there's one thing my last post above shows, it's that no single A/V program is able to catch 100% of everything. Don't lull yourself into thinking that if "your" program didn't find something (or even if it did) that it found everything.

Yes, you're absolutely right. I've got two anti-virus programs for scanning.

I've scanned again today and it looks all clear (fingers crossed). But you're spot on, you can never be too careful. Thanks for the heads-up :)

whetu
05-03-2010, 10:45 AM
Do you remember what the program name was?

netcraft (http://toolbar.netcraft.com/site_report?url=http://www.ukuleleunderground.com) says you're on Linux/Apache, so whatever happened should be in the server logs. I don't know what your particular setup is - the netblock says godaddy, who I've never used, so I don't know what level of log access you have. If it was a site I was running though, it wouldn't take me long to grep some results. Let me know if I can be any help (I'm a Linux/Unix sysadmin)


I guess everyone in the World is aware now that you also don't ever open email attachments from someone you don't know, or from your silly relatives (at least if they are like mine) who think it's fun to send chain-mail attachments to each other loaded with hidden trojans and viruses.

Unfortunately no, but hey... cleaning up their mess keeps me quite well paid :D

Dane
05-03-2010, 08:27 PM
I like trojans, but my computer really has no need for them

ichadwick
05-06-2010, 02:21 AM
My sympathies, too. I had my own forum hacked a couple of years back, a MySQL vulnerability combined with some PHP weakness that really messed it up. Got it back online but took some effort. Good luck.

E-Lo Roberts
05-06-2010, 10:54 AM
A side note question...

Can anyone tell me why and for what suppose someone would want to hack a site like UU?
What are they looking for?
Is it simply because they can do it, and therefore that is their buzz?
Or are these people just hacking because they are "lacking" a life or what?

Never understood the whole hacker concept. .... thanks, e.lo...

salukulady
05-06-2010, 07:05 PM
A side note question...

Can anyone tell me why and for what suppose someone would want to hack a site like UU?
What are they looking for?
Is it simply because they can do it, and therefore that is their buzz?
Or are these people just hacking because they are "lacking" a life or what?

Never understood the whole hacker concept. .... thanks, e.lo...

My thoughts exactly.....is there some connection to getting our passwords and then trying to use them on other sites to get access to credit cards etc? If not for money.....why?

Dane
05-06-2010, 07:55 PM
I would have to guess it's some unpopular kid who gets his kicks off giving viruses to people, they brag about it and everything, I've seen it. A lot of the time they don't want anything other than that, because they're afraid of getting caught if they try to steal money and things of that nature, you can get in big trouble for stealing from people! Why did they choose a harmless ukulele community? I dunno, easier target? Practice?

Either way it is someone who needs to grow up and do something with their life, that much can be easily assumed.

whetu
05-07-2010, 09:47 PM
A side note question...

Can anyone tell me why and for what suppose someone would want to hack a site like UU?
What are they looking for?
Is it simply because they can do it, and therefore that is their buzz?
Or are these people just hacking because they are "lacking" a life or what?

Never understood the whole hacker concept. .... thanks, e.lo...

Hmmm... can of worms question. Google for "hacker vs cracker" and you'll get a bunch of resources that will explain to you what a hacker really is. Then read this (http://en.wikipedia.org/wiki/Hacker_%28computer_security%29#Hacker_attitudes) to get an understanding of the different types of hackers/crackers.

Without seeing any logs or what the site was like when it was hacked, I can't say for sure who or what caused this. It may have been a hack bot, they tend to go after forums...

rayan
05-08-2010, 12:47 AM
A side note question...

Can anyone tell me why and for what suppose someone would want to hack a site like UU?
What are they looking for?
Is it simply because they can do it, and therefore that is their buzz?
Or are these people just hacking because they are "lacking" a life or what?

Never understood the whole hacker concept. .... thanks, e.lo...

This specific hack was a malware attack. What the hacker attempted to do was install a script onto certain pages which automatically downloaded malware (spyware) onto a visitor's computer. This is why many people said they experienced pop-ups and weird downloading screens.

Once these programs are installed on a user's computer, they can be used for a variety of things, from just minor annoyances of popping up advertising on the computer to downright nasty things like installing keystroke recorders to try and gain login info to online banking etc.

The reason why they attacked UU is because we have a pretty decent amount of traffic which means there would be a potentially high install rate of these malware programs if we're getting tens of thousands of visits a day.

It was a very serious issue and it has been dealt with. I can say that the same attack can never be used again on UU. It was done through our adserver which i have completely removed.

E-Lo Roberts
05-08-2010, 03:22 AM
This specific hack was a malware attack. What the hacker attempted to do was install a script onto certain pages which automatically downloaded malware (spyware) onto a visitor's computer. This is why many people said they experienced pop ups and weird downloading screens.

Once these programs are installed on a user's computer, they can be used for a variety of things, from just minor annoyances of popping up advertising on the computer to downright nasty things like installing keystroke recorders to try and gain login info to online banking etc.

The reason why they attacked UU is because we have a pretty decent amount of traffic which means there would be a potentially high install rate of these malware programs if we're getting tens of thousands of visits a day.

It was a very serious issue and it has been dealt with. I can say that the same attack can never be used again on UU. It was done through our adserver which I have completely removed.

Thanks for the comments everyone. It's a sad state the world has fallen into. The kicker is, these leechers sleep better at night than I do... e.lo

rayan
05-12-2010, 12:12 AM
Not to alarm anyone, but I just found another fishy file on the server. I deleted it, ran a thorough scanning program to clean out any other malware and changed all our master passwords. The coast should be clear, but if you do see anything suspicious, please report it here in this thread. As the mayor of Kauai says, "Together, we can!"
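
Added example, not part of the post above and not UU's own tooling: one way to look for leftover "fishy" files after a rollback is to hash the live web root against the known-good backup and list everything that was added or changed. The directory layout, file contents and extension list below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

ACTIVE_EXTS = {".php", ".htm", ".html", ".js"}  # assumed: types the server runs or serves

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_backup(backup_root, live_root):
    """Return files added, removed or modified on the live site versus the backup."""
    good, live = hash_tree(backup_root), hash_tree(live_root)
    report = {
        "added": sorted(set(live) - set(good)),
        "removed": sorted(set(good) - set(live)),
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
    }
    # New or changed files that the server executes or serves get reviewed first.
    report["review_first"] = sorted(
        p for p in report["added"] + report["modified"]
        if os.path.splitext(p)[1].lower() in ACTIVE_EXTS
    )
    return report

def demo():
    """Build a constructed backup/live pair in a temp dir and compare them."""
    pages = {"index.php": "<?php home(); ?>", "ads/banner.htm": "<p>ad</p>", "logo.png": "PNG"}
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        for root in (backup, live):
            os.makedirs(os.path.join(root, "ads"))
            for rel, body in pages.items():
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write(body)
        # Constructed tampering: one served page altered, one unexpected file dropped in.
        with open(os.path.join(live, "ads", "banner.htm"), "a") as fh:
            fh.write("<script src='//placeholder.invalid/x.js'></script>")
        with open(os.path.join(live, "cache.php"), "w") as fh:
            fh.write("<?php /* unexpected file */ ?>")
        return compare_to_backup(backup, live)

if __name__ == "__main__":
    print(demo())
```

Anything listed under `added` that is not in the backup is a candidate for the kind of file described above; a clean result only means the live tree matches the backup, so the backup itself has to predate the compromise.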

UkuLeLesReggAe
05-15-2010, 05:21 AM
I actually couldn't log in... And my password is always the same... So I changed it.

but yeah, anybody else?....

mrplatypus70
05-16-2010, 06:39 PM
Hey just a little while ago I opened the home page to UU and got a warning about malware from my Avira software
this is what it said
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Users\Tom\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A4NX1ZTX\ads[1].htm.
Action performed: Deny access

itsme
05-16-2010, 06:46 PM
\Content.IE5\A4NX1ZTX\ads[1].htm
Please don't tell me you're still running IE5.

mrplatypus70
05-16-2010, 06:58 PM
Nope, IE8. I did not notice that the folder is called IE5, weird! This is a newer PC and I never had anything but IE8 on it.

whetu
05-16-2010, 09:31 PM
Hey just a little while ago I opened the home page to UU and got a warning about malware from my Avira software
this is what it said
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Users\Tom\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A4NX1ZTX\ads[1].htm.
Action performed: Deny access

Chances are a cookie is trying to fire up a cached version of a possibly infected ads file. Clear temporary internet files, clear cookies for UU and try again :)

Skitzic
05-17-2010, 04:34 AM
I received the same virus warning and my cookies are cleared nightly. I suppose they were hacked again?

Ukulelerob
05-17-2010, 06:44 AM
When I tried to get on the UU forum this morning it wouldn't work. So after a few tries I tried the main UU. Almost instantly my browser shut down and a new window opened and said that I had all kinds of problems and it was going to fix it. Some of this page looked like my McAfee software. A small pop up came up and asked if I wanted to download this program. I stopped and turned off all the open windows and started a scan through my McAfee software. After it did its work, which seemed to take forever, it said it found no problems. I restarted my computer and here I am. I run Vista OS and Firefox browser.

rayan
05-17-2010, 07:41 AM
Thank you everyone for keeping us up to date. Let me tell you guys what we're doing now. Please let us know if you see anything else fishy.

These attacks are all made possible by Godaddy's servers which are NOT secure. We've found a new hosting provider and our migration from Godaddy was started on Friday. It's costing us an arm and a leg but your security is very important to us and we're doing everything we can on our end to keep you guys safe. We should be moved over completely by the end of the week, if not sooner.

Thanks for bearing with us, I know this sucks.

Here's all the info http://blog.sucuri.net/2010/05/continuing-attacks-at-godaddy.html

Lori
05-17-2010, 07:49 AM
Thank you everyone for keeping us up to date. Let me tell you guys what we're doing now. Please let us know if you see anything else fishy.

These attacks are all made possible by Godaddy's servers which are NOT secure. We've found a new hosting provider and our migration from Godaddy was started on Friday. It's costing us an arm and a leg but your security is very important to us and we're doing everything we can on our end to keep you guys safe. We should be moved over completely by the end of the week, if not sooner.

Thanks for bearing with us, I know this sucks.

Here's all the info http://blog.sucuri.net/2010/05/continuing-attacks-at-godaddy.html
Yikes! GoDaddy is hosting my site. Is it in danger? It is just a website, with a web store... no forums or ads. I am on a Mac. I had no problem on UU today. How will I know if something is going wrong?
–Lori

rayan
05-17-2010, 07:54 AM
Yikes! GoDaddy is hosting my site. Is it in danger? It is just a website, with a web store... no forums or ads. I am on a Mac. I had no problem on UU today. How will I know if something is going wrong?
–Lori

The attacks are caused by a vulnerability in their servers, but it seems to be a php exploit. If you don't have php files, you might not be affected. This was the 3rd time this month we got attacked, we removed our adserver, cleaned all files, changed all passwords. If you haven't been hacked yet, you may be a lucky one.

Lori
05-17-2010, 08:24 AM
The attacks are caused by a vulnerability in their servers, but it seems to be a php exploit. If you don't have php files, you might not be affected. This was the 3rd time this month we got attacked, we removed our adserver, cleaned all files, changed all passwords. If you haven't been hacked yet, you may be a lucky one.
Thanks for the info. I am sort of a non-techy on the webcode area. I used GoDaddy Website Tonite App and Quick Shopping Cart. How would I know if they used php files, or should I call them? The shopping cart worked last night, because I got 2 orders. I don't think I have a lot of "members" signed-up to my site yet. Is that where the problem would be?
Thanks.
–Lori

PhilUSAFRet
02-26-2011, 05:25 AM
Going to do anything about the Shoe sales site on the Kala Users group?

fitncrafty
02-26-2011, 05:51 AM
Thank you everyone for keeping us up to date. Let me tell you guys what we're doing now. Please let us know if you see anything else fishy.

These attacks are all made possible by Godaddy's servers which are NOT secure. We've found a new hosting provider and our migration from Godaddy was started on Friday. It's costing us an arm and a leg but your security is very important to us and we're doing everything we can on our end to keep you guys safe. We should be moved over completely by the end of the week, if not sooner.

Thanks for bearing with us, I know this sucks.

Here's all the info http://blog.sucuri.net/2010/05/continuing-attacks-at-godaddy.html

Sorry you are all dealing with all this.. but I have to thank you all for caring about all of us and this forum so much! I have changed my password and will do anything else I can to keep this place safe for all the users....

seeso
02-26-2011, 06:04 AM
Going to do anything about the Shoe sales site on the Kala Users group?

Give me a link, I'll zap it.

dans003
02-27-2011, 06:54 AM
Give me a link, I'll zap it.
Seeso, as the admin of this group (Kala Owners Group memberS) , as soon as I heard about this I removed the posts, and banned the member involved from the group.

dans003
02-27-2011, 06:57 AM
Seeso, as the admin of this group (Kala Owners Group memberS) , as soon as I heard about this I removed the posts, and banned the member involved from the group.
sorry, after the last post, I realised that although the member had remained banned, the posts keep re-appearing after I delete them. HELP!!!

UkuleleHill
02-27-2011, 08:21 AM
sorry, after the last post, I realised that although the member had remained banned, the posts keep re-appearing after I delete them. HELP!!!

What is the group?

dans003
02-27-2011, 08:25 AM
What is the group?
it's on the main site, rather than the forum, and it's called KOGS - Kala Owners Group memberS (http://ukuleleunderground.com/groups/kods-kala-owners-group-members/home/).
Hopefully there's a hyperlink on the name!

UkuleleHill
02-27-2011, 08:49 AM
it's on the main site, rather than the forum, and it's called KOGS - Kala Owners Group memberS (http://ukuleleunderground.com/groups/kods-kala-owners-group-members/home/).
Hopefully there's a hyperlink on the name!

I've reported this to the guys that can take care of that. Thanks!

dans003
02-27-2011, 08:50 AM
I've reported this to the guys that can take care of that. Thanks!
thanks so much!!

seeso
02-27-2011, 08:52 AM
I can't do anything on the main site side of UU. I'm only an admin for this side. I'll see if Ryan can help you.

dans003
02-27-2011, 08:53 AM
I can't do anything on the main site side of UU. I'm only an admin for this side. I'll see if Ryan can help you.
thanks, that'll really help! it's just so annoying that someone would do something like this!

seeso
02-27-2011, 08:58 AM
thanks, that'll really help! it's just so annoying that someone would do something like this!

You should be good now. Check it out.

dans003
02-27-2011, 08:59 AM
You should be good now. Check it out.
thanks so much! oh the brilliance that is UU! :)

seeso
02-27-2011, 09:02 AM
thanks so much! oh the brilliance that is UU! :)

Thank Ryan (http://www.ukuleleunderground.com/forum/member.php?2-rayan)! He did the zapping.

dans003
02-27-2011, 09:04 AM
Thank Ryan (http://www.ukuleleunderground.com/forum/member.php?2-rayan)! He did the zapping.
just done! :)

UkuleleHill
02-27-2011, 09:14 AM
Woot! I knew one of you guys could do it, thanks Seeso!

UkuleleHill
02-27-2011, 10:43 AM
Woot! I knew one of you guys could do it, thanks Seeso!

And Ryan!