Rigby Posted July 10, 2006 Share Posted July 10, 2006 (edited) You can't JUST blame the browser. Did you download the update released for this vulnerability that has been out since January? Uh, yes. Unless you think that everyone in this thread that had virus warnings and popup windows did not have the patch installed. The patch apparently doesn't stop IE from downloading the WMF automatically and opening it in the picture and fax viewer. Why IE still opens wmf files without even asking is beyond me, especially IE7. Yes I blame the browser. Firefox and Opera do not have any issue with this at all but IE went nuts when I visited the page. Oddly it made the little plonk sound and showed the blocked content bar, but it still downloaded the wmf file without my permission. Edited July 10, 2006 by TRC Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587688562 Share on other sites More sharing options...
Tomi Posted July 10, 2006 Share Posted July 10, 2006 All 2.1.6. boards are vulnerable. That's not entirely true. Matt said that the vulnerability has already been patched in 2.1.6, but if you've already been hit when you had 2.1.5 [like Neowin has been already], the hackers had left a back door for themselves hidden in one of your folders, most likely style_emoticons, apparently. Matt released a tool to check for foreign files. Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587688759 Share on other sites More sharing options...
ASFx Posted July 10, 2006 Share Posted July 10, 2006 The people at invision have been saying it's only people who have have their 2.1.5 installations exploited, but that still doesnt explain all the people with fresh 2.1.6 installations that are getting hacked. This is really out of control now. People are still able to inject iframes in 2.1.6 boards and they don't even need to make those malformed posts anymore. Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587688958 Share on other sites More sharing options...
Jordan M. Posted July 11, 2006 Share Posted July 11, 2006 boy im lucky im using vista ie7 and no mouseover highliteing Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587689987 Share on other sites More sharing options...
problemsolver Posted July 11, 2006 Share Posted July 11, 2006 We have this hack utilised on our forums all the time, just stupid script injection Ah -- me stupid -- my forum has been hacked with this -- home page is diverting to zchxsikpgz.biz etc -- IPB newbie -- where's that code again? How do I clean it up? Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587690016 Share on other sites More sharing options...
crimsonhead Posted July 11, 2006 Share Posted July 11, 2006 I feel like I slept through an earthquake. Firefox (Y) Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587690039 Share on other sites More sharing options...
Garry Posted July 11, 2006 Share Posted July 11, 2006 Hello all. Just to let you know, my forums were hit with the same vulnerability while I was running 2.1.4 a couple of weeks ago. I then did a completely fresh install of 2.1.6 and installed the 30/6 patch but got hit again. I've run the AV tool and nothing was found. The first time, my admin password was changed, but not the second time. Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587690055 Share on other sites More sharing options...
Firefawx Posted July 11, 2006 Share Posted July 11, 2006 Has this already been brought up? - Details: Attempted Intrusion "HTTP Cobalt Raq Apache Disclosure" from your machine against www.neowin.net(66.28.242.203) was detected and blocked. Happens whenever I visit the www.neowin.net homepage (not forums). Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587691662 Share on other sites More sharing options...
kstruble Posted July 13, 2006 Share Posted July 13, 2006 i'm getting the same message from NAV2006. Right when I pull up the neowin main page Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587696126 Share on other sites More sharing options...
Japlabot Posted July 13, 2006 Share Posted July 13, 2006 Some forums that have been hit by this exploit have had their member email address database harvested and they are already starting to send spam. I'm trying to inform some forums about this, where can I get get information about this exploit to link them to? Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587696758 Share on other sites More sharing options...
nwBen Posted July 13, 2006 Share Posted July 13, 2006 Thank god I dont use Windows or IE anymore. It's good to be able to not worry about this stuff. Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587696817 Share on other sites More sharing options...
chconline Veteran Posted July 13, 2006 Veteran Share Posted July 13, 2006 If its fully patched you should be fine... Btw 2.1.7 is out. Just upgraded my forums, took like 2 minutes literally :yes: Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587699087 Share on other sites More sharing options...
Shof Posted July 13, 2006 Share Posted July 13, 2006 Btw 2.1.7 is out. Just upgraded my forums, took like 2 minutes literally :yes: with the neowin problems, i doubt they will do that any time soon Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587699108 Share on other sites More sharing options...
midway40 Posted July 14, 2006 Share Posted July 14, 2006 Kerio just reported this when I first logged into the forum (first time I seen Kerio in action, lol): Technical details about the intrusion attempt: Injector application: C:\Program Files\Internet Explorer\iexplore.exe Description: Internet Explorer File version: 7.00.5450.4 (winmain(wmbla).060623-0309) Product name: Windows? Internet Explorer Product version: 7.00.5450.4 Created: 2006/6/20, 22:42:31 Modified: 2006/6/23, 10:38:40 Accessed: 2006/6/23, 10:38:40 Target application: C:\Program Files\Internet Explorer\IEXPLORE.EXE Description: Internet Explorer File version: 7.00.5450.4 (winmain(wmbla).060623-0309) Product name: Windows? Internet Explorer Product version: 7.00.5450.4 Created: 2006/6/20, 22:42:31 Modified: 2006/6/23, 10:38:40 Accessed: 2006/6/23, 10:38:40 Address of injection: 0x7E2FCD5E Plus I have been getting stack overrun windows. Link to comment https://www.neowin.net/forum/topic/476942-have-the-forums-been-hacked/page/7/#findComment-587699255 Share on other sites More sharing options...
Recommended Posts