Have the forums been hacked?

[Si Veteran]

Didn't know you were a mod.

Maybe not, but he's right.

[u_diddy]

Didn't know you were a mod.

On topic- You had me worried as I have no virus scanner till I read that it didn't work in firefox *pets firefox* :D

You shouldn't pet foxes (especially one's that are on fire), they may bite your hand off or you may get burnt.

[DaveLegg Developer]

Can I request people don't post code samples from the virus involved in this, people who get email subscriptions to the thread will receive the code and may result in a virus warning (I almost lost my entire inbox, spent a while recovering it). If you want to post a code sample, please post elsewhere and link to it.

NOTE: This is a personal request, I'm not writing that as a staff member, I just don't want to see people lose their emails.

[DreadBoat89]

You shouldn't pet foxes (especially one's that are on fire), they may bite your hand off or you may get burnt.

you shouldn't meet with ie cuz you could get sick... and cant listen to opera cuz you could get your ears destroyed >.>

quality of invision products had been going downhill... the money they are making is getting to their heads

[RootWind]

From IPB:

We've seen recently a number of 'new' hack attempts in adding iframes to a board wrapper. This is because a previous exploit allowed access to the ACP and to upload a 'trojan' PHP file which has been dormant. The hacker has simply come back and started to use the trojan files to deface boards.

As it stands, the very latest IPB 2.1.6 is secure against all known attacks and if you find your board defaced or an iFrame pop-up appears it's likely to be because of a trojan file which is somewhere in your installation.

[Ferret]

You had me worried as I have no virus scanner till I read that it didn't work in firefox *pets firefox* :D

Moi too - So have just installed the AV.

I completly forgot about, since I formatted about a month ago.

[Neil]

you shouldn't meet with ie cuz you could get sick... and cant listen to opera cuz you could get your ears destroyed >.>

quality of invision products had been going downhill... the money they are making is getting to their heads

No forum is 100% secure, however Neowin is a target because of the fact it is a technology site and one of the biggest IPB boards, but I hate the way people criticised phpBB said "well I am secure now because I am with IPB", well your not no forum is safe but keeping it up to date helps.....

[thollian]

always someone trying to mess things up...

[Allan]

Whois.ws shows ...

Registrant Contact Information:

Name: Steven Mears

Organization: N/A

Address 1: Sagewind

City: Houston

State: Texas

Zip: 77089

Country: US

Phone: +001.2814846065

Email: zchxsikpgz@mail.ru

IP Address: 81.95.145.173

Website Status: inactive

Cache Date: 2006-07-08 10:34:06 MST

I don't know if Admin can use this info, but thought it might be useful.

[lerum]

Allan?: Its probebly fake, which means you *could* try and get the domain removed:))

[Axon]

Looks like this attacker has been busy:

http://forums.invisionpower.com/index.php?...=2&bug_cat_id=9

And it seems that people with cleaned forums (meaning they'd removed the trojan and had a new 2.1.6) were still getting attacked...

-Ax

[sn00pie]

I was getting a MySQL error page, I'm on XP Pro with NOD32/ZA no notifications here. :|

[Slimy]

Does this have anything to do with having a new admin? I just noticed FrogBoy :laugh: - forgive me if he's been around for a while!

[fr33k]

that was 13,000 post slimy

BTW can't there be an announcement/warning on the front page to block "zchxsikpgz.biz"?

[mad_onion]

yeah i am getting this on ie7 beta 3 everytime i go to the forums i added that to restricted to stop it. i used firefox to find out what to do ;)

so you still get the warnings even if you have fixed the exploit right? my pc is completely up to date and it still happen to me but notihng has happened to my pc i guess cause i have patched it?

what would have happened if i hadnt? would my pc have destroyed itself?

oh ps: on firefox, no users seem to have signatures and there intellitext ads in the forums, this doesnt happen on ie7 :s

[2shae]

2 Of my forums got hacked and i was about to put on the 2.1.6 update today

here is a tracert of his domain, someone should contact the companys listed to tell them what this site is doing

___________

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\jamie>tracert zchxsikpgz.biz

Tracing route to zchxsikpgz.biz [81.95.145.173]

over a maximum of 30 hops:

1 58 ms 63 ms 63 ms 159.134.155.63

2 65 ms 63 ms 59 ms 159.134.126.49

3 75 ms 63 ms 72 ms 159.134.127.29

4 82 ms 75 ms 79 ms 83.71.112.202

5 105 ms 83 ms 83 ms 195.66.226.185

6 77 ms 99 ms 75 ms sougreat-limited.demarc.cogentco.com [149.6.80.2

50]

7 128 ms 127 ms 104 ms 96.194.linkey.ru [213.159.96.194]

8 130 ms 123 ms 132 ms 96.22.linkey.ru [213.159.96.22]

9 117 ms 127 ms 127 ms ip-145-173.rbnnetwork.com [81.95.145.173]

Trace complete.

C:\Documents and Settings\jamie>

_____________

[DaveLegg Developer]

on firefox, no users seem to have signatures and there intellitext ads in the forums, this doesnt happen on ie7 :s

I'm guessing you haven't signed in on Firefox. We disable signatures for guests to save on the bandwidth and have ads for a bit of added revenue from the lurkers :)

[Matrix XII]

Firefox is keeping me safe :)

:D

[mad_onion]

Firefox is keeping me safe :)

actually any browser that doesnt run on the ie core is keeping you safe. firefox isnt actively doing anything.

I'm guessing you haven't signed in on Firefox. We disable signatures for guests to save on the bandwidth and have ads for a bit of added revenue from the lurkers :)

oh yeah thats it obvious. i should have thought of that. im always logged in so ive never had that happen before

[primexx]

I came here and I saw the iFrame....and I knew something was wrong, the same thing happened at Invisionize a few days ago. NoScript completely blocked it though, so no troubles here :D

http://forums.invisionize.com/index.php?showtopic=107880

And their solution:

http://forums.invisionize.com/index.php?showtopic=107874

[simsie]

Opera is good, didn't even notice until i saw this post

[Orange]

I'm in Firefox now, but when I was viewing Neowin in Internet Explorer seven different trojans appeared. :p

Same here well i always browse in Firefox but i gave IE ago and bamm got hit. So gonna be a fan boy here and say go with Firefox or Opera :devil:

[James123]

I don't mean to offend but... what are the coders doing?

Two or three different people have posted official invision links of how to fix this (at least, temporarily), and the code of the exploit itself has been posted so they would be able to see what's happening and how to stop it but the problem is STILL there!

Do you not think it's unacceptable for a site of this size to have a script potentially infecting any unsuspecting user for over 12 hours (15+ now), plus "Neowin Coder(s)" have been posting here since this morning, so they've been aware of it for ages.

Again, no offence intended, just pointing out that it's taking an awful long time to patch a small security hole, with patches available from invision, or even to write a custom fix, and yes, I know you're not affected if you don't use IE or you have a anti-virus, but that's no excuse.

[Shof]

I don't mean to offend but... what are the coders doing?

Two or three different people have posted official invision links of how to fix this (at least, temporarily), and the code of the exploit itself has been posted so they would be able to see what's happening and how to stop it but the problem is STILL there!

Do you not think it's unacceptable for a site of this size to have a script potentially infecting any unsuspecting user for over 12 hours (15+ now), plus "Neowin Coder(s)" have been posting here since this morning, so they've been aware of it for ages.

Again, no offence intended, just pointing out that it's taking an awful long time to patch a small security hole, with patches available from invision, or even to write a custom fix, and yes, I know you're not affected if you don't use IE or you have a anti-virus, but that's no excuse.

what if it is already fixed and you dont know yet?

[aos101]

I don't mean to offend but... what are the coders doing?

Two or three different people have posted official invision links of how to fix this (at least, temporarily), and the code of the exploit itself has been posted so they would be able to see what's happening and how to stop it but the problem is STILL there!

Um, where is it? The only iframes I can see in the code are Neowin ones.