With much regret I am notifying you that BleepingComputer was hacked today.

It is with great displeasure and embarrassment that I am notifying the BleepingComputer.com community that a component of BleepingComputer was hacked today. This was accomplished through a vulnerability that allowed the hacker to add malicious code to certain portions of the site (forums and startup database). The other sections of the site were unaffected. The hacking occurred at 12:18 EST on 9/15/2010 and I was able to remove the hack and upgrade the software by 1:15 EST on 9/15/2010.

I have spent the rest of the time looking into what other locations of the site may have been tampered with and have found no other modifications. No email addresses, account names, passwords, etc have been accessed. The only thing that was modified was the inclusion of the malicious iframe on certain pages.

I want to assure everyone who visits BleepingComputer.com that security is of the utmost concern for the site and our visitors. Unfortunately, as we have learned even if you stay on top of the updates, sometimes you just cannot upgrade fast enough. For example, the vulnerable component of the site was only updated yesterday and I did not receive notification that an update was available.

For now, I suggest everyone scan their computer using a variety of tools such as ESet Online Scanner, Kaspersky Online Scanner, and Malwarebytes' Anti-Malware.

I will provide an update later after I analyze the malicious code.

Once again I apologize for having to write this post.

Thank you for the heads up.

Everything appears to be secure at my end.

My computer passed all scans successfully.

Google search on my computer is also functioning as it is supposed to as well. It is going to the sites I have selected.

I as I hope everyone else, keeps my anti-virus and anti-malware scanning software up-to-date and I check for updates daily.

Hopefully all is well with everyone else.

Bruce.

Edited by MrBruce1959, 15 September 2010 - 05:18 PM.

Update: For those who may be concerned that they were hacked, the above hack only affected visitors who were not logged in. If you were logged into the site during that period you would not have been shown the code.

It appears that the malicious code was a multi-exploit kit that was being used to try and exploit common vulnerabilities on your computer to install malware. What that means is that if you have the latest version of Java, Adobe Reader, Shockwave, Realplayer, or Flash and all your Windows updates then your computer would not have been affected. So as an aside, please make sure you always keep your programs, especially those I just listed, updated and all your Windows updates installed. Instructions on using Secunia PSI to scan for outdated programs can be found here:

How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

For those who may have been infected, though, then you may find that your computer has become infected with the TDSS infection. I suggest that you follow the steps here:

How to remove Google Redirects or the TDSS, TDL3, or Alureon Rootkit

You will know that your computer is infected when you attempt to click on a Google search result and are redirected to a different page than you should be going to.

I have tested TDSSKiller against the malware that may have been installed and it should be able to remove it.

When done, I also suggest scan your computer using a variety of tools such as ESet Online Scanner, Kaspersky Online Scanner, and Malwarebytes' Anti-Malware. I know for a fact that MalwareBytes, if installed, would have blocked access to the site running the exploits.

Once again, I am sorry that this happened and I stress that I always prioritize the security of our visitors and the site ahead of any other tasks. If you have any questions, concerns, or issues please ask here.

I would also like to send a big thanks to tetonbob for notifying me about the issue and helping me test it. Thanks again!

Have you learned anything about the malicious code yet? Such as what damage it could do to your computer?

Edit: You beat me to it. Not sure if I was logged in or out at that time. Anyways, gonna run scans to make sure.

Edited by Rewster, 15 September 2010 - 05:01 PM.

Thanks for the heads up. I'm fairly certain I visited the site today near the time frame indicated to check on a log I am currently working. No alarms went off on my end. I'm running Windows 7 64-bit with ESET SmartSecurity 4 and mbam. I've also noticed no ill effects...no search problems. Nothing. I am nonetheless scanning as you recommend. Thanks again! Excellent, quick work by an outstanding team here.

I can tell you that Eset would have blocked it.

What a nightmare! Thanks for the heads up

Yeah, and I read Bob's post...he has ESET and his popped up a warning when following the email he got. I didn't visit via an email link. I just remember clicking the bookmarked links to all the logs I currently have. I know that's how I arrived so I must not have come during the critical time element.

Thanks again!

My god good thing I was logged in this site is EXTREMELY helpful. Unfourtantley the site is a worry to the evil people who create malware EDIT im using a gaming console to post this but is the hack gone completely? because on my computer im not signed in so if I go now on my computer will I get infected?

Edited by pleasehelp123, 15 September 2010 - 07:24 PM.

Yes, its completely gone.

Thanks Grinler for the quick response and repair. I ran all my scans yesterday, I'm okay but I will do it again with ESet Online. Thanks again for fixing things.

GRRR, bleeping hackers!!!

GRRR, bleeping hackers!!!

Couldn't agree more!

What component was hacked ?
We had some problems with OpenX banner system and we disabled it for a while.

http://img193.imageshack.us/img193/8171/10hoo42.png
http://img155.imageshack.us/img155/49/image000.png

PC Tools ThreaFire and Foxit PDF Reader 4 successfully blocked the attack:

http://img210.imageshack.us/img210/2976/99255932.png
http://img203.imageshack.us/img203/1479/75592880.png

*The exploit tried to open CMD.exe => to execute WMP, to execute Windows Calculator, to execute Windows Help & Support or to create a new account for Windows with full admin rights (lol).

I'm running Windows 7 64-bit and I do not have any problems so far.

Seems all security sites are targeted, because G2G was attacked with URL injection some time ago.

http://img188.imageshack.us/img188/2947/g2gv.png


Thanks for letting us know, boss !


Regards,
G.

Edited by B-boy/StyLe/, 16 September 2010 - 01:45 PM.

Yes, I do not think this was a targeted attack against the site. Just a targeted attack against a vulnerable software.